Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

RECON Blocklists

RECON Blocklists are dedicated IP feeds for individual reconnaissance scanners. They’re separate from the main ELLIO Threat List MAX so you can make a per-provider policy decision: which scanners reach you, which don’t.

The full list is on the same page as the threat lists: platform.ellio.tech/dashboard/edl-blocklists.

ELLIO Threat List MAX is high-precision: it excludes RECON IPs by design. This is deliberate - most reconnaissance scanners are operated by research organisations, security vendors, or your own attack-surface tooling, and blocking them by default causes more harm than benefit.

Keeping RECON IPs in dedicated lists means:

  • MAX stays clean - including MAX in your EDL doesn’t accidentally block Shadowserver, Rapid7 Project Sonar, or Censys.
  • You make the call per-provider - exclude scanners you trust, include scanners you don’t.
List Operator Why ELLIO tracks it
Censys Scanner IPs censys.io Internet-wide measurement and attack-surface index. Largest of the bunch (~600K IPs).
Shodan Scanner IPs shodan.io The original internet-of-things search engine. ~400 active scanner IPs.
Shadowserver Scanner IPs shadowserver.org Non-profit cybersecurity research. Sends free abuse reports - most organisations want to remain reachable.
BinaryEdge Scanner IPs binaryedge.io Internet exposure scanning.
BufferOver Scanner IPs bufferover.run DNS-based attack-surface discovery. Small footprint.
Cortex Xpanse Palo Alto Networks Attack-surface management. Customers may have their own Xpanse subscription scanning their own assets.
Driftnet Scanner IPs driftnet.io Asset discovery and intelligence.
InfraWatch Scanner IPs InfraWatch Internet infrastructure monitoring.
Internet Census Scanner IPs Various census projects Academic and research measurement.
InternetTL Scanner IPs InternetTL Internet topology mapping.
LeakIX Scanner IPs leakix.net Open-data leak detection.
NetScout Scanner IPs netscout.com NetScout ATLAS network intelligence.
Nokia Deepfield Scanner IPs Nokia Deepfield Internet security analytics.
Rapid7 Scanner IPs rapid7.com Project Sonar - internet-wide research. Many SOCs explicitly allow Rapid7.
Stretchoid Scanner IPs Stretchoid Network reconnaissance.

There is no universally right answer. Common starting points:

  • Most enterprises: exclude Shadowserver and Rapid7 (high-value research, free abuse reports), block everyone else.
  • Public-facing services that want to be discoverable: also exclude Censys, Shodan, BinaryEdge.
  • Allow-listed environments: include all RECON lists in a blocklist EDL - your trusted scanners go in My IP Rulesets instead.
  • Internal-only systems: include all RECON lists. There’s no business reason for any of them to reach you.

MAX excludes RECON IPs at generation time. So:

  • If you include MAX only, no RECON IPs are blocked.
  • If you include MAX + Censys RECON, Censys IPs are blocked but other RECON providers aren’t.
  • If you include MAX + Censys RECON, exclude Shadowserver RECON, Censys is blocked, Shadowserver is explicitly allowed even if it later overlaps with another list, every other RECON provider is allowed by default.

Excludes always win - see Include / exclude logic.