RECON Blocklists
RECON Blocklists are dedicated IP feeds for individual reconnaissance scanners. They're separate from the main ELLIO Threat List MAX so you can make a per-provider policy decision: which scanners reach you, which don't.
The full list is on the same page as the threat lists:
platform.ellio.tech/dashboard/edl-blocklists.
Why RECON is separate from MAX
ELLIO Threat List MAX is high-precision: it excludes RECON IPs by design. This is deliberate - most reconnaissance scanners are operated by research organisations, security vendors, or your own attack-surface tooling, and blocking them by default causes more harm than benefit.
Keeping RECON IPs in dedicated lists means:
- MAX stays clean - including MAX in your EDL doesn't accidentally block Shadowserver, Rapid7 Project Sonar, or Censys.
- You make the call per-provider - exclude scanners you trust, include scanners you don't.
The catalogue
| List | Operator | Why ELLIO tracks it |
|---|---|---|
| Censys Scanner IPs | censys.io | Internet-wide measurement and attack-surface index. Largest of the bunch (~600K IPs). |
| Shodan Scanner IPs | shodan.io | The original internet-of-things search engine. ~400 active scanner IPs. |
| Shadowserver Scanner IPs | shadowserver.org | Non-profit cybersecurity research. Sends free abuse reports - most organisations want to remain reachable. |
| BinaryEdge Scanner IPs | binaryedge.io | Internet exposure scanning. |
| BufferOver Scanner IPs | bufferover.run | DNS-based attack-surface discovery. Small footprint. |
| Cortex Xpanse | Palo Alto Networks | Attack-surface management. Customers may have their own Xpanse subscription scanning their own assets. |
| Driftnet Scanner IPs | driftnet.io | Asset discovery and intelligence. |
| InfraWatch Scanner IPs | InfraWatch | Internet infrastructure monitoring. |
| Internet Census Scanner IPs | Various census projects | Academic and research measurement. |
| InternetTL Scanner IPs | InternetTL | Internet topology mapping. |
| LeakIX Scanner IPs | leakix.net | Open-data leak detection. |
| NetScout Scanner IPs | netscout.com | NetScout ATLAS network intelligence. |
| Nokia Deepfield Scanner IPs | Nokia Deepfield | Internet security analytics. |
| Rapid7 Scanner IPs | rapid7.com | Project Sonar - internet-wide research. Many SOCs explicitly allow Rapid7. |
| Stretchoid Scanner IPs | Stretchoid | Network reconnaissance. |
Default policy guidance
There is no universally right answer. Common starting points:
- Most enterprises: exclude Shadowserver and Rapid7 (high-value research, free abuse reports), block everyone else.
- Public-facing services that want to be discoverable: also exclude Censys, Shodan, BinaryEdge.
- Allow-listed environments: include all RECON lists in a blocklist EDL - your trusted scanners go in My IP Rulesets instead.
- Internal-only systems: include all RECON lists. There's no business reason for any of them to reach you.
How RECON interacts with MAX
MAX excludes RECON IPs at generation time. So:
- If you include MAX only, no RECON IPs are blocked.
- If you include MAX + Censys RECON, Censys IPs are blocked but other RECON providers aren't.
- If you include MAX + Censys RECON and exclude Shadowserver RECON, Censys is blocked; Shadowserver is explicitly allowed, even if it later overlaps with another list; and every other RECON provider is allowed by default.
Excludes always win - see Include / exclude logic.
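The three cases above, worked through as an added example (not ELLIO's code). It assumes the effective EDL is the union of included lists minus every excluded range, evaluated at CIDR level; the feed contents and the overlapping "Other list" are constructed for illustration.

```python
import ipaddress

# Constructed sample feeds (RFC 5737 documentation ranges), not real ELLIO data.
FEEDS = {
    "MAX": ["198.51.100.0/25"],                # generated without RECON IPs
    "Censys RECON": ["192.0.2.0/28"],
    "Shadowserver RECON": ["203.0.113.0/29"],
    # Hypothetical extra list that overlaps the Shadowserver range.
    "Other list": ["203.0.113.0/28"],
}

def _nets(names):
    return [ipaddress.ip_network(c) for n in names for c in FEEDS[n]]

def effective_blocklist(include, exclude=()):
    """Union of included feeds minus every excluded range (excludes win)."""
    blocked = list(ipaddress.collapse_addresses(_nets(include)))
    for ex in _nets(exclude):
        remaining = []
        for net in blocked:
            if not net.overlaps(ex):
                remaining.append(net)            # untouched by this exclude
            elif ex != net and ex.subnet_of(net):
                remaining.extend(net.address_exclude(ex))  # carve the hole
            # otherwise net lies entirely inside ex and is dropped
        blocked = remaining
    return list(ipaddress.collapse_addresses(blocked))

def is_blocked(ip, include, exclude=()):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in effective_blocklist(include, exclude))

if __name__ == "__main__":
    scanners = {"censys": "192.0.2.5", "shadowserver": "203.0.113.3"}
    policies = [
        (["MAX"], []),
        (["MAX", "Censys RECON"], []),
        (["MAX", "Censys RECON", "Other list"], ["Shadowserver RECON"]),
    ]
    for inc, exc in policies:
        verdict = {k: is_blocked(v, inc, exc) for k, v in scanners.items()}
        print(inc, "minus", exc, "->", verdict)
```

In the third policy the hypothetical overlapping list would block the Shadowserver address on its own; the exclude removes only that /29 and leaves the rest of the overlapping range blocked.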