Attack activity often precedes advisories
- GreyNoise found that malicious scanning and attacker activity typically ramps before public vulnerability advisories appear.
- The median lead time for attacker activity was about 11 days ahead of disclosures.
- This suggests defenders cannot rely solely on advisory-driven patching for internet-facing systems and need faster detection, isolation and mitigation strategies (scworld.com).
Attackers are often probing internet-facing gear days before vendors tell customers a new security flaw exists. (greynoise.io)

GreyNoise said April 20 that it analyzed 147.8 million sessions targeting 18 edge-device vendors between Dec. 14, 2025, and March 27, 2026. In that data, activity surges linked to 33 Common Vulnerabilities and Exposures, or CVEs, across 16 vendor families appeared a median 11 days before public disclosure. (greynoise.io)

An edge device is the internet-facing box at the front door of a network, such as a firewall, virtual private network gateway, or router. GreyNoise tracks the background scanning and exploit traffic hitting those systems and looked for spikes that lined up with later vendor advisories. (greynoise.io)

The company said about half of all observed spikes were followed by a CVE disclosure within three weeks, a rate 36% higher than chance would predict. Mean lead times differed by attack type: 12.1 days for scanning, nine days for remote-code-execution attempts, and 7.8 days for brute-forcing. (scworld.com)

GreyNoise’s case studies show the pattern compressing as disclosure gets closer. Before Cisco disclosed a CVSS 10.0 flaw, GreyNoise said its sensors saw eight surges of targeting activity, starting 39 days before disclosure and tightening to two days beforehand. (greynoise.io)

Cybersecurity Dive reported GreyNoise also saw pre-disclosure exploitation 36 days before a critical VMware flaw was disclosed and 24 days before a major MikroTik bug. The same report said GreyNoise found similar early activity around flaws affecting Juniper, SonicWall and Ivanti products. (cybersecuritydive.com)

That sequence leaves defenders with a gap between when attackers move and when patch guidance arrives. GreyNoise said the signal is strongest for internet-exposed systems, where organizations can block, isolate, or monitor targeted products before a vendor publishes an advisory. (greynoise.io)

The report does not say every traffic spike points to a hidden flaw, and GreyNoise frames the data as an early-warning signal rather than proof of a new zero-day. But the company said the pattern was statistically significant across the vendors and CVEs it studied. (greynoise.io)

The practical change is timing: waiting for the advisory means attackers may already be inside their window. GreyNoise’s finding is that the internet often starts telegraphing trouble first. (greynoise.io)