I am afraid those bots and online tools are using a predefined list of paths to test out probing and look for any possible clue of the vulnerability.
Unfortunately, without using Cloudflare, quite a good portion of website owners aren’t aware of those.
The Pro plan has got great stuff like Managed Rules and Super Bot Fight Mode.
You could also block some known ASNs via IP Access Rules to prevent those requests coming from them at least.
For testing purposes, consider checking the Security tab → Events for the next few days.
Therefrom, determine the ASN from the event and block some of the known “bad user-agents”, “crawlers” or “bad ASNs” using the posts below via Custom Rules and IP Access Rules, since these can always be adjusted for your case and with the Pro plan it’s a good combination:
May I ask if it is a WordPress or some other kind of?
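
An added example, not part of the original post and not Cloudflare's own code: one way to turn a few days of Security Events into a Custom Rule expression that blocks only ASNs that probed several distinct paths. The record field names, the probe-path list and the threshold are assumptions made for illustration, and the ASNs are constructed values from the documentation-reserved range.

```python
from collections import defaultdict

# Constructed sample records. The keys "asn" and "path" are hypothetical,
# not the schema of Cloudflare's event export.
SAMPLE_EVENTS = [
    {"asn": 64500, "path": "/.env"},
    {"asn": 64500, "path": "/wp-login.php"},
    {"asn": 64500, "path": "/.git/config"},
    {"asn": 64500, "path": "/xmlrpc.php"},
    {"asn": 64501, "path": "/wp-login.php"},  # a site owner logging in
    {"asn": 64501, "path": "/"},
    {"asn": 64502, "path": "/.env"},          # same path twice: one distinct probe
    {"asn": 64502, "path": "/.env"},
]

# Constructed list of paths that scanners commonly request from predefined lists.
PROBE_PATHS = {"/.env", "/.git/config", "/wp-login.php", "/xmlrpc.php", "/phpmyadmin/"}


def probing_asns(events, min_paths=3):
    """Return ASNs that requested at least min_paths distinct probe paths.

    Counting distinct paths rather than raw hits keeps an ASN with a single
    legitimate request (for example a real login) off the block list.
    """
    seen = defaultdict(set)
    for ev in events:
        if ev["path"] in PROBE_PATHS:
            seen[ev["asn"]].add(ev["path"])
    return sorted(asn for asn, paths in seen.items() if len(paths) >= min_paths)


def build_expression(asns):
    """Build a Custom Rule expression matching the given ASNs."""
    if not asns:
        return ""
    # Cloudflare's rules language writes sets as space-separated values in braces.
    return "(ip.src.asnum in {%s})" % " ".join(str(a) for a in asns)


if __name__ == "__main__":
    print(build_expression(probing_asns(SAMPLE_EVENTS)))
```

Review the resulting ASN list by hand before pasting the expression into a Custom Rule, since a large hosting or ISP ASN can also carry legitimate visitors.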