Censys · Capability
Censys Platform — Threat Hunting
Censys Platform — Threat Hunting. 13 operation(s). Lead operation: Censys CensEye: List Jobs. Self-contained Naftiko capability covering one Censys business surface.
What You Can Do
GET
V3 threathunting censeye jobs list
— Censys CensEye: List Jobs
/v1/threat-hunting/censeye/jobs
POST
V3 threathunting censeye jobs create
— Censys CensEye: Create a Pivot Analysis Job
/v1/threat-hunting/censeye/jobs
GET
V3 threathunting censeye jobs get
— Censys CensEye: Get Job Status
/v1/threat-hunting/censeye/jobs/{job_id}
GET
V3 threathunting censeye job results
— Censys CensEye: Get Job Results
/v1/threat-hunting/censeye/jobs/{job_id}/results
GET
V3 threathunting get host observations with certificate
— Censys Get Host History for a Certificate
/v1/threat-hunting/certificate/{certificate_id}/observations/hosts
GET
V3 threathunting endpoint observations on host
— Censys Get Endpoint Observation History for a Host
/v1/threat-hunting/host/{ip}/observations/endpoints
GET
V3 threathunting fingerprint observations on host
— Censys Get Fingerprint Observation History for a Host
/v1/threat-hunting/host/{ip}/observations/fingerprints
GET
V3 threathunting threats on host
— Censys Get Threat History for a Host
/v1/threat-hunting/host/{ip}/observations/threats
POST
V3 threathunting scans discovery
— Censys Live Discovery: Initiate a New Scan
/v1/threat-hunting/scans/discovery
GET
V3 threathunting scans get
— Censys Get Scan Status
/v1/threat-hunting/scans/{scan_id}
GET
V3 threathunting threats list
— Censys List Active Threats
/v1/threat-hunting/threats
POST
V3 threathunting value counts
— Censys CensEye: Retrieve Value Counts to Discover Pivots
/v1/threat-hunting/value-counts
GET
V3 threathunting threats on web
— Censys Get Threat History for a Web Property
/v1/threat-hunting/web/{webproperty_id}/observations/threats
MCP Tools
censys-censeye-list-jobs
Censys CensEye: List Jobs
read-only
idempotent
censys-censeye-create-pivot-analysis
Censys CensEye: Create a Pivot Analysis Job
censys-censeye-get-job-status
Censys CensEye: Get Job Status
read-only
idempotent
censys-censeye-get-job-results
Censys CensEye: Get Job Results
read-only
idempotent
censys-get-host-history-certificate
Censys Get Host History for a Certificate
read-only
idempotent
censys-get-endpoint-observation-history
Censys Get Endpoint Observation History for a Host
read-only
idempotent
censys-get-fingerprint-observation-history
Censys Get Fingerprint Observation History for a Host
read-only
idempotent
censys-get-threat-history-host
Censys Get Threat History for a Host
read-only
idempotent
censys-live-discovery-initiate-new
Censys Live Discovery: Initiate a New Scan
censys-get-scan-status
Censys Get Scan Status
read-only
idempotent
censys-list-active-threats
Censys List Active Threats
read-only
idempotent
censys-censeye-retrieve-value-counts
Censys CensEye: Retrieve Value Counts to Discover Pivots
read-only
censys-get-threat-history-web
Censys Get Threat History for a Web Property
read-only
idempotent
Capability Spec
naftiko: 1.0.0-alpha2
info:
label: Censys Platform — Threat Hunting
description: 'Censys Platform — Threat Hunting. 13 operation(s). Lead operation: Censys CensEye: List Jobs. Self-contained Naftiko capability covering one Censys business surface.'
tags:
- Censys
- Platform
- Threat Hunting
created: '2026-05-29'
modified: '2026-05-29'
binds:
- namespace: env
keys:
CENSYS_PERSONAL_ACCESS_TOKEN: CENSYS_PERSONAL_ACCESS_TOKEN
capability:
consumes:
- type: http
namespace: platform-threat-hunting
baseUri: https://api.platform.censys.io
description: Censys Platform — Threat Hunting business capability. Self-contained, no shared references.
authentication:
type: bearer
token: '{{env.CENSYS_PERSONAL_ACCESS_TOKEN}}'
resources:
- name: v3-threat-hunting-censeye-jobs
path: /v3/threat-hunting/censeye/jobs
operations:
- name: v3-threathunting-censeye-jobs-list
method: GET
description: "Censys CensEye: List Jobs"
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: page_size
in: query
type: integer
required: false
description: Number of results per page (max 100)
- name: page_token
in: query
type: string
required: false
description: Pagination token from previous response
- name: host_id
in: query
type: string
required: false
description: Filter by host IP address.
- name: webproperty_id
in: query
type: string
required: false
description: Filter by web property (hostname:port).
