Threat Hunting

Needle in the haystack. Found

Quickly identify anomalous behavior and catch targeted threats

Get a Demo

Overview

Effective threat hunting isn't just about finding more data, it’s about finding the right data. GreyNoise empowers your hunt team to adopt the PEAK Framework by correlating your internal traffic against our real-time map of internet-wide mass scanning.

By using GreyNoise to filter out opportunistic probes, benign scanners, and botnet noise, you reveal the statistically significant anomalies that represent targeted attacks. Stop chasing false positives and focus on the signals that actually threaten your perimeter.

How GreyNoise
Helps You Hunt Smarter

Focus effort on highest risks

Eliminate time-consuming research of benign and opportunistic scanning, allowing hunters to focus on infrastructure actually used by threat actors.

Supports threat research and hypothesis development

Hunters can use GreyNoise to conduct threat research, validate assumptions, and explore attack vectors in order to develop hypotheses.

Correlate isolated incidents

GreyNoise helps threat hunters link isolated incidents to larger campaigns by mapping attacker infrastructure and patterns, connecting logged IPs to those exploiting relevant vulnerabilities.

How GreyNoise Maps to the PEAK Hunting Framework

Explore Available Fields

Filter by category & search available IP fields and their uses with GreyNoise.
Categories
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
NAME
Description & Use
Slug
Short identifier for the tag. Useful in queries and API lookups.
Source Bytes
Number of bytes sent from source IP. Useful for traffic analysis.
Source Country
Country where the IP is registered. Provides attacker infrastructure location context.
Source Country Code
ISO country code for the IP’s registration country.
Source Country Count
Count of IPs originating from each country. Useful for geo-distribution of attacks.
Source Latitude
Latitude of IP’s registered location. Useful for geo-mapping.
Source Longitude
Longitude of IP’s registered location. Useful for geo-mapping.
Spoofable
Shows whether the IP completed a valid TCP handshake. If false, traffic may be spoofed or fake.
Spoofable Count
Count of spoofable vs. non-spoofable IPs. Highlights volume of potentially fake traffic.
TLS Cipher
TLS cipher suites used. Adds context for attacker SSL/TLS configurations.
TLS JA4
JA4 TLS fingerprint values. Useful for higher-fidelity TLS fingerprinting.
Tags Count
Count of IPs associated with specific tags. Helps identify common behaviors at scale.
Timeline
Key timeline details about when the CVE was published, updated, and added to CISA (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Useful for understanding how long the issue has been known.
Timeline CISA KEV Date Added
Date the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Vulnerabilities in KEV should be prioritized for remediation per federal guidance.
Timeline CVE Last Updated Date
The last date the CVE entry was updated in the database. Useful for tracking changes in severity, affected products, or exploit status.
Timeline CVE Published Date
The date the CVE was first published. Helps determine how long attackers have potentially been aware of the vulnerability.
Exploitation Activity Threat IP Count (10d)
Total number of threat IPs GreyNoise observed scanning or exploiting this vulnerability in the last 10 days.
Exploitation Activity Threat IP Count (1d)
Total number of threat IPs GreyNoise observed scanning or exploiting this vulnerability today.
Exploitation Activity Threat IP Count (30d)
Total number of threat IPs GreyNoise observed scanning or exploiting this vulnerability in the last 30 days. Useful for long-term prioritization and trend analysis.
Exploitation Details
Exploitation-related details pertaining to attack vector category, EPSS score (Exploit Prediction Scoring System), available exploits, and KEV (Known Exploited Vulnerabilities) registration. Guides whether to prioritize based on real-world attacker use.
Exploitation Details Attack Vector
The method attackers use to exploit the vulnerability (e.g., network, local, adjacent). Helps assess exposure across internet-facing vs. internal assets.
Exploitation Details EPSS Score
EPSS score (Exploit Prediction Scoring System) associated with the exploitation.
Exploitation Details Exploit Found
Indicates whether a working exploit is publicly available. Confirms attacker capability and should increase remediation priority.
Exploitation Details Registered in KEV
Whether exploitation has been registered in the KEV (Known Exploited Vulnerabilities) database.
Exploitation Stats
Statistical data about exploitation, including number of exploits available, and number of threat actors and botnets exploiting the vulnerability.
Exploitation Stats Number of Available Exploits
Total number of exploits available (public + commercial).
Exploitation Stats Number of Botnets Exploiting Vulnerability
Total number of botnets exploiting the vulnerability.
Exploitation Stats Number of Threat Actors Exploiting Vulnerability
Total number of known threat actors exploiting the vulnerability.
First Seen
Date the IP was first observed by GreyNoise. Indicates activity lifetime.
HTTP Cookie Keys
HTTP cookie keys observed in scanning activity. Useful for identifying web scanners/exploit kits.
HTTP Host
HTTP Host headers observed. Provides web attack targeting clues.
HTTP MD5
MD5 hash of observed HTTP payloads. Useful for malware identification.

Find your needle.

Get a demo
Search for free
Products
Partners
Resources
Company
© 2025 GreyNoise, Inc. All rights reserved.
YouTube logoJoin us on Slack!Discord logoTikTok logo