OSINTBench

GreyNoise Review

Internet noise classifier that separates mass-scanning background traffic from targeted activity so you can stop chasing ghosts in your SIEM.

3.7/5
Pricing model: freemium (Free / $299/mo / Enterprise) | Professional | Standard review | Reviewed 2026-04-02
Affiliate disclosure: OSINTBench may earn a commission if you purchase through links on this page, at no extra cost to you. Affiliate relationships do not influence our ratings or recommendations.

Quick Verdict

Best for SOC analysts and threat hunters who need to filter internet background noise from SIEM alerts before deciding what to investigate.

Pros

  • + Continuously scans the IPv4 space and classifies IPs as benign scanner, malicious, or unknown — the distinction alone cuts SIEM false positive rates significantly
  • + RIOT dataset identifies major trusted infrastructure (Google, AWS, Cloudflare, Office365) so you can immediately rule out background noise from known providers
  • + ~200 tags covering specific scanner tools, malware families, and CVE-targeted scanners — lookups tell you exactly what tool or campaign an IP is associated with
  • + Community free tier with 50 API lookups/day is genuinely usable for manual IP triage without a paid subscription
  • + Clean REST API and GNQL make it straightforward to integrate into SIEM enrichment pipelines on Hunter tier

Cons

  • Narrow use case — only classifies internet-wide scanning activity; won't help with identity OSINT, targeted intrusions, or C2 IPs that don't conduct mass scanning
  • Hunter plan at $299/mo is expensive for individual analysts who only need occasional IP triage; there's no mid-tier between free (50/day) and Hunter
  • No CVE mapping natively — you get scanner tags and malware family labels, not vulnerability context tied to exposed service versions
  • IPs associated with targeted attacks that don't also conduct mass scanning return 'unknown' — the classification only covers what GreyNoise's sensors observe
  • Community GNQL access is limited; full query language and bulk enrichment require Hunter tier

What GreyNoise Is

GreyNoise operates a sensor network across IPv4. Sensors collect unsolicited connections, and source IPs get classified. This feeds a database of IPs doing mass scans.

GreyNoise helps analysts who waste time on false positives. Most IPs hitting your firewall are not targeting you; they are automated scanners sweeping the internet. GreyNoise labels these IPs as Benign (known good scanners), Malicious (associated with threats), or Unknown (no data).

The RIOT dataset lists major infrastructure providers, such as Google, AWS, and Cloudflare. If an IP in your logs matches, RIOT flags it as benign.

What It's Good For

GreyNoise filters SIEM alerts. It looks up an IP and helps you determine if it's a harmless scanner or something malicious.

GreyNoise helps deprioritize benign traffic, saving you time. You can then focus on real threats.

GreyNoise is useful for threat hunting. It identifies and tags scanner behavior, making it searchable. You can find IPs tied to specific tools or campaigns, such as ZMap scans on port 22 or a specific CVE scanner.

When new CVEs are released, GreyNoise quickly detects spikes in scanning activity. The activity shows up within hours, and you can query those IPs to see who is exploiting the new CVEs.

GreyNoise boosts automated enrichment by filtering out benign scanners. Your workflow becomes more efficient.

Getting Started

The Community tier is free, offering 50 IP lookups per day, API and web UI access, and limited GNQL queries.

To try the free tier, grab 10-20 IPs from recent SIEM alerts and look them up; you will often find benign scanners among them.

The API counts a lookup as one GET call.

GET https://api.greynoise.io/v3/community/{ip}
Headers: key: YOUR_API_KEY

The response contains a few key fields. The noise field is a boolean that indicates if the IP is mass scanning. The riot field is a boolean that marks known safe infrastructure. You receive a classification, which can be benign, malicious, or unknown. The name field tells you the specific scanner or service.
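The triage these response fields support, as an added example (not code from OSINTBench or GreyNoise). It runs offline on constructed responses; the verdict names, the `sample_lookup` stand-in, and the empty record returned for an unseen IP are assumptions of this example.

```python
import json

DAILY_BUDGET = 50  # Community tier: 50 lookups per day, one GET per lookup

# Constructed responses using the fields described above; not real GreyNoise data.
SAMPLE = {
    "192.0.2.10": '{"noise": true, "riot": false, "classification": "benign", "name": "ExampleScanner"}',
    "192.0.2.20": '{"noise": true, "riot": false, "classification": "malicious", "name": "unknown"}',
    "192.0.2.30": '{"noise": false, "riot": true, "classification": "benign", "name": "ExampleCDN"}',
}

def sample_lookup(ip):
    """Hypothetical stand-in for GET /v3/community/{ip}; unseen IPs get an empty record."""
    return json.loads(SAMPLE.get(ip, "{}"))

def triage(record):
    """Map one response to a triage verdict (verdict names are this example's own)."""
    if record.get("riot"):
        return "deprioritize"      # known trusted infrastructure
    classification = record.get("classification", "unknown")
    if record.get("noise") and classification == "benign":
        return "deprioritize"      # known good mass scanner
    if classification == "malicious":
        return "review"            # hostile, but sweeping the whole internet
    return "investigate"           # no mass-scanning history is not a safe verdict

def enrich(alert_ips, lookup=sample_lookup, budget=DAILY_BUDGET):
    """Triage alert source IPs, spending at most `budget` lookups on unique IPs."""
    verdicts, used = {}, 0
    for ip in alert_ips:
        if ip in verdicts:
            continue               # duplicates cost nothing
        if used >= budget:
            verdicts[ip] = "not_checked"
            continue
        verdicts[ip] = triage(lookup(ip))
        used += 1
    return verdicts, used

if __name__ == "__main__":
    alerts = ["192.0.2.10", "192.0.2.20", "192.0.2.10", "192.0.2.30", "198.51.100.7"]
    results, spent = enrich(alerts)
    for ip, verdict in results.items():
        print(f"{ip:15} {verdict}")
    print(f"lookups used: {spent}/{DAILY_BUDGET}")
```

Deduplicating before the lookup matters on the free tier, where repeated alerts from one scanner would otherwise consume the daily allowance.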

GNQL Filter Reference

GNQL cuts through the noise by filtering the entire internet scan dataset. Hunter tier users get full access; Community users get partial access. Key filters include IP address, port, protocol, country, city, organization, OS, service, and vulnerability. Query these fields to obtain precise results.

| Filter | Example | Purpose |
| --- | --- | --- |
| ip: | ip:45.33.32.156 | Look up a specific IP directly |
| tag: | tag:Shodan | Filter by scanner tool or malware tag |
| tag: (CVE) | tag:CVE-2021-44228 | Find IPs scanning for a specific CVE |
| classification: | classification:malicious | Return only malicious-classified IPs |
| country: | country:CN | Filter results to a specific country |
| asn: | asn:AS14061 | Filter by ASN (e.g., DigitalOcean) |
| os: | os:Windows | Filter by detected operating system |
| last_seen: | last_seen:>2026-03-01 | IPs observed scanning after a specific date |
| size: | size:>1000 | Return IPs seen at scan scale (large datasets) |
| metadata.organization: | metadata.organization:Amazon | Filter by registered organization name |

Combining Filters for Precise Results

You can refine your search by combining filters. Use boolean operators to create complex queries. A query like classification:malicious tag:Mirai country:RU returns IPs from Russia that are conducting Mirai-related scanning and are classified as malicious.

Combining filters gives you specificity: the more filters you combine, the more precise the results.

Pricing

| Plan | Price | API Calls | Key Features |
| --- | --- | --- | --- |
| Community | Free | 50/day | Web UI, single IP lookup, limited GNQL, RIOT dataset |
| Hunter | $299/mo | 1,000/day | Full GNQL, all tags, bulk enrichment, integrations, export |
| Enterprise | Custom | Unlimited | SLA, SSO, dedicated support, custom data delivery |

Annual pricing available at a discount. Contact sales for a quote.

Limitations

GreyNoise only tracks IPs that scan the entire internet. If an IP only targets specific hosts or hosts C2 servers, GreyNoise labels it "unknown" because it has no record of that IP hitting its sensors.

GreyNoise isn't for identity-based OSINT; it doesn't track individuals. It only provides network-layer classification, and only for mass-scanning IPs.

GreyNoise doesn't correlate CVEs with service banners; it flags IPs scanning for specific CVEs. Determining whether your own assets are vulnerable remains your responsibility.

The free tier offers 50 API calls daily, which is enough for manual checks. For automation, the cost is $299/mo for Hunter.

An "unknown" label from GreyNoise means the IP has no mass-scanning history. It does not mean the IP is safe; further investigation is required.

Alternatives

  • Criminal IP — malicious activity scoring with CVE mapping. GreyNoise and Criminal IP complement each other: use GreyNoise to filter out confirmed benign scanner traffic, then use Criminal IP to assess malicious activity scores and vulnerability context.
  • Shodan — raw device discovery and service banner indexing. Shodan tells you what services are exposed across the internet; GreyNoise tells you which IPs are scanning that internet.
  • AlienVault OTX — free community threat intelligence feeds with IP reputation data. OTX covers more general threat indicators but lacks GreyNoise's continuous mass-scanning classification.
  • VirusTotal — file, URL, and IP reputation aggregation from dozens of AV and TI vendors. VirusTotal's IP reputation is broader in source count but shallower in scanning behavior classification.

Bottom Line

GreyNoise handles internet background noise. SOC analysts use it to sort through SIEM alerts. The Community tier works for manual checks. The Hunter tier adds automation and bulk data enrichment.

GreyNoise and Criminal IP complement each other. GreyNoise filters out noise, and Criminal IP scores the rest. You get a clearer picture.

See Also

Threat Intelligence Platforms: A Reconnaissance Guide

Threat intelligence platforms track attackers. Companies use them to monitor their exposure, respond to incidents, and understand threat actor tactics.

What Threat Intelligence Platforms Do

These platforms collect data from various sources, such as OSINT, dark web chatter, and security blogs. They analyze it to identify patterns. Patterns help you anticipate attacks.

Key Features

The key features are data collection, analysis, and dashboards. Data collection ingests threat feeds, vulnerability databases, and dark web chatter. Analysis applies machine learning and natural language processing to identify trends. Dashboards show threat heatmaps, timelines, and geographic distribution.

Top Threat Intelligence Platforms

The top threat intelligence platforms are Maltego, CrowdStrike Falcon Insight, and ThreatConnect. Maltego visualizes relationships between IP addresses, domains, and threat actors. CrowdStrike Falcon Insight offers real-time threat detection and response. ThreatConnect provides analytics and visualization for threat intelligence.

How to Choose

Consider your needs. Do you track specific threats or monitor overall exposure? Some platforms specialize; others offer broad coverage, such as Maltego, CrowdStrike Falcon Insight, and ThreatConnect.

Threat Intelligence in Practice

Use these platforms to enhance your security posture. They help you stay ahead of attackers. Stay informed and adapt quickly.

Threat Hunting Tools: A Reconnaissance Guide

Threat hunting tools help you find what's hiding. These tools dig deeper into your network, uncovering threats that automated systems might miss.

What Threat Hunting Tools Do

Threat hunting tools query your network, searching for anomalies. They use various techniques, such as behavioral analysis and signature-based detection.

The key features are querying and analysis. Querying lets you ask specific questions about your network. Analysis applies various techniques to identify potential threats.

Top Threat Hunting Tools

The top threat hunting tools are Splunk, ELK Stack, and BloodHound. Splunk analyzes log data to detect threats. ELK Stack offers log analysis and visualization. BloodHound maps your Active Directory, identifying potential attack paths.

Think about your network. What tools will help you find threats there? Consider integration with existing security tools.

Threat Hunting in Practice

Threat hunting is proactive. You're looking for threats that automated tools might overlook. Stay vigilant and adapt your strategy as needed.


This review reflects testing as of 2026-04-02. OSINT tools change frequently; check the vendor's current documentation for pricing and feature updates.
