The new year has already begun, so it’s time to look back on 2025 and list what we’ve accomplished at ONYPHE. It’s also time to talk about upcoming developments. And once again, they’re ambitious, as they are every year for us.
First major development: the scanning platform
For over a year, we’ve been rebuilding our storage platform and, by 2025, our internet scanning architecture. We’re proud to announce that our platform is now fully horizontally scalable, enabling us to scan tens of thousands of ports—just like our leading competitor.
In just one year, our data collection volume has surged from 21TB per month to 125TB per month, marking a 500% increase. We’ve also expanded both the number of ports scanned and the refresh rate. Previously, we scanned over 1,300 ports weekly; now, we scan more than 2,600, with weekly updates.
We’ve also scaled up our URL scanning. We now process 40 million URLs daily. While we’re not Google, we’re proud of this milestone, as it allows us to identify internet-exposed assets that our competitors miss.
Our DNS query capacity has grown significantly as well. Each month, we generate over 7 billion DNS queries to build our passive DNS database. Additionally, we now brute-force more subdomains than before—30 instead of 10. Our domain name inventory has exceeded 400 million entries, and our subdomain inventory has surpassed 7 billion.
We’ve also implemented real-time DNS queries for every newly detected domain name, using the following record types:
- A, AAAA, PTR ;
- NS, SOA, MX ;
- TXT, SPF ;
- CNAME, DNAME.
Our CTISCAN product, launched last year, has now reached maturity. In 2025, we introduced new CTI pivots, including:
- Improved favicon collection;
- HHHash fingerprints (see Improving classification and correlation of HTTP servers crawled/scanned);
- JA3S footprints;
- JA4S footprints;
- Automatic TLS detection, regardless of port.
A full description of the data model is available on our Docs portal, along with example queries.
Need a brief introduction to CTISCAN? Contact us at support[at]onyphe{dot}io
Operation: let’s kill the technical debt
We’ve also started a complete rewrite of our codebase with one clear objective: eliminating technical debt. Several key components have already been fully reviewed—and improved in the process:
- Certificate Transparency Logs (CTL) data collection engine
- Today we likely offer the best CTL collection solution on the market
- All collected domain names are processed through our DNS brute-force engine.
- DNS resolution engine
- Enhanced performance and expanded support for more resource records
- Eliminated brute-forced subdomains
- The UDP scanning engine
- Our goal: to significantly increase scanning capacity
- Scan UDP over IPv6
Product updates for “ASM Edition”
Our “ASM Edition” is designed specifically for attack surface management. The goal of this product is to identify risks associated with internet-exposed assets, making the RISKSCAN category central to its function
Additionally, data collected from CTISCAN is now directly integrated into RISKSCAN. As more ports are being scanned more risks now identified. RISKSCAN itself is built by analyzing data from DATASCAN, VULNSCAN, and CTISCAN. Previously, data was integrated hourly, but it is now processed in real time.
During 2025, we also introduced the following enhancements:
- Integration of IPv6 scanning into the product;
- Automatic scans enabled via On-Demand Scanning APIs
- Dedicated dashboards for on-demand scanning;
- The ability to launch On-Demand scans directly from the interface
Export and download of raw data
With the dramatic increase in data collection, we needed to upgrade our storage servers for raw data—both for on-premise use by our clients and to enable real-time exports.
For our “raw data” customers, the new data export architecture delivers the following benefits:
- Near real-time exports, with files available within one hour (previously, this took a full day).
- Uncompressed data access for 48 hours, with the option to compress files “on-the-fly” for download.
- 18 months of accessible historical data (compared to just a few months previously).
Other new features
Our new query language, OQLv2 (ONYPHE Query Language), is now production-ready. It introduces advanced search capabilities, including support for search groups. You can explore the documentation for this latest version here.
Additionally, we’ve launched dedicated APIs for attack surface discovery, currently available in BETA. These APIs are expected to reach full production readiness later this year. You can start testing them now using the online documentation.
Roadmap 2026
This past year was marked by significant developments and major advancements, positioning us as one of the leading players in the internet scanning market. And we’re just getting started. Here’s what we have planned for this year:
- New website featuring our product lineup and pricing;
- ASD APIs moving to production-ready status;
- 10,000 ports scanned in CTISCAN;
- Expanded UDP port scanning
- IPv6 scanning in CTISCAN;
- Increased ports scanned from China (CN);
- JARM support in CTISCAN, the latest key pivot for CTI;
- For “ASM Edition“:
- An Inventory API
- The ability to add tags to assets via the web interface
- The ability to add assets to a block list from the web interface
- Dedicated dashboards for alerts.
Some key metrics from the previous 12 months
- Number of ports scanned: from 1300+ to 2600+ per week;
- Number of banners collected: from 5 billion to 8 billion+ per month;
- Number of DNS queries: from 4 billion to 8 billion+per month;
- Storage capacity: from 300TB to 500TB;
- Known domain names: from 300M to 400M+;
- Known FQDNs: from 3 billion to 7 billion+;
- Critical CVEs identified: 110 to 160+
And that’s just a subset of what we collect:
Conclusion
We’re continuing our mission to establish ourselves as a key player in the specialized field of internet scanning. To see how far we’ve come in just a few years, check out our previous retrospective:
Another big piece of news: we’re hiring! Job descriptions are available here:
- CTI analyst (in French only)
- Technical Salesperson (in French only)
- Perl developer & FreeBSD sysadmin (in French only)
You can continue to rely on us to maintain our position as the European leader in ASD, ASM, and CTI—and to seriously challenge the American giant in the space. (We’re pretty sure they’re paying attention.)
Do you have any questions? Contact us at support[at]onyphe{dot}io
