Shodan: The Search Engine for Exposed Devices

It’s not Google. It’s the opposite of Google. And if you’re running anything on the internet, you should probably know what it sees.

You’re online, so you need to know about a search engine that most people have never heard of but every security professional uses daily. It doesn’t index web pages. It doesn’t care about your blog posts or product listings. Instead, it catalogs every device connected to the internet—your security cameras, routers, industrial control systems, databases, and yes, that smart refrigerator you set up and forgot about, and the shared printer in the corner of the office.

It’s called Shodan. And it’s been quietly mapping the entire internet since 2009.

What Shodan Actually Does

If Google is a librarian cataloguing books, then Shodan is more like someone walking up to every building in the world, testing the doorknobs and locks, and making a list.

When you connect a device to the internet—a webcam, a server, a thermostat, anything—it announces itself through open ports and services. Shodan listens to these announcements. Constantly. It scans billions of IP addresses, documenting what’s running, which ports are open, what software versions are active, and crucially, what’s accessible without authentication.

The results are searchable. Type in a product name, a service type, or even an error message, and Shodan shows you every exposed instance worldwide.

For security researchers, it’s invaluable. For system administrators who misconfigured something, it’s terrifying. For attackers looking for easy targets, it’s a shopping catalog.

It Exists Because it Matters

John Matherly created Shodan in 2009 as a research project. The name comes from SHODAN, the malevolent AI from the 1994 video game System Shock—a choice that tells you everything about how Matherly viewed the internet’s security posture even then.

The project went commercial around 2013, and it’s been growing ever since. Today, Shodan indexes roughly 500 million devices. Every day, it updates its database with fresh scans. The internet is constantly changing, and Shodan tracks every shift.

Here’s what makes it different from ordinary search engines: Shodan doesn’t wait for you to publish and broadcast information; it actively probes. When your router broadcasts its presence on port 80, Shodan notes it. When your database accidentally exposes itself on port 27017, Shodan catalogs it. When your industrial control system runs on default credentials, Shodan records that too.

This is not hacking. What it finds is already public by definition, and Shodan is but the observer. However, the line between observation and reconnaissance gets awfully thin when the observer has perfect memory and shares findings with everyone.

The Competition – Shodan shows them up

Shodan isn’t alone anymore. A few competitors have emerged, each with their own strengths.

Censys launched in 2015 out of the University of Michigan—more academically focused with superior certificate transparency data, but a smaller device index and steeper learning curve. ZoomEye came out of China in 2013 with solid Asian coverage and a decent free tier, though documentation skews heavily Chinese.

BinaryEdge started in Portugal in 2016, now owned by Trend Micro, offering good historical data but carrying the highest price tag.

Then there’s Fofa and Criminal IP, both newer entrants focused on specific regions.

Why Shodan keeps winning: It got there first, built the largest index, invested in documentation and community, and maintained the best search syntax. Network effects matter in security tools. When everyone’s building tools and scripts around one platform, switching becomes harder. Shodan has that lock.

What You Can Actually Find

Let me be specific about what Shodan reveals, because the examples get uncomfortable quickly (which is entirely my point).

Security researchers have used Shodan to discover:

  • Over 100,000 MongoDB databases exposed without authentication
  • Thousands of industrial control systems (SCADA) accessible from the public internet
  • Prison security systems with default credentials
  • Hospital equipment broadcasting patient data
  • Webcams in private homes with no password protection
  • Bitcoin mining operations running on compromised servers

In one memorable case, researchers found a nuclear power plant’s control systems partially exposed. Not the dangerous bits, thankfully, but enough to raise serious questions about segmentation and access control.

This isn’t theoretical. These are real findings from the past few years.

The OpenClaw Connection

You might have seen Shodan mentioned in recent coverage of OpenClaw, the AI agent that’s been making security headlines. Researchers used Shodan to discover hundreds of exposed OpenClaw instances—control panels that were supposed to be localhost-only, accidentally made public through misconfiguration.

Within hours of those instances being indexed, attackers had the list. That’s the problem with Shodan: discovery cuts both ways. The same tool that helps defenders find vulnerabilities also helps attackers find targets.

The Ethical Minefield

Here’s where things get complicated. Shodan publishes information that’s technically already public—anyone could scan for it—but making it searchable changes the equation entirely.

A single vulnerable device lost in billions of IP addresses is effectively invisible. That same device, indexed and searchable on Shodan, becomes a target within hours. Is that Shodan’s fault? Or the fault of whoever left it exposed?

The security community remains divided. Some argue Shodan provides an essential service by exposing the internet’s actual security posture. Others worry it weaponizes information, making attacks trivially easy for anyone with a subscription.

My take: Shodan reveals problems that already exist. The internet is scanning itself constantly anyway—automated bots probe for vulnerabilities 24/7. Shodan just makes the results visible. If that makes you uncomfortable, good. Maybe you’ll check your configurations.

This Happens To Everyone

Don’t believe the internet is constantly scanning? Check your firewall logs. Services like Palo Alto Networks, CensysInspect, and InternetMeasurement regularly attempt to connect to my system. My firewall refuses connection, of course, but the attempts happen daily—automated reconnaissance sweeping through IP ranges, testing ports, cataloging what responds.

These aren’t attacks, just annoyances. They’re exactly what Shodan does: mapping the internet’s topology, documenting what’s exposed. The difference is you’ll never see these connection attempts unless you’re looking. Shodan just makes the findings searchable.

Securing Your Home Connection: The Fundamentals

If you run any internet-facing infrastructure—or just want to protect your home network—here’s where to start:

Check what’s exposed. Visit Shields Up! or use your router’s port scanning feature to see which ports respond to external probes. Ideally, everything should show as “stealth” (not responding at all). Open ports mean exposed services.

Enable your router’s firewall. Modern routers include an internal firewall that’s enabled by default, but verify it’s actually running. This is your first line of defense against external connection attempts.

Review UPnP settings. Universal Plug and Play makes device setup convenient, but it also lets applications open ports automatically. Disable UPnP unless you have a specific reason to keep it enabled, then manually forward only the ports you actually need.

Monitor connection attempts. Enable logging on your router’s firewall and review the logs weekly. You’ll see constant scanning attempts from services like the ones I mentioned—CensysInspect, InternetMeasurement, and others. These attempts are normal. What’s not normal is seeing successful connections you didn’t authorize.

Update everything. Your router’s firmware, your IoT devices, your security cameras—everything connected needs current software. Set automatic updates where possible. Most devices exploited through Shodan searches are running outdated software with known vulnerabilities.

Change default credentials. Immediately. Every device ships with default usernames and passwords documented in manuals that anyone can download. These defaults are the first thing attackers try. Use unique, strong passwords for everything, and store them in a password manager.

Segment your network. <Advanced user alert> Most modern routers support guest networks, which are isolated from the devices on your main network. Use one to put IoT devices on a separate network from your computers and phones. If someone compromises your smart light bulb, they shouldn’t be able to reach your laptop.

Use a VPN for remote access. If you need to access your home network remotely, use a VPN rather than opening ports directly. Services like WireGuard or Tailscale are free, secure, and far safer than exposing SSH or RDP to the internet. I’m a fan of ProtonVPN, which you can use for free, with faster speeds included in premium plans, a nice bonus if you’re de-Googling like me.
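As an added example, not code from the post or from Shodan: a small Python script that applies the "monitor connection attempts" step above to a handful of constructed iptables-style router log lines, counting dropped probes per scanning source and flagging any accepted connection to a port you have not deliberately opened. The log format, the addresses and the allow list are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of router firewall log lines in the usual iptables/syslog style
# (made-up entries, not real data; addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Mar 12 03:14:07 router kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44121 DPT=22
Mar 12 03:14:09 router kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44122 DPT=80
Mar 12 03:14:11 router kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44123 DPT=443
Mar 12 03:15:02 router kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=27017
Mar 12 03:16:30 router kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=192.0.2.90 DST=203.0.113.10 PROTO=UDP SPT=40000 DPT=51820
Mar 12 03:17:45 router kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44200 DPT=3389
"""

# Pull the action, source address, protocol and destination port out of one line.
LINE_RE = re.compile(r"\[FW-(?P<action>DROP|ACCEPT)\].*?SRC=(?P<src>[\d.]+)"
                     r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

def parse_log(text):
    """Yield (action, src, proto, dport) for each line that looks like a firewall event."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["action"], m["src"], m["proto"], int(m["dpt"])

def summarize(text, authorized):
    """Split background scanning noise from accepted connections you did not authorize.
    `authorized` is the set of (proto, dport) pairs you deliberately expose,
    e.g. {("UDP", 51820)} for a WireGuard endpoint.
    """
    drops = Counter()                # dropped probes per source address
    ports_by_src = defaultdict(set)  # which ports each source tried
    unexpected = []                  # ACCEPTs to ports outside the allow list
    for action, src, proto, dport in parse_log(text):
        if action == "DROP":
            drops[src] += 1
            ports_by_src[src].add(dport)
        elif (proto, dport) not in authorized:
            unexpected.append((src, proto, dport))
    return {"drops_by_source": dict(drops),
            "ports_probed": {s: sorted(p) for s, p in ports_by_src.items()},
            "unexpected_accepts": unexpected}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, authorized={("UDP", 51820)})
    for src, n in report["drops_by_source"].items():
        print(f"scanner {src}: {n} dropped probes on ports {report['ports_probed'][src]}")
    for src, proto, dport in report["unexpected_accepts"]:
        print(f"REVIEW: accepted {proto}/{dport} from {src}, not in your allow list")
```

The dropped probes are the daily scanning noise the post describes; the one line worth acting on is the accepted TCP/3389 connection, because it is not in the allow list.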

The Bigger Picture

Shodan exists because the internet was built to be fundamentally transparent. We created a global network where devices announce themselves, services broadcast their versions, and misconfigurations become instantly visible to anyone looking.

That transparency enables efficiency and convenience—automatic service discovery, load balancing, peer-to-peer networking. But as with every technological convenience, it also means compromises and risk for privacy and security. Default settings rarely favor safety.

Shodan didn’t create this problem. It just made it impossible to ignore.

Sixteen years after its launch, Shodan remains the most comprehensive map of the internet’s actual security posture. Not the polished websites and carefully crafted public faces, but the messy reality of billions of connected devices, many of them poorly configured, running outdated software, and trusting networks they shouldn’t.

If that map makes you nervous, good. It should. Now go check your router.

About Brendon

Brendon Brown is a fractional CTO and digital strategist working with private brands, religious institutions, and mid-market businesses that refuse to settle for mediocre technology. Fourteen years in digital marketing, IT infrastructure, and eCommerce migrations taught him that most companies are running on systems that actively work against them — bloated, expensive, badly integrated, and genuinely ugly. He fixes that. The technical side is table stakes: process automation, marketing stack deployment, complex migrations handled in-house. What sets the work apart is the refusal to treat aesthetics as optional. Your website is your reputation engine. If it looks like everyone else’s, you’ve already lost.
