GreyNoise Intelligence
GreyNoise Intelligence collects and analyzes Internet-wide scan and attack traffic from a global network of sensors. Use GreyNoise to contextualize alerts, filter false positives, identify compromised devices, prioritize vulnerabilities by in-the-wild exploitation, and track emerging threats. The platform exposes a free Community API and a paid Enterprise API surface (IP Lookup, GNQL, RIOT/Business Services, Tags, CVE, Sessions, Callback, Recall, IP Timeline, Utility) plus an MCP server for AI workflows.
1 APIs
10 Capabilities
14 Features
Security · Threat Intelligence · Cybersecurity · IP Reputation · Vulnerability Management · Network Telemetry · SOC Automation · Public APIs
Unified GreyNoise API surface spanning the free Community endpoint and the paid Enterprise endpoints. Covers IP intelligence, GNQL query language, sessions / packet telemetry, C...
Run Capabilities with Naftiko — Deploy and orchestrate these API capabilities using Naftiko Fleet.
Callback surface of GreyNoise API. 4 operations. Lead operation: Export Callback IPs. Self-contained Naftiko capability covering one GreyNoise business surface.
Community surface of GreyNoise API. 1 operation. Lead operation: Community API. Self-contained Naftiko capability covering one GreyNoise business surface.
CVE surface of GreyNoise API. 2 operations. Lead operation: Retrieve CVE Information. Self-contained Naftiko capability covering one GreyNoise business surface.
GNQL surface of GreyNoise API. 3 operations. Lead operation: GNQL V3 Query. Self-contained Naftiko capability covering one GreyNoise business surface.
IP Lookup surface of GreyNoise API. 2 operations. Lead operation: IP Lookup - Multi. Self-contained Naftiko capability covering one GreyNoise business surface.
IP Timeline surface of GreyNoise API. 1 operation. Lead operation: IP Timeline Field Summary. Self-contained Naftiko capability covering one GreyNoise business surface.
Recall surface of GreyNoise API. 2 operations. Lead operation: GNQL V3 Recall. Self-contained Naftiko capability covering one GreyNoise business surface.
Sessions surface of GreyNoise API. 10 operations. Lead operation: Get Sessions. Self-contained Naftiko capability covering one GreyNoise business surface.
Tags surface of GreyNoise API. 1 operation. Lead operation: List Tags. Self-contained Naftiko capability covering one GreyNoise business surface.
Utility surface of GreyNoise API. 1 operation. Lead operation: Ping. Self-contained Naftiko capability covering one GreyNoise business surface.
IP Lookup (Quick + Context)
Fast IP enrichment with classification, RIOT trust, ASN, geo, tags, and raw scan/web telemetry.
Multi-IP Lookup
Bulk IP enrichment up to 10,000 IPs per request.
GNQL (GreyNoise Query Language)
Lucene-style query language across the GreyNoise dataset with rich facets and time-window operators.
GNQL Stats + Recall
Aggregate statistics and hourly/daily time-series over a GNQL query window.
Sessions & PCAP
Session-level packet capture, connection graphs, time-series, and PCAP export from GreyNoise sensors.
CVE Exploitation Telemetry
Per-CVE in-the-wild exploitation evidence; bulk CVE lookup.
Callback IP Intelligence
Post-exploit / C2 callback IP enrichment and aggregate statistics.
Tag Trends
Trending, anomalous, most-active, and most-recent behavior tags over the GreyNoise dataset.
Business Service Intelligence (RIOT)
Identify benign business-operated traffic to filter false positives.
C2 Detection
Identify command-and-control infrastructure.
Vulnerability Prioritization
Prioritize CVE remediation by observed in-the-wild exploitation.
Alerts, Feeds, and Blocklists
Schedule alerts, generate query-based blocklists, and consume GreyNoise feeds.
Project Swarm (sensor program)
Deploy GreyNoise sensors on owned networks for tailored intelligence.
MCP Server for AI Agents
Expose GreyNoise enterprise capabilities to LLM agents via Model Context Protocol.
Alert triage
Drop alerts on IPs known to be benign internet noise to reduce SOC workload.
Incident response enrichment
Enrich indicators of compromise with classification, tags, and historical activity during investigations.
Threat hunting
Hunt across GreyNoise sensor telemetry for emerging campaigns or specific TTPs.
Vulnerability prioritization
Reorder remediation queues by which CVEs are actively exploited in the wild.
Perimeter defense
Generate query-based blocklists to ingest into firewalls and edge platforms.
AI-assisted SOC
Let LLM agents call GreyNoise through the MCP server during automated triage and reporting.
Splunk
SIEM enrichment via the GreyNoise Splunk app (SA-GreyNoise).
Microsoft Sentinel
TI Feed integration documented for Azure Sentinel.
