GreyNoise analyzed 2.97 billion sessions over 162 days in H2 2025, and the patterns reveal where edge defenses hold up — and where they fall short. The data exposes specific concentration points in VPN targeting, infrastructure sourcing, and exploitation behavior that challenge conventional defensive assumptions.
What the Data Shows
Across the GreyNoise Global Observation Grid, several findings challenge conventional assumptions about where attacks concentrate:
Palo Alto GlobalProtect received 16.7 million sessions — more than 3.5x Cisco and Fortinet combined. This disproportionate concentration warrants investigation, though direct market share comparison was not part of this analysis. GlobalProtect deployments provide direct network access if compromised, making them high-value targets.
52% of remote code execution attempts came from IPs with no prior history in GreyNoise data. For remote code execution — widely considered the highest-severity exploitation category — GreyNoise had no prior record of more than half the attacking IPs. That means attackers are spinning up and burning through fresh infrastructure faster than any static threat feed can catalog it — and GreyNoise detected these IPs the moment they first appeared, before any other source had them.
Pre-2015 CVEs generated 7.3 million sessions — 4x more than 2023-2024 CVEs combined. One vulnerability — CVE-1999-0526, a 26-year-old X Server information disclosure — accounts for the majority. Even excluding it, Shellshock and PHP-CGI continue generating measurable traffic a decade later. Patching programs optimized for recency leave decade-old exposure unaddressed.
300,000 residential IPs participated in a single credential-spraying campaign — 73% classified as residential by ISP categorization, with no prior GreyNoise history. Geographic blocking, reputation scoring, rate limiting: would have limited effectiveness against this traffic pattern.
91,403 sessions targeted AI/LLM infrastructure. The same types of automated scanning patterns hitting VPNs and routers are now cataloging exposed LLM endpoints.
Why This Matters
The Verizon 2025 DBIR documented an 8x increase in edge device exploitation in a single year — edge vulnerabilities jumped from 3% to 22% of all vulnerability exploitation breaches. Mandiant M-Trends 2025 found the top four most frequently exploited vulnerabilities were all in edge devices — Palo Alto PAN-OS, Ivanti Connect Secure, Ivanti Policy Secure, and Fortinet FortiClient EMS. CISA issued Binding Operational Directive 26-02, requiring federal agencies to address end-of-support edge devices. The GreyNoise data is consistent with all of it — and quantifies the scale.
This isn't a theoretical shift. If your organization runs internet-facing VPN appliances, routers, or AI infrastructure, this traffic is reaching you.
What's Inside the Report
The full report includes:
- Vendor-by-vendor breakdown of VPN, router, and firewall targeting
- Infrastructure concentration analysis — how a single provider accounted for 14% of all observed sessions
- The residential botnet that grew from 2,000 to 300,000 IPs in 72 days
- CVE age distribution showing where exploitation actually concentrates versus where patching effort concentrates
- Infrastructure freshness analysis across attack severity categories
- An emerging campaign targeting AI/LLM inference servers
- Actionable recommendations for security leadership, operations, and vulnerability management
