GreyNoise
What is it?
GreyNoise operates a distributed network of passive sensors and honeypots across hundreds of IP addresses in multiple cloud providers and geographies. These sensors observe unsolicited inbound traffic, mass scanning, crawling, and exploitation attempts, then classify the source IPs. The core query is simple: look up an IP, and GreyNoise tells you whether it is a known benign scanner (Shodan, Censys, security researchers), a known malicious mass-exploiter, or something unclassified. The platform exposes this through an API, a web-based query interface (the Visualizer), SIEM and SOAR integrations, and real-time blocklist feeds.
The sensors go beyond connection logging. GreyNoise can selectively port-forward incoming exploitation attempts to a data centre running actual instances of the targeted services, creating high-interaction honeypots on demand. This captures full exploit payloads, not just connection metadata. The classification pipeline tags IPs with observed behaviours (specific CVE exploitation attempts, port scanning patterns, protocol fingerprints) and categorises them using automated analysis and manual curation.
Why did they build it?
A significant percentage of SOC alerts are triggered by internet background noise: mass scanners, botnets spraying exploits, and benign research crawlers. Analysts waste time investigating IPs that are hitting every network on the internet indiscriminately. GreyNoise provides the context to immediately filter those out. If an IP is in the dataset and tagged as a mass scanner, the activity is not targeted and the alert can be deprioritised or suppressed.
Can customers deploy their own sensors?
GreyNoise’s Plasma product allows customers to deploy their own GreyNoise sensors inside their perimeters, DMZs, or internal networks. The sensors are lightweight (a Raspberry Pi works), install via a single command, and tunnel traffic back to GreyNoise via WireGuard. Customers choose a “persona” for each sensor, making it look like a specific product (Exchange server, for example). The data stays private to the customer’s dashboard but is enriched against GreyNoise’s global dataset, so customers can see which IPs hitting their sensor have also been observed globally versus which are targeting them specifically. Use cases include measuring the efficacy of perimeter blocking stacks, detecting internal lateral movement scanning, and identifying traffic patterns unique to the customer’s environment.
What does the integration model look like?
GreyNoise integrates with major SIEMs (Splunk, Microsoft Sentinel, Elastic), SOAR platforms, and firewalls. The primary pattern is IP enrichment: when an alert fires, the workflow queries GreyNoise for context on the source IP and deprioritises known mass scanners automatically. The Block product generates real-time query-based blocklists that push directly to firewalls and WAFs. A free community API provides basic IP lookup; the enterprise tier adds full API access, SIEM integrations, blocklists, historical data (Recall), and Plasma sensor deployment.
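The enrichment pattern described above, as an added illustration that is not GreyNoise's own code or SDK: a SIEM alert arrives, the source IP is looked up, and alerts from IPs GreyNoise has seen mass-scanning the whole internet are deprioritised, while IPs with no record (potentially targeted activity) keep their priority. The lookup here is a constructed in-memory table; the record fields (`noise`, `classification`, `name`, `last_seen`, `message`) are assumed to mirror the shape of a GreyNoise community lookup, and the sample IPs and values are invented for the example.

```python
"""Alert triage with GreyNoise-style IP enrichment (added example).

`lookup_ip` returns a constructed record; a real deployment would replace it
with an HTTP call to the GreyNoise API. Field shape is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed enrichment table keyed by source IP (values invented).
MOCK_GREYNOISE: Dict[str, dict] = {
    "198.51.100.10": {"noise": True, "classification": "benign",
                      "name": "Shodan.io", "last_seen": "2025-11-01",
                      "message": "Success"},
    "198.51.100.20": {"noise": True, "classification": "malicious",
                      "name": "unknown", "last_seen": "2025-11-02",
                      "message": "Success"},
    "203.0.113.5": {"noise": True, "classification": "unknown",
                    "name": "unknown", "last_seen": "2025-10-30",
                    "message": "Success"},
}

# Record returned when an IP has never been seen by the sensor network.
NOT_OBSERVED = {"noise": False, "classification": "unknown", "name": "",
                "last_seen": "", "message": "IP not observed scanning the internet"}


@dataclass
class Alert:
    src_ip: str
    rule: str
    priority: str = "high"          # priority assigned by the SIEM rule
    context: dict = field(default_factory=dict)


def lookup_ip(ip: str) -> dict:
    """Stand-in for the API lookup; returns the constructed record or a miss."""
    return MOCK_GREYNOISE.get(ip, NOT_OBSERVED)


def triage(alert: Alert) -> Alert:
    """Adjust alert priority using whether the source is internet background noise."""
    info = lookup_ip(alert.src_ip)
    alert.context = info
    if not info["noise"]:
        # Never seen scanning the internet at large: this may be aimed at us,
        # so the rule's original priority stands.
        return alert
    if info["classification"] == "benign":
        # Known research scanner (Shodan, Censys, ...): suppress outright.
        alert.priority = "suppressed"
    elif info["classification"] == "malicious":
        # Mass exploiter spraying everyone: not targeted, but still tracked.
        alert.priority = "low"
    else:
        # Seen scanning but unclassified: deprioritise, keep for review.
        alert.priority = "medium"
    return alert


def summarise(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per resulting priority; shows how much of the queue was noise."""
    counts: Dict[str, int] = {}
    for a in alerts:
        triage(a)
        counts[a.priority] = counts.get(a.priority, 0) + 1
    return counts


if __name__ == "__main__":
    queue = [Alert("198.51.100.10", "ssh-bruteforce"),
             Alert("198.51.100.20", "cve-exploit-attempt"),
             Alert("203.0.113.5", "port-scan"),
             Alert("192.0.2.77", "cve-exploit-attempt")]
    print(summarise(queue))
```

The decision table is the part to adapt locally: some teams prefer to keep mass exploiters at normal priority when the exploit attempt targets a service they actually expose, and the "not observed" branch is where a customer-deployed sensor (Plasma, above) adds the most value, since it separates IPs the global network has seen from IPs hitting only this environment.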
Risky Business appearances
- Soap Box: Greynoise knows when bad bugs are coming (November 2025)
- Sponsored: GreyNoise on 2024’s mass internet scan trends (March 2025)
- Sponsored: GreyNoise launches private preview of Plasma sensors (September 2024)
- Soap Box: How to dismantle Volt Typhoon-style relay networks (February 2024)
- Risky Business #727 (November 2023)
- Sponsored: Andrew Morris on the future of GreyNoise’s honeypot network (July 2023)
- Soap Box: Greynoise has built the world’s biggest, and smartest, honeypot (February 2023)
- Risky Business #648 (December 2021)
- Risky Business #628 (2021)
- Snake Oilers: Greynoise! MergeBase! Votiro! (April 2021)
Sources
- Soap Box 102 (Nov 2025, Patrick Gray)
- Sponsored RBNEWSSI74 (Mar 2025, Catalin Cimpanu)
- Sponsored RBNEWSSI57 (Sep 2024, Catalin Cimpanu)
- GreyNoise website
Disclosure
GreyNoise is a recurring Risky Business sponsor.