Google SecOps (Chronicle) / SecOps SOAR
SIEM + SOAR integration via the greynoise-google-secops repository.
CrowdStrike NG-SIEM
Native enrichment integration.
Cribl
GreyNoise enrichment pipeline in Cribl Stream.
Cortex XSOAR (Demisto)
SOAR playbook content for incident enrichment.
Splunk SOAR (Phantom)
SOAR integration and playbooks via greynoise-splunk-soar.
FortiSOAR
SOAR connector via connector-greynoise.
Swimlane
SOAR integration via greynoise-swimlane.
Tines
SOAR integration documented for Tines.
Anomali ThreatStream
TIP integration via greynoise-anomali.
MISP
TIP integration via misp-modules.
Recorded Future
TIP integration documented.
ThreatQ
TIP integration documented.
OpenCTI
TIP connector via the OpenCTI connectors repo.
Maltego
Analyst transforms via greynoise-maltego.
Polarity
Analyst overlay integration.
Palo Alto Networks PAN-OS
GreyNoise blocklists consumable as External Dynamic Lists (EDLs).
fail2ban
Open-source enrichment plugin (greynoise-fail2ban).
Microsoft Copilot for Security
AI/ML integration plug-in for Copilot for Security.
Model Context Protocol (MCP)
Native MCP server for LLM agent integration.
Terraform
Manage alerts and blocklists declaratively (terraform-provider-greynoise).
Community (Free)
Free tier for individual researchers; Community API only.
Standard
Entry-level paid tier with Enterprise + GNQL API access.
Advanced
Most-popular tier with 30-day lookback and 2-hour freshness.
Elite
Premium tier with hourly freshness, 90-day lookback, and unlimited alerts/feeds/blocklists.
81 classes · 186 properties
JSON-LD
33 rules ·
15 errors
15 warnings
3 info
SPECTRAL
Sources
aid: greynoise
name: GreyNoise Intelligence
description: >-
  GreyNoise Intelligence collects and analyzes Internet-wide scan and attack
  traffic from a global network of sensors. Use GreyNoise to contextualize
  alerts, filter false positives, identify compromised devices, prioritize
  vulnerabilities by in-the-wild exploitation, and track emerging threats. The
  platform exposes a free Community API and a paid Enterprise API surface
  (IP Lookup, GNQL, RIOT/Business Services, Tags, CVE, Sessions, Callback,
  Recall, IP Timeline, Utility) plus an MCP server for AI workflows.
url: https://www.greynoise.io
humanURL: https://docs.greynoise.io
baseURL: https://api.greynoise.io
image: https://www.greynoise.io/hubfs/Greynoise%20Logo.svg
specificationVersion: '0.20'
created: '2026-05-28'
modified: '2026-05-30'
x-type: company
x-category: Security
x-source: public-apis/public-apis
x-tier: 3
x-tier-reason: bulk-registered-from-public-apis
tags:
  - Security
  - Threat Intelligence
  - Cybersecurity
  - IP Reputation
  - Vulnerability Management
  - Network Telemetry
  - SOC Automation
  - Public APIs
apis:
  - name: GreyNoise API
    description: >-
      Unified GreyNoise API surface spanning the free Community endpoint and
      the paid Enterprise endpoints. Covers IP intelligence, GNQL query
      language, sessions / packet telemetry, CVE exploitation telemetry,
      callback IP intelligence, tag taxonomy, IP timelines, and recall
      time-series queries.
