Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition

This report analyzes benign internet scanning activity observed in November 2024, focusing on the speed and coverage of legitimate scanning services such as Shodan, Censys, and ONYPHE. Researchers deployed sensors across multiple geographies and autonomous systems to measure discovery times. Results indicate that most scanners identify new internet-facing assets within five minutes of deployment, with ONYPHE demonstrating the fastest initial contact rates. While no malicious threat actors or malware families were identified in this study, the findings highlight the rapid visibility of new infrastructure to public scanning services. Organizations should assume immediate exposure upon launching assets and implement robust hardening measures prior to connection. Security teams must monitor scanning activity to distinguish between benign enumeration and adversarial reconnaissance. This intelligence underscores the necessity of proactive asset management and continuous monitoring to mitigate risks associated with premature exposure of sensitive services.

A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners found new nodes within 5 minutes, with ONYPHE leading in first contacts.

This report analyzes benign internet scanning activity observed in November 2024, focusing on the speed and coverage of legitimate scanning services such as Shodan, Censys, and ONYPHE. Researchers deployed sensors across multiple geographies and autonomous systems to measure discovery times. Results indicate that most scanners identify new internet-facing assets within five minutes of deployment, with ONYPHE demonstrating the fastest initial contact rates. While no malicious threat actors or malware families were identified in this study, the findings highlight the rapid visibility of new infrastructure to public scanning services. Organizations should assume immediate exposure upon launching assets and implement robust hardening measures prior to connection. Security teams must monitor scanning activity to distinguish between benign enumeration and adversarial reconnaissance. This intelligence underscores the necessity of proactive asset management and continuous monitoring to mitigate risks associated with premature exposure of sensitive services. A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners found new nodes within 5 minutes, with ONYPHE leading in first contacts. A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners found new nodes within 5 minutes, with ONYPHE leading in first contacts.