cloud1
cloud2
cloud3
cloud4
cloud5
cloud6
← Back to annotator catalog
Scan velocity signal illustration
Annotator scan_velocity

Scan velocity

High request rate and broad endpoint coverage suggest scanning or automated enumeration.

How It Works Recent Real Samples

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Rapid request cadence
  • Broad endpoint coverage within a short window
  • Compound scanning indicators summarized into one velocity score
Logic
  • It always emits a window summary plus up to a handful of strongest contributors.
  • Severity is derived from the combined score of rate, breadth, and pattern hints.
  • This is the tempo layer that explains systematic enumeration.
How To Read It
When this fires strongly, the client is behaving like an active scan rather than a human browsing session.
Catalog Definition
Flags clients that hit many endpoints quickly, sustain a cadence inconsistent with human browsing, or enumerate routes and resources systematically. This is a tempo-and-breadth signal: requests-per-minute, unique-path count, and burst patterns tend to be the most explanatory features. Legitimate crawlers/monitors can trigger this and should be handled with allowlists or policy context.

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week
2026W13
Lookback
30 days
Total matched
119101
Latest sample
Mar 01, 2026 • 23:59
Top rules
scanv:unique_paths · 4 scanv:window · 3 scanv:rpm · 3
Top requester orgs
Anthropic, PBC · 10
Severity mix
10 · 7 informational · 3
Method mix
GET · 10
GET 200 10
Mar 01, 2026 • 23:59
/report_ipaddress/ip/160.152.62.28/
Scan-velocity indicator: scanv:unique_paths
IP 216.73.216.103 Subnet 216.73.216.0/24 Org Anthropic, PBC Country United States Rule scanv:unique_paths
GET 200 informational
Mar 01, 2026 • 23:59
/report_ipaddress/ip/160.152.62.28/
Scan-velocity window summary
IP 216.73.216.103 Subnet 216.73.216.0/24 Org Anthropic, PBC Country United States Rule scanv:window
GET 301 10
Mar 01, 2026 • 23:36
/report_subnet/subnet/78.121.50.0/24
Scan-velocity indicator: scanv:unique_paths
IP 216.73.216.103 Subnet 216.73.216.0/24 Org Anthropic, PBC Country United States Rule scanv:unique_paths
GET 301 10
Mar 01, 2026 • 23:36
/report_subnet/subnet/78.121.50.0/24
Scan-velocity indicator: scanv:rpm
IP 216.73.216.103 Subnet 216.73.216.0/24 Org Anthropic, PBC Country United States Rule scanv:rpm
GET 301 informational
Mar 01, 2026 • 23:36
/report_subnet/subnet/78.121.50.0/24
Scan-velocity window summary
IP 216.73.216.103 Subnet 216.73.216.0/24 Org Anthropic, PBC Country United States Rule scanv:window
GET 301 10
Mar 01, 2026 • 23:35
/report_subnet/subnet/184.22.181.0/24
Scan-velocity indicator: scanv:unique_paths
IP 216.73.216.103 Subnet 216.73.216.0/24 Org Anthropic, PBC Country United States Rule scanv:unique_paths
GET 301 10
Mar 01, 2026 • 23:35
/report_subnet/subnet/184.22.181.0/24
Scan-velocity indicator: scanv:rpm
IP 216.73.216.103 Subnet 216.73.216.0/24 Org Anthropic, PBC Country United States Rule scanv:rpm
GET 301 informational
Mar 01, 2026 • 23:35
/report_subnet/subnet/184.22.181.0/24
Scan-velocity window summary
IP 216.73.216.103 Subnet 216.73.216.0/24 Org Anthropic, PBC Country United States Rule scanv:window
GET 429 10
Mar 01, 2026 • 23:35
/report_subnet/subnet/85.144.217.0/24/
Scan-velocity indicator: scanv:unique_paths
IP 216.73.216.103 Subnet 216.73.216.0/24 Org Anthropic, PBC Country United States Rule scanv:unique_paths
GET 429 10
Mar 01, 2026 • 23:35
/report_subnet/subnet/85.144.217.0/24/
Scan-velocity indicator: scanv:rpm
IP 216.73.216.103 Subnet 216.73.216.0/24 Org Anthropic, PBC Country United States Rule scanv:rpm