---
title: HTTP requests from security scanner
description: Datadog, the leading service for cloud-scale monitoring.
---

# HTTP requests from security scanner

- Classification: attack
- Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)
- Technique: [T1190-exploit-public-facing-application](https://attack.mitre.org/techniques/T1190)

## Goal{% #goal %}

Detect HTTP scanning behavior from user agents associated with common open-source or offensive security tools.

## Strategy{% #strategy %}

This rule monitors OCSF HTTP requests for tool-specific user agents and measures breadth of paths accessed, grouped by `@ocsf.src_endpoint.ip`.

## Triage and response{% #triage-and-response %}

- Confirm whether the requests from `{{@ocsf.src_endpoint.ip}}` belong to an authorized security assessment or are unexpected external scanning.
- Prioritize review when many distinct paths return successful responses.
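
The grouping described under Strategy and the prioritization described under Triage and response, as an added Python example that is not Datadog's rule query. The user-agent markers, the threshold of 3 distinct paths, and the event shape (OCSF-style `http_request.user_agent`, `http_request.url.path`, `http_response.code`) are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed user-agent markers; the rule's actual list is not shown on the page.
SCANNER_UA_MARKERS = ("sqlmap", "nikto", "nuclei", "gobuster", "wpscan", "nmap scripting engine")
PATH_THRESHOLD = 3  # assumed: distinct paths per source IP before a signal is raised

def is_scanner_ua(user_agent):
    return any(m in (user_agent or "").lower() for m in SCANNER_UA_MARKERS)

def detect_scanners(events, threshold=PATH_THRESHOLD):
    """Group scanner-UA requests by src_endpoint.ip and measure path breadth."""
    paths = defaultdict(set)     # ip -> every distinct path requested
    ok_paths = defaultdict(set)  # ip -> distinct paths answered with 2xx
    for ev in events:
        req = ev.get("http_request") or {}
        if not is_scanner_ua(req.get("user_agent")):
            continue
        ip = (ev.get("src_endpoint") or {}).get("ip")
        path = (req.get("url") or {}).get("path")
        if not ip or not path:
            continue  # cannot group or measure breadth without both fields
        paths[ip].add(path)
        code = (ev.get("http_response") or {}).get("code")
        if isinstance(code, int) and 200 <= code < 300:
            ok_paths[ip].add(path)
    signals = [{"ip": ip, "distinct_paths": len(p), "successful_paths": sorted(ok_paths[ip])}
               for ip, p in paths.items() if len(p) >= threshold]
    # Triage order: sources with the most successfully served paths first.
    return sorted(signals, key=lambda s: len(s["successful_paths"]), reverse=True)

def _ev(ip, ua, path, code):
    return {"src_endpoint": {"ip": ip}, "http_response": {"code": code},
            "http_request": {"user_agent": ua, "url": {"path": path}}}

# Constructed sample events (documentation IP ranges), not real traffic.
SAMPLE_EVENTS = [
    _ev("203.0.113.10", "Mozilla/5.00 (Nikto/2.1.6)", "/admin/", 404),
    _ev("203.0.113.10", "Mozilla/5.00 (Nikto/2.1.6)", "/backup.zip", 404),
    _ev("203.0.113.10", "Mozilla/5.00 (Nikto/2.1.6)", "/.git/config", 404),
    _ev("198.51.100.7", "sqlmap/1.7 (https://sqlmap.org)", "/login", 200),
    _ev("198.51.100.7", "sqlmap/1.7 (https://sqlmap.org)", "/search", 200),
    _ev("198.51.100.7", "sqlmap/1.7 (https://sqlmap.org)", "/api/items", 500),
    _ev("198.51.100.7", "sqlmap/1.7 (https://sqlmap.org)", "/login", 200),
    _ev("192.0.2.44", "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0", "/", 200),
    _ev("192.0.2.44", "gobuster/3.6", "/robots.txt", 200),
]

if __name__ == "__main__":
    print(*detect_scanners(SAMPLE_EVENTS), sep="\n")
```

Both flagged sources reach three distinct paths, but only the one with 2xx responses lists successful paths, so it sorts first for review.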