    humanURL: https://docs.greynoise.io
    baseURL: https://api.greynoise.io
    tags:
      - Security
      - Threat Intelligence
      - IP Reputation
    properties:
      - type: Documentation
        url: https://docs.greynoise.io
      - type: APIReference
        url: https://docs.greynoise.io/reference/getcommunityip
      - type: OpenAPI
        url: openapi/greynoise-openapi.yml
      - type: Authentication
        url: https://docs.greynoise.io/docs/using-the-greynoise-api
      - type: GettingStarted
        url: https://docs.greynoise.io/docs/getting-started
      - type: Quickstart
        url: https://docs.greynoise.io/docs/using-the-greynoise-api
      - type: NaftikoCapability
        url: capabilities/greynoise-community.yaml
      - type: NaftikoCapability
        url: capabilities/greynoise-ip-lookup.yaml
      - type: NaftikoCapability
        url: capabilities/greynoise-gnql.yaml
      - type: NaftikoCapability
        url: capabilities/greynoise-recall.yaml
      - type: NaftikoCapability
        url: capabilities/greynoise-ip-timeline.yaml
      - type: NaftikoCapability
        url: capabilities/greynoise-sessions.yaml
      - type: NaftikoCapability
        url: capabilities/greynoise-tags.yaml
      - type: NaftikoCapability
        url: capabilities/greynoise-cve.yaml
      - type: NaftikoCapability
        url: capabilities/greynoise-callback.yaml
      - type: NaftikoCapability
        url: capabilities/greynoise-utility.yaml
common:
  # ── Portal & web ─────────────────────────────────────────────────
  - type: Website
    url: https://www.greynoise.io
  - type: DeveloperPortal
    url: https://docs.greynoise.io
  - type: Console
    url: https://viz.greynoise.io
  - type: SignUp
    url: https://viz.greynoise.io/signup
  - type: Login
    url: https://viz.greynoise.io/login
  - type: Pricing
    url: https://www.greynoise.io/pricing
  - type: Plans
    url: plans/greynoise-plans-pricing.yml
  - type: RateLimits
    url: rate-limits/greynoise-rate-limits.yml
  # ── Support & status ────────────────────────────────────────────
  - type: Support
    url: https://support.greynoise.io
  - type: StatusPage
    url: https://status.greynoise.io
  - type: Contact
    url: https://www.greynoise.io/contact
  - type: FAQ
    url: https://docs.greynoise.io/docs/vulnerability-prioritization-faq
  - type: Glossary
    url: https://docs.greynoise.io/docs/swarm-glossary
  # ── Legal & compliance ──────────────────────────────────────────
  - type: TermsOfService
    url: https://www.greynoise.io/terms
  - type: PrivacyPolicy
    url: https://www.greynoise.io/privacy
  - type: TrustCenter
    url: https://trust.greynoise.io
  # ── Knowledge & content ─────────────────────────────────────────
  - type: Blog
    url: https://www.greynoise.io/blog
  - type: ChangeLog
    url: https://docs.greynoise.io/changelog
  - type: Academy
    url: https://www.greynoise.io/university
  - type: Training
    url: https://docs.greynoise.io/docs/greynoise-university-series-list
  - type: Tutorials
    url: https://docs.greynoise.io/docs/api-and-cli-training-modules
  - type: Webinars
    url: https://docs.greynoise.io/docs/community-resources
  # ── Source & ecosystem ──────────────────────────────────────────
  - type: GitHubOrganization
    url: https://github.com/GreyNoise-Intelligence
  - type: GitHubRepository
    url: https://github.com/GreyNoise-Intelligence/api.greynoise.io
  - type: LinkedIn
    url: https://www.linkedin.com/company/greynoise-intelligence
  - type: X
    url: https://x.com/GreyNoiseIO
  # ── SDKs & CLI ──────────────────────────────────────────────────
  - type: SDK
    name: pygreynoise (Python SDK + CLI)
    url: https://github.com/GreyNoise-Intelligence/pygreynoise
  - type: SDK
    name: GreyNoisePS (PowerShell module)
    url: https://github.com/GreyNoise-Intelligence/GreyNoisePS
  - type: SDK
    name: greynoiselabs (Python client for the Labs GraphQL API)
    url: https://github.com/GreyNoise-Intelligence/greynoiselabs
  - type: CLI
    name: greynoise (bundled with pygreynoise)
    url: https://github.com/GreyNoise-Intelligence/pygreynoise
  # ── Generated artifacts ─────────────────────────────────────────
  - type: SpectralRules
    url: rules/greynoise-spectral-rules.yml
  - type: Vocabulary
    url: vocabulary/greynoise-vocabulary.yml
  - type: JSON-LD
    url: json-ld/greynoise-context.jsonld
  # ── Tools (MCP / agentic) ───────────────────────────────────────
  - type: Tools
    name: GreyNoise MCP Server
    description: Official Model Context Protocol server for the GreyNoise Enterprise API. Exposes IP reputation, RIOT/business-service checks, tag and CVE intelligence, GNQL stats, and more as MCP tools.
    url: https://github.com/GreyNoise-Intelligence/greynoise-mcp-server
  - type: Tools
    name: Terraform Provider for GreyNoise
    description: Manage GreyNoise alerts and blocklists via Terraform.
    url: https://github.com/GreyNoise-Intelligence/terraform-provider-greynoise
  - type: Tools
    name: GreyNoise Splunk App (SA-GreyNoise)
    description: Splunk integration enriching events with GreyNoise data.
    url: https://github.com/GreyNoise-Intelligence/SA-GreyNoise
  # ── Features ────────────────────────────────────────────────────
  - type: Features
    data:
      - name: IP Lookup (Quick + Context)
        description: Fast IP enrichment with classification, RIOT trust, ASN, geo, tags, and raw scan/web telemetry.
      - name: Multi-IP Lookup
        description: Bulk IP enrichment up to 10,000 IPs per request.
      - name: GNQL (GreyNoise Query Language)
        description: Lucene-style query language across the GreyNoise dataset with rich facets and time-window operators.