- name: certificate_id
in: query
type: string
required: false
description: Filter by certificate SHA-256 fingerprint.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threathunting-censeye-jobs-create
method: POST
description: "Censys CensEye: Create a Pivot Analysis Job"
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: body
in: body
type: object
required: true
description: Request body.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-censeye-jobs-job-id
path: /v3/threat-hunting/censeye/jobs/{job_id}
operations:
- name: v3-threathunting-censeye-jobs-get
method: GET
description: "Censys CensEye: Get Job Status"
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: job_id
in: path
type: string
required: true
description: The unique identifier of the CensEye job.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-censeye-jobs-job-id-results
path: /v3/threat-hunting/censeye/jobs/{job_id}/results
operations:
- name: v3-threathunting-censeye-job-results
method: GET
description: "Censys CensEye: Get Job Results"
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: job_id
in: path
type: string
required: true
description: The unique identifier of the CensEye job.
- name: page_size
in: query
type: integer
required: false
description: Number of results per page (max 100)
- name: page_token
in: query
type: string
required: false
description: Pagination token from previous response
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-certificate-certificate-id-observations-hosts
path: /v3/threat-hunting/certificate/{certificate_id}/observations/hosts
operations:
- name: v3-threathunting-get-host-observations-with-certificate
method: GET
description: Censys Get Host History for a Certificate
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: certificate_id
in: path
type: string
required: true
description: SHA-256 hash of the certificate
- name: start_time
in: query
type: string
required: false
description: Only show ranges ending at or after this time (ISO 8601)
- name: end_time
in: query
type: string
required: false
description: Only show ranges starting at or before this time (ISO 8601)
- name: port
in: query
type: integer
required: false
description: The port to filter by
- name: protocol
in: query
type: string
required: false
description: The transport protocol to filter by
- name: page_token
in: query
type: string
required: false
description: Pagination token from previous response to retrieve next page of results
- name: page_size
in: query
type: integer
required: false
description: Number of results per page. Maximum 100, defaults to 100 if not specified
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-host-ip-observations-endpoints
path: /v3/threat-hunting/host/{ip}/observations/endpoints
operations:
- name: v3-threathunting-endpoint-observations-on-host
method: GET
description: Censys Get Endpoint Observation History for a Host
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: start_time
in: query
type: string
required: false
description: Start of date range (RFC3339 format, e.g., 2024-01-01T00:00:00Z). If not specified, defaults to the maximum query window back from the end time.
- name: end_time
in: query
type: string
required: false
description: End of date range (RFC3339 format, e.g., 2024-01-31T23:59:59Z). If not specified, defaults to now. Cannot be in the future.
- name: page_size
in: query
type: integer
required: false
description: Number of results per page (max 100)
- name: page_token
in: query
type: string
required: false
description: Pagination token from previous response
- name: port
in: query
type: integer
required: false
description: Filter by port number
- name: observation_value
in: query
type: string
required: false
description: Filter by observation value for the selected observation_type
- name: ip
in: path
type: string
required: true
description: The IP address of a host.
- name: observation_type
in: query
type: string
required: true
description: Endpoint observation type to query.
- name: order_by
in: query
type:
- array
- "null"
required: false
description: Order observations by these fields. Multiple values can be provided (e.g., ['port DESC', 'observation_value ASC']).
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-host-ip-observations-fingerprints
path: /v3/threat-hunting/host/{ip}/observations/fingerprints
operations:
- name: v3-threathunting-fingerprint-observations-on-host
method: GET
description: Censys Get Fingerprint Observation History for a Host
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: start_time
in: query
type: string
required: false
description: Start of date range (RFC3339 format, e.g., 2024-01-01T00:00:00Z). If not specified, defaults to the maximum query window back from the end time.
- name: end_time
in: query
type: string
required: false
description: End of date range (RFC3339 format, e.g., 2024-01-31T23:59:59Z). If not specified, defaults to now. Cannot be in the future.
- name: page_size
in: query
type: integer
required: false
description: Number of results per page (max 100)
- name: page_token
in: query
type: string
required: false
description: Pagination token from previous response
- name: port
in: query
type: integer
required: false
description: Filter by port number
- name: transport_protocol
in: query
type: string
required: false
description: Filter by transport protocol when supported by the selected observation_type
- name: observation_value
in: query
type: string
required: false
description: Filter by observation value for the selected observation_type
- name: ip
in: path
type: string
required: true
description: The IP address of a host.
- name: observation_type
in: query
type: string
required: true
description: Fingerprint observation type to query.
- name: order_by
in: query
type:
- array
- "null"
required: false
description: Order observations by these fields. Multiple values can be provided (e.g., ['port DESC', 'observation_value ASC']). transport_protocol ordering is only supported for observation types whose timelines expose that field; see the endpoint description for details.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-host-ip-observations-threats
path: /v3/threat-hunting/host/{ip}/observations/threats
operations:
- name: v3-threathunting-threats-on-host
method: GET
description: Censys Get Threat History for a Host
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: start_time
in: query
type: string
required: false
description: Start of date range (RFC3339 format, e.g., 2024-01-01T00:00:00Z). If not specified, defaults to the maximum query window back from the end time.
