If you defend an enterprise network, you almost certainly trust an IP blocklist somewhere in your stack. That blocklist was almost certainly built for a different threat landscape than the one you are defending against today.
We measured it. On a single day, May 14, 2026, the GreyNoise Global Observation Grid recorded 119,842 malicious, non-spoofable IPs targeting edge infrastructure. We compared that set against eleven of the most widely deployed OSINT and commercial IP feeds in the industry. The average coverage was 2.0%. The strongest individual feed closed less than five percent of the gap.
That is not a flaw in any single feed. It is the cost of static curation in 2026.
What the Numbers Look Like
Eleven feeds tested. None broke five percent. The list with the largest absolute size (Avastel, half a million IPs) caught fewer than two percent of the malicious traffic we observed in the same window. The vendor-curated EDLs that ship by default in many enterprise firewalls came in under half a percent.
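The coverage measurement described above, as an added example that is not GreyNoise's own tooling: the observed-malicious set and the feeds below are constructed stand-ins, and feed entries are treated as either bare IPs or CIDR blocks, since curated lists mix both.

```python
import ipaddress

# Constructed sample: a stand-in for one day's observed-malicious IP set.
OBSERVED_MALICIOUS = [
    "203.0.113.5", "203.0.113.6", "203.0.113.77",
    "198.51.100.9", "198.51.100.10", "192.0.2.200",
]

# Constructed stand-ins for curated feeds (hypothetical names, not real lists).
FEEDS = {
    "feed_a_cidr_heavy": ["203.0.113.0/29", "192.0.2.0/24", "# comment line"],
    "feed_b_exact_ips": ["198.51.100.9", "10.0.0.1"],
    "feed_c_stale": ["100.64.0.1", "100.64.0.2"],
}


def parse_feed(entries):
    """Turn raw feed lines into ip_network objects; a bare IP becomes a /32 or /128."""
    nets = []
    for raw in entries:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            continue  # skip malformed lines instead of failing the whole feed
    return nets


def coverage(observed, feed_entries):
    """Fraction of observed IPs contained in at least one entry of the feed."""
    nets = parse_feed(feed_entries)
    ips = [ipaddress.ip_address(i) for i in observed]
    hits = sum(1 for ip in ips if any(ip in n for n in nets))
    return hits / len(ips) if ips else 0.0


def coverage_report(observed, feeds):
    """Per-feed coverage as a percentage, rounded to one decimal."""
    return {name: round(coverage(observed, entries) * 100, 1)
            for name, entries in feeds.items()}


def union_coverage(observed, feeds):
    """Coverage if every feed were deployed at once (the best case for static lists)."""
    merged = [e for entries in feeds.values() for e in entries]
    return coverage(observed, merged)
```

With real inputs, replace the two constructed structures with the day's observed set and the downloaded feed files; the union figure shows how much of the gap stacking feeds would close.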
This is not because those feeds are bad. They are doing the job they were designed to do, which is to flag IPs that meet a high bar for confidence. The problem is that "high bar" is often the result of a manual and slow review process.
Why Static Lists Are Losing Ground
The pace of attacker infrastructure has changed. Three forces are compressing the useful life of an indicator faster than any curated list can keep up.
1. AI-assisted scanning
Automated reconnaissance no longer requires a human in the loop. Threat actors can spin up scanners at a scale and speed that was operationally impractical even two years ago, then rotate the source infrastructure once it gets noisy.
2. Residential proxy botnets
A growing share of malicious traffic now originates from compromised consumer devices and rented residential IP pools. These IPs do not look like traditional badness. They sit inside ISP ranges that you cannot blanket-block without breaking legitimate traffic, and they recycle constantly.
3. Ephemeral cloud and hosting infrastructure
Attackers stand up VPS instances, run a campaign, and tear them down before most curation pipelines have rotated through their next refresh cycle. The same IP that was scanning Cisco IOS XE on Monday belongs to someone else's WordPress blog by Friday.
The result: list turnover at most curated feeds is measured in dozens of IPs per day. The threat infrastructure those feeds are trying to track is churning by the tens of thousands. A list refreshed weekly, or even daily, is staring at yesterday's attackers.
What GreyNoise Actually Is
GreyNoise is primary-source intelligence. Every IP in our dataset was observed by a GreyNoise sensor doing the thing we say it was doing. We do not aggregate other vendors' lists or infer from reputation. We have the receipts: raw session data captured at the moment of the event, whether that was a scan, an exploit attempt, or a brute-force payload.
The Global Observation Grid is a globally distributed sensor network specifically designed to attract and classify internet-wide scanning and exploitation activity. When an IP shows up in our 1D / Malicious / Non-Spoofable feed, it is there because we watched it do something malicious in the last 24 hours, and we can show the evidence behind the verdict for any IP, tag, or CVE in the dataset.
This matters for two reasons.
First, the data is primary-source. We are not synthesizing a confidence score from third-party reports. The classification is grounded in observed traffic on infrastructure we control.
Second, the IPs are non-spoofable. The GreyNoise sensor architecture eliminates the class of IPs that look malicious in scan logs but are actually forged source addresses in reflection or amplification attacks. When we tell you an IP was scanning your edge, that IP was scanning your edge.
That combination is what makes the data viable for the use cases the static lists were built for, and a lot of use cases they were never designed to support.
Turning the Data Into a Blocklist You Can Actually Deploy
Closing the 98% gap is only useful if the intelligence can get into the box that does the blocking. GreyNoise offers two ways to do that, and they are intentionally separate products built for different audiences and different levels of customization.
Option 1: GreyNoise Block
GreyNoise Block is a standalone product at block.greynoise.io with its own UI, built for small and mid-sized teams that want a self-serve, fully configurable blocklist without a full GreyNoise Platform subscription.
Block gives you two ways to define a list:
- Templates. Pre-built blocklists curated by GreyNoise, ready to deploy with a click. You pick the template, name the list, set an IP limit that matches what your firewall can ingest, and Block produces a URL. The template handles the GreyNoise Query Language (GNQL) behind the scenes. For a firewall admin who wants a small, targeted blocklist running by lunch, this is the path.
- Advanced Query Builder. A drag-and-drop interface for building custom queries against the GreyNoise Global Observation Grid's data. You can scope by classification (malicious, suspicious, benign, unknown), source country, tag, CVE, actor, CIDR block, first-seen window, and lookback period. Group conditions and NOT operators are supported, so you can build queries like "malicious activity in the last day, excluding US-based infrastructure and a specific CIDR you operate." The builder shows you the resulting query and the IP count in real time, and the same "Block These IPs" button turns it into a deployable URL.
Deployment is the same either way: copy the blocklist URL, paste it into your firewall's external dynamic list configuration, and authenticate with either an inline ?key=YOUR_API_KEY parameter or a request header named key. Lists refresh hourly after the initial 5–10 minute provisioning window.
Try GreyNoise Block for 14 days with a free trial.
Option 2: GreyNoise Platform Blocklists
If you are already a GreyNoise Platform customer (Standard, Advanced, or Elite tier), you have a second option built directly into the Visualizer. Query-Based Blocklists are GNQL-native: you write or refine the query yourself, validate the results, and promote that query into a managed blocklist with one click.
This is the right path for teams that already live in the Visualizer and want full GNQL expressiveness without leaving the platform. The workflow is:
- Run a GNQL query in the search bar. For example, last_seen_malicious:1d AND spoofable:false AND tags:*Cisco* will block recently malicious IPs hitting Cisco gear.
- Review the returned IPs to confirm the list looks right.
- Click "Create Blocklist," name it, set an IP limit, and submit.
- Wait 1-3 minutes for provisioning, then pull the tokenized URL (or use header-based auth with your API key) into your firewall.
Common starting queries documented by GreyNoise include recent malicious or suspicious activity, vendor-tagged activity (Cisco, Palo Alto, Fortinet, and so on), CVE-specific exploitation attempts, and geographic scoping. Anything you can express in GNQL, you can turn into a deployable list.
A configuration walk-through for Palo Alto Networks External Dynamic Lists is published here, and the same pattern applies to most NGFW vendors that support URL-based dynamic lists.
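The deployment step is the same for Block and Platform Blocklists: a URL, a key, and a firewall that ingests the result. Below is an added example (not GreyNoise's or any vendor's code) of the pre-ingestion check a firewall admin might run. It assumes the list body is one IP or CIDR per line, uses a constructed sample body rather than real output, and treats the header name key and the ?key= parameter exactly as the page describes them.

```python
import ipaddress
from urllib.parse import urlencode, urlparse

# Constructed sample body, not real GreyNoise output.
SAMPLE_BODY = """# constructed sample
203.0.113.5
203.0.113.5
198.51.100.0/24
not-an-ip
192.0.2.44
2001:db8::1
"""


def blocklist_request(url, api_key, use_header=True):
    """Return (url, headers) for pulling a blocklist. Header auth keeps the key
    out of proxy logs and config exports that record the full URL."""
    if use_header:
        return url, {"key": api_key}
    sep = "&" if urlparse(url).query else "?"
    return f"{url}{sep}{urlencode({'key': api_key})}", {}


def validate_blocklist(body, ip_limit, protected_cidrs=()):
    """Drop malformed and duplicate lines, refuse entries that overlap ranges you
    operate, and enforce the IP limit the firewall was configured with."""
    protected = [ipaddress.ip_network(c) for c in protected_cidrs]
    accepted, rejected, overlaps, seen = [], [], [], set()
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if net in seen:
            continue
        seen.add(net)
        # Keep single hosts as plain addresses so the firewall sees "a.b.c.d", not "/32".
        text = str(net.network_address) if net.num_addresses == 1 else str(net)
        if any(net.overlaps(p) for p in protected):
            overlaps.append(text)  # never push a block on your own infrastructure
            continue
        accepted.append(text)
    return {"accepted": accepted[:ip_limit], "rejected": rejected,
            "overlaps": overlaps, "truncated": len(accepted) > ip_limit}
```

A truncated result means the IP limit set in Block or the Visualizer is larger than what this firewall will load; lower it at the source rather than silently losing the tail of the list.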
Which One to Use
Block and Platform Blocklists overlap, but they are not the same product. The short version:
- GreyNoise Block is purpose-built for IP blocklist creation and deployment, with templates that get a team productive without writing any GNQL. It is the path for teams that want a clean, focused workflow and pre-curated starting points.
- GreyNoise Platform Blocklists live inside the platform you are already using for investigation and threat hunting, and they assume you are comfortable in GNQL. Tighter integration with the rest of the Visualizer, no separate UI to learn.
The Bottom Line
The blocklists that defended the perimeter for the last decade were good products built for a slower-moving adversary. They are still doing useful work today, and we are not suggesting anyone rip them out.
What we are suggesting is this: if 98% of the malicious activity hitting your edge on a given day is invisible to your current feeds, the right response is to add a source that can see it, not to keep waiting for static curation to catch up to something that has fundamentally changed.
GreyNoise enriches the tools you already run with continuously updated, primary-source intelligence. No list maintenance overhead. No second curation team. The customers who have done the integration get the benefit of seeing what we see, in the systems they are already running.
By the way, there is nothing special about May 14th. The 119,842 IPs we saw on that day are not a number that will hold tomorrow. By the time you read this, the count has already turned over. That is the point.
----
Data collected 2026.05.14. Source: GreyNoise 1D / Malicious / Non-Spoofable. Comparison feeds include FireHol Levels 1 through 4, Blocklist.de, CINS Army List, Palo Alto Known Malicious EDL, Palo Alto High Risk EDL, ShadowWhisperer Malware/Hackers, Binary Defense Ban List, and Avastel 1-Day Proxy/Bot IPs.