      - name: GNQL Stats + Recall
        description: Aggregate statistics and hourly/daily time-series over a GNQL query window.
      - name: Sessions & PCAP
        description: Session-level packet capture, connection graphs, time-series, and PCAP export from GreyNoise sensors.
      - name: CVE Exploitation Telemetry
        description: Per-CVE in-the-wild exploitation evidence; bulk CVE lookup.
      - name: Callback IP Intelligence
        description: Post-exploit / C2 callback IP enrichment and aggregate statistics.
      - name: Tag Trends
        description: Trending, anomalous, most-active, and most-recent behavior tags over the GreyNoise dataset.
      - name: Business Service Intelligence (RIOT)
        description: Identify benign business-operated traffic to filter false positives.
      - name: C2 Detection
        description: Identify command-and-control infrastructure.
      - name: Vulnerability Prioritization
        description: Prioritize CVE remediation by observed in-the-wild exploitation.
      - name: Alerts, Feeds, and Blocklists
        description: Schedule alerts, generate query-based blocklists, and consume GreyNoise feeds.
      - name: Project Swarm (sensor program)
        description: Deploy GreyNoise sensors on owned networks for tailored intelligence.
      - name: MCP Server for AI Agents
        description: Expose GreyNoise enterprise capabilities to LLM agents via Model Context Protocol.
  # ── Use cases ───────────────────────────────────────────────────
  - type: UseCases
    data:
      - name: Alert triage
        description: Drop alerts on IPs known to be benign internet noise to reduce SOC workload.
      - name: Incident response enrichment
        description: Enrich indicators of compromise with classification, tags, and historical activity during investigations.
      - name: Threat hunting
        description: Hunt across GreyNoise sensor telemetry for emerging campaigns or specific TTPs.
      - name: Vulnerability prioritization
        description: Reorder remediation queues by which CVEs are actively exploited in the wild.
      - name: Perimeter defense
        description: Generate query-based blocklists to ingest into firewalls and edge platforms.
      - name: AI-assisted SOC
        description: Let LLM agents call GreyNoise through the MCP server during automated triage and reporting.
  # ── Integrations ────────────────────────────────────────────────
  - type: Integrations
    data:
      - name: Splunk
        description: SIEM enrichment via the GreyNoise Splunk app (SA-GreyNoise).
      - name: Microsoft Sentinel
        description: TI Feed integration documented for Azure Sentinel.
      - name: Google SecOps (Chronicle) / SecOps SOAR
        description: SIEM + SOAR integration via the greynoise-google-secops repository.
      - name: CrowdStrike NG-SIEM
        description: Native enrichment integration.
      - name: Cribl
        description: GreyNoise enrichment pipeline in Cribl Stream.
      - name: Cortex XSOAR (Demisto)
        description: SOAR playbook content for incident enrichment.
      - name: Splunk SOAR (Phantom)
        description: SOAR integration and playbooks via greynoise-splunk-soar.
      - name: FortiSOAR
        description: SOAR connector via connector-greynoise.
      - name: Swimlane
        description: SOAR integration via greynoise-swimlane.
      - name: Tines
        description: SOAR integration documented for Tines.
      - name: Anomali ThreatStream
        description: TIP integration via greynoise-anomali.
      - name: MISP
        description: TIP integration via misp-modules.
      - name: Recorded Future
        description: TIP integration documented.
      - name: ThreatQ
        description: TIP integration documented.
      - name: OpenCTI
        description: TIP connector via the OpenCTI connectors repo.
      - name: Maltego
        description: Analyst transforms via greynoise-maltego.
      - name: Polarity
        description: Analyst overlay integration.
      - name: Palo Alto Networks PAN-OS
        description: GreyNoise blocklists consumable as External Dynamic Lists (EDLs).
      - name: fail2ban
        description: Open-source enrichment plugin (greynoise-fail2ban).
      - name: Microsoft Copilot for Security
        description: AI/ML integration plug-in for Copilot for Security.
      - name: Model Context Protocol (MCP)
        description: Native MCP server for LLM agent integration.
      - name: Terraform
        description: Manage alerts and blocklists declaratively (terraform-provider-greynoise).
  # ── Solutions / product tiers ───────────────────────────────────
  - type: Solutions
    data:
      - name: Community (Free)
        description: Free tier for individual researchers; Community API only.
      - name: Standard
        description: Entry-level paid tier with Enterprise + GNQL API access.
      - name: Advanced
        description: Most-popular tier with 30-day lookback and 2-hour freshness.
      - name: Elite
        description: Premium tier with hourly freshness, 90-day lookback, and unlimited alerts/feeds/blocklists.
maintainers:
  - FN: Kin Lane
    email: [email protected]