- name: end_time
in: query
type: string
required: false
description: End of date range (RFC3339 format, e.g., 2024-01-31T23:59:59Z). If not specified, defaults to now. Cannot be in the future.
- name: page_size
in: query
type: integer
required: false
description: Number of results per page (max 100)
- name: page_token
in: query
type: string
required: false
description: Pagination token from previous response
- name: port
in: query
type: integer
required: false
description: Filter by port number
- name: protocol
in: query
type: string
required: false
description: Filter by application protocol
- name: threat_name
in: query
type: string
required: false
description: Filter by threat name
- name: transport_protocol
in: query
type: string
required: false
description: Filter by transport protocol
- name: ip
in: path
type: string
required: true
description: The IP address of a host.
- name: order_by
in: query
type:
- array
- "null"
required: false
description: Order observations by these fields. Multiple values can be provided to sort by multiple fields (e.g., ['port DESC', 'protocol ASC']).
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-scans-discovery
path: /v3/threat-hunting/scans/discovery
operations:
- name: v3-threathunting-scans-discovery
method: POST
description: "Censys Live Discovery: Initiate a New Scan"
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: body
in: body
type: object
required: true
description: Request body.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-scans-scan-id
path: /v3/threat-hunting/scans/{scan_id}
operations:
- name: v3-threathunting-scans-get
method: GET
description: Censys Get Scan Status
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: scan_id
in: path
type: string
required: true
description: The unique identifier of the tracked scan
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-threats
path: /v3/threat-hunting/threats
operations:
- name: v3-threathunting-threats-list
method: GET
description: Censys List Active Threats
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: query
in: query
type: string
required: false
description: Optional CenQL filter to constrain threats list
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-value-counts
path: /v3/threat-hunting/value-counts
operations:
- name: v3-threathunting-value-counts
method: POST
description: "Censys CensEye: Retrieve Value Counts to Discover Pivots"
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: body
in: body
type: object
required: true
description: Request body.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v3-threat-hunting-web-webproperty-id-observations-threats
path: /v3/threat-hunting/web/{webproperty_id}/observations/threats
operations:
- name: v3-threathunting-threats-on-web
method: GET
description: Censys Get Threat History for a Web Property
inputParameters:
- name: organization_id
in: query
type: string
required: true
description: The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information.
- name: X-Organization-ID
in: header
type: string
required: false
description: "The ID of a Censys organization to associate the request with. See the [Getting Started docs](https://docs.censys.com/reference/get-started#step-3-find-and-use-your-organization-id-optional) for more information. Note: The header parameter is supported for atypical use cases; we recommend always providing this field via the query parameter."
- name: start_time
in: query
type: string
required: false
description: Start of date range (RFC3339 format, e.g., 2024-01-01T00:00:00Z). If not specified, defaults to the maximum query window back from the end time.
- name: end_time
in: query
type: string
required: false
description: End of date range (RFC3339 format, e.g., 2024-01-31T23:59:59Z). If not specified, defaults to now. Cannot be in the future.
- name: page_size
in: query
type: integer
required: false
description: Number of results per page (max 100)
- name: page_token
in: query
type: string
required: false
description: Pagination token from previous response
- name: threat_name
in: query
type: string
required: false
description: Filter by threat name
- name: webproperty_id
in: path
type: string
required: true
description: A web property identifier in hostname:port format.
- name: order_by
in: query
type:
- array
- "null"
required: false
description: Order observations by these fields. Multiple values can be provided to sort by multiple fields (e.g., ['threat_name DESC']).
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
exposes:
- type: rest
namespace: platform-threat-hunting-rest
port: 8080
description: REST adapter for Censys Platform — Threat Hunting. One Spectral-compliant resource per consumed operation, prefixed with /v1.
resources:
- path: /v1/threat-hunting/censeye/jobs
name: threat-hunting-censeye-jobs
description: REST surface for threat-hunting-censeye-jobs.
operations:
- method: GET
name: v3-threathunting-censeye-jobs-list
description: "Censys CensEye: List Jobs"
call: platform-threat-hunting.v3-threathunting-censeye-jobs-list
with:
organization_id: rest.organization_id
X-Organization-ID: rest.X-Organization-ID
page_size: rest.page_size
page_token: rest.page_token
host_id: rest.host_id
webproperty_id: rest.webproperty_id
certificate_id: rest.certificate_id
outputParameters:
- type: object
mapping: $.
- method: POST
name: v3-threathunting-censeye-jobs-create
description: "Censys CensEye: Create a Pivot Analysis Job"
call: platform-threat-hunting.v3-threathunting-censeye-jobs-create
with:
organization_id: rest.organization_id
X-Organization-ID: rest.X-Organization-ID
body: rest.body
outputParameters:
- type: object
mapping: $.
- path: /v1/threat-hunting/censeye/jobs/{job_id}
name:
# --- truncated at 32 KB (50 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/censys/refs/heads/main/capabilities/platform-threat-hunting.yaml