Google is for recipes and stock tickers. Shodan is for autopsies. You don't ask it questions. You biopsy the internet with it and read the tissue samples. The raw search bar is a scalpel — `apache` will hand you 14 million hosts and tell you to figure it out yourself. Facets are the MRI. They don't just show you what exists. They show you the patterns, the clusters, the systemic failures hiding in plain sight.

If you're still running searches without `facet:` you're looking at pixels and calling it a picture.

Why Facets Are the Only Way to Use Shodan Seriously

A search without facets is a body count. A search with facets is a cause of death.

Run `port:502` and you'll get a wall of Modbus devices. That's trivia. Run `port:502 facet:org` and you get a ranked list of the companies running industrial control systems exposed to the raw internet. Run `port:502 facet:org facet:city facet:ssl.version` and you're suddenly holding a map of critical infrastructure, its owners, its locations, and whether it's encrypted with ciphers that were broken before the last election.

Facets don't just filter. They interrogate. They take the internet's monotone confession and force it into verse. The output isn't data. It's a diagnostic report, and the patient is always the entire IPv4 space.

The Grammar You Need Before You Start

Shodan's query syntax is blunt. It has no patience for natural language. Learn the nouns and the filters or you'll spend your credits on noise.

`port:` is obvious. `port:23` is telnet. `port:47808` is BACnet. `port:20000` is DNP3. If you know the ports, you know the industry. If you don't, you will after the first hundred results.

`product:` is fingerprinting. `product:"nginx"` is a baseline. `product:"nginx" facet:http.favicon.hash` is profiling. Most nginx servers use the default favicon. The hash for it is `-335242539`. Fortinet is `-1272064736`. If you memorize a dozen hashes, you can identify the vendor before the banner even loads. That's not search. That's digital phrenology.

`vuln:` is the loaded query. `vuln:CVE-2021-44228 facet:org` means "show me every organization that hasn't patched Log4Shell, then sort them by who should be most embarrassed." The result isn't a list. It's a subpoena.

`ssl.cert.expired:true` is for finding the companies driving with expired tags. Add `facet:org` and you get a ranked list of operational negligence. Add `facet:ssl.version` and you'll see how many are still negotiating TLS 1.0, which is a cryptographic way of saying "we have given up."

`has_screenshot:true` combined with `port:554` or `port:37777` is the fastest way to end up staring into a warehouse in Jakarta or a gas station in Ohio. It's not illegal. It's just impolite. And it's indexed.

`os:`, `hostname:`, `city:`, `org:` — these are the metadata that turn a flat search into a 3D model. A facet on any of them is a cross-section. Stack three and you have a CAT scan.

Reading the Facet Output Like It Owes You Money

Run this: `apache facet:org facet:city facet:os`

You get back three tables.

```
Top Organizations
Amazon.com, Inc.     1,203,112
DigitalOcean, LLC      890,441
Chinanet               774,002

Top Cities
Ashburn                442,091
Singapore              301,884
Beijing                299,002

Top Operating Systems
Unix                 2,101,443
Windows                  3,112
```

Translation: The modern web is outsourced, centralized in Northern Virginia, and running on Unix systems that predate half the engineers maintaining them. Windows is a rounding error. Ashburn is where the cloud lives, and the cloud is where the misconfigurations breed.

That's one query. Three facets. A complete thesis on infrastructure monoculture.

Now make it mean something. `port:445 facet:smb.version`

SMBv1 is the protocol equivalent of taping your house key to the front door. The facet result:


```
1     98,441
2    412,003
3  1,204,112
```

Ninety-eight thousand devices are still advertising SMBv1 in 2026. The EternalBlue patch shipped in 2017. These boxes have survived three administrations, two hardware refresh cycles, and every "zero trust" initiative their companies announced on LinkedIn. They are still online. Still vulnerable. Still indexed.

That's the poetry. Not the number. The fact that the number exists.

Queries That Hit Like Case Files

You don't need a huge list. You need five queries that each tell a story. Here's the starter pack:

1. The Unpatched Hall of Shame


```
vuln:CVE-2021-44228 facet:org facet:product facet:country
```

Log4Shell never died. It just got jobs in middle management. This query shows you who, running what, where. The `product` facet is key — it separates the `VMware Horizon` installs from the `Minecraft servers`. Both are bad. One is worse.

2. The Expired Certificate Census


```
ssl.cert.expired:true port:443 facet:org facet:ssl.issuer
```

Expired certs are a canary for operational health. If they can't automate cert renewal, what else are they not doing? The `ssl.issuer` facet tells you if it's Let's Encrypt laziness or enterprise PKI rot.

3. The Industrial Exposure Map


```
port:102,502,47808 facet:city facet:org
```

102 is Siemens S7. 502 is Modbus. 47808 is BACnet. This is factories, power, and building automation. The `city` facet turns it into a map of physical risk. The `org` facet tells you if it's residential ISPs — and it usually is. The line between "critical infrastructure" and "Comcast DHCP" is thinner than anyone wants to admit.

4. The Favicon Fingerprint Audit


```
product:"nginx" facet:http.favicon.hash facet:org
```

Default favicons are a signal. Not of vulnerability, but of care. A custom favicon means someone touched the config. A default means it was installed and forgotten. Sort by `org` and you see which companies have fleets of forgotten nginx proxies. That's your attack surface.

5. The Telnet Graveyard

```
port:23 facet:ssh.version facet:org
```

If `ssh.version` even shows up in a port 23 search, something is deeply wrong. But the real value is in the `org` facet. It's always ISPs, always hotels, always the same three vendors who haven't shipped a firmware update since 2014. This query is how you find the devices that still think the internet is a friendly place.

How to Actually Use This Without Becoming an Incident Report

Step 1: Start with a behavior, not a keyword. Don't search `webcam`. Search `has_screenshot:true port:554`. One is a noun. The other is an artifact. Behaviors are harder to fake.

Step 2: Facet until the story appears. One facet is a clue. Two facets is a correlation. Three facets is a case file. `product:"MongoDB" Authentication:false facet:org facet:country` is not a search. It's a breach report waiting for a timestamp.

Step 3: Read the zeros. The most important facet result is the one that doesn't show up. Run `port:22 facet:ssh.version` and if you don't see `SSH-1.99` in the list, that's good news. It means someone, somewhere, did their job. Document the absence. Absence is data.

Step 4: Export and pivot. The web UI is for reconnaissance. The CLI is for analysis.



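```
shodan download --limit 20000 exposed_rdp "port:3389 has_screenshot:true"
shodan parse --fields ip_str,port,org,city exposed_rdp.json.gz
# Facet counts come from the stats subcommand; parse has no facet option
shodan stats --facets org,city "port:3389 has_screenshot:true"
```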

Now you have a dataset. Open it in whatever tool you trust. Cross-reference with Censys. Feed it to your own scripts. This is how you build a picture of the internet that your employer would call "unauthorized monitoring" and you call "situational awareness."

Step 5: Don't touch. Scanning is research. Interacting is a crime. If your query returns a login page, you close the tab. You're mapping the terrain, not invading it. The moment you send a packet beyond the banner grab, you're not a researcher. You're evidence.
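Steps 3 and 4 can be done offline against an export, scoped to address space you are responsible for. The script below is an added example, not part of the original post: `OWNED_NETS`, `WATCHED`, `field` and `local_facets` are hypothetical names, the records are constructed, and it assumes Shodan's banner layout (`ip_str`, `org`, `location.city`, and `ssl.versions` where a leading `-` marks a version the host refused).

```python
import ipaddress
import json
from collections import Counter

# Assumption: the networks you are responsible for (documentation ranges here).
OWNED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
WATCHED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # legacy protocol versions to track

# Constructed sample records, one JSON banner per line as in an export file.
SAMPLE = """\
{"ip_str": "203.0.113.10", "port": 443, "org": "Example Corp", "location": {"city": "Ashburn"}, "ssl": {"versions": ["TLSv1", "TLSv1.2", "-SSLv3"]}}
{"ip_str": "203.0.113.11", "port": 443, "org": "Example Corp", "location": {"city": "Ashburn"}, "ssl": {"versions": ["TLSv1.2", "-TLSv1", "-SSLv3"]}}
{"ip_str": "198.51.100.7", "port": 3389, "org": "Example Hosting", "location": {"city": null}}
{"ip_str": "192.0.2.99", "port": 443, "org": "Someone Else", "location": {"city": "Singapore"}, "ssl": {"versions": ["SSLv3"]}}
"""

def field(banner, dotted):
    """Resolve a dotted path such as 'location.city'; None when any part is missing."""
    cur = banner
    for key in dotted.split("."):
        cur = cur.get(key) if isinstance(cur, dict) else None
    return cur

def local_facets(lines, facets):
    """Count facet values for owned hosts; report watched versions seen and absent."""
    counts = {f: Counter() for f in facets}
    legacy = Counter()
    for line in lines:
        if not line.strip():
            continue
        banner = json.loads(line)
        ip = ipaddress.ip_address(banner["ip_str"])
        if not any(ip in net for net in OWNED_NETS):
            continue  # out of scope: not an address we own
        for f in facets:
            value = field(banner, f)
            counts[f][value if value is not None else "(none)"] += 1
        for v in field(banner, "ssl.versions") or []:
            if v in WATCHED:  # "-TLSv1" means probed and refused, so it never matches
                legacy[v] += 1
    absent = [v for v in WATCHED if legacy[v] == 0]  # Step 3: document the zeros
    return counts, legacy, absent

if __name__ == "__main__":
    counts, legacy, absent = local_facets(SAMPLE.splitlines(), ["org", "location.city"])
    print(counts["org"].most_common(), dict(legacy), "absent:", absent)
```

For a real export, pass `gzip.open("exposed_rdp.json.gz", "rt")` as `lines` in place of the sample.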

The Daily Query I Actually Run

I have a cron job. It's not complicated. It's not secret. It's just a sanity check.


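```
# Host list: IP, port, org and hostnames for each match
shodan search --fields ip_str,port,org,hostnames \
  "ssl.cert.expired:true port:443 -org:\"Shodan\" -org:\"Censys\""
# Facet summary: stats is the subcommand that accepts --facets
shodan stats --facets org:10,city:10,ssl.version:10 \
  "ssl.cert.expired:true port:443 -org:\"Shodan\" -org:\"Censys\""
```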

Exclude the scanners so you don't just watch scanners scanning scanners. The output is my morning paper.

Today's top lines:

```
Top Organizations
Charter Communications   8,112
Comcast Cable            7,901
AT&T Services            6,443

Top SSL Versions
TLSv1.2                 19,441
TLSv1.0                  2,112
SSLv3                       44
```

Forty-four devices are still negotiating SSLv3. That protocol was deprecated in 2015. It's not encryption. It's archaeology. And it's still answering on port 443, attached to real organizations, with real customer data behind it.

That's the point of all this. Not to scare you. Not to flex. To point out that the internet is a place built by people, and people forget, and people get busy, and people assume someone else renewed the cert. Facets make that forgetting visible. They turn entropy into a bar chart.

Final Thought: The Internet Is Flat and Everything Is Touching

Run `port:102 facet:org` one last time. Port 102 is Siemens S7, the protocol that runs factories and water plants and power distribution.

The top orgs are not Siemens. They're not utilities. They're `Comcast Cable`, `AT&T Internet Services`, `Verizon Business`.

Residential ISPs. Your home IP is one hop away from infrastructure that can open a valve or drop a grid segment. The boundary between "enterprise" and "consumer" and "industrial" is a routing table, not a firewall.

Shodan doesn't create that reality. It just indexes it. Facets don't hack anything. They just refuse to let you pretend it's not there.

If you work a corporate job and IT sees these queries in your history, you'll get a meeting. If legal sees your exports, you'll get a conversation.

But you don't work there. You work here. In the quiet spaces between banners and handshakes. And every day, you can open a terminal, ask the internet a hard question, and get an honest answer.

The only thing unethical is pretending you didn't see it.

If you want to be free, start by building a toolkit your boss would be afraid to understand. Then use it to look at the world as it actually is. Facets first.
