Nmap for Pentester: Timing Scan
Overview
Nmap timing templates (the -T0 through -T5 options) give an operator direct control over how aggressively the scanner probes a target. This article demonstrates, through a controlled laboratory experiment, how each template affects total scan duration against a single Linux host. It then extends the analysis to a stealth SYN scan across a wider port range, compares two timing profiles using their saved output, and closes with practical defensive measures. Every result shown here comes from live scans executed from a Kali Linux attack machine against a VMware-hosted target.
Table of Contents:
- Introduction
- Understanding the Various Timing Scans
- The -T0 (Paranoid) Scan
- The -T1 (Sneaky) Scan
- The -T2 (Polite) Scan
- The -T3 (Normal) Scan
- The -T4 (Aggressive) Scan
- The -T5 (Insane) Scan
- Comparing Timing Templates Across a Wider Port Range
- Verifying the Results with diff
- Mitigation Strategies
- Conclusion
Introduction
When a security professional scans a network, raw speed and stealth pull in opposite directions. A fast scan finishes quickly but generates a dense, easily detected burst of traffic; a slow scan blends into normal activity but can take hours to complete. Nmap resolves this tension with six built-in timing templates that bundle dozens of low-level timing parameters into a single, convenient flag.
The templates range from -T0 (paranoid), which spaces probes minutes apart to evade intrusion detection systems, up to -T5 (insane), which floods the target as quickly as the network allows. The middle values balance the two extremes for everyday use. To measure the real impact of each setting, this experiment scans ports 22 and 80 on the target host 192.168.1.9 and records the elapsed time reported by the Linux time utility. The sections below walk through each scan in sequence, present the command used, explain the observed result, and then display the captured terminal output.
Understanding the Various Timing Scans
Nmap’s timing templates are selected with the -T flag, which controls how fast and how aggressively the scanner probes a target. The accompanying graphic, laid out like a tactical console (scan_profiles.cfg), presents the six presets as a single dial that trades stealth for speed.
Each row maps a flag to its codename, representative probe delay, ideal use case, and an intensity meter, with a cool-to-hot color ramp reinforcing the spectrum:
- -T0 Paranoid (5 min) — IDS evasion and stealth operations
- -T1 Sneaky (15 sec) — low-noise reconnaissance
- -T2 Polite (400 ms) — production systems, to avoid overloading them
- -T3 Normal (default) — general-purpose scanning
- -T4 Aggressive (10 ms) — CTFs, labs, and internal penetration tests
- -T5 Insane (5 ms) — LAN-only speed tests

The core idea: lower numbers wait longer between probes, making scans slower but quieter and gentler on the target; higher numbers fire rapidly, finishing fast but generating noise that intrusion-detection systems easily flag. The spectrum bar and the per-row meters both visualise this stealth-versus-speed trade-off at a glance.
The footer shows typical usage — nmap -T4 192.168.1.0/24 — a balance most practitioners reach for on networks they’re authorised to test.
The -T0 (Paranoid) Scan
The paranoid template represents the slowest and stealthiest option available. Nmap serialises every probe and inserts a long delay between each one, which dramatically reduces the chance that a defensive system will correlate the packets into a recognisable scan pattern. The operator runs the following command:
time nmap -T0 -p 22,80 192.168.1.9

As the captured output shows, the scan still correctly identifies both open ports, SSH on port 22 and HTTP on port 80, and fingerprints the VMware MAC address. However, the cost of this caution is severe: the scan consumes 900.77 seconds, roughly fifteen minutes, to probe just two ports. This result illustrates why analysts reserve -T0 for situations where avoiding detection matters far more than finishing quickly.
The -T1 (Sneaky) Scan
The sneaky template relaxes the timing slightly while still prioritising evasion. Nmap shortens the delay between probes, which preserves much of the stealth benefit but delivers results in a far more reasonable timeframe. The operator issues the command below:
time nmap -T1 -p 22,80 192.168.1.9

The scan returns the identical port and service information, yet it completes in only 45.67 seconds. Moving from -T0 to -T1 therefore cuts the runtime by roughly twenty times while retaining a cautious probing rate, which makes the sneaky template a more practical choice for evasion-focused engagements.
The -T2 (Polite) Scan
The polite template is designed to conserve bandwidth and reduce load on the target. It slows the scan enough to avoid overwhelming fragile systems but runs considerably faster than the two stealth profiles. The operator runs:
time nmap -T2 -p 22,80 192.168.1.9

Here, the experiment records a dramatic improvement: the scan finishes in just 1.82 seconds. The polite template marks the point at which Nmap shifts from deliberate, evasion-driven pacing toward normal operational speed, while still behaving courteously toward the target.
The -T3 (Normal) Scan
The normal template is Nmap’s default behaviour when no timing flag is specified. It applies a balanced set of parameters intended to suit most networks under typical conditions. The operator executes:
time nmap -T3 -p 22,80 192.168.1.9

The scan completes in 0.67 seconds and again reports the same open ports. Because this template represents the baseline, its result serves as a useful reference point against which the faster and slower profiles can be judged.
The -T4 (Aggressive) Scan
The aggressive template assumes a fast and reliable network and pushes the probing rate higher accordingly. Penetration testers commonly favour it because it delivers quick results without reaching the extreme behaviour of the final template. The command appears below:
time nmap -T4 -p 22,80 192.168.1.9

The scan finishes in 0.66 seconds, a marginal gain over the normal template for this small two-port test. The narrow difference highlights an important point: against a tiny port range on a fast local network, the higher templates produce only minor time savings, because the scan is already operating near its practical floor.
The -T5 (Insane) Scan
The insane template applies the most aggressive timing Nmap offers. It sacrifices accuracy and stealth entirely in exchange for maximum speed, and on congested or unreliable networks it can miss ports because it refuses to wait long enough for slow responses. The operator runs:
time nmap -T5 -p 22,80 192.168.1.9

On this fast, low-latency lab network, the scan completes in 0.65 seconds, essentially tied with the aggressive and normal templates. This outcome reinforces the lesson that the dramatic speed advantages of the higher templates appear only when scanning many ports or crossing slower links, not when probing a handful of ports on a local segment.
Comparing Timing Templates Across a Wider Port Range
The two-port tests show that timing templates barely diverge on a trivial workload. To expose a meaningful difference, the next experiment runs a stealth SYN scan (-sS) across the first one hundred ports and saves each result to a file with the -oN option. The operator executes both a polite and an aggressive scan in turn:
nmap -T2 -sS -p 1-100 -oN t2_scan.txt 192.168.1.9
nmap -T4 -sS -p 1-100 -oN t4_scan.txt 192.168.1.9

Both scans discover the same three open ports, FTP on 21, SSH on 22, and HTTP on 80, but the timing gap is now substantial. The polite -T2 scan takes 41.11 seconds, whereas the aggressive -T4 scan completes in only 0.67 seconds. Widening the port range reveals the true cost of slower templates, which the minimal two-port test had concealed.
Verifying the Results with diff
To confirm that the two scans differ only in timing and not in their findings, the operator compares the saved output files directly using the diff utility:
diff t2_scan.txt t4_scan.txt

The comparison confirms the expected outcome. The only meaningful differences lie in the command line that initiated each scan, the measured host latency, and the total scan duration, where -T2 records 41.11 seconds against the 0.67 seconds of -T4. Crucially, the discovered ports and services remain identical, which proves that on this reliable network the faster template loses no accuracy while saving enormous time.
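A plain diff also flags the header, latency and duration lines, so a findings-only comparison is handier when many saved scans are reviewed. The following script is an added example, not part of the original article: it parses constructed -oN samples (the two scans above plus a hypothetical -T5 run that dropped port 80, the accuracy failure the insane template risks) and reports whether the open ports match while keeping the elapsed times separate.

```python
import re

# Constructed samples of two nmap -oN files (not output captured on the page); they
# mirror the layout nmap writes: a header line, a port table and a summary line.
T2_SCAN = """# Nmap <version> scan initiated <date> as: nmap -T2 -sS -p 1-100 -oN t2_scan.txt 192.168.1.9
Nmap scan report for 192.168.1.9
Host is up (0.0012s latency).
Not shown: 97 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
# Nmap done at <date> -- 1 IP address (1 host up) scanned in 41.11 seconds
"""
T4_SCAN = T2_SCAN.replace("-T2", "-T4").replace("t2_scan", "t4_scan").replace("41.11", "0.67")
# Hypothetical -T5 run that timed out on port 80: the accuracy loss the article warns about.
T5_MISSED = (T4_SCAN.replace("-T4", "-T5").replace("t4_scan", "t5_scan")
             .replace("80/tcp open  http\n", "").replace("97 closed", "98 closed"))

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
DONE_RE = re.compile(r"scanned in ([\d.]+) seconds")

def parse_scan(text):
    """Return ({'22/tcp': ('open', 'ssh'), ...}, elapsed_seconds) from -oN text."""
    ports = {f"{num}/{proto}": (state, svc) for num, proto, state, svc in PORT_RE.findall(text)}
    done = DONE_RE.search(text)
    return ports, (float(done.group(1)) if done else None)

def compare_scans(first, second):
    """Diff two -oN results on findings only; elapsed times are reported, not compared."""
    ports_a, time_a = parse_scan(first)
    ports_b, time_b = parse_scan(second)
    by_port = lambda key: int(key.split("/")[0])
    shared = ports_a.keys() & ports_b.keys()
    return {
        "only_in_first": sorted(set(ports_a) - set(ports_b), key=by_port),
        "only_in_second": sorted(set(ports_b) - set(ports_a), key=by_port),
        "state_changed": sorted((k for k in shared if ports_a[k] != ports_b[k]), key=by_port),
        "elapsed": (time_a, time_b),
    }

def findings_identical(result):
    return not (result["only_in_first"] or result["only_in_second"] or result["state_changed"])

if __name__ == "__main__":
    r = compare_scans(T2_SCAN, T4_SCAN)
    print("T2 vs T4 identical findings:", findings_identical(r), "elapsed:", r["elapsed"])
    print("T4 vs T5 only in first:", compare_scans(T4_SCAN, T5_MISSED)["only_in_first"])
```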
Mitigation Strategies
Defenders cannot prevent an attacker from launching a port scan, but they can detect it, slow it down, and limit the information it yields. The following measures reduce the risk that reconnaissance, like the scans above, will succeed undetected:
- Deploy and tune intrusion detection systems such as Snort or Suricata to flag the rapid, sequential connection attempts that aggressive timing templates generate.
- Configure the host firewall, for example, iptables, to rate-limit incoming connections and drop probes that exceed a sane threshold, which forces an attacker into the slow templates that take far longer.
- Close every port that the business does not actively need, because each open service shown in these scans represents a potential entry point.
- Place sensitive systems behind network segmentation and access control lists so that an external scanner never reaches them in the first place.
- Enable verbose connection logging and centralise the logs, allowing analysts to spot even the slow -T0 and -T1 scans that are specifically designed to evade real-time alerts.
- Keep services patched and current, ensuring that even when an attacker identifies an open port, the software behind it offers no easily exploitable weakness.
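The detection and logging advice above rests on one observation from the experiment: aggressive templates hit many ports within a second, while the paranoid and sneaky templates spread the same probes over minutes or hours. The script below is an added example, not part of the original article, that applies both views to constructed connection records; the window sizes and thresholds are assumptions for the demonstration and would be tuned to a real network.

```python
from collections import defaultdict

# Constructed connection records (timestamp in seconds, source IP, destination port); not real
# log data. 10.0.0.5 mimics an aggressive -T4 scan (100 ports in under a second), 10.0.0.7 a
# sneaky -T1 scan (one port roughly every 15 seconds) and 10.0.0.9 ordinary repeat traffic.
def sample_events():
    events = [(1000.0 + i * 0.006, "10.0.0.5", port) for i, port in enumerate(range(1, 101))]
    events += [(2000.0 + i * 15.0, "10.0.0.7", port) for i, port in enumerate(range(1, 41))]
    events += [(3000.0 + i * 30.0, "10.0.0.9", 443) for i in range(20)]
    return events

# Two sliding-window rules, evaluated in order so the noisier one wins. The thresholds are
# assumptions for this demo, not values taken from the article; tune them to the network.
RULES = (
    ("burst", 5.0, 20),     # >= 20 distinct ports from one source within 5 seconds (-T3..-T5)
    ("slow", 3600.0, 15),   # >= 15 distinct ports from one source within an hour (-T0..-T2)
)

def distinct_ports_in_window(hits, window):
    """Largest number of distinct ports one source touched inside any `window`-second span."""
    best, lo = 0, 0
    for hi in range(len(hits)):
        while hits[hi][0] - hits[lo][0] > window:
            lo += 1
        best = max(best, len({port for _, port in hits[lo:hi + 1]}))
    return best

def detect_scans(events, rules=RULES):
    """Map each suspicious source IP to the first rule label it triggers."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    alerts = {}
    for src, hits in by_src.items():
        for label, window, threshold in rules:
            if distinct_ports_in_window(hits, window) >= threshold:
                alerts[src] = label
                break
    return alerts

if __name__ == "__main__":
    for src, label in sorted(detect_scans(sample_events()).items()):
        print(f"{src}: {label} scan pattern")
```

The slow rule is what catches -T0 and -T1 traffic that a per-second rate limit never sees, which is why the article pairs rate limiting with centralised, long-retention logging.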
Conclusion
This experiment demonstrates that Nmap timing templates trade speed against stealth along a clear and measurable spectrum. The paranoid -T0 scan took nearly fifteen minutes to inspect two ports, while the faster templates finished the same task in under a second. The wider hundred-port comparison exposed the real divide, with the polite template requiring more than forty seconds against the aggressive template’s fraction of a second, and the diff verification confirmed that this speed came at no cost to accuracy on a reliable network.
For practitioners, the lesson is to match the timing template to the objective: choose the slower profiles when evading detection is paramount, and the faster profiles when speed matters and the network is dependable. For defenders, the same results underline the value of detection, rate limiting, and disciplined service management. Understanding both sides of this dynamic turns a simple scanning option into a meaningful lens on the balance between offence and defence.
Can I get all these tutorials as a PDF, please?