Compromised Asset Detection

Detect Active Compromise on Your Network Edge

Gain visibility into compromised devices by analyzing inbound scanning activity and outbound communication with attacker-controlled infrastructure

Get a Demo

Overview

Threat actors target edge devices like firewalls, VPNs, and routers to build botnets, stage malware, and maintain command-and-control. Once compromised, these devices either scan for new targets or quietly call back to attacker infrastructure. Today's threat actors use botnets to scan for vulnerable systems and launch mass, automated attacks. To do this, compromising edge systems are critical to their operations.

GreyNoise helps you spot compromised edge hosts fast using two independent signals. If your IP shows up as a scanner in GreyNoise, it’s likely been pulled into a botnet. If your outbound traffic matches a confirmed callback IP, it’s calling home to an attacker. Both are high-confidence indicators of compromise, even where EDR doesn’t exist. Compromised devices often behave like attacker infrastructure, making it likely that a compromised device will probe the GreyNoise sensor network or interact with a known malicious IP.

How GreyNoise Helps You
Find Your Compromised Assets

Identify Abnormal Outbound Traffic

GreyNoise matches your outbound traffic against confirmed malicious and callback infrastructure derived from real exploit activity. A hit is a high-confidence signal that a device is calling out to attacker-controlled systems.

Faster Containment

Early visibility into compromised assets, from both scanning behavior and outbound callbacks helps teams isolate hosts and respond before damage spreads.

Strengthen Incident Investigations

Combine scanner IPs, callback infrastructure, and malware hashes to investigate suspicious activity across both inbound and outbound signals.

Block Malicious Outbound Connections

GreyNoise provides query-based, dynamic blocklists that prevent devices on your network from communicating with both known malicious scanner IPs and confirmed C2 infrastructure.

Explore Available Fields

Filter by category & search available IP fields and their uses with GreyNoise.
Categories
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
NAME
Description & Use
Actor Count
Aggregated count of IPs per actor. Supports statistical analysis of actors.
Destination Countries Count
Count of IPs targeting specific countries. Supports geo-threat monitoring.
Description
Human-readable explanation of what the tag represents. Adds analyst context.
Intention
Tag’s intent classification: benign, malicious, suspicious, or unknown. Adds risk context.
Updated At
Date/time when the tag was last updated.
Recommended Block
Indicates whether IPs with this tag should be blocked. Supports automated policy decisions.
References
References (e.g., CVE pages, docs) supporting the tag. Provides analyst enrichment sources.
VPN Service
Name of the VPN service associated with the IP. Useful for attribution and filtering.
VPN
Flags if the IP belongs to a VPN provider. Suggests identity masking or evasive behavior.
Slug
Short identifier for the tag. Useful in queries and API lookups.
Callback IP
IP address identified as a callback destination embedded in exploit payloads. Indicates staging, malware delivery, or C2 infrastructure.
Attack Stage
Confidence classification for the callback IP: Unconfirmed, Stage 1 (File Downloaded), or Stage 2 (C2 Suspected). Drives alert severity and response prioritization.
Scanner IPs
IPs whose exploit payloads reference this callback destination. Links inbound scanning activity to post-exploitation infrastructure.
Associated Files Count
Number of malware files linked to a callback IP. Indicates the breadth of malicious activity tied to this infrastructure.
Malware Family
Classification label for the collected file (e.g., trojan.mirai/mozi). Supports rapid identification of known threat campaigns.
SHA256
SHA-256 hash of the collected malware file. Primary identifier for file-based enrichment and threat intel correlation.
SHA1
SHA-1 hash of the collected file. Supports legacy systems and additional correlation across threat feeds.
MD5
MD5 hash of the collected file. Enables compatibility with older detection tools and IOC matching workflows.
File Size
Size of the collected malware file in bytes. Useful for filtering and identifying payload variants.
VirusTotal Detections
Detection ratio from VirusTotal (e.g., 51/77 engines). Provides independent confirmation of malicious classification.
Detection Rate
Percentage of antivirus engines detecting the file. Quick-glance indicator of how widely recognized the threat is.
First Seen
Date the callback IP was first observed in exploit payloads. Establishes how long the attacker infrastructure has been active.
Last Seen
Most recent date the callback IP was referenced in a payload. Indicates whether the infrastructure is still in active use.

Don't become a botnet.

Get a demo
Search for free
Products
Partners
Resources
Company
©
2026
GreyNoise, Inc. All rights reserved.
YouTube logoJoin us on Slack!Discord logoTikTok logo