Annotator scan_velocity

Scan velocity

High request rate and broad endpoint coverage suggest scanning or automated enumeration.

Attack family · Enumeration and systematic scanning
Phase · Reconnaissance
Risk · High

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Rapid request cadence
  • Broad endpoint coverage within a short window
  • Compound scanning indicators summarized into one velocity score
Logic
  • It always emits a window summary plus up to a handful of the strongest contributors.
  • Severity is derived from the combined score of rate, breadth, and pattern hints.
  • This is the tempo layer that explains systematic enumeration.
Attack Family
Enumeration and systematic scanning
Velocity is one of the clearest differences between curiosity and campaign behavior. Fast, broad traversal means the client is trying to map the surface, not use it.
Damage Patterns
  • High-cadence scanning finds the weak endpoints that slower manual browsing would miss.
  • Velocity also compresses defender response time by letting one operator test many hypotheses before controls adapt.
Incident Lore
  • Mass exploitation waves usually had a scanning phase first, even if it lasted only minutes.
  • The biggest damage often comes from defenders treating rapid low-value misses as harmless, only to discover that the misses were target selection.
How To Read It
When this fires strongly, the client is behaving like an active scan rather than a human browsing session.
Defender Takeaway
When tempo spikes, think campaign. The question is what the client is trying to inventory before choosing the next step.
Catalog Definition
Flags clients that hit many endpoints quickly, sustain a cadence inconsistent with human browsing, or enumerate routes and resources systematically. This is a tempo-and-breadth signal: requests-per-minute, unique-path count, and burst patterns tend to be the most explanatory features. Legitimate crawlers/monitors can trigger this and should be handled with allowlists or policy context.
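
One way to implement the tempo-and-breadth scoring defined above, as an added example that is not the annotator's own code. The rule names come from this page; the thresholds, weights, extension list, allowlist behaviour, and the choice to put the combined score on each emitted indicator are assumptions.

```python
from collections import namedtuple
from posixpath import splitext

Event = namedtuple("Event", "ts ip path status")  # ts in epoch seconds

# Assumed values: the page publishes no thresholds, weights or extension list.
MAX_CONTRIBUTORS = 3
EMIT_AT = 10
PROBE_EXTS = {".php", ".asp", ".aspx", ".jsp", ".bak"}

def annotate(events, allowlist=frozenset()):
    """Annotate one client's requests from a single time window.

    Returns (rule, severity) pairs: one scanv:window summary, then the
    strongest pattern indicators, each carrying the combined score.
    """
    if not events or events[0].ip in allowlist:
        return []  # allowlisted crawlers/monitors are not scored (assumption)
    span = max(e.ts for e in events) - min(e.ts for e in events)
    rpm = len(events) * 60 / max(span, 1)                # tempo
    paths = {e.path for e in events}                     # breadth
    misses = sum(e.status == 404 for e in events) / len(events)
    probes = sum(splitext(p)[1].lower() in PROBE_EXTS for p in paths)

    hints = {}  # pattern hint -> points
    if misses >= 0.5:
        hints["scanv:404_ratio"] = round(misses * 6)
    if probes >= 3:
        hints["scanv:ext_enum"] = min(probes, 6)
    score = int(min(rpm // 30, 6)) + min(len(paths) // 5, 6) + sum(hints.values())

    out = [("scanv:window", "informational")]
    if score >= EMIT_AT:
        top = sorted(hints, key=hints.get, reverse=True)[:MAX_CONTRIBUTORS]
        out += [(rule, score) for rule in top]
    return out

# Constructed sample windows (documentation-range IPs, not from the page).
SCANNER = [Event(1000 + i, "203.0.113.7", f"/probe{i}.php", 404) for i in range(20)]
HUMAN = [Event(1000, "198.51.100.9", "/", 200), Event(1015, "198.51.100.9", "/about", 200),
         Event(1030, "198.51.100.9", "/pricing", 200),
         Event(1045, "198.51.100.9", "/favicon.ico", 404)]

if __name__ == "__main__":
    for name, window in (("scanner", SCANNER), ("human", HUMAN)):
        print(name, annotate(window))
```

A single stray 404 in the human window leaves the score at zero, so only the window summary is produced; the scanner window crosses the threshold on rate, breadth and both pattern hints together.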

10 Most Recent Real Samples

Cached weekly from live annotated access events so the catalog stays fast.
Week: 2026W17
Lookback: 30 days
Total matched: 10021
Latest sample: Apr 19, 2026 • 22:55
Top rules: scanv:window · 4; scanv:404_ratio · 3; scanv:ext_enum · 3
Top requester orgs: Microsoft Azure Cloud (southeastasia) · 3; Microsoft Azure Cloud (francecentral) · 2; Microsoft Azure Cloud (norwaye) · 2
Severity mix: informational · 4; 12 · 2; 10 · 2; 22 · 2
Method mix: GET · 10

GET · 404 · Severity 12 · Apr 19, 2026 • 22:55
/uploads/51611de631d3c/voice_inline/4bdfddb7-d87e-378f-f28c-ca8900896b62/548978c193d41.jpg
Scan-velocity indicator: scanv:404_ratio
IP 87.68.10.93 · Subnet 87.68.10.0/24 · Country Israel · Rule scanv:404_ratio

GET · 404 · Severity informational · Apr 19, 2026 • 22:55
/uploads/51611de631d3c/voice_inline/4bdfddb7-d87e-378f-f28c-ca8900896b62/548978c193d41.jpg
Scan-velocity window summary
IP 87.68.10.93 · Subnet 87.68.10.0/24 · Country Israel · Rule scanv:window

GET · 404 · Severity 10 · Apr 19, 2026 • 22:00
/1index.php
Scan-velocity indicator: scanv:ext_enum
IP 20.43.35.182 · Subnet 20.43.35.0/24 · Org Microsoft Azure Cloud (francecentral) · Country France · Rule scanv:ext_enum

GET · 404 · Severity informational · Apr 19, 2026 • 22:00
/1index.php
Scan-velocity window summary
IP 20.43.35.182 · Subnet 20.43.35.0/24 · Org Microsoft Azure Cloud (francecentral) · Country France · Rule scanv:window

GET · 404 · Severity 10 · Apr 19, 2026 • 21:59
/1index.php
Scan-velocity indicator: scanv:ext_enum
IP 20.100.174.202 · Subnet 20.100.174.0/24 · Org Microsoft Azure Cloud (norwaye) · Country Norway · Rule scanv:ext_enum

GET · 404 · Severity informational · Apr 19, 2026 • 21:59
/1index.php
Scan-velocity window summary
IP 20.100.174.202 · Subnet 20.100.174.0/24 · Org Microsoft Azure Cloud (norwaye) · Country Norway · Rule scanv:window

GET · 404 · Severity 22 · Apr 19, 2026 • 21:48
/class.php
Scan-velocity indicator: scanv:ext_enum
IP 4.193.168.228 · Subnet 4.193.168.0/24 · Org Microsoft Azure Cloud (southeastasia) · Country Singapore · Rule scanv:ext_enum

GET · 404 · Severity 22 · Apr 19, 2026 • 21:48
/class.php
Scan-velocity indicator: scanv:404_ratio
IP 4.193.168.228 · Subnet 4.193.168.0/24 · Org Microsoft Azure Cloud (southeastasia) · Country Singapore · Rule scanv:404_ratio

GET · 404 · Severity informational · Apr 19, 2026 • 21:48
/class.php
Scan-velocity window summary
IP 4.193.168.228 · Subnet 4.193.168.0/24 · Org Microsoft Azure Cloud (southeastasia) · Country Singapore · Rule scanv:window

GET · 404 · Severity 12 · Apr 19, 2026 • 19:10
/auth/info/
Scan-velocity indicator: scanv:404_ratio
IP 192.253.248.169 · Subnet 192.253.248.0/24 · Org Secure Internet LLC · Country United Kingdom · Rule scanv:404_ratio