Censys Formalizes Elite Cyber Unit to Map Global Internet Threats
- 400 exposed human-machine interfaces (HMIs) identified at U.S. water facilities, leading to a 96% remediation success rate in securing vulnerable systems.
- 175,000 internet-reachable hosts associated with self-hosted Large Language Models (LLMs) discovered, posing risks like 'LLMjacking'.
- Over half of the Fortune 500 trust Censys's platform for internet intelligence.
Experts view Censys ARC as a critical asset in the cybersecurity landscape, providing data-driven intelligence that enhances global threat detection and mitigation efforts.
Censys Formalizes Elite Cyber Unit to Map Global Internet Threats
ANN ARBOR, Mich. β March 10, 2026 β Internet intelligence firm Censys today announced the formal launch of the Censys Advanced Research Collective (ARC), codifying its long-standing research division into a dedicated team of elite security experts. The move solidifies the company's commitment to using its vast map of the global internet to uncover and analyze the worldβs most pressing digital threats, from exposed critical infrastructure to the hidden networks of nation-state hackers.
Censys ARC is composed of security researchers, threat analysts, and engineers tasked with a singular mission: to transform raw, global internet telemetry into actionable intelligence. By systematically scanning the entire public internet, the team provides critical insights that help governments, corporations, and the broader security community defend against an increasingly sophisticated threat landscape.
"Censys researchers are among the top in the world, and our work has long shaped how the industry understands Internet behavior and risk," said Michael Schwartz, Senior Director of Research and Security at Censys. "Censys ARC formally recognizes that legacy and propels it forward β codifying our commitment to rigorous, data-driven intelligence that defenders can act on immediately."
From Academic Project to Global Cyber Shield
While the ARC name is new, the function it represents is foundational to Censys. The company originated as a research project at the University of Michigan, focused on creating a comprehensive, searchable map of every device connected to the internet. That academic endeavor has since evolved into a commercial platform trusted by over half of the Fortune 500.
The real-world impact of this research is significant and tangible. In one of its most notable recent successes, Censys researchers identified over 400 exposed human-machine interfaces (HMIs) at U.S. water facilities. These interfaces, which allow for the monitoring and control of industrial equipment, were accessible online, with some requiring no authentication whatsoever. In partnership with the U.S. Environmental Protection Agency (EPA), Censys's findings led to a nationwide remediation effort that successfully secured over 96% of the vulnerable systems, preventing a potentially catastrophic risk to public health and safety.
This work extends beyond misconfigurations to actively disrupting malicious actors. The ARC team has a proven track record of linking digital infrastructure to sophisticated nation-state threat groups and mapping the command-and-control servers used in global malware campaigns. This proactive threat hunting provides defenders with an early warning system, often identifying adversary infrastructure before it can be weaponized in an attack.
Mapping the Digital Battlefield
The unique advantage fueling Censys ARC is the Censys Internet Map, arguably the most complete and continuously updated atlas of the digital world. The team operates by constantly probing every public IPv4 address and domain, completing protocol handshakes to gather rich data about the services running on them. This isn't limited to standard web ports; the company employs a machine learning-driven approach called "Predictive Scanning" to discover services across all 65,000 possible ports, where research shows over two-thirds of internet services actually reside.
This deep technical capability allows ARC to spot systemic risks at a massive scale. A recent joint investigation with SentinelOne, for instance, uncovered a sprawling, unmanaged layer of AI infrastructure. The teams identified approximately 175,000 internet-reachable hosts associated with self-hosted Large Language Models (LLMs), many exposed through popular open-source tools like Ollama. These exposed instances create a significant risk of "LLMjacking," where attackers could hijack the computational power for cryptocurrency mining, disinformation campaigns, or other malicious activities.
This ability to provide rapid, data-driven analysis during critical events has made ARC's advisories a go-to resource for security professionals. The team has published authoritative insights on actively exploited flaws, including vulnerabilities in Fortinet's FortiWeb and a critical flaw in the n8n workflow automation tool with the potential for full system compromise, giving defenders the crucial context needed to prioritize patching and mitigation.
A Strategic Play in the Intelligence Arms Race
The formalization of ARC is a clear strategic move by Censys to position itself as a leader in the competitive threat intelligence market, alongside established research powerhouses like Palo Alto Networks' Unit 42 and Google's Mandiant. While many research teams rely on telemetry from endpoint or network products, ARC's focus on the entire internet's external attack surface provides a distinct and complementary view of global risk.
This perspective is increasingly vital for specialized sectors. "The global health sector faces unique risks, particularly from exposed medical devices, clinical systems, and operational technology that directly impact patient safety," said Errol Weiss, Chief Security Officer at Health-ISAC. "Censys ARC research helps the healthcare community better understand device and system exposures, reduce risk, and strengthen resilience across hospitals, health systems, and medical device environments worldwide."
Other intelligence partners emphasize the foundational importance of this data. "High-quality Internet telemetry is foundational to modern detection and response," noted François Deruty, Chief Intelligence Officer of Sekoia.io. "Censys ARC research delivers data-driven measurement and transparency across the public Internet, enabling the security community to rapidly assess real-world exposure and move decisively from disclosure to mitigation."
Research as a Product Engine
Beyond contributing to the public good, the intelligence generated by Censys ARC serves as a powerful engine for the company's own commercial solutions. Insights from the research team are directly integrated into the Censys platform, enhancing its capabilities for attack surface management, threat hunting, and proactive incident response. When ARC discovers a new pattern of exposure or a novel adversary technique, that intelligence is used to improve the platform's detection logic, risk scoring, and asset attribution for all customers.
This creates a virtuous cycle: the quest to map the entire internet powers ARC's research, and the research, in turn, makes the map and the tools used to navigate it more powerful and precise for paying customers. This synergy ensures that the platform's defenses evolve in lockstep with the threats discovered in the wild.
"Censys was founded on research, and that foundation continues to shape the value we deliver to customers and partners," said Zakir Durumeric, Founder and CEO of Censys. "With Censys ARC, we are deepening our commitment to delivering authoritative Internet Intelligence by strengthening the insights embedded in our platform and advancing the threat research we share with the broader community. For our customers, this means clearer visibility into exposed assets, adversary-controlled infrastructure, and emerging vulnerabilities across the Internet."