hexometer

Bot User-Agent: hexometer

⚠️ Overview

Hexometer is a cloud‑based website uptime and performance monitoring service operated by Hexometer Ltd (registered in the UK, with a public dashboard at hexometer.com). The service runs a dedicated bot that periodically probes customer‑configured web applications for availability, response time, and content integrity. Although it is marketed as a legitimate tool, any single request it sends looks, from the target server's side, exactly like the fingerprinting phase of reconnaissance: a non‑browser client fetching a fixed path at a steady cadence. Security teams that cannot tolerate even benign external scanning therefore often classify it as a threat.

🔧 Technical Capabilities

The Hexometer bot sends HTTP/HTTPS GET requests to URLs configured by its customers, typically at intervals between 30 seconds and 5 minutes. It inspects HTTP status codes (e.g., 200, 404, 500), records page load times including Time to First Byte (TTFB), and can optionally verify that specific text strings or regular‑expression patterns appear in the response body. It follows redirects up to a configurable depth and supports HTTP basic authentication via request headers. Findings are logged to the Hexometer dashboard, which alerts the user when a threshold (e.g., three consecutive timeouts) is breached. From a defender's perspective these are exactly the primitives a vulnerability scanner uses to map endpoints, detect misconfigurations, and confirm that hidden resources exist: a status code, a response time, and a body match. An individual Hexometer request is therefore indistinguishable from a controlled reconnaissance probe; the only difference shows up over time, since the bot re‑requests a fixed, customer‑configured set of paths rather than enumerating new ones.

📜 History & Notable Incidents

Hexometer was launched in 2018 as a commercial uptime monitor, and no publicly documented security incidents have been attributed directly to the service. In 2021, however, several security advisories (e.g., from Sucuri and Wordfence) cited indiscriminate scanning by monitoring services, Hexometer among them, as a cause of unintentional denial of service and of data leakage when internal or staging endpoints were accidentally exposed. No CVEs are associated with the Hexometer bot itself. Its usage pattern is usually mapped to MITRE ATT&CK T1046 (Network Service Discovery, formerly named Network Service Scanning); note that T1046 sits under the post‑compromise Discovery tactic, and repeated HTTP probing of an externally reachable host fits the Reconnaissance tactic's T1595 (Active Scanning) at least as well.

🔍 Detection Indicators

Known User‑Agent strings for the Hexometer bot include Hexometer/1.0, HexometerBot/1.0, and variants such as Hexometer (compatible; +https://hexometer.com/bot); treat the User‑Agent as a weak indicator, because any client can send it. Traffic from the bot is reported to originate from a fixed set of IP ranges maintained in Hexometer's published IP list (e.g., 104.26.0.0/16 and 172.64.0.0/13 as of 2025). Both of those ranges belong to Cloudflare, so they identify Cloudflare's network rather than Hexometer specifically; a site that is itself fronted by Cloudflare sees every client request arrive from such ranges, which makes source‑IP attribution unreliable and IP blocking hazardous there. Behaviourally, the bot requests the same small set of paths at a consistent 30‑second to 5‑minute interval and sends neither the Referer nor the Cookie headers that accompany real user sessions; the combination of fixed paths, regular cadence, and missing session headers is the most robust indicator.
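The indicators above turned into detection logic, as an added example that is not part of the original page and not Hexometer's own tooling. It parses a constructed JSON‑lines access log (sample data, not real traffic), groups requests by source IP and path, and scores each group on the three signals: a Hexometer User‑Agent, a regular cadence inside the 30‑second to 5‑minute window, and the absence of Referer and Cookie headers. The shared_cdn_ip flag marks sources inside the two Cloudflare ranges cited above so that a blocking rule keyed on them can be refused. The log field names, the jitter threshold (max_cv) and the minimum hit count are assumptions, not values from the page.

```python
import ipaddress
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Case-insensitive match covering Hexometer/1.0, HexometerBot/1.0 and the "(compatible; ...)" form.
HEXOMETER_UA = re.compile(r"hexometer", re.IGNORECASE)

# The two ranges cited in the indicators. They are Cloudflare edge ranges: if the site is
# fronted by Cloudflare, every client request arrives from them, so they are a hint, never a block key.
SHARED_CDN_RANGES = [ipaddress.ip_network("104.26.0.0/16"), ipaddress.ip_network("172.64.0.0/13")]

# Constructed sample log (JSON lines, one request per line). Not real traffic; field names are assumed.
SAMPLE_LOG = """\
{"ts": "2025-03-01T10:00:00Z", "ip": "104.26.1.10", "path": "/healthz", "ua": "Hexometer/1.0", "referer": "", "cookie": ""}
{"ts": "2025-03-01T10:01:00Z", "ip": "104.26.1.10", "path": "/healthz", "ua": "Hexometer/1.0", "referer": "", "cookie": ""}
{"ts": "2025-03-01T10:02:01Z", "ip": "104.26.1.10", "path": "/healthz", "ua": "Hexometer/1.0", "referer": "", "cookie": ""}
{"ts": "2025-03-01T10:03:00Z", "ip": "104.26.1.10", "path": "/healthz", "ua": "Hexometer/1.0", "referer": "", "cookie": ""}
{"ts": "2025-03-01T10:00:30Z", "ip": "203.0.113.9", "path": "/admin", "ua": "curl/8.4.0", "referer": "", "cookie": ""}
{"ts": "2025-03-01T10:02:30Z", "ip": "203.0.113.9", "path": "/admin", "ua": "curl/8.4.0", "referer": "", "cookie": ""}
{"ts": "2025-03-01T10:04:31Z", "ip": "203.0.113.9", "path": "/admin", "ua": "curl/8.4.0", "referer": "", "cookie": ""}
{"ts": "2025-03-01T10:00:05Z", "ip": "198.51.100.7", "path": "/login", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0", "referer": "https://example.test/", "cookie": "session=abc"}
{"ts": "2025-03-01T10:00:09Z", "ip": "198.51.100.7", "path": "/login", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0", "referer": "https://example.test/", "cookie": "session=abc"}
{"ts": "2025-03-01T10:07:40Z", "ip": "198.51.100.7", "path": "/login", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0", "referer": "https://example.test/", "cookie": "session=abc"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with the timestamp converted to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def in_shared_cdn(ip):
    """True if the source address falls inside a range shared with Cloudflare-proxied user traffic."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN_RANGES)


def classify(events, min_interval=30.0, max_interval=300.0, max_cv=0.2, min_hits=3):
    """Return {(ip, path): verdict dict}; verdicts are hexometer-ua, monitor-like or other."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["ip"], ev["path"])].append(ev)

    results = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        regular = False
        if len(evs) >= max(min_hits, 2):
            mean = statistics.fmean(gaps)
            # Coefficient of variation: a scheduler produces near-constant gaps, a human does not.
            cv = statistics.pstdev(gaps) / mean if mean else float("inf")
            regular = min_interval <= mean <= max_interval and cv <= max_cv
        ua_match = any(HEXOMETER_UA.search(e["ua"]) for e in evs)
        headless = all(not e["referer"] and not e["cookie"] for e in evs)
        if ua_match:
            verdict = "hexometer-ua"
        elif regular and headless:
            verdict = "monitor-like"  # same behaviour, but the UA does not admit to it
        else:
            verdict = "other"
        results[key] = {
            "verdict": verdict,
            "regular_interval": regular,
            "no_referer_or_cookie": headless,
            "hits": len(evs),
            "shared_cdn_ip": in_shared_cdn(key[0]),  # True: do not block by source IP
        }
    return results


if __name__ == "__main__":
    for (ip, path), r in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:14} {path:9} {r['verdict']:13} regular={r['regular_interval']} "
              f"headless={r['no_referer_or_cookie']} shared_cdn_ip={r['shared_cdn_ip']}")
```

The curl source is the interesting row: it never says "Hexometer", yet its cadence and missing session headers put it in the same bucket, which is why a behavioural rule catches what a User‑Agent match misses. Conversely the Hexometer‑identified source sits in a Cloudflare range, so the verdict should drive a User‑Agent or behavioural rule rather than an IP deny.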

☠️ Risk & Impact

Although Hexometer itself is not malicious, the bot's requests can expose otherwise unadvertised endpoints (e.g., /admin, /api, staging hostnames): every poll leaves an entry in server logs, proxy logs, and any traffic capture, so an attacker with access to those sources learns that the paths exist and are worth probing. In high‑traffic environments, polling from several customers that monitor the same resource can degrade performance or trip rate limiting that then also blocks legitimate users. Worse, if the monitoring account or its logs are compromised, the list of monitored URLs becomes a direct map of the organisation's attack surface, including hosts that were never meant to be public.

🛡️ Mitigation

The Hexometer bot is blocked immediately on detection because, regardless of intent, its activity hands adversaries free reconnaissance intelligence and lets genuine attack probes hide among benign monitoring traffic. User‑Agent filtering, IP‑range filtering, and WAF rules (e.g., ModSecurity) are the standard defences, since the information‑exposure risk outweighs the minor benefit of uptime checks from an untrusted external service. Two caveats apply: a User‑Agent block only stops clients that identify themselves, and an IP block on the Cloudflare‑shared ranges cited above will also cut off real users if the site is served through Cloudflare, so prefer User‑Agent and behavioural rules and limit IP blocks to ranges verified against the current published list.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.