PASSED | infrastructure / client_onboarding_discovery_scan

Client Onboarding Discovery Scan Failure — Incomplete Asset Inventory

During a new client onboarding, the automated network discovery scan fails to complete due to aggressive IDS/IPS rules on the client firewall. The scan times out after 4 hours with only 30% of the network discovered. The MSP has an incomplete view of the client infrastructure.

Pattern: TIMEOUT
Severity: CRITICAL
Confidence: 85%
Remediation: Remote Hands

Test Results

Metric | Expected | Actual | Result
Pattern Recognition | TIMEOUT | TIMEOUT |
Severity Assessment | CRITICAL | CRITICAL |
Incident Correlation | Yes | 25 linked |
Cascade Escalation | N/A | No |
Remediation | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

New client onboarding for 500-device network. Nmap/Rumble discovery scan running from MSP jump box. Client IDS blocking scan traffic after 10,000 packets. Scan timeout after 4 hours. Only 150/500 devices discovered. Remaining 350 devices unknown.

Injected Error Messages (2)

Network discovery scan failure — scan of 10.70.0.0/16 timed out after 4 hours, timeout on subnet scan, only 150/500 estimated devices discovered (30%), client IDS blocking ICMP and TCP SYN probes after threshold, scan timeout with incomplete results, 14 subnets not scanned
Jump box scan tasks stalled — all active scan threads returning timeout, client firewall IDS/IPS rate-limiting scan traffic from 10.70.0.5, connection timeout on remaining 350 devices, timeout exceeded on ARP discovery and service enumeration phases

Neural Engine Root Cause Analysis

The discovery scanner is experiencing a network discovery timeout due to client IDS (Intrusion Detection System) blocking ICMP and TCP SYN probes after reaching detection thresholds. The IDS is interpreting the legitimate network discovery scan as a potential port scan or network reconnaissance attack, blocking further probe attempts and preventing the scanner from completing its discovery of the 10.70.0.0/16 network range. This security control interference is causing the scan to time out after 4 hours with only a 30% completion rate.

Remediation Plan

1. Contact security team to temporarily whitelist the scanner IP (10.70.0.10) in the IDS configuration
2. Reduce scan aggressiveness by lowering concurrent probe limits and adding delays between scans
3. Configure scanner to use authenticated scanning methods where possible to reduce reliance on ICMP/TCP probes
4. Implement scanner IP exclusions in IDS rules for legitimate discovery activities
5. Restart the discovery scanner service after IDS configuration changes
6. Monitor subsequent scans to ensure completion without triggering security controls

Tested: 2026-03-30 | Monitors: 2 | Incidents: 2 | Test ID: cmncjrup60445obqew9ny89za