Compromised Asset Detection

Detect Compromised Assets

Detect outbound traffic probing GreyNoise sensors or talking with malicious IPs

Overview

Today's threat actors use botnets to scan for vulnerable systems and launch mass, automated attacks. Compromising edge systems is critical to these operations.

Compromised devices often behave like attacker infrastructure, making it likely that a compromised device will probe the GreyNoise sensor network or interact with a known malicious IP.

GreyNoise can help you quickly spot if you have a compromised host on your network edge.

How GreyNoise Helps You Find Your Compromised Assets

Identify Abnormal Outbound Traffic

GreyNoise detects when your internal system contacts our global sensor network or talks with a known malicious IP. Both are strong indicators of compromise.

Faster Containment

Early visibility into compromised assets allows defenders to contain hosts, halting lateral movement.

Strengthen Incident Investigations

GreyNoise helps establish a timeline of when a compromised device began scanning and exploitation activity.

Stop Outbound Connections to Malicious IPs

GreyNoise provides query-based, dynamic blocklists that prevent devices on your network from communicating outbound with malicious IP addresses.

How it Works

Explore Available Fields

Filter by category & search available IP fields and their uses with GreyNoise.
NAME | Description & Use | Category
VPN Service | Name of the VPN service associated with the IP. Useful for attribution and filtering. | IP Address Metadata
VPN | Flags if the IP belongs to a VPN provider. Suggests identity masking or evasive behavior. | IP Address Metadata
Updated At | Date/time when the tag was last updated. | Tag Information
Slug | Short identifier for the tag. Useful in queries and API lookups. | Tag Information
References | References (e.g., CVE pages, docs) supporting the tag. Provides analyst enrichment sources. | Tag Information
Recommended Block | Indicates whether IPs with this tag should be blocked. Supports automated policy decisions. | Tag Information
Name | Display name of the tag. Analyst-facing label for quick recognition. | Tag Information
Intention | Tag’s intent classification: benign, malicious, suspicious, or unknown. Adds risk context. | Tag Information
ID | Unique tag identifier. | Tag Information
CVEs | CVEs tied to the tag behavior. Critical for identifying exploitation of known vulnerabilities. | Tag Information
Description | Human-readable explanation of what the tag represents. Adds analyst context. | Tag Information
Created At | Date the tag was first added. Indicates when this behavior was first observed. | Tag Information
Tags Count | Count of IPs associated with specific tags. Helps identify common behaviors at scale. | Stats & Aggregates
Spoofable Count | Count of spoofable vs. non-spoofable IPs. Highlights volume of potentially fake traffic. | Stats & Aggregates
Source Country Count | Count of IPs originating from each country. Useful for geo-distribution of attacks. | Stats & Aggregates
Organization Count | Count of IPs linked to each organization. Useful for assessing exposure by provider. | Stats & Aggregates

Don't become a botnet.