MITRE ATT&CK® Detection Strategy

DET0867: Detection of Vulnerability Scanning


Enterprise | DET0867 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0867 is a detection strategy for identifying vulnerability scanning associated with ATT&CK technique T1595.002. For leaders, the practical value is early warning: scanning is reconnaissance that may reveal which exposed hosts, applications, software versions, or configurations an adversary could use to choose a later exploit path. Because the ATT&CK object provides no official detection logic or platform scope, organizations should treat this as a validation prompt rather than a ready-made analytic.

Executive priority

Prioritize this as part of external attack surface management, vulnerability prioritization, and incident triage. Security leaders should ask whether the organization can distinguish expected scanning, such as internal or authorized vulnerability management, from suspicious reconnaissance against exposed assets. The business decision value is in reducing surprise: if scanning against a critical internet-facing service is visible, correlated to asset criticality, and linked to patch status, teams can make faster risk decisions before exploitation is observed.

Technical view

This detection strategy covers T1595.002 Vulnerability Scanning, a reconnaissance behavior in the PRE platform context. SOC and detection teams should validate whether they can observe repeated probing for software, version, configuration, or known-vulnerability indicators across externally reachable hosts and applications. Because no official detection text is supplied, engineering should avoid assuming coverage and instead map existing network, web, application, IDS/WAF, and vulnerability-management telemetry to scanning patterns and asset-exposure context.

Likely telemetry

  • External-facing web server and application access logs showing repeated requests, unusual paths, or version/configuration probing
  • Network security telemetry such as firewall, IDS/IPS, WAF, reverse proxy, and load balancer logs
  • DNS and connection metadata that can show broad probing or repeated contact from the same source infrastructure
  • Asset inventory and internet-exposure data to identify which scanned systems matter most
  • Authorized vulnerability scanner schedules, source ranges, and scan records for allowlisting and false-positive reduction

Detection direction

  • Validate visibility at the internet edge and for externally exposed applications, since the related ATT&CK technique is reconnaissance against potential victim systems.
  • Correlate scan-like activity with asset criticality and known vulnerabilities rather than alerting only on volume.
  • Separate authorized internal or third-party vulnerability scans from unknown sources using approved scanner ranges, schedules, and change records.
  • Look for patterns that indicate vulnerability discovery, such as repeated checks for software/version/configuration indicators or broad probing across hosts and applications.
  • Tune for blind spots where edge devices, cloud-hosted services, SaaS front ends, or reverse proxies may not forward sufficient request detail to the SOC.
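The steps above can be exercised end to end against web access logs. The Python below is an added example written for this page (not MITRE's or Glexia's code): it parses a constructed access log in Apache vhost_combined layout, suppresses sources inside an assumed authorized-scanner range while still recording them for audit, flags scan-like behaviour on three signals the list names (broad path enumeration with a high error rate, repeated configuration/version probe paths, probing across several hosts), and ranks each hit by an assumed asset-criticality map. The log lines, IP ranges, host names, probe-path list and thresholds are all assumptions to be replaced with local records.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in Apache vhost_combined layout (vhost, client, ident,
# user, timestamp, request, status, bytes, referer, user agent). Not real traffic.
SAMPLE_LOG = """\
payments.example.com 203.0.113.45 - - [10/Mar/2026:08:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "probe-client/1.0"
payments.example.com 203.0.113.45 - - [10/Mar/2026:08:00:01 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "probe-client/1.0"
payments.example.com 203.0.113.45 - - [10/Mar/2026:08:00:02 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "probe-client/1.0"
payments.example.com 203.0.113.45 - - [10/Mar/2026:08:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "probe-client/1.0"
payments.example.com 203.0.113.45 - - [10/Mar/2026:08:00:03 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "probe-client/1.0"
payments.example.com 203.0.113.45 - - [10/Mar/2026:08:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "probe-client/1.0"
payments.example.com 203.0.113.45 - - [10/Mar/2026:08:00:04 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "probe-client/1.0"
payments.example.com 203.0.113.45 - - [10/Mar/2026:08:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "probe-client/1.0"
blog.example.com 203.0.113.45 - - [10/Mar/2026:08:00:05 +0000] "GET /.env HTTP/1.1" 404 196 "-" "probe-client/1.0"
blog.example.com 10.50.0.7 - - [10/Mar/2026:09:00:00 +0000] "GET /.env HTTP/1.1" 404 196 "-" "internal-vuln-scanner"
blog.example.com 10.50.0.7 - - [10/Mar/2026:09:00:00 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "internal-vuln-scanner"
blog.example.com 10.50.0.7 - - [10/Mar/2026:09:00:01 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "internal-vuln-scanner"
blog.example.com 198.51.100.9 - - [10/Mar/2026:10:15:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
blog.example.com 198.51.100.9 - - [10/Mar/2026:10:15:01 +0000] "GET /posts/hello?ref=home HTTP/1.1" 200 4096 "https://blog.example.com/" "Mozilla/5.0"
truncated line with no request field
"""

# Assumed local inputs; a real deployment loads these from its own records.
AUTHORIZED_SCANNER_NETS = [ipaddress.ip_network("10.50.0.0/24")]  # assumed scan register
ASSET_CRITICALITY = {"payments.example.com": "critical", "blog.example.com": "low"}  # assumed inventory
CONFIG_PROBE_PATHS = {"/.env", "/server-status", "/phpinfo.php", "/.git/HEAD"}  # constructed short list
DISTINCT_PATH_MIN, ERROR_RATIO_MIN, PROBE_HITS_MIN, BROAD_HOST_MIN = 8, 0.5, 3, 3  # assumed thresholds
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def new_profile():
    return {"requests": 0, "errors": 0, "probe_hits": 0, "paths": set(), "hosts": set()}

def parse_line(line):
    """Return a dict for one log line, or None for lines that do not fit the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings when counting paths
    return rec

def is_authorized(src):
    """True when the client address falls inside an approved scanner range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in AUTHORIZED_SCANNER_NETS)

def profile_sources(log_text):
    """Aggregate per-source request behaviour; returns (profiles, unparsed_line_count)."""
    profiles, skipped = defaultdict(new_profile), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep a count so parser blind spots are visible, not silent
            continue
        p = profiles[rec["src"]]
        p["requests"] += 1
        if rec["status"] >= 400:
            p["errors"] += 1
        if rec["path"] in CONFIG_PROBE_PATHS:
            p["probe_hits"] += 1
        p["paths"].add(rec["path"])
        p["hosts"].add(rec["host"])
    return dict(profiles), skipped

def evaluate(log_text):
    """Apply the scan-like signals, separate authorized scanners, rank by asset criticality."""
    profiles, skipped = profile_sources(log_text)
    result = {"alerts": [], "suppressed": [], "skipped_lines": skipped}
    for src, p in profiles.items():
        ratio = p["errors"] / p["requests"]
        reasons = []
        if len(p["paths"]) >= DISTINCT_PATH_MIN and ratio >= ERROR_RATIO_MIN:
            reasons.append("broad path enumeration with high error rate")
        if p["probe_hits"] >= PROBE_HITS_MIN:
            reasons.append("repeated configuration/version probe paths")
        if len(p["hosts"]) >= BROAD_HOST_MIN:
            reasons.append("probing across multiple exposed hosts")
        if not reasons:
            continue
        severity = max((ASSET_CRITICALITY.get(h, "medium") for h in p["hosts"]), key=SEVERITY_RANK.get)
        hit = {"source": src, "severity": severity, "hosts": sorted(p["hosts"]), "reasons": reasons,
               "distinct_paths": len(p["paths"]), "error_ratio": round(ratio, 2)}
        # Authorized scanners are kept as an audit record but are not alerted on.
        result["suppressed" if is_authorized(src) else "alerts"].append(hit)
    return result

if __name__ == "__main__":
    for key, hits in evaluate(SAMPLE_LOG).items():
        print(key, hits)
```

On the constructed sample, the one unparsed line is counted rather than dropped silently, the internal scanner in 10.50.0.0/24 trips the probe signal but lands in the suppressed list, and the external source is raised at critical severity because one of the hosts it touched is the payments front end. Thresholds are deliberately plain constants so that tuning per environment, as the notes above require, is a one-line change.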

Mitigation priorities

  • Maintain an accurate inventory of externally reachable hosts and applications so scanning alerts can be tied to business ownership and criticality.
  • Integrate vulnerability management with detection workflows so observed probing can accelerate patching, exposure reduction, or compensating controls.
  • Document and govern authorized scanning activity to reduce false positives and preserve evidence for audits and incident reviews.
  • Ensure perimeter, web, and application telemetry is retained long enough to support incident response timelines.
  • Review internet-facing service hardening and exposure reduction where repeated scanning targets critical or vulnerable systems.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, no official detection guidance, and no platform list of its own. The only substantive context is its relationship to T1595.002 Vulnerability Scanning under reconnaissance with PRE platform context. Recommendations therefore focus on defensive validation, telemetry readiness, and operational decision-making rather than a specific analytic rule.

This take does not claim active exploitation, attribution, specific detection coverage, or vendor/tool capability. Local environment details are required to define thresholds, approved scanner allowlists, exposed asset scope, and incident response escalation criteria.

Official MITRE ATT&CK definition

Detection of Vulnerability Scanning

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain     | ID        | Name                                      | Relationship / procedure
Enterprise | T1595.002 | Vulnerability Scanning (Sub-technique)    | This object detects Vulnerability Scanning.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c9692203d508d3bb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | c9692203d508…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0867

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.