Rate Limit Hierarchy
Scan probe rates are governed by a three-level hierarchy: Scanner > Subnet > Port List. The dispatcher computes the effective rate for each job by taking the most restrictive (lowest non-zero) value across all three levels — a policy called slowest-wins. When a scanner group scans a subnet with multiple scanners, the subnet rate limit is divided equally among the participating scanners so the aggregate rate stays within the per-subnet cap.
Fields & Columns
| Name | Description |
|---|---|
| Scanner rate limit | Hardware capacity ceiling — the maximum probes per second this scanner's host can sustain. Set in Config > Scanners. 0 means unlimited. |
| Subnet rate limit | Target network sensitivity — the maximum aggregate probes per second for all scanners targeting this subnet. Set in Config > Subnets. 0 means unlimited. |
| Port list rate limit | Service sensitivity — the maximum probes per second when scanning any port in this list. Useful for slowing down scans of sensitive ports (databases, ICS). Set in Config > Port Lists. 0 means unlimited. |
| Effective rate | The minimum of all non-zero rate values. Sent to the scanner in the job payload as maxProbesPerSecond. |
How To
Understand the slowest-wins rule
- Gather the three rate limits that apply to a job: scanner rate, subnet rate, and port list rate.
- Remove any that are 0 (0 means no limit at that level).
- The effective rate is the minimum of the remaining values.
- Example: scanner=10,000 pps, subnet=0 (unlimited), port list=100 pps → effective rate = 100 pps.
- If all three are 0, the scanner runs at full speed (unlimited).
Understand subnet rate division in scanner groups
- When a scanner group targets a subnet, multiple scanners scan the same targets simultaneously.
- To keep the aggregate within the subnet cap, the dispatcher divides the subnet rate by the number of scanners.
- Example: subnet allows 600 pps, scanner group has 3 scanners → each scanner gets 200 pps (floor division).
- This ensures 3 × 200 = 600 pps total, not 3 × 600 = 1,800 pps.
Gotchas
- A rate of 0 at any level means no limit at that level — it does not override other limits. Only non-zero values participate in the slowest-wins calculation.
- When all rates are 0 (fully unlimited), scan duration estimation uses a default of 5,000 pps as a planning estimate. The actual rate depends on scanner hardware.
- The effective rate is computed at job dispatch time. Changing a rate limit after a scan has started does not affect in-flight jobs.
- The minimum valid non-zero rate is 1 pps; the maximum is 100,000 pps. Values outside this range are rejected at the API layer.
- Scanner group subnet division uses floor rounding: 600 / 7 = 85 (not 86). This ensures the aggregate never exceeds the subnet cap.
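The slowest-wins rule, the group division with floor rounding, and the range check described above, as an added Python example (not the product's own code). Function names are hypothetical; applying the subnet division before taking the minimum, and clamping a share that floors to 0 up to 1 pps, are assumptions, since the page does not say how that case is handled.

```python
# Added example: names and the clamp-to-1 behaviour are assumptions,
# not the product's dispatcher code.
MIN_RATE, MAX_RATE = 1, 100_000   # valid non-zero range enforced at the API layer
PLANNING_DEFAULT_PPS = 5_000      # used for duration estimates when fully unlimited


def _validate(name, rate):
    """Accept 0 (unlimited) or an integer within MIN_RATE..MAX_RATE."""
    if isinstance(rate, bool) or not isinstance(rate, int):
        raise ValueError(f"{name} rate must be an integer, got {rate!r}")
    if rate != 0 and not MIN_RATE <= rate <= MAX_RATE:
        raise ValueError(f"{name} rate {rate} outside {MIN_RATE}..{MAX_RATE}")
    return rate


def subnet_share(subnet_rate, scanners_in_group):
    """Per-scanner share of a subnet cap, using floor division."""
    if scanners_in_group < 1:
        raise ValueError("a job needs at least one scanner")
    if subnet_rate == 0:
        return 0  # unlimited stays unlimited
    # Assumption: a share that floors to 0 is clamped to 1 pps, because 0
    # would otherwise be read as "unlimited" by the slowest-wins step.
    return max(MIN_RATE, subnet_rate // scanners_in_group)


def effective_rate(scanner, subnet, port_list, scanners_in_group=1):
    """Slowest-wins: minimum of the non-zero limits, 0 if all are unlimited."""
    limits = [
        _validate("scanner", scanner),
        subnet_share(_validate("subnet", subnet), scanners_in_group),
        _validate("port list", port_list),
    ]
    non_zero = [r for r in limits if r > 0]
    return min(non_zero) if non_zero else 0


def planning_rate(effective):
    """Rate used for scan duration estimates."""
    return effective if effective > 0 else PLANNING_DEFAULT_PPS


if __name__ == "__main__":
    print(effective_rate(10_000, 0, 100))      # scanner / unlimited subnet / port list
    print(effective_rate(10_000, 600, 0, 3))   # 600 pps subnet shared by 3 scanners
    print(effective_rate(0, 600, 0, 7))        # floor rounding with 7 scanners
```

With the assumed clamp, a subnet cap smaller than the group size (for example 2 pps across 3 scanners) produces an aggregate above the cap, so confirm how the dispatcher treats that case before relying on very low subnet limits.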
API Calls (3)
| Method | Path | Description |
|---|---|---|
| GET | /api/config/scanners | Returns scanner rate limits in maxProbesPerSecond field |
| GET | /api/config/subnets | Returns subnet rate limits in maxProbesPerSecond field |
| GET | /api/config/port-lists | Returns port list rate limits in maxProbesPerSecond field |
Related Pages
- Resource Limits — Resource count caps are a related constraint distinct from rate limits
- Scanners — Scanner rate limits are configured per scanner
- Subnets — Subnet rate limits protect target networks from overload
- Port Lists — Port list rate limits protect sensitive services