Censys is the focus of this weekly summary, which highlights a series of threat intelligence disclosures, product integrations, and research initiatives that underscore its role in external attack-surface management and cloud security visibility. Across multiple posts, the company emphasized its ability to provide internet-wide telemetry, enrich security workflows, and support security operations center decision-making.
The dominant development was Censys’s analysis of a critical cPanel and WHM vulnerability, CVE-2026-41940, which it labeled a pre-authentication bypass with a CVSS score of 9.8. The company reported roughly 1.1 million exposed hosts and about 6.7 million web properties potentially affected, and said exploitation attempts appeared almost immediately after disclosure.
Follow-on telemetry showed rapid weaponization, with Censys data and correlated GreyNoise intelligence indicating that about 80% of newly identified malicious hosts on May 1 were running cPanel or WHM. Roughly 15,000 cPanel systems were flagged as malicious in a single day, with observed attack paths including Mirai-based botnets and ransomware that encrypts files with a “.sorry” extension.
Censys advised organizations to assume active exploitation, prioritize patching, and treat any exposed cPanel or WHM instance as in scope until verified locally. These disclosures highlight the company’s ability to surface near real-time insight into emerging threats against widely deployed infrastructure and may reinforce demand for attack-surface monitoring and threat intelligence.
The company also promoted research from its Censys ARC team on a sophisticated adversary-in-the-middle phishing cluster known as OLUOMO targeting Microsoft credentials and session tokens. The campaign uses fake document portals, compromised websites, Azure-hosted proxies, and Microsoft OAuth, with lures referencing a real U.S. naturalization petition to increase credibility.
By publicizing this research, Censys is signaling competence in tracking complex, multi-component phishing operations that span traditional web and cloud environments. This research-driven visibility could enhance its positioning with organizations focused on cloud and identity security, supporting use cases in threat intelligence, managed detection, and incident response.
On the product side, Censys highlighted a collaboration with Microsoft Security to integrate its internet intelligence into Microsoft Sentinel’s cloud-native SIEM and SOAR workflows. The integration aims to add contextual data for alerts tied to external IPs, domains, or certificates, reduce tool switching, and accelerate SOC triage and investigations.
The Microsoft Sentinel integration may deepen Censys’s ecosystem presence, expand its addressable market among enterprise customers, and support recurring usage as part of established cloud security stacks. While no financial details were disclosed, alignment with a major platform suggests strategic progress in embedding Censys data directly into security operations.
Censys also detailed how infrastructure context can enhance triage of identity and access management alerts from systems such as Okta, Microsoft Entra, and VPN or privileged access tools. By linking host intelligence to IAM alerts, the company is positioning its platform as a complementary layer that helps analysts decide whether to escalate, downgrade, or further scope incidents.
This focus on workflow integration and IAM alert enrichment may help Censys gain deeper penetration into security operations center budgets and increase average deal sizes. Overall, the week’s developments portray a company actively leveraging threat research, high-profile vulnerabilities, and ecosystem integrations to reinforce its relevance in attack-surface management and threat intelligence markets.

