Press Release

GreyNoise Intelligence Releases New Research Linking Cyber Threat Actor Activity to Future Vulnerabilities

Identifies correlation between spikes in malicious activity several weeks prior to the disclosure of new vulnerabilities

Washington, DC – July 31, 2025 – GreyNoise Intelligence, the cybersecurity company providing the most actionable intelligence on perimeter threats, today released a research report exploring the correlation between spikes in attacker activity and subsequent disclosures of Common Vulnerabilities and Exposures (CVEs) in edge technologies. The research report, entitled “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” offers predictive value for all cyber defenders. It also provides recommendations on what defenders can do to proactively protect their networks, before vulnerabilities are even disclosed.

“This report provides a new source of actionable intelligence for defenders — from frontline security analysts to CISOs,” said Bob Rudis, VP of Data Science at GreyNoise Intelligence. “This pattern of attacker activity before new vulnerabilities carries significant early warning value — helping to improve readiness and reduce exposure even before new CVEs become public knowledge.”

For this research, GreyNoise analyzed all of its tags (CVSS 6+ CVEs) associated with edge technologies to determine whether there was a consistent, repeatable pattern of significant spikes in opportunistic attacker activity (e.g. scanning, brute forcing, and exploitation attempts) against edge technologies preceding the disclosure of new vulnerabilities. GreyNoise only observed this pattern across a specific subset of enterprise edge products from eight vendors, though it did not limit its analysis to enterprise technologies. 

Key findings from the new GreyNoise research report include:

  1. Spikes in attacker activity often precede new cyber vulnerabilities.
    In 80 percent of cases we analyzed, significant spikes in opportunistic attacker activity against edge technologies were followed by the disclosure of a new CVE affecting the same technology within six weeks. This recurring pattern may offer early warning value.
  2. These spikes give defenders a defined window to prepare.
    The clustering of new CVEs within six weeks of attacker spikes provides defenders with a concrete timeframe to increase monitoring, harden systems, and preemptively act — even before a vulnerability is known. CISOs can use this window to justify early planning or investment.
  3. Blocking early reconnaissance may keep systems off attacker inventories.
    Spikes may reflect exploit-based reconnaissance designed to identify exposed systems. Blocking the associated IPs during these phases may prevent inclusion in attacker inventories — reducing the likelihood of being targeted later, even if different IPs are used for exploitation of the new CVE emerging weeks later.
  4. Enterprise edge technologies show the strongest patterns.
    After filtering out ambiguous cases and noise, all spike-CVE pairs we observed involved internet-facing assets commonly deployed in enterprise environments such as VPNs, firewalls, and products from vendors like Cisco, Fortinet, Citrix, and Ivanti.
  5. Most spikes involved real exploits — not scanning.
    The majority of activity leading up to CVEs was not generic scanning but exploit attempts against previously known vulnerabilities. This supports two likely motives: testing inputs that may lead to new CVE discovery, or inventorying systems for future exploitation when a new flaw becomes known.
  6. State-sponsored actors have repeatedly targeted edge infrastructure.
    Nation-state groups like the Typhoons have reportedly focused on enterprise-focused edge devices for pre-positioning, surveillance, and access persistence. All products studied in this analysis are enterprise-focused edge systems, highlighting both enterprise and national security stakes.

“These findings give defenders a rare chance to act early — before vulnerabilities are even disclosed,” said Glenn Thorpe, Senior Director of Security Research and Detection Engineering, GreyNoise Intelligence. “If defenders leave with one takeaway, it’s that attacker activity appears to not just react to vulnerabilities — it often precedes them. This finding challenges the conventional reactive security model and introduces a new class of preemptive threat intelligence.”

To request a copy of the GreyNoise Intelligence report “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” please visit here.

About GreyNoise Intelligence

GreyNoise empowers the security teams of enterprises and global governments to act with speed and confidence by providing real-time, verifiable perimeter-based threat intelligence. This allows security teams to reduce noise in security operations, perform in-depth threat hunting campaigns, and focus on the most critical threats to their network. Our patented sensor technology enables us to collect and analyze unique threat data at-scale that no one else can. We provide the most actionable threat intelligence against mass internet scanning and exploitation, so that no attack works twice. For more information, please visit https://www.greynoise.io/, and follow us on Twitter, Mastodon and LinkedIn.
