Press Release

GreyNoise Intelligence Introduces C2 Detection to Close the Visibility Gap at the Edge of the Network

Leverages Outbound Telemetry to Detect Compromises

Washington, DC – April 7, 2026 – GreyNoise Intelligence, the cybersecurity company providing real-time intelligence about network-based attacks, today introduced Command and Control (C2) Detection, a new intelligence module that unlocks valuable insights about cyber attack behavior, based on information contained in outbound network traffic logs. C2 Detection empowers security teams to detect active compromise earlier, prioritize response based on attacker progression, and accelerate investigation by surfacing malware hashes and family classifications tied to confirmed callback infrastructure. 

"Edge devices have become the most targeted assets on the internet, and the industry's visibility into what happens after they're compromised has been dangerously limited,” said Ash Devata, CEO, GreyNoise Intelligence. “GreyNoise has always been one of the most authoritative sources on inbound network threats. With C2 Detection, our customers can not only identify who's probing their perimeter, but whether a device is already compromised and who it’s phoning home to."

Cyber adversaries frequently attack edge devices to exploit known vulnerabilities and gain access. GreyNoise utilizes the world’s most sophisticated deception network of over 5,000 sensors in 80 countries to observe internet traffic, and can determine whether activity is malicious in intent based on certain behavioral characteristics and patterns. In cases where an IP is attempting to initiate a download of malware onto a network, valuable insights can be found in the network’s outbound traffic log, since compromised devices often call out to Command and Control (C2) servers to receive additional instructions. This information can help security teams determine whether their perimeter has been breached.

Has Your Device Already Been Compromised?

Powered by GreyNoise’s callback IP intelligence and malware hash data, C2 Detection provides post-exploitation, outbound-facing threat intelligence by surfacing active compromise through outbound communication with attacker-controlled infrastructure. It provides an end-to-end overview of how attacks actually work, including what payloads were delivered, what binaries were downloaded, which external servers were used for Command and Control, and what commands and behaviors were associated with those sessions.

By matching outbound egress traffic against a continuously updated dataset of confirmed malware-hosting IPs and C2 infrastructure, C2 Detection produces a signal that indicates exactly how serious each match is. The dataset lists the ‘phone home’ addresses that compromised devices communicate with, and security teams can match it against their outbound logs for potential breach detection via outbound telemetry. If an internal device has been communicating with malicious IPs, there is a high degree of likelihood that the device has been compromised.

“With C2 Detection, GreyNoise is effectively closing the visibility gap at the edge of the network,” said Corey Bodzin, Chief Product Officer, GreyNoise Intelligence. “Up until now, security teams have had a structural blind spot on post-exploitation activity, especially on edge devices like firewalls, VPN concentrators, and internet-facing IoT. These are now the most actively exploited assets on the internet, but Endpoint Detection and Response (EDR) can't be run on them, and their native telemetry is often too sparse to detect callback behavior. Our research shows that millions of edge devices are already infected and silently calling out to malware-hosting servers, C2 nodes, and associated file hashes. C2 Detection surfaces that activity, and empowers security teams to take action faster.”

For more information about GreyNoise C2 Detection, please visit: https://www.greynoise.io/products/compromised-asset-detection.

About GreyNoise Intelligence

GreyNoise empowers the security teams of enterprises and global governments to act with speed and confidence by providing fresh, verifiable threat intelligence about systems at the network edge. This allows security teams to reduce noise in security operations, perform in-depth investigations and threat hunts, and focus on the most critical threats to their networks. Our Global Observation Grid enables us to observe and analyze threat actor campaigns at global scale and share this intelligence with customers in real-time. For more information, please visit https://www.greynoise.io/, and follow us on Twitter, Mastodon and LinkedIn.
