Provides defenders with early warning signals ahead of vulnerability disclosure on edge devices
WASHINGTON, April 20, 2026 /PRNewswire-PRWeb/ -- GreyNoise Intelligence, the cybersecurity company providing real-time intelligence about network-based attacks, today released a new report pointing to a correlation between surges in scanning and exploit activity and subsequent disclosures of Common Vulnerabilities and Exposures (CVEs) in edge technologies. Entitled "Ten Days Before Zero: How Activity Surges in GreyNoise Data Precede Vulnerability Disclosure," the report outlines common trends in attacker behavior patterns, with significant early warning value for cyber defense. This report builds upon GreyNoise's 2025 research, as outlined in the report entitled "Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities, and further cements the correlation between spikes in malicious activity several weeks prior to the disclosure of new vulnerabilities.
For this report, GreyNoise analyzed internet traffic via the GreyNoise Global Observation Grid (GOG) over 103 days and across 147.8 million sessions. Measuring daily activity on 276 GreyNoise tags associated with 18 of the most common edge device and network infrastructure vendors, it flagged days when activity spiked far above its normal level. GreyNoise found that over half of identified activity surges were followed by a vendor-matched CVE disclosure within three weeks. The median lead time was 11 days.
"For defenders, every day of advance notice matters, especially when exploitation is taking place before vulnerabilities are officially disclosed," said Ash Devata, CEO, GreyNoise Intelligence. "This report has significant early warning value for defenders – ten days is enough time to brief leadership, stage a patch, and harden exposed systems before most of the world learns the vulnerability exists."
The GreyNoise findings correlate with other industry research:
- Mandiant's M-Trends 2026 found that mean time-to-exploit has dropped to negative seven days, with exploitation routinely preceding disclosure of the vulnerability.
- VulnCheck recently documented that nearly three in ten KEVs in 2025 were exploited on or before the day of CVE publication.
- Google's GTIG counted 90 zero-days in the wild in 2025, with roughly half targeting enterprise technologies.
This advance warning creates a concrete operational window. Blocking the associated IPs during these phases may prevent inclusion in attacker inventories by reducing the likelihood of being targeted later, even if different IPs are used for exploitation of the new CVE emerging weeks later. CISOs can also use this window to justify early planning or investment.
"These findings are like pieces of a puzzle and the message is clear," said Andrew Morris, Founder and Chief Architect, GreyNoise Intelligence. "Attackers are blasting everyone, all the time, even before the vulnerabilities have been disclosed, and their activity patterns serve as an early warning of CVE disclosure. For defenders, having these earlier warning signals is critical, especially when exploitation is happening so fast."
To download the GreyNoise Intelligence report "Ten Days Before Zero: How Activity Surges in GreyNoise Data Precede Vulnerability Disclosure," please visit: https://www.greynoise.io/resources/ten-days-before-zero.
About GreyNoise Intelligence
GreyNoise empowers the security teams of enterprises and global governments to act with speed and confidence by providing fresh, verifiable threat intelligence about systems at the network edge. This allows security teams to reduce noise in security operations, perform in-depth investigations and threat hunts, and focus on the most critical threats to their networks. Our Global Observation Grid enables us to observe and analyze threat actor campaigns at global scale and share this intelligence with customers in real-time.
For more information, please visit https://www.greynoise.io/, and follow us on Twitter and LinkedIn.
Media Contact
Ruoting Sun, GreyNoise Intelligence, 1 202-630-2906, [email protected], https://www.greynoise.io/
Rebecca West, Helium Communications, 1 415-260-6094, [email protected], https://www.heliumcommunications.com/
SOURCE GreyNoise Intelligence
Share this article