Allowing scanner traffic from your domain, IP ranges, and User-Agent
In order for Detectify to properly discover and assess your attack surface, you must ensure access to your assets.
As a first line of defense, we recommend not to allow unwanted or potentially dangerous Internet traffic to your assets by blocking out requests containing unusual content, or requests going to paths and ports on which you do not provide any content. You can use Web Application Firewall (WAF) or bot protection services for such purposes. As Detectify intentionally tries to emulate attacks, much of our Internet traffic may be considered malicious by these systems, and our scanners can be blocked.
For both Surface Monitoring and Application Scanning, Detectify uses a dedicated user agent and source of network traffic to identify its requests to your assets. This allows you to allow Detectify access to your assets without inviting malicious attacks.
User agent
In all HTTP requests we send, we specify our user agent in the form of:
Mozilla/5.0 (compatible; Detectify)
with optionally specifying the functionality, for example:
Mozilla/5.0 (compatible; Detectify; subdomain-takeover)
In addition, for Application Scanning we also provide a link. Visiting the link gives information about who and when started the scan:
Mozilla/5.0 (compatible; Detectify) +https://detectify.com/bot/{token}For Application Scanning, it is also possible to specify a different user agent in the Scan Profile settings.
Source of network traffic
All Detectify traffic originates from scanner.detectify.com with dedicated IP addresses, which is hosted by Amazon Web Services (AWS) in the following geographic regions:
Ireland: 52.17.9.21, 52.17.98.131
USA (N. Virginia): 107.20.158.220, 3.234.180.95, 34.234.177.119
India (Mumbai): 13.126.5.12, 3.7.157.159, 3.7.173.162
By default, network traffic originates from Ireland. For specific customers of Application Scanning, it is possible to change the geographic region to either USA or India.
Please note that even if you change the geographic region for Application Scanning, as our core services are located in Ireland, your web application still needs to be accessible from Ireland.
FAQ
Q: Should I use the user agent, the domain name or the IP address to add an exception in my firewall rules?
A: We recommend using the IP addresses in every case, which you can combine for example with the user agent. By itself, the user agent is not secure, as it is possible for malicious actors to use the same user agent, spoofing our identity.
Q: Is it possible to change the user agent in some way to add unique identification?
A: For Application Scanning, it is possible to change the default user agent for a custom one. Read more about how Application Scanning identifies itself to your website.
Q: I updated my firewall rules, still I don’t get any results in Detectify, what’s the problem?
A: It is possible that some 3rd party, such as your hosting provider is still blocking our traffic. Please contact any 3rd party services that regulate traffic to your assets to ensure they are not blocking Detectify traffic. You can also contact us at support@detectify.com to get help.