Analysis Period: March 2 – 9, 2026
AI infrastructure joined the attack surface this week as threat actors systematically mapped Ollama model servers, coding assistant credentials, and notebook environments — while ICS scanning hit three-week highs and legacy protocol worms surged 52.8 million sessions.
Ollama model server scanning reached 51,801 sessions (+37.9%), with the /api/tags model enumeration endpoint surging +374%. For the first time, GreyNoise observed scanning for AI coding assistant configuration files — Cline, Aider, and Cursor — targeting API keys, conversation histories, and cloud credentials. Specialized scanning tooling (ollama-audit/1.0) confirmed purpose-built AI reconnaissance.
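To check your own exposure to the Ollama activity described above, here is a detection sketch added for this write-up; it is not GreyNoise code. It assumes a reverse proxy in front of Ollama writing Combined Log Format and a hypothetical trusted range of 10.0.0.0/8, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Combined Log Format from a reverse proxy in front of Ollama (assumption).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = "ollama-audit/1.0"       # tooling string named in the brief
ENUM_PATH = "/api/tags"               # model enumeration endpoint named in the brief
TRUSTED = [ip_network("10.0.0.0/8")]  # assumption: internal clients of the model server

# Constructed sample log lines (documentation-range addresses), not real telemetry.
SAMPLE_LOG = """\
10.1.2.3 - - [05/Mar/2026:10:00:01 +0000] "POST /api/generate HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.1.2.3 - - [05/Mar/2026:10:00:05 +0000] "GET /api/tags HTTP/1.1" 200 340 "-" "python-requests/2.31"
203.0.113.7 - - [05/Mar/2026:10:01:00 +0000] "GET /api/tags HTTP/1.1" 200 340 "-" "ollama-audit/1.0"
203.0.113.7 - - [05/Mar/2026:10:01:01 +0000] "GET /api/tags?x=1 HTTP/1.1" 200 340 "-" "ollama-audit/1.0"
198.51.100.9 - - [05/Mar/2026:10:02:00 +0000] "GET /api/tags HTTP/1.1" 401 0 "-" "curl/8.5.0"
garbage line that does not parse
"""

def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in TRUSTED)
    except ValueError:
        return False

def find_ollama_recon(log_text):
    """Return {source_ip: {"reasons", "hits", "exposed"}} for untrusted sources."""
    findings = defaultdict(lambda: {"reasons": set(), "hits": 0, "exposed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or is_trusted(m["ip"]):
            continue  # unparseable lines and internal clients are ignored
        path = m["path"].split("?", 1)[0].rstrip("/")
        reasons = set()
        if SCANNER_UA in m["ua"].lower():
            reasons.add("scanner-user-agent")
        if path == ENUM_PATH:
            reasons.add("model-enumeration")
        if not reasons:
            continue
        f = findings[m["ip"]]
        f["reasons"] |= reasons
        f["hits"] += 1
        # A 2xx reply to an untrusted source means the model list was disclosed.
        f["exposed"] |= path == ENUM_PATH and m["status"].startswith("2")
    return dict(findings)
```

Sources with `exposed` set received the model list without authentication, so the listener should be bound to a private interface or put behind authentication.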
Combined ICS sessions hit 828,696 (+513%), but the dominant DigitalOcean/Linode cluster (89–99.8% of Cisco Smart Install, Veeder-Root ATG, and iSCSI traffic) is consistent with benign internet scanning platforms. The genuinely malicious development: Chimay Red MikroTik exploitation exploded +1,103% as two command IPs directed 6,046 compromised routers.
SMBv1 (+197%), DCERPC (+199%), RFB/VNC (+250%), and Telnet (+207%) surged simultaneously. Thirty-nine of the top 50 source IPs are shared between SMBv1 and DCERPC — self-propagating Windows worm activity from residential ISPs in Vietnam, India, Russia, and Egypt.
Sophos CVE-2022-1040 RCE sessions reached 357,762 (+71.2%), marking three consecutive weeks of escalation. Enterprise VPN credential pressure hit 1,527,864 sessions (+28.5%) across five vendors. MEVSPACE — the dominant RDP brute-force operator — collapsed 99.8%.
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
Request a demo to learn more about GreyNoise's data and intelligence.