Today, we're launching Project Swarm — a research initiative that opens the GreyNoise deception platform to the global security community. Project Swarm transforms GreyNoise from a proprietary sensor network into a collective intelligence platform.
Before Cisco disclosed a CVSS 10.0 zero-day, GreyNoise sensors had already observed eight surges of targeting activity compressing from 39 days to 2 days. A new study finds this pattern repeated across 33 CVEs and 16 vendor families — with a median lead time of 11 days. Read the full findings.
GreyNoise uncovers a concentrated RDP scanning campaign, revealing infrastructure patterns, rapid traffic shifts that impact detection, and recommendations for defenders.
We're launching C2 Detection — a new GreyNoise intelligence module that gives you two distinct, high-confidence signals that a device in your environment has been compromised.
Attackers route malicious traffic through ordinary home internet connections — and to a reputation feed, the source IP is indistinguishable from a legitimate user's connection. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from residential address space. 78% vanish after just 1–2 sessions, before any reputation system can flag them. The report documents why detection must shift from where the traffic comes from to what it is doing.
Last week, the GreyNoise Observation Grid observed something unusual: 242,666 new scanning IPs geolocating to Hong Kong appeared in seven days, and 99.7% of them never completed a single TCP connection.
GreyNoise intelligence is now available across the CrowdStrike Falcon platform, bringing internet-wide scanning context to SIEM queries, SOAR workflows, and AI-driven triage.
84,000+ scanning sessions targeting SonicWall SonicOS infrastructure in four days. GreyNoise details a coordinated reconnaissance campaign using rotating proxy infrastructure.
GreyNoise analyzed 2.97 billion malicious sessions over 162 days — and the patterns challenge assumptions about where edge defenses are strongest. From VPN targeting to infrastructure concentration to attackers rapidly rotating through fresh IPs, new research quantifies where the gaps are and what to do about it. Read the full findings.
The GreyNoise Global Observation Grid observed active exploitation of two critical Ivanti Endpoint Manager Mobile vulnerabilities, and 83% of that exploitation traces to a single IP address on bulletproof hosting infrastructure that does not appear on widely circulated IOC lists.
Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly.
In 2025, 59 KEV entries silently flipped to “known ransomware use.” GreyNoise uncovers the hidden flips, why they matter, and a new feed to track them.
Recall is a time-series capability that enables customers to query GreyNoise data over specific historical ranges. Instead of a static summary of current IP behavior, Recall allows you to see exactly how scanner activity looked at any given hour.
Dive into the scientific methods GreyNoise uses to separate internet noise from real threats, providing defenders a clearer, more accurate view of malicious activity.
Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments.
Get the latest tips and stories on improving information security.