Network scans may be either legitimate or illegitimate. In the first case, certain network services may perform network scans to discover devices in the network, for purposes of ensuring network security, and for other legitimate reasons. For example, a network management system (NMS), identity service engine (ISE), or the like, may perform legitimate network scans. In the latter case, a malicious node in the network is may perform network scans to identify security vulnerabilities (e.g., ports, applications, etc.) in the network that can be exploited for purposes of distributing malware, performing social engineering, or for other malicious reasons.