ShadowTrackr

Integrations

You can integrate ShadowTrackr in two ways. The first is to pull ShadowTrackr data into another application, which you do with the API.

The second way is to have ShadowTrackr use data from other systems. You can build this yourself with the API as well, but we have some built-in integrations that do it for you. You only have to enter your API key and enable the integration, no code required :-)

You can find the built-in integrations under Settings in the GUI.


Shodan

Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.

The big difference with ShadowTrackr is that Shodan scans a large part of the hosts on the internet and mostly focuses on ICS and IoT. So if Shodan scans a host, more ports are scanned and more port data is available than you get from a ShadowTrackr scan. ShadowTrackr scans all your assets and all related infrastructure (not the entire internet), and tracks your historic data. In short: ShadowTrackr is more suited for discovering and monitoring your entire attack surface, while Shodan is more suited for in-depth port scans and ICS/IoT. If you need more port data or expect to find ICS/IoT, then enabling the Shodan integration is useful.

When scanning subnets for new hosts, results can differ. Not all scans are the same, and some scans may be blocked while others are not. The same is true for the IP addresses of the scanner nodes. If you expect this to be the case, then enabling the Shodan integration is also useful. It might result in new hosts being found and a better view of your attack surface. Once a host is found through Shodan, ShadowTrackr will discover and process all infrastructure related to the new host as usual.

Shodan data is pulled into ShadowTrackr the first time an asset is found and then renewed every three days. Note that if you use the ShadowTrackr API and want to include the raw Shodan data, you have to set the full parameter to True. See exporting raw data for details.

Censys


Censys is an internet intelligence platform that allows users to search for hosts and services exposed on the public internet using a wide range of structured filters. It collects and indexes data from continuous internet-wide scans, including protocol handshakes and service metadata, giving users visibility into how systems are configured and exposed.

The main difference with ShadowTrackr is that Censys performs large-scale scanning across the global internet and provides detailed protocol-level insights based on its own scanning methodology. This often results in richer contextual information about certificates, service configurations, and exposure trends. ShadowTrackr, on the other hand, focuses on discovering and monitoring your own assets and all related infrastructure rather than scanning the entire internet. It also maintains historical visibility of your attack surface over time. In short: ShadowTrackr is better suited for continuous attack surface discovery and monitoring, while Censys is more suited for broad exposure research and detailed internet-wide service intelligence. If you need additional context about how your assets appear externally or want to identify exposures discovered by independent global scans, enabling the Censys integration can be valuable.

When scanning IP ranges or subnets for new hosts, differences in scan coverage and timing can lead to varying results. Some networks may block certain scanner sources while allowing others, and scanning frequency can also affect what is detected. In such cases, enabling the Censys integration may help uncover hosts or services that were not initially identified, improving overall visibility into your external attack surface. Once a host is identified through Censys, ShadowTrackr will automatically correlate and map all related infrastructure as part of its normal discovery process.


Shadowserver


Shadowserver is a threat intelligence organization that collects and distributes security data about malicious activity, exposed services, and vulnerabilities observed across the internet. Its remediation reports help network owners identify infected systems, misconfigurations, and other security issues affecting their infrastructure.

The main difference with ShadowTrackr is that Shadowserver gathers intelligence from large-scale external sources and shares this information through targeted reports. These reports can be used to enrich asset discovery and provide additional host data that may not be identified through regular attack surface scans. ShadowTrackr focuses on scanning and monitoring your organization’s infrastructure in depth, maintaining historical visibility and providing extensive reporting capabilities. In short: ShadowTrackr is better suited for continuous attack surface management, while Shadowserver is more suited for receiving external threat intelligence and alerts about security issues detected in the wild.

Because Shadowserver uses different collection methods and vantage points, it may detect assets or incidents that ShadowTrackr has not yet discovered. Integrating Shadowserver data can therefore improve discovery and provide useful alerts that enhance visibility into potential risks affecting your environment. Future versions of the integration may expand support for additional alert types.

When configuring the integration, it is important to understand the scope of the Shadowserver reports you receive. Some organizations — such as industry CERTs or law-enforcement agencies — may receive data covering entire sectors or jurisdictions. In such cases, enabling the “no suggestions” option in ShadowTrackr helps prevent large numbers of unrelated assets from being added as discovery suggestions.
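
One way to check the scope of a report before deciding on the “no suggestions” option is to measure how many reported hosts fall outside your own netblocks. This is an added example, not ShadowTrackr or Shadowserver code; the simplified CSV columns, the sample rows, the `OWN_NETWORKS` list and the 20% threshold are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample: simplified rows in the style of a Shadowserver CSV report.
# Column names and values are illustrative and use documentation address ranges.
SAMPLE_REPORT = """timestamp,ip,port,tag
2024-01-01 00:00:00,192.0.2.10,443,ssl
2024-01-01 00:00:01,192.0.2.77,22,ssh
2024-01-01 00:00:02,198.51.100.5,3389,rdp
2024-01-01 00:00:03,203.0.113.9,23,telnet
2024-01-01 00:00:04,2001:db8:1::5,443,ssl
2024-01-01 00:00:05,not-an-ip,80,http
"""

# Assumption: the netblocks your organization actually owns.
OWN_NETWORKS = ["192.0.2.0/24", "2001:db8:1::/48"]


def split_by_scope(report_text, own_networks):
    """Partition report rows into in-scope, out-of-scope and unparseable IPs."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    result = {"in_scope": [], "out_of_scope": [], "invalid": []}
    for row in csv.DictReader(io.StringIO(report_text)):
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            # Keep malformed values visible instead of silently dropping them.
            result["invalid"].append(row["ip"])
            continue
        # Compare only against networks of the same IP version.
        owned = any(addr.version == n.version and addr in n for n in nets)
        result["in_scope" if owned else "out_of_scope"].append(str(addr))
    return result


def report_is_broader_than_org(result, threshold=0.2):
    """True when the share of out-of-scope hosts exceeds the (assumed) threshold."""
    total = len(result["in_scope"]) + len(result["out_of_scope"])
    return total > 0 and len(result["out_of_scope"]) / total > threshold


if __name__ == "__main__":
    scoped = split_by_scope(SAMPLE_REPORT, OWN_NETWORKS)
    print(scoped)
    print("report broader than own footprint:", report_is_broader_than_org(scoped))
```

A high out-of-scope share indicates a sector-wide or jurisdiction-wide feed, which is the case where suppressing suggestions avoids flooding discovery with unrelated assets.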

Shadowserver data can be imported into ShadowTrackr to enrich host information and support asset discovery workflows. By correlating this external intelligence with internally discovered infrastructure, ShadowTrackr provides a more complete and actionable view of your organization’s external attack surface.