Release Notes: 2025

Shodan Monitor

Keep track of what you have exposed to the Internet and get notified of changes: https://monitor.shodan.io

Added

Webhook payload now includes alert and asset group information: Webhook POST requests now contain alert and asset group details in the request body
ai default trigger: Added “ai” to the list of default alert triggers
New asset search filter: Browse monitored assets using the new asset: query filter with support for the after parameter to match dashboard information
Vulnerability information in events: Event Detail page now displays vulnerability information for better security visibility
Hostname information in events: Asset Updated events now include hostname information for improved context
Expanded port coverage: Added 1,000+ ports to the scanning list

Changed

Email notifications now link directly to events: Notification emails now link directly to the specific event instead of the general Events Log
Domain-based notifications filtered by hostname: For domain-based assets, notifications for ports 80/443 are now only sent when the hostname belongs to the asset group domain, reducing noise from unrelated services
Improved asset group name formatting: Better visual presentation of asset group names
Reduced DNS asset group timeframe: Changed from 48 hours to 24 hours for DNS-based asset groups to mitigate issues with frequently changing cloud IPs
Optimized rescan algorithm: Networks are now bucketed into /24 prefixes maximum
Increased rescan frequency: Rescans can now happen more frequently than once per day when capacity allows
Performance improvements

Fixed

Placeholder IP handling: Use placeholder IP (1.1.1.1) for domains/hostnames without current DNS information and for query-based asset groups with no search results
DNS update stability: Prevent constant IP switching events when DNS queries fail intermittently for domain-based asset groups

Shodan Enterprise

Bulk data files, unlimited network monitoring and tools to manage access for your entire organization: https://enterprise.shodan.io

Added

Dataset table headers and timestamps: The dataset view now displays table headers and timestamps for better data organization and clarity

Changed

Redesigned datasets layout: Improved the visual layout of the datasets page for a cleaner appearance, with links to documentation where available
Documentation migration: Updated documentation links to use the new https://book.shodan.io domain
Platform technical information: Updated platform technical details to reflect current specifications (more ports, more data, larger infrastructure)

Fixed

Access portal menu: Resolved an issue where the access portal menu was unclickable

Shodan Trends

See how search query results have changed over time: https://trends.shodan.io

Added

IPv6 Support: Added support for IPv6 addresses in the net filter, enabling searches across IPv6 address ranges
Dynamic Facet Aggregation: City and version facets now dynamically aggregate based on search query context
Query Caching: Implemented cached queries with configurable expiration time for improved website performance
Export to CSV: Added ability to export trend data to CSV format
Timeline Playback: Added play/pause functionality for timeline visualization with keyboard controls (Backspace)
Filter Lines Feature: New filter box showing line colors for easier data filtering
Explore Page Data Endpoint: Created dedicated /explore/data endpoint for optimized data fetching

Changed

VueJS Frontend: Complete migration to VueJS framework with modern component architecture
- Reorganized navigation with hash-based routing
- Updated responsive mobile layouts and tooltip positioning
Search Optimization: Multiple performance improvements to search engine
JSON Response Format: Changed data structure from {value, count} to [value, count], reducing JSON size by over 50%
Theme Support: Added proper dark theme support including cyberpunk and outrun themes inheriting dark colors

Deprecated

cloud.* Filters: Hidden cloud-related filters as they are not currently indexed

Fixed

Data Accuracy:
- Fixed incorrect bucket aggregation counts when displaying charts
- Corrected Trends response data when requested via API/CLI
- Fixed wrong data generated for missing months affecting world map display
World Map: Fixed country selection through world map automatically selecting all lines
API Responses: Fixed API data response format and error display
Query Handling:
- Fixed queries with no results incorrectly raising 500 errors
- Fixed search queries with quotes
Frontend Issues:
- Fixed FacetPage not rebuilding on data store updates
- Fixed line chart rendering issues
- Fixed dark theme not applying correctly based on account settings
- Fixed DataTables scrolling and highlighting behavior

Performance

Query Optimization: Reduced unnecessary requests to indices with no results
Aggregation Efficiency: Reduced number of index buckets (frontend fills missing months)
Cache Improvements: Added module-level caching for country code lookups
Search Function: Optimized search function with improved CPU utilization
File Processing: Implemented chunked reading for .zst and .json.gz files
Frontend Loading: Added deferred rendering for DataTables and preloading for vendor assets

Shodan API

Everything at Shodan is powered by an API. This is the main API for the search engine, IP lookups and network monitoring: https://developer.shodan.io/api

