There is a critical gap in defense: the window between when an attacker starts hammering a specific vendor’s infrastructure and when a specific CVE is assigned or a signature is written.

In that window, defenders are often flying blind, waiting for a vulnerability disclosure to tell them what to look for. But the network noise is often already there. The most dangerous threats don't always start with a named vulnerability—they start with a sudden, coordinated shift in attacker behavior toward a specific technology stack.

Today, we are closing that visibility gap by expanding GreyNoise Event Feeds with two new signals: Vendor CVE Spike and Tag Spike.

These new feed types allow you to monitor the behaviors and technologies that matter to your environment, without needing to manually track every individual vulnerability or signature.

1. Vendor CVE Spike

Individual CVEs and tags are continually added, updated, and deprecated as new research emerges. This creates significant overhead and potential blind spots if your team attempts to track these changes manually.

The Vendor CVE Spike feed reduces this complexity by alerting only when exploitation activity across a vendor meaningfully increases.

How it helps: This feed is designed to help you focus on when attacker interest spikes, rather than managing lists of specific CVEs. As vulnerabilities and tags associated with a vendor evolve, the feed updates its coverage to include them, ensuring you are monitoring the broader technology stack rather than just static indicators.

Use Cases:

  • Vendor-wide vulnerability monitoring: Monitor all CVE exploitation activity across a vendor's products without manually tracking individual CVEs as they are published.
  • Patch prioritization: Prioritize patching cycles based on vendor-level exploitation trends. A spike in activity for your firewall vendor signals it is time to accelerate remediation.
  • Proactive threat hunting: Use vendor spikes as an early warning signal to investigate whether associated CVEs have been attempted against your environment.

Real-World Context: The Fortinet & Palo Alto Surge

Attackers often target the technology stack, not just a single bug. In our analysis from the week of January 19, 2026, GreyNoise sensors observed a coordinated campaign targeting enterprise VPN infrastructure. Specifically, we saw a significant elevation in targeting of both Fortinet SSL VPNs and Palo Alto GlobalProtect portals.

This activity validates findings from our Early Warning Signals research: vendor-level spikes—whether from credential stuffing, scanning, or exploitation of older vulnerabilities—often precede the disclosure of new CVEs for that same vendor. A Vendor CVE Spike would have flagged this anomaly, providing the early warning needed to enforce tighter MFA controls or geo-blocking before the specific threat was fully characterized.

How It Works:

Setting up a Vendor CVE Spike is designed to be a "set and forget" workflow that integrates directly into your existing Event Feeds. When you search for a vendor name (e.g., "Palo Alto"), the feed uses wildcard matching to find all tags containing that term. It then resolves those tags to their associated CVEs and monitors activity for those CVEs.

  1. Create a Feed: In the GreyNoise Visualizer, navigate to the Event Feeds section.
  2. Name Your Feed: Assign your feed a recognizable name (e.g., "Critical [Vendor] Monitor").
  3. Select Spike Type: Choose Vendor CVE Spike from the available signals.
  4. Define Threshold: Select the vendor you want to monitor and set the activity threshold that matters to you.
  5. Connect: Add your webhook link (SIEM, SOAR, etc.).
  6. Test & Save: Verify the connection and save the feed.

Example Payload:
    {
      "vendor": "Acme",
      "event_type": "Vendor CVE Spike Spike",
      "old_state": {
        "benign_ip_count_1d": 40,
        "threat_ip_count_1d": 40
      },
      "new_state": {
        "benign_ip_count_1d": 90,
        "threat_ip_count_1d": 90
      },
      "timestamp": "2025-04-30T08:10:00Z"
    }
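
One way to handle this payload on the receiving end of the webhook, shown as an added example that is not GreyNoise code: it validates the fields from the payload above, computes the change in threat and benign IP counts, and picks a triage action. The function names, the ESCALATE_PCT threshold, the watched-vendor list and the action labels are assumptions made for illustration.

```python
import json
from datetime import datetime

# Constructed sample: the example payload from this page as a webhook body.
SAMPLE_BODY = """{"vendor": "Acme", "event_type": "Vendor CVE Spike Spike",
 "old_state": {"benign_ip_count_1d": 40, "threat_ip_count_1d": 40},
 "new_state": {"benign_ip_count_1d": 90, "threat_ip_count_1d": 90},
 "timestamp": "2025-04-30T08:10:00Z"}"""

COUNT_KEYS = ("benign_ip_count_1d", "threat_ip_count_1d")
ESCALATE_PCT = 100.0  # assumption: local triage threshold, not a GreyNoise setting


def pct_change(old, new):
    """Percent change, or None when the baseline is zero (no ratio exists)."""
    return None if old == 0 else round((new - old) / old * 100.0, 1)


def triage_vendor_spike(body, watched_vendors):
    """Validate a Vendor CVE Spike webhook body and return a SIEM-ready dict."""
    event = json.loads(body)
    try:
        vendor = event["vendor"]
        old, new = event["old_state"], event["new_state"]
        counts = [s[k] for s in (old, new) for k in COUNT_KEYS]
        # fromisoformat() before Python 3.11 rejects a trailing "Z"
        seen = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    except (KeyError, TypeError, AttributeError, ValueError) as exc:
        raise ValueError(f"malformed Vendor CVE Spike payload: {exc!r}") from exc
    if not isinstance(vendor, str) or any(type(c) is not int or c < 0 for c in counts):
        raise ValueError("vendor must be a string and counts non-negative integers")

    threat_old, threat_new = old["threat_ip_count_1d"], new["threat_ip_count_1d"]
    threat_pct = pct_change(threat_old, threat_new)
    benign_pct = pct_change(old["benign_ip_count_1d"], new["benign_ip_count_1d"])
    # From a zero baseline, any newly seen threat IPs count as a spike.
    spiking = threat_new > 0 if threat_pct is None else threat_pct >= ESCALATE_PCT
    in_scope = vendor.lower() in {v.lower() for v in watched_vendors}
    action = "log" if not in_scope else ("escalate" if spiking else "review")
    return {"vendor": vendor, "seen_utc": seen.isoformat(),
            "threat_pct": threat_pct, "benign_pct": benign_pct,
            "threat_ip_delta": threat_new - threat_old, "action": action}
```

For the sample payload, a vendor on the watch list yields action "escalate" with a 125.0 percent rise in threat IPs; the same event for a vendor you do not run is only logged.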


2. Tag Spike

Sometimes, the threat isn't a specific vulnerability—it is a behavior, a tool, or a botnet. Tag Spike feeds allow you to monitor for sudden increases in activity associated with specific GreyNoise tags directly.

How it helps: Tag Spike lets you monitor activity for specific threats, botnets, or scanning behaviors directly by tag name. Unlike Vendor CVE Spike, which resolves matching tags to their associated CVEs, Tag Spike tracks the tags themselves. This is essential for tracking threats where a CVE may not yet be assigned.

Use Cases:

  • Monitoring emerging exploit activity: Track activity for specific products or vendors before CVEs are assigned.
  • Tracking specific threats: Monitor botnets (e.g., "Mirai"), scanners, or malware families by tag name.
  • Early warning detection: Get notified when threat actors ramp up scanning for specific technologies.

How It Works:

You define a tag or keyword (e.g., "Mirai," "Worm," or "Cisco"), and the feed uses wildcard matching to find all tags containing that term. GreyNoise then watches for significant changes in IP counts for tags matching your filter criteria over a rolling 2-hour window.

  1. Create a Feed: In the GreyNoise Visualizer, click Create Feed.
  2. Name Your Feed: Give it a clear name (e.g., "Mirai Botnet Tracker").
  3. Select Event Type: Choose Tag Spike.
  4. Define Threshold: Enter the tag or keyword you want to monitor (e.g., mirai) and set the percentage increase threshold.
  5. Connect: Paste your webhook URL.


💡 Quick Tip: Which feed should I use?

  • Use Vendor CVE Spike if you want to track exploits. (e.g., "Tell me if Palo Alto products are being exploited via any CVE.")
  • Use Tag Spike if you want to track behaviors or botnets. (e.g., "Tell me if the Mirai botnet is active" or "Tell me if worm behavior is spiking.")

Access and Availability

Vendor CVE Spike and Tag Spike are available now in the GreyNoise Visualizer.

  • Who has access: These feeds are available to Advanced and Elite platform customers with the appropriate data modules. 
  • Where to find it: Navigate to the Feeds tab in the Visualizer to configure your first alert.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.