Here at GreyNoise, we’ve spent years building one of the most advanced deception networks on the internet. Our Global Observation Grid has over 5,000 sensors across 80 countries processing more than 500 million sessions per day, allowing us to see the internet's attack traffic before it reaches your doorstep. We've used that visibility to alert the world to mass scanning surges, vuln exploitation waves, and early reconnaissance patterns that signal what's coming next.

But there's a class of adversaries we can't catch alone.

The Perimeter Was Never “Dead”

The most advanced threat actors, state-sponsored adversaries like the Typhoon groups, have figured something out: the network edge is still a blind spot. Firewalls, VPN gateways, routers, load balancers — these devices can't run EDR agents. They often don't even support basic telemetry like logging. And they sit at the most critical exposure point: the network edge.

These adversaries have made edge devices their preferred point of initial access. They exploit vulnerabilities in firewalls and VPN gateways, hijack built-in tools on perimeter devices to maintain persistence, and send quiet, targeted probes designed to blend into the background. The Typhoon actors have demonstrated the most sophisticated version of this approach, building massive residential botnet proxies by compromising edge devices with little-to-no monitoring. APT41 has exploited zero-days in Fortinet VPNs, Cisco routers, and Citrix appliances. And well-funded ransomware crews are increasingly following the same path. The edge is where advanced adversaries go first, because it's where defenders see least.

Meanwhile, the exposure window keeps widening. The average patch time for edge devices is roughly 32 days, but exploit time is often near zero. For an entire month, your critical internet-facing infrastructure sits exposed to adversaries who are already watching.

The perimeter was never dead — it's the hardest attack surface to defend, and threat actors know it.

Deception Is the Best Answer

When the adversary specializes in staying quiet, you have to change the game. We believe deception is the best way to provide visibility into edge attacks — you can’t detect the threat, but you can make the threat reveal itself.

GreyNoise deploys sensors that emulate the exact assets attackers are looking for. When an adversary probes a sensor, they believe they've found a real target. Instead, they've exposed their tools, their payloads, their behavioral fingerprints, and their intent.

But here's the problem: no single organization can build the deception infrastructure needed to cover the internet's entire attack surface. We need more IP diversity, more device profiles, and faster detection rules than any one company can produce on its own.

That's why we're opening up our platform.

Announcing Project Swarm

Today, we're launching Project Swarm — a research initiative that opens the GreyNoise deception platform to the global security community.

Project Swarm transforms GreyNoise from a proprietary sensor network into a collective intelligence platform. We're inviting security researchers, universities, non-profits, ISPs, and OEM manufacturers to contribute to three pillars that make edge deception work at scale:

  • IP Coverage — Deploy sensors on your infrastructure to expand the geographic and network diversity of the Global Observation Grid.
  • Device Coverage — Bring device profiles for the edge assets you know best — firewalls, routers, VPN gateways — so sensors look like real, high-value targets to attackers.
  • Detection Velocity — Contribute detection rules and tags to identify attacker TTPs faster than GreyNoise can alone.

What You Get

When you deploy a GreyNoise sensor through Project Swarm, you get visibility into all the traffic hitting that sensor, and everything your sensor captures is yours to work with.

Every session is recorded with full fidelity: raw PCAPs, payloads, HTTP headers, TLS metadata, and behavioral artifacts. That means you're not just seeing that something probed you — you're seeing exactly what it did, what it sent, and how it behaved. 

For researchers, this opens up a world of possibilities. Here are some ideas to get you started:

  • Analyze captured payloads to reverse-engineer exploit attempts and study attacker tooling in the wild. 
  • Track how scanning and exploitation campaigns evolve over time by watching the same vulnerability get targeted with different techniques.
  • Study the behavioral patterns that distinguish targeted reconnaissance from opportunistic noise — timing, sequencing, header fingerprints, TLS characteristics. 
  • Correlate early-stage recon activity against eventual CVE disclosures to build predictive models for what's coming next. 
  • Write and contribute detection rules based on what you observe, improving the GreyNoise tag library for the entire community. 
  • Compare your sensor traffic against the GreyNoise global baseline to identify what's specifically targeting your sensor versus what's hitting the broader internet. 

The possibilities are limited only by what IPs, emulators, and devices you can bring to Project Swarm.

Join the Collective

We believe deception is the best and only way to gain real visibility on the edge. You can't install agents on embedded systems. You can't rely on logs that don't exist. But you can put something in the attacker's path that looks real enough to make them show their hand. When they probe a deceptive asset, they reveal themselves — their tools, their intent, their techniques — without ever knowing they've been caught.

The challenge is scale. To see the full picture, deception infrastructure needs to span more IP space, emulate more device types, and develop detection rules faster than any single organization can manage. That's what Project Swarm is about — turning the security community's collective reach into the world's most advanced deception network.

The era of defending in isolation is over. The adversaries targeting the edge are patient, precise, and well-resourced. But together, we can be everything, everywhere, all at once. Security is a collective team sport.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.