Added

New asset search filter: Filter search results by assets configured in Shodan Monitor, making it easier to focus on your monitored infrastructure
TTL included in DNS domain lookups: DNS lookup results now include TTL (Time To Live) values for more complete DNS information
API usage statistics endpoint: New stats parameter on /api-info returns daily and monthly API usage statistics with the 30 most recent days of data
New search filters and facets:
- http.dom_hash and http.title_hash for HTTP content fingerprinting
- http.server_hash for server identification
- open_dir.hash and open_dir.extension for open directory analysis
- HTTP identifier filters and facets
New bulk data datasets:
- cloud dataset for cloud and CDN provider information
- whoisdb dataset for IP WHOIS data
- internet-scanners dataset for known scanner identification
- ping dataset daily ICMP sweep of the Internet
Parquet file support: Bulk data listings now support .parquet files with Zstd compression

Changed

Facet size limits based on subscription: Facet result sizes are now limited based on the user’s subscription level
Improved API usage stats formatting: Stats now show calendar-based daily data with “0” for inactive days, with clearer property names (month, date)
Bulk data cache reduced to 1 minute: File listings now refresh every minute instead of hourly, ensuring access to the most recent data files
Alerts page size increased: Alert listings now return up to 10,000 items to better accommodate users with many configured alerts
Organization account limits: Added limits on the number of accounts that can be added to an organization
More unique scroll hashes: Scroll identifiers are now more unique to prevent conflicts when the same query runs concurrently
Scroll retry complexity: Removed special handling for scrolling into larger pages that could cause issues during data download retries
Filtered empty banners: Skip indexing empty banners from:
- Google services (millions of empty records)
- Incapsula
- Cloudflare
Honeypot optimization: Skip indexing larger properties for honeypots to improve index efficiency
Updated CVSS scoring to use latest version: Vulnerability scoring now uses the most recent CVSS version available instead of CVSSv2, providing more accurate and up-to-date risk assessments

Fixed

InternetDB file listing: Fixed issue with InternetDB bulk data file listings
DNSDB file listing: Fixed bug preventing customers from downloading dnsdb.sqlite files from the previous month
Ping dataset listing: Fixed to return the most recent files correctly
Private TLD DNS lookups: Private domains with DNS records are now properly looked up by TLD in the database
IP lookup validation: Fixed crash when users request invalid IP addresses
Historical IP lookup timeouts: Added fallback to smaller result sets (100 rows) when full queries (1,000 rows) time out
Corporate membership upgrades: Fixed bug that incorrectly limited membership upgrades for Corporate customers
Tools endpoints: Fixed various issues with /tools API endpoints

Infrastructure

Kubernetes migration: API infrastructure migrated to Kubernetes
Performance improvements: Increased server resources, replica counts, and request timeouts to improve reliability

Shodan Book

We’ve launched a new website to consolidate our documentation:

https://book.shodan.io

Added

Guide for using n8n-nodes-shodan community node integration
Documentation for RoutesDB dataset
Documentation for WhoisDB dataset
Section on tailored solutions for enterprise customers
Organization management page documentation
Shodan Trends documentation
Article explaining the difference between open ports and services
Reference to bulk data in enterprise section
Page listing all scanned ports
Timeframe information for domain-based asset groups
Basic section on Developer APIs
Webhook validation code sample
Documentation for “internet-scanners” dataset with daily cadence information
Telegram notifier documentation
CVEDB dataset page
Slack notifier setup steps
shodan-hash command documentation
Slack notifier documentation
Datapedia website documentation
Shodan Monitor section with comprehensive documentation
Websites section documenting Shodan web properties
Getting Started section
Behind the Scenes section
Updated changelog documentation
geodns command documentation
geoping command documentation
nrich command documentation
strend command documentation
Command-line tools section

Shodan Search Engine

The main Shodan website that lets you search across the Internet: https://www.shodan.io

Added

Advanced Search page: New dedicated page for building complex search queries, with quick access buttons added to the Dashboard, Filters, and Examples pages
Whois integration: View domain registration information directly within the Shodan website, including last updated timestamps for Whois data
IP Timeline view: Restored the IP history page, now renamed to “Timeline” to better reflect that it shows recently collected data rather than complete historical records
Hashes table: Display file hashes on the Host info page
Copy to clipboard: Added ability to copy data directly to clipboard
Trends cache indicator: Search results on Trends now show whether the query was served from cache
Vulnerability search filter: Added support for the has_vuln search filter to find hosts with known vulnerabilities

Changed

Responsive layout: Improved page layouts for better display across different screen sizes
CVE UI updates: Refreshed the vulnerability information display
Host info page improvements: Updated layout and information presentation
JSON tree improvements: Better handling of string values and multi-line data formatting
Banner data display: Non-standard labels are now highlighted for easier identification
UTF-8 handling: Improved decoding for HTTP titles and HTML content
Documentation: Updated port scanning documentation to reflect current crawler coverage

