
How can I do this to port scanners? They constantly scan my home network and my firewall complains.


The typical script kiddie nmap/zmap scans are easily detectable. There are some forks that use different headers / window sizes, but they aren't that popular as far as I can tell from my experience.

Check out the methods that start with "is_filtered_nmap_" here: https://github.com/tholian-network/firewall/blob/master/kern...


You would probably want a honeypot to lure them in. But I wouldn't expect the output to go through an LLM, although I wouldn't be surprised if I was wrong.

This stuff is just low level automated scanning looking for well known, easy exploits. Default credentials and stuff like that. A lot of it is trying to recruit hosts for illegal VPNs / proxies, DDOS service, and more scanning / propagation. My advice is to block it (maybe with an expiration time on the block), log it, and ignore it. But it can be fun to see what they do with a honeypot.
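The "block it (maybe with an expiration time on the block), log it" approach from the comment above, as an added sketch that is not part of the thread or any commenter's code. The log format, the thresholds and the names `ScanBlocker` and `replay` are assumptions made for illustration; the sample log is constructed.

```python
from collections import defaultdict, deque

# Constructed sample log: "<unix-seconds> <source IP> <destination port>".
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
100 203.0.113.7 22
100 203.0.113.7 23
101 203.0.113.7 80
101 198.51.100.9 443
102 203.0.113.7 443
103 203.0.113.7 8080
700 203.0.113.7 22
4000 203.0.113.7 22
"""

class ScanBlocker:
    """Block a source that probes many distinct ports within a short window."""
    def __init__(self, port_threshold=5, window=60, block_ttl=3600):
        self.port_threshold, self.window, self.block_ttl = port_threshold, window, block_ttl
        self.recent = defaultdict(deque)  # source -> (timestamp, port) probes
        self.blocked = {}                 # source -> block expiry timestamp
        self.events = []                  # audit trail of block/unblock decisions

    def observe(self, ts, src, port):
        expiry = self.blocked.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"             # still inside the block period
            del self.blocked[src]         # block expired: start again with a clean slate
            self.events.append((ts, src, "unblock"))
        hits = self.recent[src]
        hits.append((ts, port))
        while hits and hits[0][0] <= ts - self.window:  # forget probes older than the window
            hits.popleft()
        if len({p for _, p in hits}) >= self.port_threshold:
            self.blocked[src] = ts + self.block_ttl     # block with an expiration time
            self.events.append((ts, src, "block"))      # log the decision
            del self.recent[src]
            return "drop"
        return "pass"

def replay(log_text, blocker):
    """Feed log lines to the blocker; return (timestamp, source, verdict) tuples."""
    verdicts = []
    for line in log_text.splitlines():
        ts, src, port = line.split()
        verdicts.append((int(ts), src, blocker.observe(int(ts), src, int(port))))
    return verdicts
```

Calling `replay(SAMPLE_LOG, ScanBlocker())` drops the scanning source from its fifth distinct port onward and lets it through again once the one-hour block has expired, while the single-port client is never affected.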


There’s lots of stuff from China and other IPs I’ve traced to California that have cryptic text-only landing pages.



