# Censys MCP for AI Agents

> Censys allows your AI agent to explore the world's largest internet scanning platform. You can discover exposed services, analyze SSL certificates, and map an organization's full attack surface by querying internet-facing hosts, ports, and infrastructure changes.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** internet-scanning, attack-surface, ssl-certificates, threat-intelligence, network-security, ip-lookup

## Description

This MCP gives your AI client access to deep network intelligence, allowing you to investigate what parts of the internet are visible to an attacker. Instead of manually checking dozens of dashboards or running multiple CLI commands, you can ask your agent to look at a target IP address and get all the data in one go—open ports, services running there, OS detection, and even who issued any associated certificates.

For example, if you suspect a misconfigured web server, you can use this MCP to search for hosts running specific services, like finding every machine using an Nginx banner across different countries. It's powerful data mapping. If you subscribe through Vinkius, your agent gets access to the entire catalog of specialized tools, making it easy to correlate host findings with certificate details or check historical changes over time. It turns raw internet scan data into actionable intelligence for security teams.

## Tools

### aggregate_hosts
Groups search results by fields like country or port to calculate counts, showing the distribution of exposed services or infrastructure types.

### get_account_info
Checks your remaining API quota and account limits so you know when you need to top up your access.

### get_certificate
Pulls all detailed data for a specific certificate, including its issuer, validity period, key information, and extensions.

### get_certificate_hosts
Finds every host (IP address) that is using a particular SSL/TLS certificate, detailing the ports and timestamps.

### get_host
Gets all open ports, service banner text, TLS certificates, OS detection, and location data for one specific IP address.

### get_host_history
Shows a timeline of how an IP's services, ports, and certificates have changed over time, marking all observed modifications.

### search_certificates
Searches for SSL/TLS certificates using criteria like issuer names, subject fields, or specific validity dates.

### search_hosts
Performs powerful searches on internet-connected hosts using services (e.g., 'ssh'), ports, OS types, or geographic locations.

### view_host_diff
Compares two different IP addresses to highlight infrastructure differences, making it easy to spot what changed between them.

## Prompt Examples

**Prompt:** 
```
Find all exposed SSH servers in Germany.
```

**Response:** 
```
### 🇩🇪 Exposed Infrastructure Report

We found **3,120** hosts running SSH (Port 22) in the DE region.

*   **Top OS:** Linux (Ubuntu/CentOS)
*   **Common ASNs:** AS64512 (Deutsche Telekom), AS7019 (Vodafone).
*   **Key Findings:** Several hosts are running outdated SSH protocols. We recommend checking the `get_host_history` for specific IP ranges to confirm if these ports were opened recently.
```

**Prompt:** 
```
Show me all certificates issued by DigiCert expiring this quarter.
```

**Response:** 
```
**🔍 Certificate Expiry Alert: Q3 2026**

Found **1,542+** certificates matching the criteria. Key details:

| Issuer | Expiration Date Range | Common Subject Domains |
| :--- | :--- | :--- |
| DigiCert Inc | Jul - Sep 2026 | .com, .net, banking. |

*Most certificates use RSA 4096-bit keys. Check the `get_certificate` tool for full parsing details on any specific fingerprint.*
```

**Prompt:** 
```
Compare these two IPs and tell me what changed.
```

**Response:** 
```
**📊 Host Comparison: IP A vs IP B**

The following infrastructure changes were detected:

*   ✅ **New Service:** IP B opened port 8080 (HTTP Alternate) which was closed on IP A.
*   ❌ **Removed Feature:** IP A had a specific TLS banner that is missing from IP B.
*   🌐 **Location Change:** The ASN associated with IP B has changed since the last scan. 

Use `view_host_diff` to track these subtle but critical changes in your infrastructure.
```

## Capabilities

### Map and search exposed hosts
Search the entire internet-facing landscape by service, port number, operating system, or geographical location.

### Analyze host details and history
Retrieve detailed information on any IP address, including all open ports, services, certificates, and a timeline of how the host's profile has changed.

### Investigate SSL/TLS certificates
Find specific certificate details by fingerprint or search for expiring certificates issued by certain authorities.

### Correlate infrastructure data
Compare two different hosts to pinpoint exactly what services, ports, or OS features have changed between them.

### Analyze service distributions
Group search results by fields like country or autonomous system name to understand the overall distribution of exposed infrastructure.

## Use Cases

### Checking a competitor's public footprint
A security researcher wants to know if a rival company is using any old certificates. They run `search_certificates` for specific issuers and then use `get_certificate_hosts` to find every domain attached to those certificates, mapping out the full infrastructure.

### Monitoring internal network drift
A sysadmin runs a scan on two IPs: one from last year and one today. By using `view_host_diff`, they quickly see that three critical ports were opened unexpectedly, signaling a possible misconfiguration or breach.

### Assessing general network risk
A threat hunter needs to gauge the global prevalence of a specific service. They use `search_hosts` for 'ftp' and then run `aggregate_hosts` by country, instantly creating a map showing which countries have the highest concentration of exposed FTP services.

### Vetting a target system
A penetration tester gets an IP address. They use `get_host` to gather all foundational data—OS, ports, certificates—and then run `get_account_info` to ensure they have enough quota for the deep dive.

## Benefits

- Identify infrastructure changes: Use `view_host_diff` to instantly compare two hosts and pinpoint exactly what services or ports have been added or removed.
- Deep dive on IPs: The `get_host` tool pulls everything—OS, open ports, banners, certificates—for a single IP in one request.
- Certificate tracking: Never miss an expired certificate. Use `search_certificates` to find all SSL/TLS certs issued by specific authorities or nearing expiration.
- Historical view: Need to know if a host was compromised last month? Run `get_host_history` to see the full timeline of service changes for any IP.
- Broad pattern analysis: Use `aggregate_hosts` to analyze large datasets, grouping results by country or ASN to understand global exposure trends.

## How It Works

The bottom line is that you get automated access to massive-scale network scan data without needing to run the complex queries yourself.

1. First, subscribe to this MCP and provide your Censys API ID and Secret credentials.
2. Next, direct your AI client to perform an inquiry—for instance, asking it to find all hosts running a specific service port in a certain region.
3. The tool returns structured data detailing the open ports, services, certificates, or historical records for the requested IP range.

## Frequently Asked Questions

**How can Censys MCP help me map my network's attack surface?**
It lets you search the entire internet for exposed services and ports without needing to be physically connected. You can use your agent to find every publicly visible certificate or service running on a target IP.

**Does Censys MCP track changes over time?**
Yes, it tracks host history. It shows you if an open port or a service banner was added recently, allowing you to detect potential misconfigurations that happened after the fact.

**What kind of certificate information can I get with Censys MCP?**
You can find detailed data on certificates, including who issued them, when they expire, and critically, every single IP address or domain name using that specific certificate.

**Is this better than running manual network scans?**
It's more comprehensive. It automates the correlation of data points—linking a port finding to its associated certificate and then tracking its history—in one workflow, saving massive amounts of time.

**Can Censys MCP help me find similar infrastructure?**
Absolutely. You can compare two different IP addresses using the tool to spot differences in open services or OS types, which is helpful when auditing related systems.