GreyNoise provides powerful ways to search and explore our data. It’s as simple as pasting an IP address into our search bar, or use our GreyNoise Query Language (GNQL) to construct more advanced searches against our tags and other attributes we’ve observed.

What’s in our datasets?

Checkout what’s under the hood!


Internet-wide scanning and exploitation

Some researchers scan in good faith to help uncover vulnerabilities for defense. Others scan and exploit with malicious intent. GreyNoise collects and labels this activity.


Common business services

RIOT labels activity associated with common business services like Google and Slack, so defenders can quickly identify this traffic in their events, speeding up investigation and incident response.

IP lookup

The easy button for the answer to: Is this noise? Simply enter an IP address into our search bar to see if it is associated with common business service activity, or was seen by GreyNoise performing internet-wide scan, or attack.

Screenshot showing the IP Details page in the GreyNoise Visualizer. The IP in the example is, which is classified with a malicious intent.

GreyNoise Query Language (GNQL)

Want to dig in more? Use our powerful GreyNoise Query Language (GNQL) to explore our data set for activity associated with specific attacks, CVEs, and more.

Click a query below to try it at in the Visualizer.

Return all compromised devices that are geographically located in Belgium.

Returns all devices crawling the Internet with a matching client JA3 TLS/SSL fingerprint.

Bulk analysis

Need to analyze a bunch of IPs all at once?  Use our Bulk Analysis tool! Copy and paste an entire page of data containing IPs, or upload a file of structured data, and GreyNoise will return analysis for all IPs discovered within our dataset, plus statistics on what we found including tags, regions and classifications.

A screenshot of the bulk analysis feature in the GreyNoise Visualizer.


Documentation guides

Featured content