Scanner Rate Limiting and Throttling: A Production Scanning Guide

Rate is a coverage decision, not a speed decision

Most scanner failures attributed to rate are coverage failures wearing a different label. A scanner that hits a per-IP rate limit halfway through an injection-class module produces an empty result for the second half of the module and a clean-looking scan record for the first half. The aggregate output reads as completed scanning. The actual coverage is whatever fraction of the test corpus made it through before the limit fired. The defensible read is that absence of findings under a rate-limited scan is a coverage drop dressed as a clean scan, not a negative result.

The same logic applies to WAF blocking, CDN burst rules, and origin-side connection pool exhaustion. Each one converts a subset of scanner requests from informative responses into inconclusive ones. The scanner that does not record the inconclusive-response rate per module produces output that looks complete and is actually partial.^5,8,14

The discipline that survives is to read scanner output paired with rate-feedback telemetry rather than as an isolated finding list. A scan that completed its modules with under 1 percent inconclusive responses is a defensible coverage claim; a scan that completed its modules with 30 percent inconclusive responses is a coverage gap that no severity calibration or finding deduplication exercise will fix downstream.

Starting rate by target class

The starting rate is a guess; the operating rate is the one feedback signals settle on after the first ramp. The starting rate matters because picking too high triggers burst-detection rules in the first sixty seconds, and picking too low pushes scan duration into the next maintenance window. The table below sets reasonable starting ranges per target class. Teams should adjust based on the asset criticality, the infrastructure tier, and the historical scan record.

Two operational rules make the starting rate easier to defend. First, document the starting RPS and concurrency in the scan policy so the rate decision is auditable rather than a tester preference. Second, treat the starting rate as a hypothesis the ramp tests, not as the final operating rate. The page on scan scoping and target selection covers the upstream decisions that shape what the rate operates against.

Use a ramp profile, not a flat-rate open

A ramp profile increases scanner request rate from a low baseline to the target rate over a defined interval rather than opening at full rate. The ramp surfaces three operating signals that a flat open hides.

Handling HTTP 429 and Retry-After

HTTP 429 (Too Many Requests, RFC 6585) is the canonical signal that the scanner has exceeded the target throttle. The Retry-After header (RFC 7231) carries the wait either as a delta-seconds integer or as an HTTP-date. The disciplined response is to back off, honour the Retry-After value, and reduce the operating rate by a configurable factor (commonly 0.5 to 0.75 of the prior rate).^1,2,3

The scan record should capture the back-off event, the Retry-After value (when present), the affected module, and the new operating rate so the audit trail shows where the scan adapted. Scanners that ignore 429 produce noisy or destructive output; scanners that record the adaptation produce defensible coverage at a slightly slower clock.^5,8

WAF and CDN rate limits change the calculus

WAFs and CDNs sit between the scanner and the application and apply their own rate baselines that are usually narrower than the application rate budget. A WAF challenge page (CAPTCHA, JavaScript redirect, IP block) returned in place of the application response converts every subsequent test into an inconclusive answer regardless of the application state. The blocking question is operationally upstream of the rate question: a scan that runs at a perfectly tuned rate against a WAF that is silently blocking still produces inconclusive output.

• Allowlist the scan source IP range: the WAF inspects but does not block, the rate operates against the application, and the scan output reflects application behaviour. The allowlist should be narrow (specific IPs, time-bounded, audited) rather than broad.
• Lower the rate to under the WAF baseline: if allowlisting is not available, the operating rate has to stay under the rule fire threshold. The ramp profile finds the threshold; the operator sets the rate just below it.
• Run from inside the network perimeter: for assets where the WAF is the perimeter, scanning from inside bypasses the WAF and the rate question reverts to the origin-side budget. The trade-off is reduced perimeter coverage; some findings only surface on the externally reachable surface.
• Coordinate the maintenance window: brief WAF rule pause for the scan duration is sometimes safer than a permanent allowlist. The pause should be time-bounded, scoped to the scan source, and recorded in the change log so the audit trail shows the WAF state during the scan.

The page on scanner blocking and WAF allowlisting covers where blocks land in a typical stack, how to write a narrow allowlist rule that survives audit, and how to detect partial blocks before the report ships.

Authenticated scan rate is a different budget

Authenticated scans run with valid credentials against the surface behind login and tend to need much lower rates than external scans. Every authenticated request creates session state, may write data, and may trip per-account rate limits that apply only to logged-in traffic. Authenticated scanners also need to respect login-flow throttling: a scanner that re-authenticates aggressively triggers anti-credential-stuffing defences (CAPTCHAs, account locks, security alerts to the operations team).

