Goal

Detects when a commercial vulnerability scanner is performing a scan against your services.

Strategy

The detection rule leverages fingerprints from known security companies to identify activity as a commercial scanner.

The signal is set to LOW severity as the occurrence of spoofing commercial vulnerability scanners is rare, but possible. Detection results from authorized vulnerability scans are typically shared with the customer directly from the vendor or vulnerability management team.

Triage and response

Validate that the commercial vulnerability scanner is authorized to scan your systems and the scans are originating from an expected source IP address. Many commercial scans originate from a source IP address published by the vendor.

If the scan is not authorized:

1. Block the attacking IP(s) temporarily to limit vulnerability discovery and service load.
2. If the scans are originating from a vendor published source IP address, reach out to the vendor to determine the cause of the scan.