Heimdall assumes that when a new vulnerability is disclosed and an exploit goes public, criminals build scanners to detect the internet-reachable machines affected by the new vulnerability. If these machines are found and compromised, criminals often use them for other activities (C&C panel, redirect to cloned sites, cloned sites, etc.). The goal of Heimdall is to track and monitor as many machines as possible on the internet that are affected by specific vulnerabilities. The data gathered by Heimdall is used to create time-series statistics of the vulnerability’s life cycle and to further track the affected machines that could become new sources of attacks. Heimdall is integrated with Google’s dork engine as well as with the Shodan APIs. Since Heimdall’s structure is modular, it can easily integrate new scanners, allowing a community to track new threats.