API rate management with published headers

APIs typically publish explicit rate limits in headers and apply them per token, per origin, per endpoint, or per user. The headers the scanner can read change the rate management model from feedback-driven (wait for 429) to budget-driven (track the remaining quota and stay inside it).^4,6

• Target 60 to 80 percent of the published cap so the scan leaves headroom for legitimate user traffic from the same token or origin.
• Quota-bearing endpoints (billing, search, write-heavy) usually warrant lower rates than read-only endpoints; the published cap is per the strictest endpoint policy.
• Per-token budgets and per-IP budgets are different; scans run under one or the other depending on auth model. Plan around whichever bound applies first.
• Record the published policy alongside the scan output so the audit trail can defend the rate the scan operated under.
• If the API publishes no rate-limit headers, the scanner falls back to feedback-driven adaptation through 429 and Retry-After.

Concurrency separately from per-worker rate

Concurrency is the parallel-worker count, separate from per-worker rate. Most rate-related scan failures come from concurrency rather than from raw RPS. A scan at 5 RPS across 1 worker behaves differently from a scan at 1 RPS across 5 workers even though aggregate RPS is identical: the parallel scan is more likely to trigger per-IP burst rules, exhaust short-lived connection pools, and saturate origin-side worker queues.

Off-hours scanning versus business hours

Off-hours scanning reduces the operational cost of a rate-related incident. A scan that strains an internal database is less likely to disrupt customers at 02:00 than at 14:00. The trade-off is detection latency for production-impacting changes and the operational cost of running infrastructure (pre-production fixtures, scanner workers, on-call review) outside business hours. The defensible split is per asset criticality rather than as a global policy.

• Customer-facing production assets: schedule recurring scans off-hours, run on-change scans whenever the change happens with the rate calibrated for the time of day. Off-hours rate can be higher than business-hours rate for the same asset.
• Internal pre-production assets: business-hours scanning is fine; the rate question reverts to the asset budget without the customer-impact overlay.
• Staging environments with synthetic data: continuous scanning is acceptable; rate can be high since the data is replaceable and the impact stays inside the test boundary.
• Coordinate windows with the asset owner: the asset owner has knowledge of business-cycle peaks (month-end batch, quarterly close, marketing campaigns) that the scan operator does not. Surface the schedule to the asset owner before it operates.

The cadence question is upstream of the rate question. The page on scan scheduling and baseline cadence covers how the schedule shapes the rate decision, including how to read the diff between two scan baselines so a coverage drop from rate-limit truncation is not misread as remediation.

Six failure modes that look like accurate scans

Rate-related failures rarely surface as obvious errors. They surface as scan output that looks plausible, passes through triage, and produces remediation evidence that does not survive audit. The six failure modes below recur across enterprise scanning programmes.

How compliance frameworks read rate-limited scanning

Auditors do not read rate as a separate evidence axis but they do read it through three indirect lenses. Programmes that operate rate as a documented decision pass the indirect read; programmes that operate rate as a tester preference fail when the audit asks why the scan record shows partial coverage.

The cross-cutting read is that rate decisions are documented operational evidence, not silent operator preferences. A scan record that shows the rate, the ramp, the feedback, and the adaptation reads as defensible scanning. A scan record that shows only the final findings list reads as scanning that may or may not have completed.

Operational checklist for a rate-respecting scan

For internal security, AppSec, and vulnerability management teams

Internal teams carry the rate discipline between scans and between assets. The patterns that survive scanner-stack changes, vendor swaps, and asset growth are the same: per-asset starting rate, ramp into the operating rate, honour back-off feedback, record adaptations, and pair findings with scan coverage so the queue reads truthfully.

• Set rate per asset class rather than as a single scanner default.
• Ramp into the operating rate so the first feedback signal arrives before the scan saturates.
• Halve the operating rate after sustained 429s, do not just pause and resume at the same rate.
• Coordinate WAF allowlists at the source-IP level rather than disabling rules globally.
• Hold authenticated scans to a single-session model so login-flow throttling does not multiply by worker count.
• Read API rate-limit headers when published; fall back to feedback adaptation only when the API does not publish.
• Document concurrency next to RPS so the parameter that actually drives failure rate is auditable.
• Pair findings with scan-coverage records so the diff reads coverage drops as coverage drops, not as remediation.

