Compromised Asset Detection

Detect Compromised Assets

Detect outbound traffic probing GreyNoise sensors or talking with malicious IPs

Overview

Today's threat actors use botnets to scan for vulnerable systems and launch mass, automated attacks. To do this, compromising edge systems is critical to their operations.

Compromised devices often behave like attacker infrastructure, making it likely that a compromised device will probe the GreyNoise sensor network or interact with a known malicious IP.

GreyNoise can help you quickly spot if you have a compromised host on your network edge.

How GreyNoise Helps You
Find Your Compromised Assets

Identify Abnormal Outbound Traffic

GreyNoise detects when your internal system contacts our global sensor network or is talking with a known malicious IP; both are strong indicators of compromise.

Faster Containment

Early visibility into compromised assets allows defenders to contain hosts, halting lateral movement.

Strengthen Incident Investigations

GreyNoise helps to establish a timeline of when a compromised device began scanning and exploiting.

Stop Outbound Connections to Malicious IPs

GreyNoise provides query-based, dynamic blocklists that prevent devices on your network from outbound communications with malicious IP addresses.

How it Works

Explore Available Fields

Filter by category & search available IP fields and their uses with GreyNoise.
Name | Description & Use | Category
Destination Countries Count | Count of IPs targeting specific countries. Supports geo-threat monitoring. | Stats & Aggregates
Actor Count | Aggregated count of IPs per actor. Supports statistical analysis of actors. | Stats & Aggregates
Category Count | Aggregated count of IPs per category (hosting, ISP, etc.). Highlights infrastructure trends. | Stats & Aggregates
Classification Count | Aggregated count of IPs per classification. Useful for threat landscape analysis. | Stats & Aggregates
Spoofable | Shows whether the IP completed a valid TCP handshake. If false, traffic may be spoofed or fake. | Classification
Tor | Identifies if the IP is a Tor exit node. Tor traffic often indicates obfuscation or anonymization. | IP Address Metadata
Source Country Code | ISO country code for the IP's registration country. | IP Address Metadata
Source Country | Country where the IP is registered. Provides attacker infrastructure location context. | IP Address Metadata
Organization | Organization responsible for the IP. Adds enrichment for attribution. | IP Address Metadata
Single Destination | True if the IP only scanned one country. Suggests targeted reconnaissance. | IP Address Metadata
Region | State/province where the IP is registered. Adds sub-country geolocation context. | IP Address Metadata
RDNS | Reverse DNS value for the IP. May reveal hostnames tied to services or campaigns. | IP Address Metadata
RDNS Parent | Parent domain of the reverse DNS. Useful for clustering infrastructure. | IP Address Metadata
Mobile | Indicates if the IP belongs to a mobile/cellular network. | IP Address Metadata
Domain | Domain tied to the ASN owner. Provides higher-level ownership context. | IP Address Metadata
Destination Country Codes | ISO codes for countries targeted by scanning. Supports correlation with geo-based IOCs. | IP Address Metadata

Don't become a botnet.