socradar.io · 3/27/2026, 2:56:56 PM

How Are You Blocking Open Source Reconnaissance Tools?

Threat actor: Black Basta

Benign scanners are automated systems that interact with publicly accessible internet infrastructure to collect metadata about services and devices. They include internet-wide scanners such as Shodan, Censys, BinaryEdge, and ZoomEye, as well as web crawlers, vulnerability scanners, and monitoring or compliance scanners.

The article notes that attackers use the same tools for reconnaissance, citing the Black Basta ransomware group's leaked chats, which show systematic queries across these platforms, and Volt Typhoon's targeting of critical infrastructure. The consequence is that exposed assets are indexed and visible to potential attackers.

Because benign scanners trigger the same kinds of alerts as malicious activity, security teams face noise in firewalls, IDS/IPS, SIEMs, and other monitoring tools, making it hard to distinguish legitimate from threatening traffic. Rather than attempting to block all scanners, the piece advocates a classification-based approach, noting that many scanners rotate IPs and change infrastructure, so static blocklists quickly go stale.

It also describes how security teams can operationalise benign scanner intelligence by using curated threat feeds, such as SOCRadar Premium Feeds, to auto-classify traffic within SIEM, XDR, and network monitoring platforms, thereby reducing alert fatigue while preserving visibility.
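The classification-based approach described above, as an added example that is not code from SOCRadar, CyberSIXT, or the original article: a small enrichment step that tags firewall or IDS log lines by matching the source address against a curated benign-scanner feed. The feed format, the operator names, the address ranges, and the log lines are all constructed for this illustration; a real deployment would read the feed from a vendor source such as SOCRadar Premium Feeds and run inside the SIEM or XDR pipeline. Because scanners rotate infrastructure, a feed entry older than a configurable age is treated as a stale match rather than a trusted classification, and benign-scanner hits are kept for visibility but routed away from the alert queue rather than dropped.

```python
"""Tag inbound connection logs with a benign-scanner classification.

Added example, not SOCRadar's or CyberSIXT's code. The feed rows, the
MAX_AGE policy and the log lines are constructed for this illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed feed rows: (network, operator, last_confirmed in UTC).
# Scanners rotate infrastructure, so an entry not re-confirmed within
# MAX_AGE is treated as unconfirmed instead of trusted.
FEED = [
    ("192.0.2.0/24", "example-internet-scanner", "2026-03-25T00:00:00Z"),
    ("198.51.100.0/25", "example-web-crawler", "2026-01-01T00:00:00Z"),  # stale
]
MAX_AGE = timedelta(days=30)

# Constructed firewall/IDS log lines: "<timestamp> <src_ip> <dst_port> <action>".
LOG_LINES = [
    "2026-03-27T14:00:01Z 192.0.2.17 443 ALLOW",
    "2026-03-27T14:00:02Z 198.51.100.9 22 DENY",
    "2026-03-27T14:00:03Z 203.0.113.45 3389 DENY",
    "2026-03-27T14:00:04Z 192.0.2.200 8080 DENY",
]

# Fixed "now" so the example is deterministic; a pipeline would use the clock.
NOW = datetime(2026, 3, 27, 14, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class FeedEntry:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    operator: str
    last_confirmed: datetime


def parse_feed(rows: list[tuple[str, str, str]]) -> list[FeedEntry]:
    """Parse constructed feed rows into typed entries with CIDR networks."""
    entries = []
    for net, operator, ts in rows:
        confirmed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        entries.append(FeedEntry(ipaddress.ip_network(net), operator, confirmed))
    return entries


def classify(src_ip: str, feed: list[FeedEntry], now: datetime) -> tuple[str, str | None]:
    """Return (class, operator) for a source address.

    A match on a recently confirmed entry is 'benign_scanner'; a match on an
    entry older than MAX_AGE is 'stale_feed_match' and must still alert,
    because the range may have been handed to someone else since.
    """
    addr = ipaddress.ip_address(src_ip)
    for entry in feed:
        if addr in entry.network:
            if now - entry.last_confirmed <= MAX_AGE:
                return "benign_scanner", entry.operator
            return "stale_feed_match", entry.operator
    return "unclassified", None


def enrich(log_lines: list[str], feed: list[FeedEntry], now: datetime) -> list[dict]:
    """Attach classification and an alert decision to each log line.

    Benign scanner traffic is retained (visibility is preserved) but flagged
    alert=False so it can be routed to a low-priority index rather than the
    analyst queue; everything else keeps alerting.
    """
    records = []
    for line in log_lines:
        ts, src, port, action = line.split()
        label, operator = classify(src, feed, now)
        records.append({
            "ts": ts, "src": src, "port": int(port), "action": action,
            "class": label, "operator": operator,
            "alert": label != "benign_scanner",
        })
    return records


def summarize(records: list[dict]) -> dict:
    """Count records per class plus how many still raise an alert."""
    counts: dict[str, int] = {}
    for rec in records:
        counts[rec["class"]] = counts.get(rec["class"], 0) + 1
    counts["alerts"] = sum(1 for rec in records if rec["alert"])
    return counts


if __name__ == "__main__":
    enriched = enrich(LOG_LINES, parse_feed(FEED), NOW)
    for rec in enriched:
        print(rec)
    print(summarize(enriched))
```

The deliberate design point is the stale branch: a feed match alone is not enough to suppress an alert, since the article's own observation that scanners rotate IPs means an unrefreshed entry can point at infrastructure that no longer belongs to the scanner operator. The freshness window and the "keep but down-rank" handling are the two knobs a team would tune to match their own feed cadence and retention requirements.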


Article by CyberSIXT