Why is my scan taking so long?
  • 24 Jan 2023


External Sentry

The External Sentry performs several tasks behind the scenes to deliver the detailed results visible on the dashboard. These tasks depend on the type of seed data used during onboarding (root domains, subdomains or CIDR ranges). All domains go through a stage called Subdomain Enumeration, where subdomains of the original domain are found using different techniques. After that, DNS resolution is performed on those results to obtain the corresponding IP addresses. Additionally, only root domains are used to perform Dark Web Monitoring, in order to bring in results from our own databases. Once this is done, the process is very similar to the one for a CIDR range: the assets are listed, the ports scanned, the technology stack enumerated, the screenshots taken, the corresponding CVEs detected, the exploits tested and the dashboard populated.

Assuming 25-50 assets are listed, regardless of the type of seed data, this whole process should take 45-60 minutes. What could cause a delay?

Large number of targets

One of the main reasons for a slow scan is a large number of targets, meaning the seed data inputs. If there are more than 10 inputs (adding up domains and CIDR ranges), the scan will probably take 15-30 minutes longer, depending on the number of targets.


High total of assets listed

After the reconnaissance phase, a list containing all of the assets (host:port combinations) is used for the later phases, so a high number of open ports means more time spent on detecting the technology stack, taking screenshots, and so on.


Defense mechanisms

Firewalls or Intrusion Prevention Systems (IPS) might cause false positives during our reconnaissance stage, potentially leading to a longer exploitation phase, given that tests will be performed on ports that are actually closed or filtered.


Cloud Sentry

The Cloud Sentry performs different tasks depending on the type of provider used. Interacting with the APIs of Google Cloud, Microsoft Azure and Amazon Web Services, and processing the corresponding responses, takes a different amount of time for each provider.

Assuming an average environment with 20-40 active users, 1-3 applications deployed, 1 storage object and some VPCs set up, a complete scan should take 30-45 minutes. What could cause a delay?

Multiple active regions

If the given environment has several active regions, the configuration lookup and the security checks are performed once per region, so the scan time grows proportionally with the number of regions.


Custom permission settings

Sometimes, when the scan is run with permission settings different from the ones documented, the Sentry might experience unexpected delays due to the corresponding API responses.


Provider API changes

Cloud providers might change the structure of their API requests and responses over time, which could affect our systems and cause delays during information processing.


Internal Sentry

The Internal Sentry works much like the external one, except for a few details. In this case, there are no subdomains to enumerate and no Dark Web Monitoring; instead, other types of tasks are performed, like an Active Directory query to enumerate and perform different kinds of exploits.

An average environment comprising a single /24 subnet takes about 2-3 hours to complete. Some reasons why it might take more than that are:

Large number of targets

For example, /16 CIDR ranges or multiple CIDR ranges.


Size of the environment

Similar to the External Sentry, environment size is not only a matter of the seed data entered during the onboarding, but also of the assets listed (as host:port combinations). More open ports means more technology stack to detect, more screenshots to take, more CVEs to look for, etc.


Client-side issues

If the machine is turned off during the scan, or if there's a defense mechanism enabled that affects our Active Directory and port scanning services, this will also translate into a possible delay in the results.


We hope you found this article helpful!

