Shodan has a reputation as a script kiddie tool in some corners of the security world. Meh. When properly used, it can surface very interesting data. Say, the fact that a cyber security firm based outside the US and providing services worldwide, has a primary website currently returning 23 CVEs including two going back to 2010.
Qualys SSL Labs (yes, I primarily use freeware) returns an A+ rating on the site. PassiveTotal returns no obvious issues - though I didn't dig deep as this is another volunteer effort on my part. VirusTotal shows nothing of import. Neither does Netcraft. And yet...
The company has been notified; we'll see what happens.
Then there's the company I contacted a month ago regarding its' website's five active CVEs; they fixed that issue - temporarily. Their site returns six vulns as of last night.