Just Released! GreyNoise 2026 State Of The Edge Report
.png){kind=spacer}
Analysis Period: February 23 – March 2, 2026
Global scanning volume cratered 37% in a single day as major operations went dark. But Sophos exploitation surged 435%, RDP scanning hit 9.1 million sessions, and VPN credential campaigns entered their sixth consecutive week — confirming dedicated infrastructure independent of the broader scanning ecosystem.
Combined CVE-2022-1040 exploitation and user portal probing reached 276,358 sessions — a fivefold increase targeting enterprise perimeter infrastructure that provides direct access to internal networks.
A dedicated MEVSPACE scanning operation dominated sensor traffic for the second straight week, pushing port 3389 from the 13th to the 3rd most-targeted destination port. Exposed RDP remains the primary ransomware entry vector
Scanning pressure against Cisco and Palo Alto portals climbed while SonicWall activity declined 86% following GreyNoise's published analysis. Sophos emerged as a significant new rotation target.
A custom SYN scanner collapsed 86%, UCLOUD declined 63%, and ColoCrossing nearly disappeared — yet enterprise targeted campaigns intensified against the declining backdrop, revealing which operations run on dedicated infrastructure.
.png)
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
Request a demo to learn more about GreyNoise's data and intelligence.
Analysis Period: February 23 – March 2, 2026
Global scanning volume cratered 37% in a single day as major operations went dark. But Sophos exploitation surged 435%, RDP scanning hit 9.1 million sessions, and VPN credential campaigns entered their sixth consecutive week — confirming dedicated infrastructure independent of the broader scanning ecosystem.
Combined CVE-2022-1040 exploitation and user portal probing reached 276,358 sessions — a fivefold increase targeting enterprise perimeter infrastructure that provides direct access to internal networks.
A dedicated MEVSPACE scanning operation dominated sensor traffic for the second straight week, pushing port 3389 from the 13th to the 3rd most-targeted destination port. Exposed RDP remains the primary ransomware entry vector
Scanning pressure against Cisco and Palo Alto portals climbed while SonicWall activity declined 86% following GreyNoise's published analysis. Sophos emerged as a significant new rotation target.
A custom SYN scanner collapsed 86%, UCLOUD declined 63%, and ColoCrossing nearly disappeared — yet enterprise targeted campaigns intensified against the declining backdrop, revealing which operations run on dedicated infrastructure.
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
Request a demo to learn more about GreyNoise's data and intelligence.
