Does Splunk Attack Analyzer respect robots.txt rules?

According to official documentation, Splunk Attack Analyzer does not respect robots.txt rules.

How can I verify Splunk Attack Analyzer traffic with live traffic data?

You can verify Splunk Attack Analyzer requests by checking your server access logs for the documented user-agent strings. For accurate verification, correlate user-agent patterns with IP ranges or verification methods provided by Splunk.

What is Splunk Attack Analyzer?

Direct Answer: Splunk Attack Analyzer is a security bot operated by Splunk, analyzing URLs for malicious content using a headless Chrome browser.

Operator: Splunk Type: Security Scanner Purpose: Malicious content detection and security threat analysis

Splunk Attack Analyzer, formerly known as TwinWave, visits URLs submitted by customers using a headless Chrome browser. It analyzes DOM, HAR, and other relevant data from these visits to determine if the page is hosting malicious content. This analysis helps in identifying potential security threats.

User-Agent Identification

The following user-agent strings identify Splunk Attack Analyzer in your live traffic data:

TwinWaveScanner

robots.txt Rules for Splunk Attack Analyzer

Respects robots.txt: No

This bot does not commit to following robots.txt

Splunk Attack Analyzer does not officially follow robots.txt directives. The only reliable way to control access is through server-side blocking (IP filtering, user-agent rules in your web server config) combined with log monitoring to verify effectiveness.

Need continuous verification across 500+ bots? Can AI See It automates this.

Crawl Behavior

Frequency:On-Demand

Request Pattern:Visits URLs Submitted By Customers

JavaScript Rendering:Yes — this bot can execute JavaScript and render pages.

Official Documentation Quotes

"Splunk Attack Analyzer (formerly known as TwinWave), visits URLs submitted by customers using a headless Chrome browser."
Source:Official Documentation

Crawl Activity Index

Relative crawl activity for Splunk Attack Analyzer over the past 28 days. Higher values indicate increased crawling intensity compared to the period baseline.

View recent activity data (last 7 days)

Date	Activity Index
Mar 26, 2026	88.0
Mar 27, 2026	82.7
Mar 28, 2026	83.1
Mar 29, 2026	81.8
Mar 30, 2026	87.3
Mar 31, 2026	90.2
Apr 1, 2026	88.8

Source: Cloudflare Radar

Why track Splunk Attack Analyzer traffic?

Identify and classify unknown crawler activity. Splunk Attack Analyzer may appear in your live traffic data with varying frequency. Tracking its behavior helps you decide whether to allow, throttle, or block it based on actual data.

Protect your crawl budget. Every bot request consumes server resources. Understanding what Splunk Attack Analyzer crawls helps you prioritize the crawlers that matter.

Log Verification

To verify Splunk Attack Analyzer traffic in your live traffic data:

Search access logs for the user-agent strings listed above
Check if the IP addresses match documented ranges (if provided by Splunk)
Verify the crawl pattern matches documented behavior
Use reverse DNS lookup for additional verification if available

Note: Observed behavior in production environments may differ from official documentation. Live traffic monitoring provides the only reliable verification of actual bot behavior.

Undocumented Information

The following information is not officially documented for Splunk Attack Analyzer:

crawl frequency details
IP verification method
JavaScript rendering details

Official Documentation

View Official Splunk Attack Analyzer Documentation →

Information sourced from official documentation. Content generated with AI assistance.