By analyzing the activity/traffic of a large network, it is possible to spot scanning attempts potentially performed by threat actors. Scanning for the SAP NetWeaver JAVA default port increased significantly after the release of the patch for the RECON vulnerability.