DET0830: Detection of Active Scanning
Analyst context for executives and security teams
DET0830 is a MITRE detection strategy for recognizing Active Scanning, a reconnaissance behavior where an adversary directly probes infrastructure with network traffic to inform later targeting decisions. For leaders, the practical value is early warning: scanning does not prove compromise, but it can show that exposed services, cloud edges, or internet-facing assets are being evaluated by an outside party.
Executive priority
Prioritize this as an exposure-management and SOC-readiness control, not as a standalone incident verdict. Executives should ask whether the organization can see unsolicited probing of public-facing infrastructure, correlate it to known assets and owners, and use that evidence to drive vulnerability prioritization, firewall/access decisions, and incident triage. The business risk is missed early reconnaissance against externally reachable services, especially where asset inventory and logging are weak.
Technical view
The supplied ATT&CK relationship says this detection strategy detects T1595 Active Scanning under the reconnaissance tactic, with PRE platform context. Because MITRE did not provide official detection logic or platforms for DET0830, SOC and detection teams should validate coverage around inbound network probing of victim infrastructure and correlation to internet-facing assets. Focus on whether telemetry can distinguish broad or repeated probing from expected internet background noise, vendor monitoring, vulnerability scanning, and authorized security testing.
Likely telemetry
- Perimeter firewall and network security device logs
- IDS/IPS or network detection alerts
- Web server and reverse proxy access logs
- Cloud edge, load balancer, and ingress logs where applicable to the local environment
- DNS, TLS, and connection metadata for externally reachable services
Detection direction
- Validate that detections look for direct probing behavior against owned infrastructure rather than relying only on endpoint alerts.
- Tune for patterns such as repeated connection attempts, enumeration across ports or hosts, unusual protocol feature use, or probing of externally exposed services, while treating these as reconnaissance indicators rather than proof of compromise.
- Correlate scan-like activity with asset criticality, known exposure, and recent vulnerability context so alerts support prioritization instead of becoming internet-noise tickets.
- Maintain allowlists or context for approved vulnerability management, uptime monitoring, penetration testing, and vendor assessments to reduce false positives.
- Check blind spots around unmanaged internet-facing assets, cloud ingress points, temporary infrastructure, and logs that are not retained long enough for reconnaissance-to-incident correlation.
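As an added illustration (not part of the MITRE object or Glexia's analysis), the Python below applies the tuning points above to constructed firewall log lines: it flags a source that enumerates many ports on one host or one port across many hosts within a sliding window, leaves alone the same number of probes spread over hours, and tags hits from an allowlisted scanner instead of silently dropping them. The log format, addresses, thresholds and allowlist are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (hypothetical device, RFC 5737 test addresses); not from the page.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fw01 DENY src=203.0.113.5 dst=198.51.100.10 dport=22
2024-05-01T10:00:02Z fw01 DENY src=203.0.113.5 dst=198.51.100.10 dport=23
2024-05-01T10:00:03Z fw01 DENY src=203.0.113.5 dst=198.51.100.10 dport=80
2024-05-01T10:00:04Z fw01 DENY src=203.0.113.5 dst=198.51.100.10 dport=3389
2024-05-01T10:01:00Z fw01 DENY src=192.0.2.9 dst=198.51.100.11 dport=443
2024-05-01T10:01:01Z fw01 DENY src=192.0.2.9 dst=198.51.100.12 dport=443
2024-05-01T10:01:02Z fw01 DENY src=192.0.2.9 dst=198.51.100.13 dport=443
2024-05-01T10:01:03Z fw01 DENY src=192.0.2.9 dst=198.51.100.14 dport=443
2024-05-01T10:02:00Z fw01 DENY src=198.51.100.250 dst=198.51.100.10 dport=21
2024-05-01T10:02:01Z fw01 DENY src=198.51.100.250 dst=198.51.100.10 dport=22
2024-05-01T10:02:02Z fw01 DENY src=198.51.100.250 dst=198.51.100.10 dport=25
2024-05-01T10:02:03Z fw01 DENY src=198.51.100.250 dst=198.51.100.10 dport=80
2024-05-01T10:30:00Z fw01 DENY src=192.0.2.77 dst=198.51.100.10 dport=22
2024-05-01T11:00:00Z fw01 DENY src=192.0.2.77 dst=198.51.100.10 dport=23
2024-05-01T11:30:00Z fw01 DENY src=192.0.2.77 dst=198.51.100.10 dport=80
2024-05-01T12:00:00Z fw01 DENY src=192.0.2.77 dst=198.51.100.10 dport=443
"""
# Documented approved sources (e.g. the organisation's own vulnerability scanner); constructed.
ALLOWLIST = {"198.51.100.250": "approved vulnerability scanner"}
LINE_RE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(lines):
    """Yield (timestamp, src, dst, dport) for each line in the assumed log format."""
    for m in filter(None, map(LINE_RE.match, lines.splitlines())):
        yield datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[3], m[4], int(m[5])

def scan_indicators(lines, window=timedelta(minutes=5), threshold=4, allowlist=ALLOWLIST):
    """Per source, report a port sweep (>= threshold distinct ports on one host) or a host
    sweep (>= threshold distinct hosts) seen inside any sliding window; hits are indicators,
    not a compromise verdict, and allowlisted sources are labelled rather than dropped."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        by_src[src].append((ts, dst, dport))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        max_ports = max_hosts = 0
        for ts, _, _ in events:  # window ends at each event; O(n^2) is fine for a demo
            per_host = defaultdict(set)
            for _, dst, dport in (e for e in events if ts - window <= e[0] <= ts):
                per_host[dst].add(dport)
            max_ports = max(max_ports, max(len(p) for p in per_host.values()))
            max_hosts = max(max_hosts, len(per_host))
        if max_ports >= threshold or max_hosts >= threshold:
            findings[src] = {"port_sweep": max_ports >= threshold,
                             "host_sweep": max_hosts >= threshold, "approved": allowlist.get(src)}
    return findings
```

The source 192.0.2.77 touches four ports but over 90 minutes, so with a 5-minute window it is not reported; widen `window` if slow scans matter more than ticket volume in your environment.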
Mitigation priorities
- Maintain an accurate inventory of externally reachable assets and services so scan detections can be mapped to business owners and risk.
- Reduce unnecessary exposure through network access controls, service hardening, and removal of unused public services.
- Integrate scan observations with vulnerability management to prioritize exposed and high-risk services.
- Document authorized scanning sources and testing windows so SOC teams can separate expected activity from suspicious reconnaissance.
- Use detection outputs as triage evidence for incident response and risk review, not as a sole basis for declaring compromise.
Analyst notes and limits
This take is based on the official STIX fields for detection strategy DET0830 and its relationship to ATT&CK technique T1595 Active Scanning. The object has no official description, detection text, tactics, or platforms of its own; the technical framing is therefore derived from the related technique description and conservative defensive interpretation.
MITRE supplied no detection logic, analytics, data sources, or platform list for DET0830. Local environment evidence is required to determine whether relevant network, cloud edge, proxy, and asset telemetry exists and whether alert thresholds are appropriate for the organization’s normal internet exposure.
Detection of Active Scanning
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1595 | Active Scanning | This object detects Active Scanning. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 735cd31fbce1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0830
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.