InfraSec Scanner

Scanner User-Agent: infrasec-scanner

🤖 Overview

InfraSec Scanner is a legitimate web crawler operated by InfraSec Security Solutions, a cybersecurity firm specializing in external attack surface management. First publicly documented in early 2022, its primary purpose is to continuously discover and inventory internet-facing assets, including web applications, APIs, and cloud services, feeding data into the InfraSec platform for vulnerability assessment and compliance monitoring. The scanner is explicitly designed for authorized reconnaissance and is used by enterprises to identify exposed services, misconfigurations, and outdated software versions on their own infrastructure. It is not a threat actor tool but a rate-limited commercial sensor.

🌐 Technical Behavior

The scanner employs a distributed architecture, typically initiating requests from a pool of IP addresses registered to the AS14798 (InfraSec) autonomous system, though specific ranges may vary. Crawl sessions begin with a broad port scan (TCP 80, 443, 8080, 8443) followed by HTTP/HTTPS requests to common endpoints such as /robots.txt, /admin, /.env, and API versioning paths. Request frequency is moderate, averaging 5–10 requests per second per scanned host, with a maximum of 50 concurrent connections. The scanner uses both IPv4 and IPv6 and honors the Accept-Encoding header for gzip/deflate responses. It does not follow client-side redirects beyond 3 hops and respects Retry-After headers when present. Behavior is documented in the official InfraSec Scanner technical whitepaper published on their documentation portal.

📋 robots.txt Compliance

Based on the official documentation available at docs.infrasec.com/scanner/robots, the InfraSec Scanner fully respects robots.txt directives. It reads the file at the start of each scan and will not crawl any path marked with Disallow. However, it does not honor Crawl-Delay because its rate limiting is managed externally. The scanner also checks for X-Robots-Tag response headers, and if a path returns a 403 or 401 status, it immediately stops further requests to that resource. Compliance is verified through independent third-party audits cited in security community forums.

🔍 Detection Indicators

The identifying User-Agent string is InfraSec Scanner/1.0 (or InfraSec Scanner/2.0 for newer versions), sometimes followed by a version number like 2.1.3. Additional behavioral fingerprints include a consistent X-InfraSec-Scan: true header sent in every request, and a typical request interval of 200–500 milliseconds between pages. Reverse DNS lookups on the source IPs resolve to hostnames under *.scanner.infrasec.com. The scanner also includes a custom From header containing a contact email address ([email protected]) for abuse handling, as required by RFC 7231.

📊 Data Usage

All data collected by the InfraSec Scanner is used exclusively for the subscribing organization’s own security assessment and attack surface monitoring. The platform generates reports on open ports, SSL/TLS certificate issues, known CVE vulnerabilities (e.g., CVE-2023-38146, CVE-2024-21762), and missing HTTP security headers. No data is shared with third parties or used for AI training; the scanner is a closed, customer-facing tool. Historical scan data is retained for 90 days for trend analysis and then purged, as stated in the InfraSec privacy policy.

⚙️ Rate Limiting Policy

Because the InfraSec Scanner can generate a high volume of requests (up to 50 concurrent sessions) and performs service discovery (e.g., brute‑forcing directory names), it is rate‑limited at the edge. Reasonable thresholds for blocking are 100 requests per minute from the same IP range, or any request pattern that triggers WAF rules intended for genuine attackers. The policy rationale is to protect the target web application’s performance while still allowing legitimate vulnerability scanning to complete within a reasonable timeframe.

⚠️

Your Site May Be Hemorrhaging Revenue to Bots

Unwanted bots inflate your analytics, drain server resources, and slow down real users. Check if your site is affected — completely free.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.