It’s well known that the window between CVE disclosure and active exploitation has narrowed. But what happens before a CVE is even disclosed? 

In our latest research “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” GreyNoise analyzed hundreds of spikes in malicious activity — scanning, brute forcing, exploit attempts, and more — targeting edge technologies. We discovered a consistent and actionable trend: in the vast majority of cases, these spikes were followed by the disclosure of a new CVE affecting the same technology within six weeks. 

This recurring behavior led us to ask: 

Could attacker activity offer defenders an early warning signal for vulnerabilities that don’t exist yet — but soon will? 

The Six-Week Critical Window

Across 216 spikes observed across our Global Observation Grid (GOG) since September 2024, we found: 

  • 80 percent of spikes were followed by a new CVE within six weeks.
  • 50 percent were followed by a CVE disclosure within three weeks. 
  • These patterns were exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools — the same kinds of systems increasingly targeted by advanced threat actors. 

Why This Matters

Exploit activity may be more than what it seems. Some spikes appear to reflect reconnaissance or exploit-based inventorying. Others may represent probing that ultimately results in new CVE discovery. Either way, defenders can take action. 

Blocking attacker infrastructure involved in these spikes may reduce the chances of being inventoried — and ultimately targeted — when a new CVE emerges. Just as importantly, these trends give CISOs and security leaders a credible reason to harden defenses, request additional resources, or prepare strategic responses based on observable signals — not just after a CVE drops, but weeks before. 

What’s Inside the Report

The full report includes: 

  • A breakdown of the vendors, products, and GreyNoise tags where these patterns were observed.
  • Analysis of attacker behavior leading up to CVE disclosure. 
  • The methodology used to identify spikes and establish spike-to-CVE relationships. 
  • Clear takeaways for analysts and CISOs on how to operationalize this intelligence. 

This research builds on our earlier work on resurgent vulnerabilities, offering a new lens for defenders to track vulnerability risk based on what attackers do — not just what’s been disclosed. 

READ THE FULL REPORT

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account