Fixed

Host page crashes: Resolved issues causing the host information page to crash, including problems with special characters (< and >) in CVE summaries
JSON tree display: Fixed issue where string values without newline characters weren’t displayed correctly
JSON tree exceptions: Resolved various exception errors in the JSON tree component
Globe icon display: Fixed missing globe icon for HTTP banners without favicons
Asset filter downloads: Fixed bug preventing users from downloading results when using the asset search filter

Shodan Data Status

We launched a new website to show high-level information about the data that Shodan has collected the past 24 hours:

https://data-status.shodan.io

Added

JSON Download Section: Added ability to download data in JSON format with a dedicated UI section
Data Quality Metrics: Comprehensive data quality metrics with additional analysis views
Yesterday Comparison: Compare current data metrics with yesterday’s data for trend analysis
Port Analysis: In-depth port analysis with limited ports view and heatmap distribution visualization
Pagination & Sorting: Enhanced table pagination and sorting across all data views including detail pages

WhoisDB and RoutesDB

Added

Whois Database Integration: Added comprehensive Whois data crawling and storage capabilities
- New Whois crawler for collecting registration data
- RDAP data integration for expanding prefix information
- Handle and parent handle tracking for ownership chains
Country Information: Added country data to route records for geographic context
Organization Data: Routes database now includes organization information alongside ASN data
- Export support for JSON and SQLite formats

Changed

Crawler Optimizations:
- Prioritized processing of records with empty raw data
- Improved rate limiting handling for LACNIC queries
Prefix Sorting: Added sorting step before building MMDB files for consistent output

Fixed

Whois MMDB Generation: Fixed issues with Whois MMDB file creation
Missing Prefixes: Resolved issue where some prefixes were not being included in output
Stale Data: Fixed bug where stale data was not being updated properly
Country Lookup: Return None instead of ‘not found’ string for missing country data

Shodan DNSDB

Shodan collects billions of DNS records and makes the information available via the /dns/domain/ endpoint of the API as well as several bulk data files.

Added

Added PTR record scanning for Internet IPv4 addresses and database IPs
Added Parquet export format with Zstd compression for improved query performance and smaller file sizes
Added last_seen timestamp to daily data files for tracking record freshness
Added options column export for checking valid DNS records based on TTL
Added TTL (Time-To-Live) information to DNS records
Added daily DNSDB data files containing looked-up records for that day
Added ability for users to submit hostname lists and subscribe for real-time scan results
Added DMARC detection for domains

Changed

Optimized daily file generation and upload process
Changed to Zstd compression for new data files (faster than gzip)
Removed ip_hostname table from dnsdb.sqlite to reduce size (~250GB savings)
Optimized A/AAAA record refresh schedule to twice per week
Improved domain validation
Corrected domain suffix parsing with PSL (Public Suffix List) private domains
Added validation for CommonCrawl subdomains before database insertion

Fixed

Fixed missing DNS records for private domains
Fixed AAAA records not being produced for user-scanned hostnames
Fixed Zstd decompression errors from improperly closed files
Fixed invalid gzip files during unload operations

Removed

Removed ip_hostname table from weekly SQLite exports (moved to separate Parquet)

Internet Exposure Dashboard

Understand Internet exposure by country: https://exposure.shodan.io

Added

Czechia (CZ) support: Added Czechia as a supported country with custom state/region mappings for accurate geographic data representation
New Zealand (NZ) support: Added New Zealand as a supported country for exposure dashboards

Help Center

Articles that answer common questions: https://help.shodan.io

Added

Events Log documentation for Shodan Monitor: Added a new article explaining how to use the Events Log feature in Shodan Monitor to track and review monitoring activity: https://help.shodan.io/shodan-monitor/events-log
Data timeframes reference guide: Added documentation outlining the different data retention timeframes used across various Shodan APIs and websites: https://help.shodan.io/mastery/data_timeline
Microsoft Copilot for Security integration guide: Added a comprehensive guide for using the Shodan plugin with Microsoft Copilot for Security: https://help.shodan.io/integrations/microsoft-copilot-security

Changed

Webhook documentation updates: Updated webhook docs to include the new _shodan.alert property and added information about the dedicated webhook proxy at webhook.monitor.shodan.io: https://help.shodan.io/developer-fundamentals/monitor-webhooks
IP history clarification: Clarified that the history API does not include the full IP history: https://help.shodan.io/mastery/data_timeline
Graylog integration: Updated the Graylog releases link to point to the correct location: https://help.shodan.io/integrations/graylog-integration

