Investigator Use
GreyNoise is a cybersecurity intelligence platform that analyzes internet-wide background noise — the constant, automated scanning and probing traffic generated by security researchers, bots, and threat actors. By identifying which IP addresses are conducting mass internet scanning, GreyNoise helps investigators distinguish intentional targeted activity from opportunistic background noise.
For OSINT investigators and security analysts, GreyNoise's core value is context: when an IP address appears in security logs, GreyNoise tells you whether that IP is widely scanning the entire internet (background noise), specifically targeting your network or industry (targeted activity), or operating as known-good infrastructure (security researcher tools, scanner operators). This context dramatically changes the investigative priority and response appropriate for each IP.
IPs classified as "noise" in GreyNoise are typically mass scanners: Shodan bots, vulnerability scanners, research tools, and opportunistic exploit scanners. These are not malicious in the traditional sense, and knowing that an IP is a mass scanner rather than a targeted attacker changes the incident response calculus entirely.
IPs classified as "RIOT" (Rule It Out) are confirmed benign infrastructure — Google DNS, Microsoft CDNs, Cloudflare, and other known-good services. Removing these from investigation significantly reduces analyst workload when reviewing large IP datasets.
For threat intelligence investigations, GreyNoise's data reveals which IPs are actively scanning for specific vulnerabilities — a signal that allows organizations to prioritize patching based on what is actively being probed by attackers. GreyNoise's tags system categorizes IPs by the specific behaviors observed, including which CVEs are being exploited or scanned for.
The visualization dashboard at viz.greynoise.io allows geographic and temporal analysis of scanning activity, helping investigators understand attack campaign timing and geographic origin patterns.
GreyNoise API access enables integration into SIEM and SOAR workflows for automated enrichment and noise reduction. Free API access provides limited daily queries.
Document GreyNoise classification, relevant tags, first/last seen dates, and query timestamp for all IP lookups used in investigation analysis.
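The triage and documentation steps described above can be sketched as follows. This is an added example, not GreyNoise's own code: it runs over constructed lookup results, and the record field names, classification values, tag strings and bucket names are assumptions made for illustration rather than the GreyNoise API schema.

```python
from datetime import datetime, timezone

# Constructed lookup results keyed by IP (documentation address ranges).
# Field names and values are assumptions for this example, not GreyNoise's schema.
SAMPLE_LOOKUPS = {
    "192.0.2.10": {"noise": True, "riot": False, "classification": "benign",
                   "tags": ["constructed-research-scanner"],
                   "first_seen": "2024-01-03", "last_seen": "2024-05-01"},
    "198.51.100.7": {"noise": True, "riot": False, "classification": "malicious",
                     "tags": ["constructed-cve-scan-tag"],
                     "first_seen": "2024-04-20", "last_seen": "2024-05-02"},
    "203.0.113.53": {"noise": False, "riot": True, "classification": "benign",
                     "tags": [], "first_seen": None, "last_seen": None},
}

# Lower number = review sooner.
PRIORITY = {"investigate": 0, "opportunistic-malicious": 1,
            "background-noise": 2, "rule-out": 3}

def triage(lookup):
    """Map one lookup result (or None when the IP has no record) to a bucket."""
    if lookup is None:
        return "investigate"          # not seen mass scanning: may be targeted
    if lookup.get("riot"):
        return "rule-out"             # known-good infrastructure
    if lookup.get("noise"):
        if lookup.get("classification") == "malicious":
            return "opportunistic-malicious"
        return "background-noise"
    return "investigate"

def enrich(ips, lookups, now=None):
    """Return one evidence record per distinct IP, highest priority first."""
    queried_at = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for ip in sorted(set(ips)):
        hit = lookups.get(ip)
        records.append({
            "ip": ip, "bucket": triage(hit), "query_timestamp": queried_at,
            "classification": hit["classification"] if hit else None,
            "tags": list(hit["tags"]) if hit else [],
            "first_seen": hit["first_seen"] if hit else None,
            "last_seen": hit["last_seen"] if hit else None,
        })
    return sorted(records, key=lambda r: (PRIORITY[r["bucket"]], r["ip"]))

if __name__ == "__main__":
    log_ips = ["198.51.100.7", "203.0.113.53", "192.0.2.10", "198.51.100.200"]
    for rec in enrich(log_ips, SAMPLE_LOOKUPS):
        print(rec)
```

An IP with no record lands in the "investigate" bucket because the absence of mass-scanning history is only a lead, not proof of targeting; corroborate it with other sources before escalating.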
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
APNIC
IP Address OSINT
A global, open, stable, and secure Internet that serves the entire Asia Pacific community
Abuse IP DB
IP Address OSINT
AbuseIPDB provides IP reputation data and community abuse reports for identifying malicious hosts in network and threat investigations.
Censys Search
IP Address OSINT
Internet-wide search interface for hosts and certificates with large-scale host, service, and virtual host coverage plus API access.
Cloudflare IP Finder
IP Address OSINT
Uses misconfigured DNS and old database records to find hidden IPs behind the Cloudflare network
Criminal IP
IP Address OSINT
Criminal IP delivers AI-powered IP threat intelligence, attack surface data, and fraud detection for cyber threat investigations.
DNS dumpster
IP Address OSINT
Free domain research tool to discover hosts related to a domain. Find visible hosts from the attacker's perspective for Red and Blue Teams.