Which indicates suspicious activity in a User-Agent?

The key idea is that the User-Agent header identifies the client software sending the HTTP request. In normal web traffic, you’ll see strings that look like a web browser, such as Chrome or Firefox, which is typical user activity. When the User-Agent explicitly mentions security tools or scanners, it signals automated probing or security testing rather than a regular user, which is a red flag for suspicious activity. TLS isn’t a User-Agent; it’s a transport-layer protocol used to encrypt traffic, so it doesn’t describe the client application. A Browser string by itself isn’t suspicious, as it simply reflects standard browsing software. While a specific tool like Wfuzz would also indicate automated activity, the indicator that best signals suspicious behavior in the User-Agent is the reference to security tools or scanners.