ELLIO U.S. Spring Roadshow: Unmasking recon threats and network fingerprinting.

Discover the key insights from the 2025 ELLIO Roadshow on mass exploitation and network reconnaissance.

Cybersecurity was a major focus in late April and early May 2025, when San Francisco became a hub for the global security community. Events like RSAC, BSides San Francisco, HackTheBay, and the AMTSO Networking Reception brought experts together to discuss the future of digital defense.

During this time, ELLIO launched a roadshow focused on a growing threat: mass scanning and network reconnaissance. From San Francisco to our final session at BSides Nashville, we explained how attackers scan the internet at scale and what defenders can do to stop them.

5 Takeaways from ELLIO U.S. Spring Roadshow

Mass scanning is no longer just background noise: What used to be considered harmless internet “chatter” has evolved into a structured, weaponized phase of modern cyberattacks. Mass scanning is now often the first step in identifying weak points across vast IP ranges, laying the groundwork for targeted exploitation.
Reconnaissance leaves a trail (if you know where to look): Sophisticated attackers use proxies, VPNs, and jump servers to hide their tracks, but they still leave behavioral signatures. By analyzing TLS handshakes, HTTP headers, and connection patterns, defenders can trace infrastructure reuse and link seemingly unrelated attacks.
Network fingerprinting reveals more than you think: Advanced network fingerprinting techniques like JA4, JA4+, and MuonFP can unmask the tooling, tactics, and infrastructure behind an attacker’s scans. From identifying specific malware families to distinguishing between human and automated behavior, fingerprints tell a deeper story.
Defensive fingerprinting has its limits: While fingerprinting is powerful, it’s not a silver bullet. Spoofed headers, encrypted traffic, and evolving attacker tactics can degrade its reliability. Successful use depends on contextual analysis and correlation with other threat intelligence sources.
At RSAC 2025: AI and identity take center stage: The major theme at RSAC 2025 was the intersection of AI and identity protection. From generative AI-powered phishing to deepfake-driven social engineering, identity has become the new perimeter – and it’s under constant siege.

Mapping the invisible: The power of network fingerprinting.

As scanning and reconnaissance tactics become more diverse - from public platforms like Shodan and Censys to stealthy probing by botnets and bulletproof hosting services - security teams need better tools to understand who is knocking on their digital doors.

Network latency comparison showing MuonFP tool performance - Ubuntu (1388ms) vs Ubuntu over Verizon (1460ms) with connection parameters displayed

During the roadshow, the ELLIO team presented its latest research on the evolving mass-scanning landscape and the risks it creates. Another topic that strongly resonated with the audience was modern network fingerprinting. Vlad Iliushin, Head of Cybersecurity at ELLIO, shared insights into the technique, explained how network fingerprinting has evolved over time, and provided practical guidance on how to interpret fingerprints, when to use them, and what their limitations are.

Collaboration matters.

Collaboration took center stage at the AMTSO Networking Reception during RSAC 2025 in San Francisco. The event brought together AMTSO members – including ELLIO – and special guests from across the industry, nonprofit sector, and government. A lively discussion on collaboration and data sharing in cybersecurity featured insights from Eva Galperin (Director of Cybersecurity, Electronic Frontier Foundation), Jon Baker (Director and Co-Founder, Center for Threat-Informed Defense at MITRE), and Sam Curry (VP & CISO in Residence, Zscaler), with moderation by Vlad Iliushin, ELLIO Founder and President of AMTSO.

A live discussion on collaboration and data sharing in cybersecurity featured insights from Eva Galperin (Electronic Frontier Foundation), Jon Baker (Center for Threat-Informed Defense at MITRE), Sam Curry (Zscaler), and Vlad Iliushin, (ELLIO)

At the heart of AMTSO’s mission is the belief that cybersecurity is stronger when we work together. The Real-Time Threat List (RTTL) is proof of that – a collaborative threat intelligence platform built to accelerate detection and improve malware defenses. Processing over 75,000 samples monthly, RTTL brings together contributions from AMTSO members, CERTs, and other partners to catch threats early, often before they’re seen anywhere else. With deep analysis capabilities and open access for qualified contributors, RTTL shows how shared data can lead to smarter, faster responses across the entire security ecosystem.

About ELLIO

ELLIO is a research-driven cybersecurity lab with a strong focus on mass exploitation and reconnaissance activity. ELLIO delivers IP-based threat intelligence, network fingerprints, and highly dynamic feeds for event prioritization and data enrichment across existing SIEM, SOAR, and other security tools. Beyond intelligence, ELLIO provides ultimate IP blocking for next-gen firewalls, a platform for centrally managing all multi-vendor blocklists and whitelists, and additional services such as network masking against scanners and eBPF-based filters that combine IP intelligence with modern network fingerprints to protect against active malicious and overly curious (promiscuous) traffic.

Enter the ELLIO Threat Platform and see mass exploitation and reconnaissance activity as they happen: https://platform.ellio.tech