For internal security teams, AppSec teams, vulnerability management teams, cloud security teams, and security engineering teams, the operating commitment is to keep rate decisions on the engagement record so the audit conversation reads from the same source as the operator conversation. The scanner result triage workflow and the vulnerability SLA management workflow both assume rate-respecting scans behind them; a scan that truncated under rate is a backlog item the SLA cannot honour even on paper.

How SecPortal handles scanner rate and throttling

SecPortal applies platform-level rate limits before any scan reaches the target. The rate-limit subsystem operates per workspace plan, per domain, and per tenant burst envelope. The platform does not bypass target-side rate limits, override Retry-After headers, or claim to test through WAFs that block the scan source.

The rate-and-throttling discipline lives next to the engagement record the operational work lives on, rather than as a static configuration document. Findings management holds each finding with the producing tool, CVSS 3.1 vector, severity band, affected asset, and evidence trail so the rate-coverage pairing reads at the finding level during triage. The compliance tracking feature maps findings to ISO 27001, SOC 2, Cyber Essentials, PCI DSS, and NIST frameworks with CSV export so the audit-side read of cadence-and-rate evidence is one query against the same record.

Related scanner discipline

Rate operates inside a wider scanner discipline. The pages below cover the surrounding decisions that shape what the rate operates against and how the output gets read.

• Scan scoping and target selection covers the upstream decisions that determine which assets the rate operates against.
• Scanner coverage and limits covers what each scanner class structurally reaches so rate decisions do not paper over capability gaps.
• Scan scheduling and baseline cadence covers how the schedule shapes the rate decision and how the diff between scans reads coverage versus remediation.
• Scanner blocking and WAF allowlisting covers the WAF coordination model upstream of the rate question.
• Authenticated scanner failure modes covers the six failure classes that can interact with rate management on the auth endpoint.
• Vulnerability scanner false positives covers the suppression discipline that lets the diff stay clean across cycles even when rate decisions change.
• Scanner output deduplication covers cross-tool finding consolidation downstream of the per-scanner rate decision.
• Scanner result triage workflow covers the triage discipline that has to read rate-coverage pairings rather than raw finding lists.

For the wider operating model, the security tool coverage overlap research covers the catalogue-level coverage matrix that rate decisions sit inside, and the continuous security monitoring guide covers the programme-level discipline that rate-respecting scans feed into.

Scope and limitations of this guide

Scanner rate is one parameter inside the scanning programme. No rate decision makes the underlying scanner capabilities reach further than they structurally can, and no rate budget replaces the manual testing the scanner cannot reach. The rate question is what request volume keeps the target healthy, the WAF passive, the response classifier accurate, and the finding queue truthful. The answer is per asset class, per scanner class, per feedback channel, and per coordination model with the asset owner.

Rate claims that depend on a single global default almost always understate the target-class variation. Rate claims that decompose into starting rate, ramp profile, back-off model, concurrency model, and audit trail of adaptations are the claims that survive both the asset owner conversation and the audit read.

Frequently Asked Questions

Sources

1. IETF RFC 6585, Additional HTTP Status Codes (HTTP 429 Too Many Requests)
2. IETF RFC 7231, HTTP/1.1 Semantics and Content (Retry-After header)
3. IETF RFC 9110, HTTP Semantics
4. IETF Draft, RateLimit Header Fields for HTTP
5. OWASP, Web Security Testing Guide (WSTG) Rate Limiting Guidance
6. OWASP, API Security Top 10 (API4 Unrestricted Resource Consumption)
7. PCI Security Standards Council, PCI DSS v4.0 (Requirement 11.3 Vulnerability Scanning)
8. NIST, SP 800-115 Technical Guide to Information Security Testing and Assessment
9. NIST, SP 800-53 Rev. 5 (RA-5 Vulnerability Monitoring and Scanning)
10. ISO/IEC, ISO 27001:2022 Annex A 8.8 Management of Technical Vulnerabilities
11. AICPA, SOC 2 Trust Services Criteria CC7.1 Detection of Vulnerabilities
12. NCSC, Vulnerability Management Guidance
13. CISA, Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities
14. OWASP, Vulnerability Scanning Tools Guidance
15. SecPortal, External Scanning Feature
16. SecPortal, Authenticated Scanning Feature
17. SecPortal, Code Scanning Feature
18. SecPortal, Continuous Monitoring Feature
19. SecPortal, Activity Log & Workspace Audit Trail
20. SecPortal, Encrypted Credential Storage