March 21, 2025 | 19 min read

Netlas vs ZoomEye: Platforms Comparison

Netlas and ZoomEye are two widely used IoT search engines, each offering unique strengths for cybersecurity professionals. This comparison will examine their capabilities, data volume and relevance, and enterprise features to determine how they differ and where each platform excels.

Choosing the right tool depends on your specific needs—whether you require broad scanning capabilities, deeper analysis, or a balance between cost and functionality. Let’s break down the key differences and find out which platform is best suited for different use cases.

Capabilities

The first part of our research offers a high-level overview of the capabilities provided by both platforms.

This article does not delve into query syntax or other technical details. For those specifics, we recommend consulting the official documentation for Netlas and the cheatsheet in ZoomEye search. Instead, we will focus on the key differences between these search engines and highlight scenarios where each is most effective.

Search Engine

The core functionality of both platforms lies in their search engines, which are designed to identify internet-connected devices. In Netlas, this capability is handled by the Responses Search Tool, providing structured access to scanned data. ZoomEye, on the other hand, does not have a specifically named tool for this purpose but offers similar search functionality within its platform.

Netlas Responses Search Tool

ZoomEye Search

IoT search engines like Netlas and ZoomEye provide cybersecurity professionals with powerful tools to analyze vast amounts of server responses. These platforms help identify vulnerabilities, evaluate network configurations, and improve overall system security.

Both search engines offer advanced filtering capabilities, allowing users to search by IP address, port, protocol, or technology names such as Apache, Nginx, and OpenSSH. This makes it easier to pinpoint specific services, detect outdated software, and assess the exposure of networked devices.

For more complex investigations, users can leverage logical operators like AND, OR, and NOT to refine their queries. This flexibility enables specialists to conduct deep searches, uncover hidden vulnerabilities, and detect misconfigurations across large-scale networks.

External Attack Surface Management

Another key feature of both search engines is their application in external attack surface management, with dedicated tools designed to help security professionals map and analyze exposed assets.

Netlas offers two primary tools for this purpose: the Attack Surface Discovery Tool and the Private Scanner.

The Attack Surface Discovery Tool simplifies and visualizes attack surface mapping by allowing researchers to construct interactive graphs. Users can add different types of objects, such as domains, subdomains, IP addresses, and services, with relationships between them generated automatically. Expanding the graph is intuitive—clicking on an existing node and selecting a search operation (such as retrieving all subdomains of a domain) dynamically incorporates new results. This process can be repeated iteratively, enabling the creation of a comprehensive attack surface representation.

To enhance usability, the tool also supports grouping and excluding nodes. Similar objects can be clustered into a single node, making large datasets easier to manage. Additionally, researchers can manually remove irrelevant results or exclude nodes from further interaction. Excluded nodes remain on the graph but are stripped of functionality and are not included in exported data. A single-click option allows users to hide excluded nodes, keeping the visualization clean and focused.

The following image showcases an example of a graph generated using the Attack Surface Discovery Tool.

Netlas ASD Graph

The Private Scanner extends the functionality of the Attack Surface Discovery Tool by providing real-time data on a user’s attack surface through Netlas’s scanning capabilities. Researchers can input a list of targets, which are then scanned across more than 1,200 ports. The collected data is stored in a private index, where relevant tags, such as CVEs or product details, are automatically applied. Searching within this private dataset is just as seamless as querying public data in the Responses Search Tool.

A major advantage of the Private Scanner is its direct integration with the Attack Surface Discovery Tool. With a single click, users can initiate a scan from their constructed graph, significantly streamlining attack surface analysis and reducing the process to just two steps.

The following image demonstrates the Private Scanner interface.

Netlas Private Scanner

For a more detailed explanation, refer to the article “Complete Guide on Attack Surface Discovery”.

On the other hand, ZoomEye provides a tool called On-Demand Scanning.

This tool is the counterpart of the Netlas Private Scanner. The user specifies a set of targets as IP addresses and domains, ZoomEye scans them, and the results reflect the most up-to-date information.

ZoomEye On-Demand Scanning

CLI and API

Both search engines offer API access, command-line interfaces, and Python libraries, making it easy to integrate them into automated workflows.

To install them, use the following commands:

pip install netlas
pip install zoomeye

There is one potential issue worth mentioning here. When I first tested the ZoomEye CLI, I was unable to enter the API key due to the following error:

ValueError: this service not aviliable in your area, please use api.zoomeye.ai instead

The problem is that the SDK files specify the wrong path to the API. To fix this, you need to find sdk.py among the installed package files, and then edit the following lines:

self.search_api = "https://api.zoomeye.org/v2/search"
self.userinfo_api = "https://api.zoomeye.org/v2/userinfo"

Change “.org” to “.ai” and the CLI will work.
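The edit described above can be scripted so that it is repeatable and keeps a backup of the original file. This is an added example, not code from the ZoomEye SDK or from the article's author; it assumes sdk.py sits somewhere under the installed zoomeye package directory and contains the two assignments quoted above, and `find_sdk_files` and `patch_sdk` are hypothetical helper names.

```python
"""Added example: repoint the ZoomEye SDK endpoints from .org to .ai."""
import importlib.util
import re
import shutil
from pathlib import Path

# Only the two assignments quoted in the article are rewritten; any other
# occurrence of the hostname in the file is left untouched.
ENDPOINT_RE = re.compile(
    r'(self\.(?:search_api|userinfo_api)\s*=\s*"https://api\.zoomeye\.)org(/)'
)


def find_sdk_files(package="zoomeye"):
    """Locate sdk.py under the installed package without importing it.

    Assumption: the file lives somewhere below the package directory.
    """
    spec = importlib.util.find_spec(package)
    if spec is None or not spec.submodule_search_locations:
        return []
    found = []
    for root in spec.submodule_search_locations:
        found.extend(sorted(Path(root).rglob("sdk.py")))
    return found


def patch_sdk(path):
    """Rewrite the endpoints in one file and return how many were changed.

    A copy of the untouched file is kept next to it as sdk.py.orig. Running
    the function again on an already patched file changes nothing.
    """
    path = Path(path)
    text = path.read_text(encoding="utf-8")
    patched, count = ENDPOINT_RE.subn(r"\g<1>ai\g<2>", text)
    if count:
        backup = path.with_name(path.name + ".orig")
        if not backup.exists():
            shutil.copy2(path, backup)
        path.write_text(patched, encoding="utf-8")
    return count


if __name__ == "__main__":
    files = find_sdk_files()
    if not files:
        print("zoomeye package not found in this environment")
    for sdk in files:
        print(f"{sdk}: {patch_sdk(sdk)} endpoint(s) updated")
```

Reinstalling or upgrading the package restores the original file, so the patch has to be applied again afterwards.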

An example of usage is shown in the following image.

Netlas CLI

ZoomEye CLI

When working with Python, users can import the netlas and zoomeye modules, utilizing their API wrappers for seamless integration into scripts. These libraries simplify interactions with their respective search engines, making it easier to retrieve and process data efficiently.

For detailed usage instructions, refer to the documentation for Netlas and ZoomEye.

It is important to note that access to the ZoomEye API requires a paid subscription, whereas the Netlas API is available starting from the free Community tier. Subscription options will be discussed in more detail later.

Other Ways to Use

Beyond the web interface and API, both search engines offer integrations with various third-party applications. These integrations expand their functionality, making it easier to incorporate their data into security workflows. This subsection provides a brief overview of the available integrations and their key features.

  • Browser Plugins: Netlas provides an official way to search via browser plugins. You can install them here: Google, Mozilla. ZoomEye also has a Chrome Extension.

  • Modules for Maltego: Maltego is one of the leading tools for reconnaissance, automation, and visualization of results. Both search engines discussed here can be integrated into Maltego using dedicated modules. You can find more details about Netlas integration in the corresponding article. Meanwhile, ZoomEye is featured inside the Social Links CE plugin.

  • Data Files and Streaming API: For users who prioritize anonymity and prefer processing data on their own servers, Netlas offers two solutions: Datastore and Streaming API. The Datastore allows users to purchase datasets containing specific types of data, such as scanned DNS records and database responses. The Streaming API provides continuous access to data directly from Netlas scanners, enabling real-time processing and analysis. These features are available as part of paid plans, with additional benefits for Corporate and Enterprise-level users. Similarly, ZoomEye offers users the opportunity to purchase datasets from its store.

This concludes our overview of the most significant features of both search engines. As shown, they share many core capabilities; however, ZoomEye lacks browser add-ons for Mozilla and offers slightly fewer features for external attack surface management compared to Netlas.

Now, let’s take a closer look at some smaller yet noteworthy features.

Minor Capabilities

In this section, we will examine additional features that improve the usability of search engines and offer new opportunities for researchers. These enhancements can streamline workflows, provide deeper insights, and make data retrieval more efficient.

Netlas Tools

Let’s take a look at the additional tools available in Netlas. Beyond the Responses Tool, Attack Surface Discovery Tool, and Private Scanner, Netlas also offers the following:

  • IP/Domain Info: This tool provides users with a quick summary of a domain name or IP address. The retrieved data includes open ports, reputation details, and key fields from the WHOIS protocol, making it useful for rapid assessments.

Netlas IP/Domain Info Tool

  • DNS Search: The primary function of this tool is to retrieve detailed information about DNS records. It supports both forward DNS search and reverse DNS search, allowing for comprehensive DNS analysis and insight into domain infrastructure.

  • IP WHOIS Search: This tool allows users to search within WHOIS protocol fields. Netlas collects WHOIS data for every known IP address, making it a valuable resource for investigations, attack surface mapping, and tracking ownership or infrastructure changes.

  • Domain WHOIS Search: This tool operates similarly to the previous one but is specifically designed for searching WHOIS protocol data for domain names rather than IP addresses.

  • Certificates Search: This tool allows users to search within SSL certificate fields, making it particularly useful for identifying devices and services that use specific certificates. It can help track certificate issuers, expiration dates, and other relevant details for security assessments.

Netlas Team Access

Another useful feature in Netlas is team access. By joining a team, users can view private scans and attack surface discovery graphs shared by the owner. This functionality improves collaboration by enabling seamless data sharing and coordinated analysis. The following image illustrates the team access interface.

Netlas Team Access

This setup significantly improves collaboration by providing team members with direct access to shared results in a centralized location. Without this feature, users would need to share attack surface data as separate documents, which could slow down workflows and complicate data management.

ZoomEye Tools

Like Netlas, ZoomEye provides a set of small yet valuable features. Let’s take a closer look at them below.

AI Search

This tool is similar to Censys GPT, which was reviewed in the previous article. It integrates with ChatGPT to generate queries for ZoomEye based on a text description provided by the user. This feature can assist those unfamiliar with query syntax by automatically constructing relevant searches. The following image provides an example of its functionality.

AI Search Example

However, it is important to note that this tool does not always generate valid queries. Some searches may fail entirely, while others might return fewer results than what is actually available. It should be considered a useful assistive feature rather than a replacement for manually crafting precise search queries.

Domain/IP Lookup

A straightforward tool that provides a list of domains associated with a given IP address, as well as a list of subdomains for a specified domain. This can be useful for reconnaissance and attack surface analysis. The following screenshot demonstrates its usage.

Domain/IP Lookup

DarkEye

A separate tool designed to monitor data leaks. Unfortunately, we were unable to test it, but according to the description, DarkEye monitors mentions of domain names in Telegram channels, hacker forums, Discord, and so on.

Features Comparison Summary

Having examined this aspect, we can now summarize the key findings. To present the information clearly, I have compiled a concise table highlighting the main points.

| Feature | Netlas | ZoomEye |
|---|---|---|
| Responses Search | + | + |
| API | Free users | Paid users |
| Automation | Python SDK, CLI usage | Python SDK, CLI usage |
| EASM Tools | Visual Discovery, Private Scanner | On-Demand Scanning |
| Browser Plugins | Chrome, Firefox | Chrome |
| DNS Data | + | - |
| Certificates Data | + | + |
| WHOIS Data | + | - |
| Vulnerability Data | + | - |
| Host Reputation | + | - |

Technical Differences

Before evaluating the volume and relevance of data, it is important to understand the different scanning methods used by Netlas and ZoomEye. This section will explore their distinct approaches to scanning, how they classify and label collected data, and the number of ports each search engine scans. Understanding these differences will provide better context for the subsequent comparisons.

Scan Differences

Netlas follows a structured approach to protocol identification. It initially assumes a specific protocol for each scanned port and then verifies whether the detected service aligns with this expectation. If the service does not match, it is labeled as RAW, indicating an unidentified or unexpected response. However, if the protocol is confirmed, the service is recorded under the initially detected protocol, ensuring accurate classification of scanned data.

Unfortunately, ZoomEye does not publicly disclose details about its scanning technology.

Number of Scanning Ports

It is also important to note that both search engines have limitations on the number of ports they scan.

For public data collection, Netlas scanners examine up to 146 ports per IP address, including 141 TCP ports and 5 UDP ports. A detailed list of these ports is available in the relevant section of the documentation.

While this number may seem restrictive, the Private Scanner expands the number of scanned ports to approximately 1,300, providing a more comprehensive view of network assets.

An exact list of ports scanned by ZoomEye is not publicly available. However, an experiment was conducted to compare its scanned ports with those of Shodan. The results showed that ZoomEye scans only 17 fewer ports than Shodan. The total number of ports examined is 3,828.

Scanning Timing

An analysis of ZoomEye’s results revealed that, like many other search engines, it prioritizes scanning based on port popularity. Common ports, such as 80, are scanned daily, while less frequently used ports may not be updated for months.

In contrast, Netlas follows a subnet-by-subnet scanning approach, where entire subnets are scanned together and added to the index as they are updated. This ensures that all services on a given IP address are refreshed simultaneously, providing a more consistent and structured update process.

This fundamental difference in scanning methodology makes direct comparisons of data freshness between Netlas and ZoomEye challenging. More details on this will be discussed in the following section.

Volume and Relevance of Data

The most crucial factor in evaluating any search engine is the amount of data it provides and its relevance. In this section, we will conduct several tests to compare Netlas and ZoomEye based on these key metrics.

Rather than performing a broad analysis using the * query, which would offer little meaningful insight, we conducted targeted tests based on the following criteria:

  • 5 popular ports
  • 5 popular web servers
  • 5 popular database management systems (DBMS)
  • 10 recent vulnerabilities

By focusing on these specific areas, we aim to provide a more accurate and practical comparison of the data coverage and freshness of both search engines.

Volume Test

The first test focuses on port analysis. However, a few points need to be clarified first.

In our study, we focused on the most recent data available. For Netlas, this meant analyzing the last two indexes, while for ZoomEye, we applied a date filter from 2025-01-11 to 2025-03-11. As a result, some data may appear missing in ZoomEye, even though it might be retrievable without a time restriction. However, we chose this approach because, in most cases, comparing only the most recent data is the most relevant metric for assessing a search engine’s effectiveness.

This method of evaluating data completeness is consistent with how we conducted previous comparisons.

The results are presented in the table below.

| Port | Netlas | ZoomEye |
|---|---|---|
| 80 / HTTP | 324,239,572 | 109,380,062 |
| 443 / HTTPS | 269,094,276 | 96,573,539 |
| 7547 / CWMP | 26,601,066 | 2,761,490 |
| 22 / SSH | 15,949,064 | - |
| 161 / SNMP | 17,871,767 | 312,787 |

The results show that Netlas dominates across all five most popular ports. Let’s move on to the next step, five popular web servers.

| Web Server | Netlas | ZoomEye |
|---|---|---|
| Nginx | 120,169,855 | 22,739,763 |
| Apache | 67,860,319 | 8,042,863 |
| Microsoft IIS | 13,125,936 | 2,622,161 |
| Cisco-IOS | 66,702 | 27,639 |
| Cloudflare | 143,390,218 | 3,698,260 |

Once again, Netlas is in first place. In this case, the result is expected, since this tool has always been more focused on the web component of IoT.

Next we will look at popular databases.

| Database | Netlas | ZoomEye |
|---|---|---|
| PostgreSQL | 476,292 | 192,623 |
| MongoDB | 92,006 | 60,921 |
| MySQL | 2,670,108 | 2,050,839 |
| Elastic | 31,958 | 16,120 |
| CouchDB | 5,104 | 225,623 |

Here we see a more intense battle, with ZoomEye managing to take the lead in terms of detecting CouchDB, and coming pretty close in other cases as well.

Finally, let’s examine some critical vulnerabilities from 2024.

| CVE | Netlas | ZoomEye |
|---|---|---|
| CVE-2024-39710 (Ivanti Connect Secure) | 19,372 | 2,487 |
| CVE-2024-45763 (Dell SonicOS) | 11,862 | 4,257 |
| CVE-2024-46538 (pfSense) | 55,031 | 39,217 |
| CVE-2024-49768 (Waitress Python Server) | 23,024 | 7,769 |
| CVE-2024-50388 (QNAP NAS) | 108,587 | 35,250 |
| CVE-2024-46483 (Xlight FTP) | 2,207 | 1,071 |
| CVE-2024-45157 (Rancher) | 3,304 | - |
| CVE-2024-9264 (Grafana) | 95,565 | 5,900 |
| CVE-2024-49193 (Zendesk) | 27,397 | 6,119 |
| CVE-2024-3656 (Keycloak) | 12,148 | 64 |

In this test, Netlas consistently holds the advantage across all cases, although ZoomEye comes close in some instances.

The key takeaway from this comparison is that Netlas generally provides more complete fresh data than ZoomEye in many cases. Now, let’s move on to evaluating data relevance — specifically, the average age of information stored in the search engines’ current databases.

Data Relevance

Netlas crawlers typically scan the entire internet approximately every three weeks. This can be verified by checking the crawl periods listed on the About page. ZoomEye, on the other hand, does not disclose the age of its data.

In order to confirm the information from one search engine and calculate freshness for the second, we will conduct a small test.

For this test, a script was used to randomly generate the two high-order octets of an IPv4 address, forming a subnet with a /16 mask. From this subnet, two addresses were randomly selected from the data available in both search engines. The scan age of these addresses was then recorded and compared.

| Search Engine | Average Data Age, days |
|---|---|
| Netlas | 23 |
| ZoomEye | 108 |

The results of this test indicate that Netlas provides significantly fresher data. However, it is important to note that our analysis was limited to matching ports that were scanned for each address. Adjusting the experimental approach, such as including a broader range of ports or different filtering criteria, could lead to varying results.
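The sampling method described above, as an added example rather than the script used for the article: it picks a random /16, keeps only the (address, port) pairs that both engines report, and averages the scan age per engine. The record layout (`ip`, `port`, `last_seen`) and both sample datasets are constructed for illustration and do not come from either platform.

```python
"""Added example: freshness sampling over constructed scan records."""
import ipaddress
import random
from datetime import date

# Constructed records; the field names are assumptions, not either
# engine's schema. Addresses come from a documentation range.
ENGINE_A_SAMPLE = [
    {"ip": "203.0.113.10", "port": 80, "last_seen": "2025-02-20"},
    {"ip": "203.0.113.10", "port": 22, "last_seen": "2025-02-20"},
    {"ip": "203.0.113.77", "port": 443, "last_seen": "2025-02-26"},
    {"ip": "192.0.2.5", "port": 80, "last_seen": "2025-03-01"},
]
ENGINE_B_SAMPLE = [
    {"ip": "203.0.113.10", "port": 80, "last_seen": "2025-03-09"},
    {"ip": "203.0.113.77", "port": 443, "last_seen": "2024-11-01"},
    {"ip": "203.0.113.77", "port": 8080, "last_seen": "2025-01-15"},
]


def random_slash16(rng):
    """Pick two random high-order octets; return a /16 whose base address
    is globally routable (private and reserved ranges are redrawn)."""
    while True:
        first, second = rng.randrange(1, 224), rng.randrange(256)
        net = ipaddress.ip_network(f"{first}.{second}.0.0/16")
        if net.network_address.is_global:
            return net


def _index(records, subnet):
    """Map (ip, port) -> last scan date for records inside the subnet."""
    return {
        (r["ip"], r["port"]): date.fromisoformat(r["last_seen"])
        for r in records
        if ipaddress.ip_address(r["ip"]) in subnet
    }


def mean_age_days(records_a, records_b, subnet, today, rng, sample_size=2):
    """Average scan age per engine, in days, over sampled shared services.

    Only (ip, port) pairs present in both datasets are compared, so a port
    that one engine never scanned cannot skew the result. Returns None when
    the engines share nothing in the subnet.
    """
    a, b = _index(records_a, subnet), _index(records_b, subnet)
    shared = a.keys() & b.keys()
    shared_ips = sorted({ip for ip, _ in shared})
    picked = set(rng.sample(shared_ips, min(sample_size, len(shared_ips))))
    keys = [k for k in shared if k[0] in picked]
    if not keys:
        return None

    def average(index):
        return sum((today - index[k]).days for k in keys) / len(keys)

    return average(a), average(b)


if __name__ == "__main__":
    rng = random.Random()
    print("random subnet:", random_slash16(rng))
    demo = ipaddress.ip_network("203.0.0.0/16")
    print(mean_age_days(ENGINE_A_SAMPLE, ENGINE_B_SAMPLE, demo,
                        date(2025, 3, 11), rng))
```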

Also, if you are reading this article as part of a series, you may have noticed that the average age of data in Netlas fluctuates over time. This is because scanning is a continuous process: some data becomes outdated while new scans update the database.

As previously mentioned, Netlas scans the internet subnet by subnet. If, during our data freshness test, we happen to sample a recently scanned subnet, it can significantly lower the average data age. However, since subnets are selected randomly, the likelihood of this significantly impacting the overall results remains low.

Engine Limitations

After evaluating the capabilities of both search engines, it is essential to consider their limitations. Some features are restricted to paid subscription plans, meaning not all users have full access to the tools and data.

In this section, we will provide the subscription plan tables for Netlas and ZoomEye, along with a summary table outlining the minimum required plan for accessing different features. This comparison will help determine which platform offers the best value for specific use cases.

Netlas Plans

| Plan | Cost per month |
|---|---|
| Community | 0 $ |
| Freelancer | 49 $ |
| Business | 249 $ |
| Corporate | 830 $ |
| Enterprise | Custom |

ZoomEye Plans

| Plan | Cost per month |
|---|---|
| Registered User | 0 $ |
| Personal | 19 $ |
| Professional | 109 $ |
| Business | 1,099 $ |
| Corporate | Custom |

ZoomEye appears to offer more competitive pricing compared to Netlas, largely due to an ongoing discount that is unlikely to expire. However, pricing alone does not determine the true value of a service—what matters is the functionality included in each plan.

To get a clearer picture, let’s compare which subscription tiers are required to access specific features on both platforms.

Features

| Feature | Plan in Netlas | Plan in ZoomEye |
|---|---|---|
| Search via API | Community | Personal |
| Search via CLI | Community | Personal |
| Historical Lookups | Community | Business |
| DNS Lookups | Community | Community |
| Search by Domain | Community | Community |
| Commercial Use | Freelancer | Business |
| Scanner | Freelancer | Professional |
| Vulnerability Information | Freelancer | - |
| Search by Vulnerability | Business | - |
| Search by Tags | Business | Personal |
| Honeypot Tagging | Business | Personal |
| Honeypot Filter | Business | Business |
| Bulk Data Files | Enterprise | - |

Here, we can see that Netlas generally offers better value. Most of its key features are already available starting from the Freelancer subscription, which also permits commercial use. This is particularly important for small companies with limited budgets, as it allows them to access powerful search capabilities without needing to invest in higher-tier plans.

Ease of Use

  • Query Creation. Most queries in ZoomEye are limited to IP addresses, products, domains, or simple terms entered into the search bar. While this works well for basic searches, it becomes restrictive when building more complex patterns. Netlas, on the other hand, allows for flexible query customization and enables users to search by any field of any detected protocol.
    ZoomEye offers significantly fewer options for constructing queries compared to Netlas. It allows field-based searches only for two specific protocols: SSL and HTTP. In total, ZoomEye provides just 52 basic query types, which can be combined to refine searches. In contrast, Netlas supports hundreds of search fields, enabling much more granular and flexible filtering. This broader query capability makes Netlas a more powerful tool for users who require precise searches across various protocols and datasets.
    Another drawback of the ZoomEye search engine is the lack of autocomplete functionality in its search bar. Netlas addresses this with query suggestions in the Responses Tool, significantly improving search speed and efficiency. The following image demonstrates how these suggestions appear in Netlas.

Netlas Search Suggestions

ZoomEye, on the other hand, attempts to assist users by suggesting popular queries that contain the searched keyword. While this can be helpful, it is less convenient for experienced users who prefer to construct complex queries manually.

ZoomEye Search Suggestions

  • Documentation. Unfortunately, ZoomEye provides detailed documentation only for its API, which can be accessed here. When it comes to query construction, users must rely on a brief cheatsheet. The rest of the search functionalities must be learned through trial and error.
    This lack of clear documentation can make it difficult for new users to fully understand the platform’s capabilities. Even after purchasing a subscription while writing this article, I found it unclear what certain features actually provide.

Enterprise Features

Let’s examine the two highest subscription tiers, which are designed for large organizations. At these levels, both Netlas and ZoomEye provide similar core functionalities, but with differences in accessibility, data limits, and pricing structure.

To provide a clear comparison, we will illustrate these differences using two pivot tables. We will start by comparing the Corporate and Business tier plans.

| Feature | Netlas | ZoomEye |
|---|---|---|
| Price | 830 $ | 1,099 $ |
| Results per month | 100,000,000 | 10,000,000 |
| Maximum result pages | 200 | 100 |
| Available Search Filters | All | All |
| Available Fields in API | All | 78 |
| Number of API Keys | Up to 5* | 1 |
| API requests rate limit | 1 request/sec | 2 requests/sec |
| Hostname Search | + | + |
| Bulk Data Files | - | - |

* - It is important to distinguish between the number of users and the number of API keys. In Netlas, when purchasing this plan, a company effectively acquires five separate licenses, each with its own API key. This setup allows for higher request volumes and more efficient collaboration.

Next, we move on to the Enterprise and Corporate tiers.

| Feature | Netlas | ZoomEye |
|---|---|---|
| Price | Custom | Custom |
| Results per month | Custom | Custom |
| Maximum result pages | 200 | Custom |
| Available Search Filters | All | All |
| Available Fields in API | All | 78 |
| Number of API Keys | Custom | Custom |
| API requests rate limit | Custom | Custom |
| Hostname Search | + | + |
| Bulk Data Files | + | - |

Summary

In the end, you can see that Netlas is the leader in most of the comparisons. The only area where it lags significantly is the number of ports scanned. However, this can be compensated for by using the Private Scanner, which becomes available to the user starting with the cheapest subscription.

However, as in previous articles, we recommend that you take a closer look at both tools. Using several at once will allow you to cover a larger number of targets, which reduces the likelihood of missing something important. Moreover, Netlas and ZoomEye are quite inexpensive.
