Time is the one variable defenders can’t control. The gap between an exploit disclosure and a patch, or between an initial compromise and its discovery, is where attackers thrive. They automate everything—recon, scanning, and exploitation—shifting their infrastructure by the hour to stay ahead of static blocklists.
To keep pace, defenders need more than a snapshot of what is happening right now. They need to see how behavior evolves.
At GreyNoise, our standard GreyNoise Query Language (GNQL) has always provided a highly accurate, 90-day aggregated view of "the now." It tells you what an IP is doing today. But we realized that for incident responders and threat hunters, a summary isn't always enough. You need to know exactly what was happening during a specific window in the past.
Today, we are launching Recall to address these challenges.
What is Recall?
Recall is a time-series capability that enables customers to query GreyNoise data over specific historical ranges. Instead of a static summary of current IP behavior, Recall allows you to see exactly how scanner activity looked at any given hour.
Recall eliminates the need for manual data collection pipelines, saving time and cost by providing historical insights on demand. This allows teams to move from asking "what is this IP doing now?" to understanding how that behavior has evolved.
What Recall Enables
Retrospective Incident Analysis
When investigating a compromise, Recall lets you reconstruct the attacker’s timeline. You can see when an IP first appeared in GreyNoise, whether it scanned your perimeter days earlier, and how its behavior changed before a successful exploit. This gives you context you cannot get from point-in-time enrichment.
Trend and Campaign Identification
Recall helps determine whether a surge is new or part of a recurring pattern. For example, you can compare a single-day spike in exploitation activity against prior weeks to understand if you are seeing the start of a coordinated campaign or a known cycle.
Pre-Disclosure Signal Detection
GreyNoise consistently observes scanning and exploitation activity against enterprise edge technologies before public CVE disclosure. Recall allows teams to look back and confirm when these early signals began, helping validate whether suspicious activity preceded an advisory or zero-day announcement.
Historical Benchmarking
Teams can compare traffic across regions, products, or time ranges to see how attacker focus shifts. This is especially useful for measuring changes in exposure or validating whether defensive actions had a real impact.
How It Works
Recall exposes two API endpoints. Use Stats to identify the spike, then Data to pull the raw records.
Recall Stats API — The Trend Line
Endpoint: GET /v3/gnql/timeseries/stats
Returns unique IP counts per hour or day for your query. Use this to visualize activity volume before pulling detailed records.
Response: count (total unique IPs), min/max (bucket extremes), data (array of { date, count })
curl 'https://api.greynoise.io/v3/gnql/timeseries/stats?query=tags%3A*Scanner*&start=2025-08-08T06%3A00%3A00Z&end=2025-10-12T23%3A00%3A00Z&interval=day' \
--header 'key: <your-api-key>'
Recall Data API — The Raw Records
Endpoint: GET /v3/gnql/timeseries
Returns full GreyNoise context for each IP, keyed by hour. Use this when you need the actual records—tags, ports, ASN, classification—as they appeared at each timestamp.
Response: JSON keyed by hour (yyyy-mm-dd-hh), each containing ip and internet_scanner_intelligence context.
curl 'https://api.greynoise.io/v3/gnql/timeseries?query=ip%3A212.18.104.107&start=2025-09-08T06%3A00%3A00Z&end=2025-10-23T12%3A00%3A00Z' \
--header 'key: <your-api-key>'
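The Stats-then-Data workflow described above, as an added example (not GreyNoise's own code): it finds spike buckets in a Stats response and builds the follow-up Data API URL for each spike window. The sample response is constructed, and the bucket timestamp format, the 3x-median threshold and all function names are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone
from statistics import median
from urllib.parse import quote, urlencode

DATA_ENDPOINT = "https://api.greynoise.io/v3/gnql/timeseries"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample using the Stats fields named above (data = array of
# {date, count}); the values and the bucket timestamp format are assumptions.
SAMPLE_STATS = json.loads("""
{"data": [
  {"date": "2025-10-01T00:00:00Z", "count": 110},
  {"date": "2025-10-02T00:00:00Z", "count": 120},
  {"date": "2025-10-03T00:00:00Z", "count": 105},
  {"date": "2025-10-04T00:00:00Z", "count": 115},
  {"date": "2025-10-05T00:00:00Z", "count": 640},
  {"date": "2025-10-06T00:00:00Z", "count": 130},
  {"date": "2025-10-07T00:00:00Z", "count": 118}
]}
""")

def escape_spaces(term):
    """Backslash-escape spaces, as Recall's stricter GNQL parsing requires."""
    return term.replace(" ", "\\ ")

def find_spikes(stats, factor=3.0):
    """Return buckets whose unique-IP count exceeds factor x the median.

    The median is used as the baseline so the spike itself does not inflate it.
    """
    buckets = stats["data"]
    baseline = median(b["count"] for b in buckets)
    return [b for b in buckets if b["count"] > factor * baseline]

def data_url(query, bucket_date, span=timedelta(days=1)):
    """Build the Data API URL covering one spike bucket (default: one day)."""
    start = datetime.strptime(bucket_date, TS_FORMAT).replace(tzinfo=timezone.utc)
    params = {
        "query": query,
        "start": start.strftime(TS_FORMAT),
        "end": (start + span).strftime(TS_FORMAT),
    }
    # Percent-encode like the curl examples: ':' -> %3A, '*' left literal.
    return DATA_ENDPOINT + "?" + urlencode(params, quote_via=quote, safe="*")

if __name__ == "__main__":
    query = "tags:*" + escape_spaces("Palo Alto") + "*"
    for bucket in find_spikes(SAMPLE_STATS):
        print(bucket["date"], bucket["count"], data_url(query, bucket["date"]))
```

Send each generated URL with the same `key` header used in the curl commands above.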
Visibility for Every Workflow
Recall is built to integrate into the way modern security teams work:
- SOC / Threat Intel: Perform retrospective analysis to see if a suspicious IP was active during a critical incident window.
- Detection Engineering: Track how scanning and exploitation behaviors change over time to refine and tune detection logic.
- Security Data Teams: Build dashboards and enrichment pipelines based on historical shifts, rather than just current state.
Availability
Recall is available now. Lookback window depends on your license tier:
Syntax note: Recall enforces stricter GNQL parsing for performance. Escape spaces with backslashes: tags:*Palo\ Alto* instead of tags:*"Palo Alto"*.
What's Next
We'll be publishing research built on Recall in the coming weeks—including a retrospective timeline of the React2Shell campaign and analysis of scanning patterns preceding recent zero-day disclosures.
For implementation details and query examples, see the Recall documentation.





