We are excited to announce Decibel’s investment in Censys, an Ann Arbor-based company that offers the most widely used and continuously updated database of potential vulnerabilities in the world’s internet-facing networks and devices. Used by 20% of the Fortune 100 and by organizations around the world, Censys allows companies and governments to understand their vulnerable surface areas (a.k.a., where they can be hacked) through the lens of an attacker. By continuously scanning the entire Internet with unprecedented breadth, depth, and scale, Censys provides a true “outside-in” perspective for every organization that is rapidly embracing digital transformation.
Dug Song, founder and CEO of Duo Security, serves as a board member for Censys and recently shared his thoughts on the company in this Q&A:
Prior to founding Duo, I was a security researcher, administrator, and architect at the University of Michigan and at Arbor Networks. Whether you are an attacker or defender, you are always trying to understand how organizations are exposed in terms of vulnerability and access, which has gotten much more complex in the modern IT era. In prior generations of IT security, we created secure perimeters with strictly defined policies that limited what parts of our network were accessible to the Internet. The combination of cloud computing, the internet of things, SaaS, bring your own device, and DevOps has moved the goalposts, as the data and access to protect is now everywhere. In a fast-moving environment, organizations need to look both inside-out and outside-in to see what attackers can see, and where you are vulnerable. Censys has created a search engine that maps the world’s networks, devices, and Internet-facing attack surface. It’s like a detailed Google Maps view for every public IP address.
The original technology behind Censys is a popular open source project called ZMap. This project was the work of University of Michigan Professor J. Alex Halderman, Stanford Professor Zakir Durumeric, and University of Michigan Ph.D. (and former Duo intern!) David Adrian. Their research pioneered web-scale scanning of the Internet for security vulnerabilities in a fraction of the time of previous approaches. ZMap today is the most widely used technology for Internet-wide scanning, and several commercial companies use ZMap’s underlying technology for their own security offerings.
For many who have been security researchers in our community, it is not surprising that a technology like Censys has such close roots to the University of Michigan: Merit Network (hosted by U-M) was responsible for building out the National Science Foundation Network, which became the backbone of the commercial Internet. This history has allowed the founding team to build a platform with reach and scale that would be very difficult for a traditional start-up to replicate on its own.
Censys initially created a free search tool that anyone could use, representing the largest database of Internet-wide scans. Over the course of 18 months, over 60,000 researchers and Fortune 500 IT and security teams signed up. Companies and organizations from Google to the Department of Defense now use Censys to create a view of their Internet-facing attack surface. Because the company stores real-time and historical scan data, customers can see their vulnerabilities across time, past and present. The early adopters of the product are household names, with steady inbound referrals from Censys’ existing customers. Censys now has dozens of large, paying enterprise customers, and has done so without a traditional enterprise sales force.
Zero Trust shifts the idea of security from static perimeters and legacy access controls to verifying security policy, user identity, and device posture, anytime and anywhere access happens. The enterprise world moves very fast: the workforce is ever-changing, data is everywhere, and every device is now Internet-enabled. With this digital transformation, it is near-impossible for organizations to keep up with their physical and digital footprint. Most internal teams struggle to create an up-to-date map of their users, devices, applications, and hosts internally. But customers want to validate that internal view of risk from the external perspective of an attacker, and Censys completes this through their continuous monitoring and assessment.
Decibel’s goal is to put founders first, and to help entrepreneurs build the next great B2B technology companies. When I founded Duo a decade ago with Jon Oberheide, we relied heavily on the wisdom and guidance of successful founders and investors that had come before us. There were many important lessons learned along the way, and in many ways we are still learning together with Cisco. I’ve always believed in giving back to the community that supported you, and I’m grateful to be able to help young companies and share what we’ve learned, especially here in Ann Arbor. The world is more connected than ever, and if we are going to build a safer Internet, we all need to work together.