Ten Days Before Zero: How Activity Surges in GreyNoise Data Precede Vulnerability Disclosure

The internet changes before the advisory drops. GreyNoise found that activity surges in sensor data precede vulnerability disclosures by a median of 11 days — a pattern that held across 33 CVEs and 16 vendor families, confirmed by rigorous statistical testing.

The study tracked 147.8 million sessions across 18 vendors over 103 days, identifying 68 pre-disclosure surges and documenting the countdown compression patterns, infrastructure concentration shifts, and attack-type progressions that precede public CVE advisories.

What's Inside

  • Countdown case studies: Cisco CVE-2026-20127 — 8 surges compressing from 39 to 2 days before a CVSS 10.0 zero-day; SonicWall peaking at 69x median volume; Fortinet with 1 day of warning
  • Signal analysis: Session volume carries the early warning; IP count alone does not — with direct implications for which metrics to monitor
  • Infrastructure mapping: 11 ASNs appeared across 3+ vendors; concentrated hosting sources cut lead time from 21 days to 7.5
  • Actionable framework: How to integrate pre-disclosure signals into patch prioritization

Why Download

  • A new input for patch prioritization: Empirical lead times across 33 CVEs — not just which to patch, but when to start staging, based on session-volume surge patterns
  • Collection priorities for intelligence teams: 11 cross-vendor ASNs, infrastructure concentration signals, and the phase transitions that shorten lead time from 21 days to 7.5
  • Triage framework: Countdown compression thresholds, escalation triggers, and vendor-specific action items