Risky Business Podcast: Soap Box with GrayNoise – How Early Internet Scanning Predicts New Vulnerabilities
Podcast: Risky Business
Episode: Risky Biz Soap Box: Greynoise knows when bad bugs are coming
Host: Patrick Gray
Guest: Andrew Morris (Founder of GrayNoise)
Date: November 20, 2025
Episode Overview
This sponsored "soapbox" episode dives deep into how GrayNoise detects early warning signals of big, damaging vulnerabilities before they’re publicly disclosed. Host Patrick Gray sits down with Andrew Morris from GrayNoise to explore the company’s unique perspective on Internet-wide scanning, how it provides three-month heads-ups on major bugs, and the broader challenges of attack surface management—especially as the world drags its feet toward IPv6. The conversation also touches on the real-world limitations of threat intelligence, the rising challenges posed by proxy networks and NAT, and GrayNoise's latest advancements in AI-powered traffic analysis.
Key Discussion Points & Insights
1. GrayNoise’s “Precog” Ability – Spotting Bad Bugs Before Disclosure
- Correlating Internet Scanning Activity with Upcoming Vulnerabilities
  - GrayNoise collects global honeypot and scanning data; unusually coordinated spikes in traffic targeting specific software are almost always a precursor to significant vulnerability disclosures (02:18 – 04:57).
  - Quote: “There's a certain size of spike that we only see when a very big scary vulnerability is going to be disclosed. And it's within 90 days, right? ...It happens every time.” — Andrew Morris (03:41)
  - Example given: Large coordinated scans for Cisco ASA devices or Palo Alto products, followed by timely public bug announcements.
- Who’s Doing the Scanning?
  - Typically well-resourced actors, possibly with access to thousands of IPs (compromised devices or leased addresses).
  - These actors often demonstrate tight coordination in their scans (05:06).
  - The scanning may be done by attackers, defenders (vendors), or independent researchers, but always when a high-value target is involved.
- Are These Actions Based on Early Insider Knowledge?
  - Spikes in interest often start when a vulnerability is reported to a vendor or reserved by MITRE, but before public disclosure (10:01 – 11:03).
  - Quote: “Somebody all of a sudden has a massive interest in figuring out where every single XYZ device [is] around the Internet. And they're doing that for one of two reasons. There is no third reason.” — Andrew Morris (10:08)
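The spike signal described in this section, as an added example that is not GreyNoise code: given per-day observations of which sources probed which target signature, it flags days where the number of distinct sources jumps far above a robust (median/MAD) baseline and reports how many of those sources had never been seen in the lookback window, the "new crowd shows up all at once" pattern. The target tags, addresses and day counts are constructed sample data, not real sensor output.

```python
"""
Added example (not GreyNoise's code): detect a sudden surge of distinct
sources probing one target signature in honeypot observations.
Input rows are (day, source_ip, target_tag); all sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

MAD_TO_SIGMA = 1.4826  # rescales the median absolute deviation to a sigma-like unit


@dataclass
class Spike:
    tag: str
    day: date
    count: int             # distinct sources seen on that day
    baseline: float        # median distinct sources per day over the lookback window
    robust_z: float        # (count - baseline) / robust scale
    novel_fraction: float  # share of that day's sources never seen in the window


def daily_unique_sources(rows):
    """Group observations into tag -> day -> set of source IPs."""
    per_tag = defaultdict(lambda: defaultdict(set))
    for day, src, tag in rows:
        per_tag[tag][day].add(src)
    return per_tag


def detect_spikes(rows, window=14, min_history=7, z_threshold=5.0, min_ratio=5.0):
    """Return Spike records for (tag, day) pairs whose distinct-source count
    is both many robust sigmas and many multiples above the prior-window median."""
    per_tag = daily_unique_sources(rows)
    all_days = sorted({day for day, _, _ in rows})
    spikes = []
    for tag, by_day in per_tag.items():
        for i, day in enumerate(all_days):
            history = all_days[max(0, i - window):i]
            if len(history) < min_history:
                continue  # not enough days to form a baseline yet
            prior_counts = [len(by_day.get(d, ())) for d in history]
            base = median(prior_counts)
            mad = median([abs(c - base) for c in prior_counts])
            scale = max(MAD_TO_SIGMA * mad, 1.0)  # floor avoids divide-by-zero on flat baselines
            today = by_day.get(day, set())
            if not today:
                continue
            z = (len(today) - base) / scale
            ratio = len(today) / base if base else float("inf")
            if z >= z_threshold and ratio >= min_ratio:
                seen_before = set().union(*(by_day.get(d, set()) for d in history))
                novel = len(today - seen_before) / len(today)
                spikes.append(Spike(tag, day, len(today), base, round(z, 2), novel))
    return spikes


def build_sample():
    """Constructed observations (documentation address ranges), not real sensor data."""
    start = date(2025, 9, 1)
    rows = []
    for d in range(15):
        day = start + timedelta(days=d)
        # steady background: the same 20 sources hit a generic HTTP probe every day
        for i in range(1, 21):
            rows.append((day, f"192.0.2.{i}", "generic-http-probe"))
        # a few recurring sources poke a hypothetical edge-VPN login signature
        for i in range(3 + d % 3):
            rows.append((day, f"198.51.100.{10 + i}", "edge-vpn-login"))
    # final day: sixty never-seen sources sweep the edge-VPN signature at once
    surge_day = start + timedelta(days=14)
    for i in range(1, 61):
        rows.append((surge_day, f"203.0.113.{i}", "edge-vpn-login"))
    return rows


SAMPLE_ROWS = build_sample()

if __name__ == "__main__":
    for s in detect_spikes(SAMPLE_ROWS):
        print(f"{s.day} {s.tag}: {s.count} sources vs baseline {s.baseline:g} "
              f"(robust z={s.robust_z}, {s.novel_fraction:.0%} never seen before)")
```

The two-part test (robust z-score and a minimum ratio) is deliberate: a flat baseline of a few sources per day makes the MAD collapse to zero, so the ratio guard keeps a jump from 2 to 6 sources from registering as a "massive interest" event, while the novelty fraction separates a genuinely new crowd from the usual scanners simply becoming busier.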
2. The (Limited) Actionability of Early Warnings
- Cynicism About Response
  - At first, organizations rarely acted on such early warnings. Over time, GrayNoise’s confidence in their predictive capability has grown due to repeated accuracy (06:36).
  - Quote: “At this point, you need to take all those security controls that you think you have on these edge devices, you better double check those.” — Andrew Morris (06:46)
- Suggested Defensive Actions
  - Double-check configs on relevant devices, conduct manual audits, and even consider rebooting edge devices to clear in-memory implants (referencing ASD’s Bad Candy report) (07:21 – 08:34).
- Responsible Disclosure Timelines
  - The 90-day spike pattern aligns with standard responsible disclosure intervals set by major entities like MITRE.
3. Why Don't Attackers Just Use Shodan or Censys?
- Direct Scanning vs. Third-Party Tools
  - Attackers (or even vendors) often perform their own large-scale scans rather than querying Shodan or Censys, despite those being comprehensive internet-wide scanners (12:56).
  - Reasons:
    - Direct control and instant results
    - Need for highly specific, sometimes custom probing
    - Avoid leaving an audit trail or logs with third-party services
    - Sometimes benign scanners (like Shodan) are blocked, so attackers need to roll their own (14:25 – 15:46).
  - Quote: “You're always gonna get better mileage when you do the scanning yourself.” — Andrew Morris (14:52)
4. Attack Surface Management: Enterprises’ Real State of Security
- Misplaced Confidence
  - Many organizations overestimate the security of their external attack surfaces; basics are often still neglected (19:20).
  - Quote: “They kind of forget the basics and they assume they’re better off than they are.” — Andrew Morris (19:51)
  - Common issues include weak passwords and old misconfigurations still working for attackers.
- Security as a Collective Problem
  - Securing your network is not enough; reliance on ISPs, vendors, and the larger ecosystem is essential (20:54).
  - Quote: “It doesn't work, man. ...Just being like, good luck everybody, update those firewalls, right? The firewalls are the ones getting popped, right?” — Andrew Morris (21:22)
5. Residential Proxy Networks and the NAT Nightmares
- Rise of Residential Proxies
  - Attackers increasingly use residential proxies — compromised home devices or large-scale CG-NAT gateways — making attribution and detection much harder (22:48 – 24:02).
  - Quote: “They can pop out of some compromised residential machine. ...From a GrayNoise perspective, like that's hard.” — Patrick Gray (23:15)
- NAT as a Double-Edged Sword
  - Originally intended as a stopgap to IP exhaustion, NAT is now a significant security and attribution hurdle (25:13 – 25:24).
  - Quote: “It was never meant to be a security control ever, right? It is not a firewall.” — Andrew Morris (25:15)
6. Looking Toward IPv6: Pros, Cons, and Future Security
- IPv6 as an (Unrealized) Solution
  - Moving to IPv6 could render much of today’s IP-related security complexity moot and would change how tools like GrayNoise could operate (24:32 – 28:46).
  - Quote: “If you architect the network the right way, it doesn't matter if you’re on the Internet or on the inside… it's all the same.” — Andrew Morris (25:30)
- Why Aren’t We There Yet?
  - Lack of economic drivers (“no incentive”), security inertia, and insufficient IPv6 support in security tools and the internet ecosystem (31:13 – 32:39).
  - Quote: “There is no economic incentive to move on from it [IPv4]. And because there’s no economic incentive… we’re not gonna do it.” — Andrew Morris (31:20)
  - Evidence: A basic home experiment shows much of the internet still doesn’t work reliably over v6.
- Inevitable Transition?
  - Chinese networks are ahead on IPv6 due to lack of IPv4 allocation, but for most, “we’re kicking the can down the road.” (29:09)
  - Quote: “We have to [move to IPv6]. Of this I am certain. ...Forget about IPv6. ...You got to assume everything’s on the Internet.” — Andrew Morris (29:09 – 29:42)
7. GrayNoise’s “Multiplayer” Future and AI Experiments
- Product Enhancements
  - Making GrayNoise more collaborative: Sharing sensor data across customers to spot trends and threats at a wider scale (33:26).
- AI for Line-Rate Packet Sorting
  - Using labeled honeypot and traffic data to train AI models for network traffic filtering, with experimental NVIDIA Bluefield cards pushing 400Gbps (33:56).
  - Quote: “I've got basically a little box that says if you look like you're bad, you're going nowhere. If you look like you might be bad, you're gonna go slow, and if you look like you're good, you're gonna come on through.” — Andrew Morris (34:21)
- Machine Learning, Not Just LLMs
  - They use smaller models (not large language models), gradient-boosted trees, BERT, etc., to classify network traffic (“gray noisy or not?”) (36:17 – 36:49).
Selected Memorable Quotes and Moments
- On Early Warning Predictive Scanning: “It is going from a little bit of a voodoo art to kind of a little bit of a science. ...To someone, those devices are vulnerable. So you need to just assume that that’s the case, right?” — Andrew Morris (08:02)
- On Security Complacency: “I really never had to do any super... crazy Matrix voodoo stuff to get into networks. There’s just a handful of things that just work.” — Andrew Morris (20:05)
- On the Futility of Outdated Mindsets: “The Internet has to work. ...Let them [China] eat v6, I think, is what we said.” — Patrick Gray (33:08)
- On AI’s Place in Security Tech: “How gray noisy do you look? You look pretty gray noisy. You’re going real slow from now on.” — Andrew Morris (36:36)
Notable Timestamps
- 02:18 – 05:06: Discovering and confirming the 90-day predictive pattern – scanning activity spikes as a precursor to major bugs.
- 06:36 – 09:54: On the (non-)actionability of early warning intelligence and the necessity of proactive audits.
- 12:56 – 15:46: Why attackers scan directly and don’t always use Shodan/Censys; details on scanning tactics.
- 19:20 – 21:57: The “border device problem” and why organizations are less secure than they think.
- 22:48 – 25:24: The challenges posed by residential proxies and NAT obfuscation.
- 24:32 – 29:09: IPv6 vs. IPv4: The limitations of today’s internet architecture and what a v6 world might look like.
- 31:13 – 32:39: The economic and technical blockers to IPv6 adoption.
- 33:26 – 36:49: GrayNoise’s “multiplayer” feature, AI use cases, and live network traffic training for security.
Tone and Style
The conversation is lively, candid, and occasionally irreverent—balancing deep technical insights with real-world cynicism and a touch of humor. Both Patrick and Andrew often veer into “soapboxing” about the bigger systemic problems facing security.
Summary for Non-Listeners
This episode offers a rare behind-the-scenes look at how Internet-wide scanning activity can predict the next major vulnerability disclosure months before the world hears about it. GrayNoise leverages global-scale honeypot data to spot coordinated, targeted scans and increasingly treats these as “smoke signals” for the next big fire. The discussion highlights not only technical details of this process but also the industry’s ongoing struggles with actionable early warning, the hard limitations brought by IPv4/NAT, the slow march to IPv6, and the evolving frontier of AI in network security. GrayNoise is also opening its data for the AI research community in a push to create more collaborative, “multiplayer” threat defense.
Whether you’re a practitioner looking for defensive inspiration, a skeptic of threat intelligence, or just curious about where large-scale security is headed, this episode is a fast, insightful listen.
