The heart of our classification

GreyNoise tags identify actors, tools, CVEs, and more in our data. IPs can be labeled with one or more tags, and each tag can have a variety of IPs associated with it. Tags are not limited to CVE-based activity. They include behaviors, attribution, and unique traffic characteristics.

Categories we track


Actor

Actor tags describe the actor behind the activity, including commercial/enterprise entities, researchers, and universities.

Search engine

Search Engine tags specifically identify crawlers such as Yandex, Bingbot, and Baidu Spider. Search Engines are classified as "Benign" or "Unknown."


Tool

Tool tags can be anything from open-source scanning tools to programming language libraries, such as Nmap, Nuclei, Metasploit, Paramiko, and Go HTTP. Tool category tags can be classified as "Unknown."


Worm

Worm tags describe computer worms, including Mirai, EternalBlue, and SSH worm. These will always be classified as "Malicious."


Activity

Activity tags include crawlers, vulnerability checks & exploitation, authentication attempts, and other behaviors observed from interactions with our sensors.

Understand classification and intent.

See the intent of the activity, associated CVEs, and contextual information to help you understand the nature of the classification.

See changes over time.

View up to 30 days of history of observed IP activity matching the tag, and identify interesting changes.

View related IPs and block.

Pivot to see all IPs that have been tagged, or configure dynamic blocklists to block activity hitting your perimeter.
