Grey Noise

We're launching C2 Detection — a new GreyNoise intelligence module that gives you two distinct, high-confidence signals that a device in your environment has been compromised.

Attackers route malicious traffic through ordinary home internet connections — and to a reputation feed, the source IP is indistinguishable from a legitimate user's connection. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from residential address space. 78% vanish after just 1–2 sessions, before any reputation system can flag them. The report documents why detection must shift from where the traffic comes from to what it is doing.

Last week, the GreyNoise Observation Grid observed something unusual: 242,666 new scanning IPs geolocating to Hong Kong appeared in seven days and 99.7% of them never completed a single TCP connection.

GreyNoise's new and improved integration with Google SecOps delivers standardized indicator ingestion, pre-built dashboards, YARA-L detection rules, saved searches, SOAR response actions, webhook support, and ready-to-deploy playbooks.‍

GreyNoise intelligence is now available across the CrowdStrike Falcon platform, bringing internet-wide scanning context to SIEM queries, SOAR workflows, and AI-driven triage.

84,000+ scanning sessions targeting SonicWall SonicOS infrastructure in four days. GreyNoise details a coordinated reconnaissance campaign using rotating proxy infrastructure.

GreyNoise analyzed 2.97 billion malicious sessions over 162 days — and the patterns challenge assumptions about where edge defenses are strongest. From VPN targeting to infrastructure concentration to attackers rapidly rotating through fresh IPs, new research quantifies where the gaps are and what to do about it. Read the full findings.

A PoC for CVE-2026-1731 hit GitHub on Feb 10. Within 24 hours, GreyNoise observed reconnaissance probing for vulnerable BeyondTrust instances.

The GreyNoise Global Observation Grid observed active exploitation of two critical Ivanti Endpoint Manager Mobile vulnerabilities, and 83% of that exploitation traces to a single IP address on bulletproof hosting infrastructure that does not appear on widely circulated IOC lists.

GreyNoise introduces Vendor CVE Spike and Tag Spike. Learn how to detect coordinated vendor targeting and botnet surges before a CVE is assigned.

Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly.

In 2025, 59 KEV entries silently flipped to “known ransomware use.” GreyNoise uncovers the hidden flips, why they matter, and a new feed to track them.

Recall is a time-series capability that enables customers to query GreyNoise data over specific historical ranges. Instead of a static summary of current IP behavior, Recall allows you to see exactly how scanner activity looked at any given hour.

Dive into the scientific methods GreyNoise uses to separate internet noise from real threats, providing defenders a clearer, more accurate view of malicious activity.

Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments.

Over four days in December, one operator scanned the internet for vulnerable systems, testing 240+ exploits and logging confirmed vulnerabilities that could power targeted intrusions in 2026.

Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers.

GreyNoise is tracking a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure, with activity observed against Cisco SSL VPN and Palo Alto Networks GlobalProtect services.

GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as “React2Shell” and tracked as CVE-2025-55182.

GreyNoise detected a surge of 7,000+ IPs attempting to log into GlobalProtect, sharing fingerprints with a surge in SonicWall API scanning and earlier Palo Alto campaigns, exposing a persistent credential-based attack pattern.