When a firewall gets exploited, nothing happens; at least, nothing you can see. No EDR alert. No endpoint log. The device just quietly reaches out to an attacker-controlled server, downloads a payload, and waits for instructions.

From the attacker's perspective, access is established. From yours, it's Tuesday.

Edge and perimeter devices (routers, firewalls, VPN concentrators) are the most actively exploited assets on the internet right now. They're also the ones your security stack has the least visibility into. EDR doesn't run on them. Their native telemetry is sparse. And when they're compromised, the only evidence is an outbound connection buried somewhere in your firewall logs.

Today, we're launching C2 Detection, a new GreyNoise intelligence module that gives you two distinct, high-confidence signals that a device in your environment has been compromised.

Detect Compromise Through Outbound Traffic

C2 Detection is a new GreyNoise intelligence capability that surfaces the attacker-controlled infrastructure, malware-hosting servers, C2 nodes, and associated file hashes that compromised devices phone home to after a successful exploit.

Here's how it works: GreyNoise reads the exploit payloads that attackers send to its global sensor network and extracts the callback destinations embedded in those payloads. It then collects the malware hosted at those destinations and analyzes it to map the next stages of the attack chain — from staging servers to command-and-control infrastructure. This is payload-derived intelligence. GreyNoise doesn't need to wait for an exploit to succeed. It reads the payload directly, observes the post-exploitation chain, and delivers the results as a continuously updated dataset of confirmed callback IPs and associated malware hashes.

In the Visualizer, you'll see this as callback IP intelligence and malware hash data — two new layers that extend GreyNoise beyond inbound scanning into outbound threat detection.

Turn Outbound Traffic Into a Detection Signal

  • Detect active compromise from outbound traffic. Export your egress logs from edge devices and match destination IPs against the GreyNoise callback dataset. If there's a hit, the attack stage tells you how serious it is and what to do next.
  • Enrich your SIEM and SOAR with callback context. Pull callback stage and metadata via the API and use it to branch your playbooks. A Stage 1 match (confirmed file download) opens a case. A Stage 2 match (suspected C2 activity) triggers immediate escalation and containment.
  • Investigate historically. Callback infrastructure persists for weeks or months, far longer than scanning IPs. Use time range filters and the callback_ips query parameter to trace when GreyNoise first observed the infrastructure and which scanner IPs are linked to the same attack network.

Three Stages, One Severity Framework

Every callback IP is classified into one of three stages based on what GreyNoise has confirmed:

| Stage | What It Means | Recommended Action |
| --- | --- | --- |
| Unconfirmed | IP appeared in a payload, but no file was successfully downloaded. | Investigate. Don't escalate yet. |
| Stage 1: File Downloaded | GreyNoise confirmed this IP is actively serving file payloads. | Treat contacting devices as potentially compromised. Open a case. |
| Stage 2: C2 Suspected | Behavioral analysis, including VirusTotal detections, sandbox network activity, and malware associations, indicates active C2 infrastructure. | Assume active exploit presence. Escalate immediately. |

This stage-based model gives you a built-in severity framework. Instead of a binary "good or bad," you get a signal calibrated to where the attacker is in their kill chain so your response matches the actual risk.

Two Signals. One Answer: You’re Compromised

C2 Detection strengthens a use case GreyNoise customers already know, detecting compromised assets, by adding a second, independent signal:

  • Signal A (existing): Your organization's IP appears in GreyNoise as a scanner. That device has been recruited into a botnet and is scanning the internet on the attacker's behalf.
  • Signal B (new): Your outbound traffic matches a confirmed callback IP. That device is calling home to attacker-controlled infrastructure.

C2 Detection expands GreyNoise coverage beyond inbound activity, bringing high-confidence visibility into outbound communication with attacker-controlled infrastructure.
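The egress-matching workflow, the three-stage severity table, and the two-signal model above can be tied together in a small triage script. The following is an added example and not GreyNoise's code or API: the callback dataset, the scanner feed, the organisation's address range and the firewall log lines are all constructed here, and the field names (`stage`, `first_seen`, `hashes`) are illustrative assumptions rather than the real export schema. It parses egress log lines, keeps the highest stage seen per source device (so a device that contacts both a Stage 1 and a Stage 2 IP is escalated), counts denied attempts as hits because the device still tried to call home, and overlays Signal A (the organisation's own IP appearing as a scanner).

```python
import ipaddress
import re

# Constructed stand-in for a C2 Detection callback export (assumption: one
# record per callback IP with at least a stage; field names are illustrative).
CALLBACK_DATASET = {
    "203.0.113.10": {"stage": "unconfirmed", "first_seen": "2025-01-02"},
    "203.0.113.25": {"stage": "stage1", "first_seen": "2024-12-20",
                     "hashes": ["<sha256 placeholder>"]},
    "198.51.100.7": {"stage": "stage2", "first_seen": "2024-11-30"},
}

# Constructed scanner feed (Signal A): IPs reported as actively scanning.
SCANNER_FEED = {"192.0.2.50", "203.0.113.99"}

# The organisation's own public ranges (constructed, documentation prefix).
ORG_PUBLIC_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Severity order and the recommended action from the stage table.
STAGE_RANK = {"unconfirmed": 1, "stage1": 2, "stage2": 3}
STAGE_ACTION = {
    "unconfirmed": "investigate",
    "stage1": "open_case",
    "stage2": "escalate_and_contain",
}

# Constructed egress log lines in a generic key=value firewall format.
EGRESS_LOG = """\
2025-01-15T10:01:03Z fw01 action=allow src=192.0.2.50 dst=203.0.113.25 dport=443 proto=tcp
2025-01-15T10:01:04Z fw01 action=allow src=192.0.2.50 dst=198.51.100.7 dport=8443 proto=tcp
2025-01-15T10:02:11Z fw01 action=allow src=192.0.2.77 dst=203.0.113.10 dport=80 proto=tcp
2025-01-15T10:03:40Z fw01 action=allow src=192.0.2.88 dst=93.184.216.34 dport=443 proto=tcp
2025-01-15T10:04:00Z fw01 action=deny src=192.0.2.77 dst=198.51.100.7 dport=8443 proto=tcp
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"action=(?P<action>allow|deny) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_egress(log_text):
    """Return (src, dst, dport, fw_action) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], int(m["dport"]), m["action"]))
    return events


def match_callbacks(log_text, dataset=CALLBACK_DATASET):
    """Signal B: group callback hits per source device, keeping the worst stage seen."""
    verdicts = {}
    for src, dst, dport, fw_action in parse_egress(log_text):
        entry = dataset.get(dst)
        if entry is None:
            continue
        stage = entry["stage"]
        v = verdicts.setdefault(src, {"stage": stage, "hits": []})
        # A denied attempt is still evidence: the device tried to reach the callback IP.
        v["hits"].append({"dst": dst, "dport": dport, "fw_action": fw_action,
                          "stage": stage, "first_seen": entry["first_seen"]})
        if STAGE_RANK[stage] > STAGE_RANK[v["stage"]]:
            v["stage"] = stage
    for v in verdicts.values():
        v["action"] = STAGE_ACTION[v["stage"]]
    return verdicts


def org_scanners(scanner_feed=SCANNER_FEED, org_ranges=ORG_PUBLIC_RANGES):
    """Signal A: organisation-owned IPs that appear in the scanner feed."""
    return sorted(ip for ip in scanner_feed
                  if any(ipaddress.ip_address(ip) in net for net in org_ranges))


def triage(log_text, dataset=CALLBACK_DATASET, scanner_feed=SCANNER_FEED):
    """Combine both signals into one verdict per device, listing which signals fired."""
    verdicts = match_callbacks(log_text, dataset)
    for v in verdicts.values():
        v["signals"] = ["callback"]
    for ip in org_scanners(scanner_feed):
        # Assumption: a scanner-only device gets "investigate"; the stage table
        # covers callback hits, not Signal A, so this default is not from the page.
        v = verdicts.setdefault(ip, {"stage": None, "hits": [],
                                     "action": "investigate", "signals": []})
        v["signals"].append("scanner")
    return verdicts


if __name__ == "__main__":
    for ip, v in sorted(triage(EGRESS_LOG).items()):
        print(f"{ip}: stage={v['stage']} action={v['action']} signals={v['signals']} "
              f"hits={len(v['hits'])}")
```

Running it reports 192.0.2.50 as Stage 2 with both signals (it contacted a Stage 1 and a Stage 2 IP and also appears as a scanner), 192.0.2.77 as Stage 2 on the strength of a denied attempt to the same C2 IP, and nothing for 192.0.2.88, whose only destination is not in the dataset. In a SOAR playbook the `action` field is the branch point the text describes: `open_case` for Stage 1, `escalate_and_contain` for Stage 2.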

What This Adds to GreyNoise

This is entirely net-new. GreyNoise previously tracked only IPs actively scanning the internet, that is, inbound threat intelligence. C2 Detection is the first GreyNoise capability focused on post-exploitation, outbound-facing threat intelligence. It introduces:

  • A new dataset: Callback IPs
  • A new classification model: Three attack stages
  • New data types: Malware files and hashes (with VirusTotal correlation)
  • A new query parameter: callback_ips

None of these existed in GreyNoise before.

Same Workflow. Stronger Signal.

If you're already enriching alerts with GreyNoise, the integration model doesn't change. The Callback IP dataset is accessed through the same API and Visualizer you already use. It's a different dataset, a different API call, but the workflow pattern is identical: take an IP, ask GreyNoise about it, act on the answer.

The difference is that GreyNoise now extends beyond inbound activity to surface high-confidence signals from outbound traffic. What was once context is now a detection signal.

Start Using C2 Detection

C2 Detection is available as a dataset add-on for existing GreyNoise customers, with access delivered directly in the Visualizer and via API.

Already a customer? Contact your account team or email support@greynoise.io to enable access.

Not a customer? Get access with an Enterprise Trial.

(An existing GreyNoise Community Visualizer account is required; create one free here.)

Want the technical details first? Explore the documentation:

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.