A method includes obtaining a dictionary, data for a set of web requests, and definitions of a first set of clusters associated with vulnerability scanners. The method includes identifying a set of clients that transmitted the second set of web requests. The method includes generating a second set of feature vectors, which each corresponds to one of the clients. Each element in each feature vector corresponds respectively to an entry in the dictionary. The method includes clustering the second set of feature vectors into a second set of clusters. The method includes, in response to a first distance between a selected cluster of the second set of clusters and one of the first set of clusters being less than a first predetermined distance, (i) identifying one of the set of web services that received web requests corresponding to feature vectors in the selected cluster and (ii) generating a scanning alert.