An automated web scanner used by Detectify’s SaaS platform to map assets, crawl applications, and probe for vulnerabilities (e.g., OWASP Top 10), misconfigurations, subdomain takeovers, and exposed services. It identifies as Detectify and operates from Detectify-owned IP ranges.
Legitimate use cases:
– External Attack Surface Management and asset discovery
– Continuous web app/API vulnerability scanning in CI/CD
– Post-deploy regression/security checks
– Compliance evidence and third-party risk assessment
– Bug bounty finding validation and mapping shadow IT
Known misuse/abuse patterns (non-exhaustive):
– Reconnaissance: adversaries emulate/spoof Detectify UA/IP reputation to blend in or bypass WAF rules
– Opportunistic crawling to map endpoints and parameter spaces before exploitation
– Content scraping/intelligence gathering on exposed dashboards or misconfigured storage
– Signal laundering: using “legitimate” scanner patterns to mask pre-attack activity
Note
– Block/allow via IP verification with Detectify’s published ranges and require auth/rate limits to reduce risk.
Why is Detectify crawling my site?
– Someone (your security team, vendor, pentester, or bug-bounty researcher) scheduled a scan against your domain.
– Your assets were auto-discovered (DNS/WHOIS/subdomains) and added to a scan scope.
Potential negative impacts
– Load/API cost spikes from aggressive requests.
– SIEM/WAF/log noise and alert fatigue; increased ingest costs.
– Triggered rate limits, captchas, or account lockouts affecting real users.
– State-changing actions (form submits, emails/SMS, cart/orders) if test safety isn’t enforced.
– Skewed analytics and monitoring baselines.
– Exposure of weak auth/authorization flows under forced browsing.
– Possible policy/compliance issues if scanning wasn’t authorized.
Threat research insights on Detectify
All data in this section are produced by DataDome's Galileo Threat Research team from our proprietary detection network and reviewed by human analysts.
[Charts: traffic origins (top 15 countries by bot traffic); most used autonomous systems (top 5 by traffic share)]
On average, Detectify accounts for <0.1% of the traffic from bots in the directory
Businesses decide to authorize this bot 0% of the time
How to block Detectify?
1) Block by User-Agent
– Deny requests that advertise Detectify or have empty UAs.
– Nginx example:
if ($http_user_agent ~* (detectify|^$)) { return 403; }
2) IP/ASN blocking
– Maintain Detectify scanner IP ranges and drop at firewall or web server.
– iptables example:
iptables -A INPUT -s <CIDR> -j DROP
– Keep ranges updated; consider allowlisting only known networks.
3) Reverse DNS with forward-confirmed rDNS (FCrDNS)
– For each client IP, perform a PTR lookup; if the hostname matches Detectify patterns, resolve it back and confirm it returns the same IP, then block (return 403).
– Implement in middleware/proxy hooks; the forward confirmation is what protects against spoofed PTR records.
4) Rate limiting and behavioral rules
– Throttle high request rates, concurrent connections, and bursts; block on suspicious patterns (e.g., many 404s, rapid path enumeration).
– Nginx example:
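limit_req_zone $binary_remote_addr zone=bot:10m rate=5r/s;  # http context; zone size and rate are example values
limit_req zone=bot burst=10;
limit_req_status 403;  # rejected requests get 403 instead of the default 503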
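The forward-confirmed reverse DNS check from step 3, as an added example (not DataDome's or Detectify's code). The suffix `scanner.example`, the function names and the sample records are assumptions, since the page does not list Detectify's hostname patterns; the resolvers are injectable so the check can be exercised offline.

```python
import ipaddress
import socket

# Assumption: placeholder suffix. The page does not list Detectify's rDNS
# hostname patterns; substitute the vendor-published ones.
SCANNER_SUFFIXES = ("scanner.example",)

def system_ptr(ip):
    """PTR lookup via the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    """A/AAAA lookup via the system resolver; empty list on failure."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(host, None)]
    except OSError:
        return []

def is_confirmed_scanner(client_ip, ptr=system_ptr, forward=system_forward):
    """True only if the PTR name matches AND resolves back to client_ip."""
    ip = ipaddress.ip_address(client_ip)
    host = (ptr(str(ip)) or "").rstrip(".").lower()
    # Match on a label boundary: "scanner.example.attacker.test" and
    # "evilscanner.example" must not pass.
    if not any(host == s or host.endswith("." + s) for s in SCANNER_SUFFIXES):
        return False
    # Whoever controls the reverse zone for an IP can return any PTR name, so
    # the claim counts only if the named zone maps the host back to this IP.
    for addr in forward(host):
        try:
            if ipaddress.ip_address(addr) == ip:
                return True
        except ValueError:  # unparsable answer; ignore it
            continue
    return False

# Constructed records (documentation address ranges) for an offline run.
PTR = {"192.0.2.10": "crawl-1.scanner.example.",
       "198.51.100.7": "crawl-1.scanner.example.",  # spoofed PTR
       "203.0.113.5": "scanner.example.attacker.test"}
FWD = {"crawl-1.scanner.example": ["192.0.2.10"]}

def check_constructed(ip):
    return is_confirmed_scanner(ip, ptr=PTR.get, forward=lambda h: FWD.get(h, []))
```

In a proxy hook, cache the result per client IP so the two lookups are not repeated on every request.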