Internet-wide Scanning
Shadowspotter operates a research scanning infrastructure that periodically probes publicly reachable systems on the internet. This page explains what we do, why we do it, and how to recognise our traffic.
What we scan
Our scanners enumerate publicly accessible services on the IPv4 and IPv6 internet. We collect basic protocol-level metadata such as banners, TLS certificates, HTTP response headers, DNS records and WHOIS data. In addition to passive collection, we perform active probing: JARM fingerprinting of TLS endpoints and application banner grabbing via zgrab2 across a range of common protocols (HTTP/HTTPS, SSH, FTP, SMTP and others). We may add further banner-grabbing methods over time as new protocols become relevant. We do not attempt to authenticate, exploit vulnerabilities, brute-force credentials, or otherwise interact with systems beyond the standard handshake required to characterise the exposed service.
Why we do this
A continuously updated picture of the public internet is the foundation of modern threat intelligence and attack surface management. We use the data we collect to help our customers and the broader security community in several ways:
- Phishing detection — identifying lookalike domains and newly registered phishing infrastructure before they are weaponised against organisations and their customers.
- Attack surface monitoring — helping organisations discover their own exposed assets, misconfigurations and forgotten systems before adversaries can find them.
- Threat actor tracking — mapping malicious infrastructure across certificates, DNS and hosting patterns to track campaigns and disrupt them earlier.
How we scan responsibly
We follow the practices established by the security research community for considerate, low-impact internet scanning:
Rate-limited, distributed probes
Scans are spread across our address pool and rate-limited per destination so that any given network sees only a small number of packets at a time. We avoid bursts and back off on errors.
Read-only, standards-compliant
Our probes use the same TCP, TLS, HTTP and DNS handshakes that any browser or standard client would. We do not exploit vulnerabilities, submit forms, log in, or send unsolicited data beyond what protocol negotiation requires.
Identifiable traffic
Our scanning IPs have reverse-DNS pointing back to Shadowspotter. The address ranges below can be used to identify our traffic in your logs.
Opt-out is not available
Because the value of our dataset depends on consistent, comprehensive coverage of the public internet, we do not maintain an opt-out list. If you do not want our scanners to reach your network, please block the egress IP addresses listed below at your firewall or upstream provider. Blocked traffic is not retried from other ranges.
Our scanning IPs
All scan traffic originates from the egress addresses listed below. You can use this list to whitelist, identify or filter our traffic in your firewalls and SIEM. The list is kept up to date as we add or retire infrastructure.
116.203.252.4
188.34.176.54
49.12.242.8
Last updated: 2026-05-06.
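One way to tag this traffic in your own logs, as an added example (not Shadowspotter's code): it matches the three addresses listed above in arbitrary log lines, including the IPv4-mapped IPv6 forms that dual-stack listeners record. The function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Egress addresses copied from the list on this page (last updated 2026-05-06).
SCANNER_IPS = frozenset(
    ipaddress.ip_address(a)
    for a in ("116.203.252.4", "188.34.176.54", "49.12.242.8")
)

# Runs of characters that could form an IPv4 or IPv6 literal (brackets excluded).
_TOKEN = re.compile(r"[0-9A-Fa-f:.]{7,}")


def _parse(token):
    """Parse a candidate token, tolerating ':port', a leading ':' and a trailing '.'."""
    for cand in (token, token.rpartition(":")[0], token.lstrip(":")):
        try:
            addr = ipaddress.ip_address(cand.rstrip("."))
        except ValueError:
            continue
        # Dual-stack listeners log IPv4 peers as ::ffff:a.b.c.d or ::ffff:hhhh:hhhh.
        return getattr(addr, "ipv4_mapped", None) or addr
    return None


def scanner_ip(line):
    """Return the listed scanner address seen in a log line as a string, or None."""
    for token in _TOKEN.findall(line):
        addr = _parse(token)
        if addr in SCANNER_IPS:
            return str(addr)
    return None


def tally(lines):
    """Count log lines per listed scanner address."""
    return Counter(ip for ip in map(scanner_ip, lines) if ip)


# Constructed sample log lines (not real traffic).
SAMPLE = [
    '116.203.252.4 - - [06/May/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "-"',
    "May  6 10:00:02 host sshd[812]: Connection closed by 188.34.176.54 port 40112 [preauth]",
    "[::ffff:49.12.242.8]:51514 TLS handshake completed",
    '49.12.242.80 - - [06/May/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "-"',
    "May  6 10:00:07 host sshd[815]: Connection closed by 203.0.113.9 port 40113 [preauth]",
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE)))
```

Addresses are compared as parsed values rather than as substrings, so `49.12.242.80` is not mistaken for `49.12.242.8`.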
Questions about our scanning?
Reach our research team at mail@shadowspotter.com.