How to Verify If Traffic Fuzzing Your Infrastructure Is Coming From Astra
Last updated: June 8, 2026
Introduction
If you are seeing unusual or automated traffic hitting your web application, APIs, or servers and suspect it may be from an Astra scan or pentest, this article walks you through how to confirm it. Verification typically takes a few minutes and can be done directly from your Astra dashboard.
Who Should Read This
DevOps engineers, security operations teams, and infrastructure administrators who have noticed unexpected traffic patterns and need to determine whether the source is Astra's scanner or a malicious actor.
Prerequisites
Access to your Astra dashboard
Access to your server or application access logs
Astra's scanner IP ranges
Instructions
Step 1: Check for an Ongoing Vulnerability Scan
Log in to your Astra dashboard.
Navigate to Scans from the left sidebar under your target scans.
Look for any scan with a status of In Progress.
If a scan is actively running, there is a strong likelihood that the traffic you are seeing is being generated by Astra's scanner.
Step 2: Check for an Ongoing Manual Pentest
If no automated scan is running, check whether a manual pentest is in progress — pentest activity can also generate traffic that appears unusual in your logs.
From the left sidebar, navigate to Pentests.
Look for any pentest listed with a status of In Progress.
If a pentest is active, the traffic is likely coming from Astra's security engineers conducting their assessment.
Step 3: Verify the IP Addresses of Incoming Requests
For a definitive confirmation, cross-reference the IP addresses of the incoming requests against Astra's known scanner IP ranges.
Access your server or application access logs.
Identify the IP addresses generating the high-frequency or fuzzing-style requests.
Compare those IPs against Astra's official IP ranges listed in Astra IP Ranges.
If the IPs match Astra's ranges, the traffic is confirmed as coming from Astra — not a malicious actor.
Step 4: Add Custom HTTP Headers to Identify Future Scan Traffic (DAST Only)
If you want a more reliable way to distinguish Astra's scanner traffic in the future, you can configure a custom HTTP header that will be attached to every request made by Astra's DAST scanner.
Note: This option is available for automated DAST scans only and does not apply to manual pentests.
Go to your Target Settings page in the Astra dashboard.
Navigate to Advanced Settings.
Click Add HTTP Header.
Enter a Header Name (for example: astra) and a secure, unique Header Value (for example, a UUID).
Save your settings.
From the next scan onwards, all HTTP requests from Astra's scanner will include this custom header. You can then configure your server, WAF, or monitoring tools to recognize and tag this traffic accordingly.
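As an added example (not Astra's own tooling), the Step 3 IP cross-check and the Step 4 header check can be combined in one pass over an access log. The CIDR ranges, header value, sample log lines and the nginx log format ending in "$http_astra" are constructed assumptions; substitute the entries from Astra IP Ranges and your own header value.

```python
import ipaddress
import re
from collections import Counter

# Placeholders (RFC 5737 documentation networks), NOT Astra's real addresses:
# replace with the entries published in Astra IP Ranges.
SCANNER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.7/32")]
# Constructed value: use the Header Value saved in Target Settings.
EXPECTED_HEADER = "3f2b6c1e-9d4a-4e57-8a10-5c7e2b9f0a44"

# Combined log format plus one trailing quoted field holding the custom header
# (assumed nginx log_format ending in "$http_astra"; "-" means header absent).
# The first field must be the real peer address, not a client-supplied value.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                     r'"[^"]*" "[^"]*" "(?P<hdr>[^"]*)"$')

def classify(ip_text, header):
    """Label one request by source IP and custom header value."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsed"
    in_range = any(ip in net for net in SCANNER_RANGES)
    header_ok = header == EXPECTED_HEADER
    if in_range:
        # No header: manual pentest, or a scan started before the header was saved.
        return "astra" if header_ok else "astra-ip-only"
    # Right header from an IP outside the ranges is not Astra: investigate.
    return "header-outside-ranges" if header_ok else "unknown"

def summarize(lines):
    """Return {label: Counter({ip: request_count})} for an iterable of log lines."""
    result = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        ip, label = (m["ip"], classify(m["ip"], m["hdr"])) if m else ("-", "unparsed")
        result.setdefault(label, Counter())[ip] += 1
    return result

def _line(ip, hdr):  # builds a constructed sample log line
    return f'{ip} - - [08/Jun/2026:10:00:01 +0000] "GET /search?q=test HTTP/1.1" 200 512 "-" "-" "{hdr}"'

SAMPLE = [_line("203.0.113.5", EXPECTED_HEADER), _line("203.0.113.5", EXPECTED_HEADER),
          _line("198.51.100.7", "-"), _line("192.0.2.44", EXPECTED_HEADER),
          _line("192.0.2.99", "-"), _line("203.0.113.16", "-"), "truncated line"]

if __name__ == "__main__":
    for label, counts in sorted(summarize(SAMPLE).items()):
        print(label, dict(counts))
```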
Best Practices
Whitelist Astra's IP ranges in your firewall and monitoring tools before starting a scan so that scanner traffic is not flagged as an attack.
Set up a custom HTTP header for your DAST scans so your team can instantly identify Astra traffic in logs without needing to check the dashboard.
Notify your security operations team before a scan or pentest begins, so they are not caught off guard by unusual traffic patterns.
Check the dashboard first before escalating unexpected traffic as a security incident — a quick look at the Continuous Scans or Pentests page can save significant investigation time.
Troubleshooting
The IPs do not match Astra's ranges, but I have an active scan running.
Astra's scanner exclusively uses the static IPs listed in Astra IP Ranges. If you are seeing traffic from other IPs during an active scan, those requests are not from Astra. Treat them as a separate matter and investigate accordingly.
I set up a custom header but my WAF is still blocking scan traffic.
Ensure the custom header rule is configured in your WAF to explicitly allow requests containing that header. Also confirm the header name and value in your Astra target settings match exactly what you have configured in your WAF allowlist.
I cannot find any active scan or pentest in the dashboard, but the traffic looks like it is from Astra.
Check with other members of your workspace — a colleague may have initiated a scan. You can review workspace activity or raise a support ticket and our team can help identify the source.
The traffic stopped on its own. Was it from Astra?
Astra scanner traffic is time-bound and stops as soon as a scan completes. If the unusual traffic subsided and aligns with a scan completion time in your dashboard, it was almost certainly from Astra.