Resources
>
White Paper

2026 State of the Edge Report

February 24, 2026
Check it outRead the case studyListen to the podcastView the webinarWatch the video
Table of Contents
Loading nav...

Where Your Edge Defenses Fall Short

More than half of the most dangerous exploitation attempts observed across the internet came from IPs with no prior history in GreyNoise data. GreyNoise measured 212 exploitation attempts per second across H2 2025 β€” and the patterns inside that volume expose specific, measurable gaps in common edge defense strategies.

The 2026 GreyNoise State of the Edge Report analyzes 2.97 billion malicious sessions from 3.8 million unique source IPs. It shows exactly which vendors are targeted, where attack infrastructure concentrates, where reputation-based defenses have coverage gaps, and what defenders can do about it.

The Verizon 2025 DBIR documented an 8x increase in edge device exploitation β€” edge vulnerabilities jumped from 3% to 22% of all vulnerability exploitation breaches. Mandiant M-Trends 2025 found the top four most frequently exploited vulnerabilities were all in edge devices β€” Palo Alto PAN-OS, Ivanti Connect Secure, Ivanti Policy Secure, and Fortinet FortiClient EMS. CISA issued Binding Operational Directive 26-02, requiring federal agencies to address end-of-support edge devices. This report puts numbers behind those findings.

What's Inside

  • VPN Targeting at Scale β€” Palo Alto GlobalProtect: 16.7 million sessions, more than 3.5x Cisco and Fortinet combined. Vendor-by-vendor breakdown of what's absorbing the most traffic.
  • The Reputation Gap β€” 52% of remote code execution attempts came from IPs with no prior GreyNoise history. Where blocklist-based defenses fall short.
  • A 300,000-IP Residential Botnet β€” Grew from 2,000 to 300,000 IPs in 72 days. 73% residential. Why traditional perimeter controls miss it.
  • Legacy CVE Exploitation β€” Pre-2015 CVEs generated 7.3 million sessions β€” 4x more than 2023-2024 CVEs, with one 26-year-old vulnerability (CVE-1999-0526) accounting for the majority. Why the long tail of old vulnerabilities creates persistent exposure.
  • AI Infrastructure: Emerging Target β€” 91,403 sessions targeting LLM inference servers. 175,000 Ollama instances identified as internet-exposed (SentinelLABS/Censys, January 2026). The newest attack surface at the edge.

Why Download?

  • Understand what's actually hitting your edge β€” exact numbers, not estimates
  • Identify the control gaps that matter most, from reputation-based blocking to legacy CVE exposure
  • Get prioritized recommendations: what to do now, within 90 days, and within 180 days

Fill out the form to download your free copy.

Read the transcript

Where Your Edge Defenses Fall Short

More than half of the most dangerous exploitation attempts observed across the internet came from IPs with no prior history in GreyNoise data. GreyNoise measured 212 exploitation attempts per second across H2 2025 β€” and the patterns inside that volume expose specific, measurable gaps in common edge defense strategies.

The 2026 GreyNoise State of the Edge Report analyzes 2.97 billion malicious sessions from 3.8 million unique source IPs. It shows exactly which vendors are targeted, where attack infrastructure concentrates, where reputation-based defenses have coverage gaps, and what defenders can do about it.

The Verizon 2025 DBIR documented an 8x increase in edge device exploitation β€” edge vulnerabilities jumped from 3% to 22% of all vulnerability exploitation breaches. Mandiant M-Trends 2025 found the top four most frequently exploited vulnerabilities were all in edge devices β€” Palo Alto PAN-OS, Ivanti Connect Secure, Ivanti Policy Secure, and Fortinet FortiClient EMS. CISA issued Binding Operational Directive 26-02, requiring federal agencies to address end-of-support edge devices. This report puts numbers behind those findings.

What's Inside

  • VPN Targeting at Scale β€” Palo Alto GlobalProtect: 16.7 million sessions, more than 3.5x Cisco and Fortinet combined. Vendor-by-vendor breakdown of what's absorbing the most traffic.
  • The Reputation Gap β€” 52% of remote code execution attempts came from IPs with no prior GreyNoise history. Where blocklist-based defenses fall short.
  • A 300,000-IP Residential Botnet β€” Grew from 2,000 to 300,000 IPs in 72 days. 73% residential. Why traditional perimeter controls miss it.
  • Legacy CVE Exploitation β€” Pre-2015 CVEs generated 7.3 million sessions β€” 4x more than 2023-2024 CVEs, with one 26-year-old vulnerability (CVE-1999-0526) accounting for the majority. Why the long tail of old vulnerabilities creates persistent exposure.
  • AI Infrastructure: Emerging Target β€” 91,403 sessions targeting LLM inference servers. 175,000 Ollama instances identified as internet-exposed (SentinelLABS/Censys, January 2026). The newest attack surface at the edge.

Why Download?

  • Understand what's actually hitting your edge β€” exact numbers, not estimates
  • Identify the control gaps that matter most, from reputation-based blocking to legacy CVE exposure
  • Get prioritized recommendations: what to do now, within 90 days, and within 180 days

Fill out the form to download your free copy.

Products
Partners
Resources
Company
Β© 2025 GreyNoise, Inc. All rights reserved.
YouTube logoJoin us on Slack!Discord logoTikTok logo
Cookie Settings
We use cookies to ensure you get the best experience on our website. Learn more
Got it