---
title: Attack Tool
description: Datadog, the leading service for cloud-scale monitoring.
---

# Attack Tool

Tactic: [TA0043-reconnaissance](https://attack.mitre.org/tactics/TA0043)

Technique: [T1595-active-scanning](https://attack.mitre.org/techniques/T1595)

### Goal{% #goal %}

Detects when a known security tool performs a scan against your services.

### Strategy{% #strategy %}

The detection rule identifies known security scanners by using common fingerprints associated with the scanners.

The signal severity is set to `LOW` because these tools are mostly used during the [discovery](https://attack.mitre.org/tactics/TA0007/) phase.

The severity is raised to `MEDIUM` if multiple distinct security tools are detected. This may indicate broader [reconnaissance](https://attack.mitre.org/tactics/TA0043/) against your systems.

If the tool discovers a vulnerability, a `HIGH` severity signal is emitted.
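
The severity tiers described above can be sketched as detection logic over request events. This is an added example, not Datadog's rule: the User-Agent fingerprints, the grouping by client IP, the `vulnerability_triggered` field, and the sample events are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Illustrative User-Agent fingerprints (assumed; not Datadog's actual rule list).
SCANNER_FINGERPRINTS = {
    "sqlmap": re.compile(r"sqlmap/", re.I),
    "nikto": re.compile(r"\bnikto/", re.I),
    "nmap": re.compile(r"nmap scripting engine", re.I),
    "nuclei": re.compile(r"\bnuclei\b", re.I),
}

def identify_tool(user_agent):
    """Return the scanner name whose fingerprint matches, or None."""
    for tool, pattern in SCANNER_FINGERPRINTS.items():
        if pattern.search(user_agent or ""):
            return tool
    return None

def score_sources(events):
    """Map each client IP that used a scanner to (severity, sorted tool names)."""
    tools = defaultdict(set)
    vuln_hit = defaultdict(bool)
    for ev in events:
        tool = identify_tool(ev.get("user_agent"))
        if tool is None:
            continue
        ip = ev["client_ip"]
        tools[ip].add(tool)
        # "vulnerability_triggered" is a hypothetical flag set by an upstream check.
        vuln_hit[ip] |= bool(ev.get("vulnerability_triggered"))
    result = {}
    for ip, seen in tools.items():
        # HIGH: a scan hit a vulnerability; MEDIUM: several distinct tools; LOW: one tool.
        sev = "HIGH" if vuln_hit[ip] else "MEDIUM" if len(seen) > 1 else "LOW"
        result[ip] = (sev, sorted(seen))
    return result

# Constructed sample events using documentation address ranges.
SAMPLE_EVENTS = [
    {"client_ip": "192.0.2.10", "user_agent": "sqlmap/1.7.2#stable (https://sqlmap.org)"},
    {"client_ip": "198.51.100.7", "user_agent": "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"},
    {"client_ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"},
    {"client_ip": "203.0.113.5", "user_agent": "sqlmap/1.7.2#stable (https://sqlmap.org)", "vulnerability_triggered": True},
    {"client_ip": "203.0.113.9", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"},
]

if __name__ == "__main__":
    for ip, (sev, seen) in sorted(score_sources(SAMPLE_EVENTS).items()):
        print(ip, sev, ",".join(seen))
```

User-Agent values are client-controlled, so fingerprints like these only identify tools run with their default settings.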

### Triage and response{% #triage-and-response %}

1. Block the attacking IP(s) temporarily to limit vulnerability discovery and service load.
1. Review routes targeted, kinds of attacks performed, and possible application errors to assess the attacker's focus. Datadog Application Vulnerability Management can provide insight into risks of production vulnerabilities.