Shodan Crawler

The crawler is responsible for identifying services and collecting banners (see https://datapedia.shodan.io)

Added

Detection for RADIUS
MQTT SSL detection
Networked Transport of RTCM via Internet Protocol
Advanced Device Discovery Protocol for Digi devices
OpenClaw fingerprint and control port detection
Rlogin server detection
ZeroMQ message queue detection
NMEA product detection for GPS/marine devices
NSQ message queue detection
IBM Message Queue module
Apache Dubbo host scanning
Dogecoin node detection
Litecoin node detection
WebLogic detection
Bigfix detection
Ingenico terminals
Spice protocol with product, version, and CPE
Executable and Linkable Format file detection
Supabase database detection
AWS Redshift detection
PgBouncer instances
Milvus vector database detection
Dgraph graph database detection
Chroma vector database detection
Apache Druid database detection
Skytable database detection
Improved TiDB recognition (previously misidentified as MySQL), added CPE
Ollama detection and enrichment with CPE
ComfyUI detection
FlowiseAI detection with CPE
Langflow product detection with version and CPE
TorchServe exposure detection
n8n automation workflow detection
LobeChat AI detection
Ray dashboard honeypot detection
Apache Flink plugin detection with EOL database update
Improved Apache Spark detector
Airflow detection
Apache Skywalking detection and monitoring services
Apache Superset detection with EOL status
Prefect workflow orchestration detection with CVE and CPE
OpenObserve observability platform detection
Added CPE for Portainer
Rule detection for Jupyter notebooks
Rocket Chat detection
Improved Confluence detection with title rule
Moodle version detection with CPE
Jellyfin media server detection with CVEs, CPE, and metadata
Check Point Quantum Spark and SSL Network Extender CPE
Authentik identity provider detection with version and CPE
Updated Cobalt Strike plugin
Adaptix C2 framework detection
TP-Link Kasa encrypted protocol
TP-Link VIGI and Mercury IP camera detection
Shelly smart home device plugin
Broadlink device detection
Huawei Home Gateway information extraction
Metadata extraction from TilginAB HomeGateway
DD-WRT firmware scanning with metadata, version, build number
Draytek Vigor updated databases and improved model detection
GL.iNet router detection
Auerswald Compact PBX VoIP Series detection
D-Link ShareCenter NAS detection
AirPlay new Apple device detection
Seven Days To Die detection
Satisfactory dedicated server
FictusVNC honeypot detection
Clawdbot/Moltbot detection
Detection of Quad7 botnet variants and compromised AVTech cameras
Draytek honeypot detection
Confluent and Ray dashboard honeypots
Multiple additional honeypot signatures for K8s and Linode deployments
Vulnerability detection for Citrix Netscaler (CVE-2025-5777)
Anti-spoofing for MSSQL monitor
Anti-spoofing check for GTP protocol
Anti-spoofing check for NetBIOS module
Product, OS, and Version fingerprinting from HTTP server banners
Product, OS, Version, and CPE from SNMP system descriptions
CPE mapping support for WAF detection
http.identifiers: New HTTP identifiers property to store unique IDs from pixel/ ad/ analytics trackers
New HTTP hash properties (http.server_hash, http.title_hash, http.dom_hash)
Support for HTTP Content-Encoding header
Open directory information extraction (open_dir property and tag)
Improved PHP version detection
CPEs automatically added to banners with products missing CPE
Updated web component technologies database
proxy tag for Squid proxies and others
Exoscale cloud IP range support
Expanded port coverage
Added default SSH port for T-Pot
Added Veeam backup ports
Improved detection of Fortinet devices
Updated EOL database with PHP, Tarantool, CouchDB, PAN-OS
Updated Datapedia schema with Apache Skywalking, TilginAB, and new properties
Updated Cisco IronPort fingerprint to be less model-specific

Fixed

Fixed SharePoint fingerprinting issues
Fixed base64-encoded response validation in Citrix NetScaler detection
Fixed bug when end of life minimum version is unavailable
Fixed ELF version output to be string instead of integer
Fixed HTML detection when charset is inside single quotes; added non-UTF-8 charset support
Fixed Superset end-of-life detection
Changed dictionary module to only return data if not None
Fixed inability to get FortiGate certificate
Fixed detection for Bitcoinwire and Bitcoin ABC nodes
Fixed Wyze smart home plugin
Fixed and improved DD-WRT plugin
Fixed Apache Dubbo module
Removed inaccurate version value for MinIO
Fixed duplicate text issue in PHP version detection
Fixed OpenSSH CPE fingerprint not identifying Ubuntu
Fixed TP-Link Kasa module
Fixed and updated IBM cloud ranges