
What Censys's OpenClaw Count Reveals That February's Headlines Did Not

Autonomous agents that can read your files, run commands, and install third-party skills deserve more scrutiny than most teams are giving them. - Photo by Volodymyr Dobrovolskyy / Unsplash

31st March 2026


OpenClaw's internet-facing exposure has fallen sharply since the February 2026 peak. Public scrutiny, repeated security warnings, and operational changes by some operators appear to have had a real effect. That is good news, and it is worth saying clearly before anything else.

It is also roughly half the story.

Censys application-layer fingerprinting confirmed 63,070 live OpenClaw instances on 31 March 2026, with scan times verified on the day. Those hosts responded to active probes. They are live. Across those machines, SSH is open on the majority of hosts, web servers on roughly half, and database services including MySQL, PostgreSQL, and Redis on thousands more. An operator who closed port 18789 removed their instance from the headline count. They might not have removed OpenClaw from a machine sitting alongside a production database.

That is the gap between "cleaned up" and "secured", and it is an important distinction to note post-incident.

Closing a port removes an instance from an internet scan. It does not change what OpenClaw can do once it is running, what permissions it holds, or what sits on the same machine. A security team that scans, finds nothing, and marks the risk resolved is measuring visibility. Visibility and safety are not the same thing, and for AI agents with broad system access the gap between them is wider than it is for most software.

If your organisation has evaluated its OpenClaw exposure and drawn a conclusion, the question worth asking is: what exactly was measured?


The Exposure Has Fallen. What That Does and Does Not Mean.

The February SecurityScorecard figure of 135,000 exposed instances represented the peak of public internet exposure. By 31 March 2026, Censys application-layer fingerprinting confirmed 63,070 live instances, a reduction of roughly 53% over six weeks when comparing the two methodologies directly. That drop is consistent with real behaviour change: patching, localhost rebinding, firewall updates, and operators choosing safer configurations after seeing the vendor and research coverage.

Exposure at scale rarely falls this fast without something changing operationally.

What changed is visibility, not architecture. The hosts that dropped out of the count mostly stopped advertising themselves to the public internet. The permission model that gives any loaded OpenClaw skill system-level access is unchanged. The ClawHub trust problem is unchanged. The prompt injection risk that Snyk found in 36% of all available skills is unchanged (Snyk, 2026).

Closing a port is not the same as fixing the thing behind it.

The Censys data makes the co-located picture concrete. One instance in Malaysia runs on a Synology NAS alongside RDP and a PPTP VPN. One in China runs OpenClaw on the same machine as OpenVPN, L2TP, and PPTP. An operator who closed port 18789 on a host like these removed their instance from the headline count and left everything else on the machine exactly as it was.

The Censys data cannot tell us exactly what data sits alongside OpenClaw on those machines, but it does show database services co-located on thousands of the confirmed hosts. Whether those databases are empty test instances or carry live data is unknown. The point is that the exposure count and the actual risk profile are different measurements.


Why No Two Sources Report the Same OpenClaw Number

SecurityScorecard reported 135,000 in February. Censys confirmed 63,070 on 31 March 2026. Both figures are methodologically sound. They are measuring different things, at different times, using approaches that are closer to each other than either is to a raw port scan.

Censys uses application-layer fingerprinting: HTTP headers, TLS certificate patterns, and response signatures that identify the application regardless of whether it self-identifies in its banner. Censys grew out of the ZMap research project at the University of Michigan, and its scan data is used as primary research by government security researchers and enterprise security teams. When Censys published its own OpenClaw exposure analysis in January 2026, it became the reference source for the early count trajectory.

SecurityScorecard's STRIKE team uses a comparable methodology with their own continuous scanning infrastructure, which is why their February figure and the March Censys figure sit in the same order of magnitude.

For comparison, Shodan's banner-matching query against the same ports returns a fraction of either figure. Banner matching only finds hosts that explicitly identify the software in their service response, a conservative method that understates real exposure. It is a useful corroboration check rather than a primary measurement tool for this type of research.
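As an added illustration (not code from this article, from Censys, or from any scanner), the script below models the distinctions drawn above and in the co-location paragraphs: application-layer fingerprinting versus banner matching, the scan_time cut-off used in the research-note query, and the co-located services that a port count never shows. The host records, field names and IP addresses are constructed to resemble the query's fields and are not real Censys API output.

```python
from collections import Counter

# Constructed sample host records (not real scan data), loosely shaped like the
# fields in the Censys query on this page: port, software.product, scan_time.
# "product" stands in for the application-layer fingerprint; "banner" is the raw response text.
HOSTS = [
    {"ip": "203.0.113.10", "services": [
        {"port": 18789, "product": "openclaw", "banner": "Server: OpenClaw Gateway", "scan_time": "2026-03-31"},
        {"port": 22, "product": "openssh", "banner": "SSH-2.0-OpenSSH_9.6", "scan_time": "2026-03-31"},
        {"port": 3306, "product": "mysql", "banner": "", "scan_time": "2026-03-31"}]},
    {"ip": "203.0.113.20", "services": [  # fingerprinted, but the banner does not self-identify
        {"port": 18789, "product": "openclaw", "banner": "HTTP/1.1 200 OK", "scan_time": "2026-03-31"},
        {"port": 6379, "product": "redis", "banner": "", "scan_time": "2026-03-31"}]},
    {"ip": "203.0.113.30", "services": [  # non-default OpenClaw port
        {"port": 18791, "product": "openclaw", "banner": "HTTP/1.1 200 OK", "scan_time": "2026-03-31"},
        {"port": 5432, "product": "postgresql", "banner": "", "scan_time": "2026-03-31"}]},
    {"ip": "203.0.113.40", "services": [  # stale observation, dropped by the scan_time filter
        {"port": 18789, "product": "openclaw", "banner": "Server: OpenClaw Gateway", "scan_time": "2026-03-20"},
        {"port": 22, "product": "openssh", "banner": "SSH-2.0-OpenSSH_9.6", "scan_time": "2026-03-31"}]},
    {"ip": "203.0.113.50", "services": [  # OpenClaw rebound to localhost: invisible to any external scan
        {"port": 22, "product": "openssh", "banner": "SSH-2.0-OpenSSH_9.6", "scan_time": "2026-03-31"},
        {"port": 3306, "product": "mysql", "banner": "", "scan_time": "2026-03-31"}]},
]

OPENCLAW_PORTS = {18789, 18791, 18792, 18793}   # the ports the research note queried
RISKY_COLOCATED = {"openssh", "mysql", "postgresql", "redis"}

def fingerprint_match(svc):
    """Application-layer style: trust the identified product, not the banner text."""
    return svc["product"] == "openclaw"

def banner_match(svc):
    """Shodan-style: only hosts whose raw response names the software."""
    return "openclaw" in svc["banner"].lower()

def confirmed_openclaw(hosts, matcher, since):
    """(host, service) pairs that match and were scanned after `since` (ISO date, string compare)."""
    for host in hosts:
        for svc in host["services"]:
            if svc["port"] in OPENCLAW_PORTS and svc["scan_time"] > since and matcher(svc):
                yield host, svc

def count_by_port(hosts, matcher, since="2026-03-30"):
    """Headline exposure count per port, as in the research note's table."""
    return dict(Counter(svc["port"] for _, svc in confirmed_openclaw(hosts, matcher, since)))

def colocated_risk(hosts, since="2026-03-30"):
    """Per confirmed host, the sensitive services sharing the machine: what the count never shows."""
    return {h["ip"]: sorted(s["product"] for s in h["services"] if s["product"] in RISKY_COLOCATED)
            for h, _ in confirmed_openclaw(hosts, fingerprint_match, since)}
```

On the constructed hosts, fingerprinting confirms three instances across two ports, banner matching finds one, and the host that rebound to localhost appears in neither count while still sitting next to MySQL.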

The table below shows the three-source picture:

| Tool              | Method                                               | Result             | Date          |
|-------------------|------------------------------------------------------|--------------------|---------------|
| Censys            | Application-layer fingerprint, confirmed scan_time   | 63,070             | 31 March 2026 |
| SecurityScorecard | Application-layer fingerprint (peak)                 | 135,000            | February 2026 |
| GreyNoise         | Active probe traffic, port 18789                     | 9,993 scanning IPs | 31 March 2026 |

The GreyNoise figure adds a dimension that exposure counts alone cannot capture. Port 18789 continues to be actively probed by malicious infrastructure. Port 18789 is not OpenClaw-exclusive, so this is not evidence of targeted hunting. But it tells you that an operator who rebinds to localhost disappears from the Censys count, not from the attackers' sweep, which carries on regardless.

When your security team reports the scan came back clean, the follow-up is: which tool, which query, and did the scan cover infrastructure outside your registered IP ranges? The Censys data includes OpenClaw instances on DigitalOcean, Hetzner, Oracle Cloud, and Google Cloud. Those providers host everything from potential enterprise shadow IT deployments to individual developers running side experiments.

The security implication is the same in either case: if someone is running OpenClaw on a personal or unregistered cloud account that has access to work credentials, APIs, or data, a corporate scan of your registered address space will not find it. Whether that is deliberate shadow IT or a developer testing something on their own account, the exposure is real and the scan will miss it.


What the Geographic Breakdown Reveals About the Remaining Exposure

The geographic breakdown is the part of the Censys picture that had not been updated since the February peak. Early reporting, including Censys's own blog post and SecurityScorecard's disclosure, noted Chinese concentration at that time, with Alibaba Cloud hosting a significant share. The 31 March scan provides a current picture.

Approximately half of the 63,070 confirmed live instances sit on Chinese hyperscaler infrastructure: Tencent (14,000 hosts), Alibaba (approximately 12,000), and Baidu (5,400). The remainder is distributed across European and US cloud providers, with smaller concentrations in Singapore, Japan, and Germany.

On 11 March 2026, Chinese authorities issued restrictions preventing state-run enterprises and government agencies from installing OpenClaw on office devices (Bloomberg, March 2026). Bank employees were directed to declare existing installations for security review. The restrictions extended to personal phones connected to company networks.

The Censys data covers a different population. The hosts in the Tencent, Alibaba, and Baidu ranges are cloud VMs, developer deployments, and startup infrastructure, not government or state enterprise systems. SecurityScorecard noted that China's OpenClaw usage is almost double that of the US.

Reports from early March described mass install events outside Tencent's headquarters in Shenzhen, with local governments in Shenzhen and Wuxi actively subsidising companies building on OpenClaw (Fast Company, Tom's Hardware, March 2026).

For practitioners tracking exposure, the geographic concentration has a specific security implication. OpenClaw security coverage in Chinese-language media has not reached the depth of the English-language disclosure from SecurityScorecard, Antiy CERT, and Snyk. The configuration changes and hardening guidance that followed that coverage reached operators who encountered it. The data suggests many operators on Chinese cloud infrastructure have not.


Why This Case Keeps Getting Cited

The exposure spike is being cleaned up. The underlying problem has not been solved. The reason the industry has not moved on from OpenClaw as a reference case is that these two things are easy to confuse, and the confusion has real consequences for how teams assess their own risk.

NemoClaw, NVIDIA's enterprise security layer announced at GTC 2026, addresses this directly. Its architecture tackles sandboxing, policy enforcement, and network egress at the infrastructure level rather than patching individual CVEs. The implication is explicit: the CVE-by-CVE approach does not fix the trust model. That is a significant concession, and one the industry needed to make out loud.

OpenClaw keeps getting cited because it compresses several unresolved questions of agentic AI into one concrete example: what happens when a system with broad permissions, a community registry with no meaningful vetting, and a design philosophy that prioritises capability over containment encounters an adversary who understands all three. The exposure count falling does not answer that question.

For the broader MCP and AI agent risk landscape, the AI agent security risks guide covers the structural issues that OpenClaw made visible but did not invent.


FAQ

How many live OpenClaw instances are currently confirmed on the internet?

Censys application-layer fingerprinting, with scan times confirmed on 31 March 2026, identified 63,070 live OpenClaw instances. This is the most methodologically current public figure available. SecurityScorecard's February figure of 135,000 used a comparable approach and represents the population before six weeks of patching, localhost rebinding, and firewall changes reduced the visible footprint. The two figures are comparable because both use application-layer fingerprinting rather than banner matching.

Why do different security tools report such different OpenClaw exposure numbers?

Tools that use application-layer fingerprinting, including Censys and SecurityScorecard, identify OpenClaw through HTTP headers, TLS certificate patterns, and response signatures regardless of whether the service self-identifies. Tools that use banner matching only find hosts that explicitly name the software in their response. Running both methods on the same day can return figures that differ by a factor of 1,000 for the same underlying question. Neither is wrong. They are precise answers to different questions, and understanding the difference is the most useful thing a security team can take from this analysis.

Did public disclosure reduce OpenClaw's attack surface?

The confirmed live count fell from approximately 135,000 in February to 63,070 on 31 March 2026, a reduction of roughly 53% over six weeks. This is consistent with patching, localhost rebinding, firewall changes, and operators avoiding public exposure after seeing the security coverage. Whether the reduction reflects genuine security hardening or configuration changes that leave the underlying trust model intact is a separate question. The visible footprint has shrunk. The architectural risk has not changed.

What does the geographic concentration of exposed OpenClaw instances reveal?

Approximately half of the confirmed instances in the 31 March data are on Chinese hyperscaler infrastructure: Tencent, Alibaba, and Baidu. Early February reporting noted Chinese concentration at the peak, but no post-restriction analysis had examined whether commercial deployment continued. The 31 March Censys data shows it has. The Chinese government's 11 March restriction targeted state institutions specifically. The commercial and consumer deployment layer, which is what the Censys data captures, is a different population and has not slowed.


Research note: 31 March 2026

Primary research: Censys

Base query run against ports 18789, 18791, 18792, and 18793:

host.services: (port: 18789 and software.product: "openclaw" and endpoints.scan_time>"2026-03-30")

| Port  | Confirmed live instances |
|-------|--------------------------|
| 18789 | 63,005                   |
| 18791 | 37                       |
| 18792 | 8                        |
| 18793 | 20                       |
| Total | 63,070                   |

Primary research: GreyNoise

Query: port:18789. Result: 9,993 scanning IPs on 31 March 2026, of which 3,282 classified malicious.

Sources cited

  • SecurityScorecard STRIKE team, OpenClaw internet exposure analysis (February 2026)
  • Censys, OpenClaw in the Wild: Mapping the Public Exposure of a Viral AI Assistant (January 2026)
  • Bloomberg, China Moves to Limit Use of OpenClaw AI at Banks, Government Agencies (March 11, 2026)
  • Fast Company, China went crazy for OpenClaw. Now it's working to ban it (March 2026)
  • NBC News, In China, a rush to raise lobsters quickly leads to second thoughts (March 2026)