After this lesson, you will be able to: Use Shodan, Censys, VirusTotal, and URLscan.io to investigate suspicious infrastructure, files, and domains during a threat intel investigation.
OSINT tools turn a single IoC into context. This lesson covers the four canonical free-tier tools every threat analyst uses daily and the workflow that ties them together.
Shodan, an internet-wide port scanner with historical data. Search by IP, service banner, JARM hash, ASN. Censys, similar to Shodan with better TLS-certificate search. Pivot from a leaked cert to every server using it. VirusTotal, file + URL + IP reputation. Upload a file or paste a URL and get scanner verdicts plus passive DNS data. URLscan.io, automated browser-based URL inspection. Shows the rendered page, DOM, network traffic, and screenshots without you visiting the URL.
Sign up for free at shodan.io for ~50 lookups per month.
Paste a suspicious IP into Shodan search; record the open ports, service banners, and observed certificates
Note any JARM hash (TLS fingerprint that identifies the server software stack); the same JARM across multiple IPs often indicates the same operator
Use the 'related' tab to find other servers in the same ASN or with similar fingerprints
Export findings: IP, ports, JARM, certificate CN, hosting provider
Flag the IP in your IoC list with the context you found
Censys's strength is certificate search. This is how you find an entire C2 fleet from one leaked cert.
Find a suspicious certificate (e.g., self-signed, expired, or with unusual CN field) on a known malicious host
In Censys, search for hosts using that certificate's SHA-256 fingerprint
Review the resulting host list, these are likely peers in the same campaign
For each, capture port banners and any other certs; build a graph of the campaign infrastructure
Export the host list as JSON for ingestion into your SIEM as new IoCs
VirusTotal is the first stop for any suspicious indicator.
Paste a SHA-256 hash, a URL, or a file into VirusTotal
Review the scanner results, NOT just the 'detection ratio' (vendors often disagree on edge cases). Look for high-confidence vendors (Microsoft, ESET, Kaspersky, Bitdefender)
Click the Details tab for sandbox behaviours: child processes, registry edits, network beacons, dropped files
Review the Relations tab: passive DNS, ITW URLs, communicating files. This is where the threat-actor pivot lives.
Flag the hash in your IoC list with context (sandbox-observed behaviour, related infrastructure, suspected family)
Never click a suspect URL directly. URLscan.io renders it for you in a sandbox.
Paste the URL at urlscan.io and submit a scan (public or unlisted depending on sensitivity)
Review the rendered screenshot, the page source, and the network requests
Note any redirects, exfiltration endpoints, or credential-harvest forms
Download the DOM snapshot and the HAR file for evidence preservation
Flag the URL in your IoC list
Treating VirusTotal's detection ratio as truth. 5/70 from low-confidence vendors is less meaningful than 1/70 from Microsoft Defender's heuristic. Pivoting from one IoC and missing the campaign. One bad hash usually has 10+ related files in VirusTotal's Relations tab. Submitting sensitive samples to VirusTotal public. Once uploaded, the sample is searchable; if it's a customer artefact under NDA, don't upload it. Forgetting passive DNS. The relationship between domains and IPs over time often reveals the actor's hosting pattern. Using only one tool. Shodan misses some hosts Censys finds and vice versa; cross-validate.
Pick the safest first step.
Sign in and purchase access to unlock this lesson.