Asset Manager

GreyNoise Intelligence

GreyNoise Intelligence, founded by Andrew Morris, filters internet background noise for enterprise security teams using a global passive sensor network.

GreyNoise Intelligence was founded in 2016 by Andrew Morris, a security researcher who saw that most alerts flooding enterprise SOCs were triggered by mass internet scanning, botnets, and research crawlers—not targeted adversaries. The company emerged from the startup studio and early-stage fund DataTribe, which backs founders with deep expertise in cybersecurity and data science from the U.S. intelligence community and national labs. GreyNoise's origin is tied directly to that operational frustration: hours spent triaging benign events that looked identical to reconnaissance activity.

GreyNoise deploys a planetary-scale network of passive honeypot sensors that collect connection attempts, scans, and exploit probes across hundreds of IP addresses. The data is tagged and categorized into two streams: benign noise from known services like Shodan, Censys, and university research projects, and malicious activity from opportunistic worms, botnets, and mass-exploitation campaigns. Customers access this intelligence through an API, native integrations with platforms like Splunk, Microsoft Sentinel, and Palo Alto Networks Cortex XSOAR, or the community-facing "GreyNoise Visualizer." The firm provides context on IP addresses seen scanning the internet—a fundamentally different approach from threat intelligence feeds that blacklist IPs based on third-party reports. The core product sits at the intersection of cybersecurity, enterprise software, and applied AI/ML, trained to classify internet-wide traffic patterns.

The firm has grown from a solo research project into an organization with roughly two dozen employees, concentrated in the Washington, D.C. area. GreyNoise secured a seed round from DataTribe and participation from service-provider heavyweights. In 2019, it launched its first commercial API; by 2024, integrations exceeded 30 distinct security platforms. In March 2024, GreyNoise released "Sift," an AI-powered analysis tool that automates threat-hunting queries and generates plain-language summaries of emerging internet-wide activity (per the firm, March 2024). The company does not operate adjacent philanthropic vehicles but contributes to the research community through free API tiers and detailed blog posts analyzing novel exploitation patterns.

GreyNoise is structurally distinct from nearly every cybersecurity vendor in two ways. First, it does not sell a threat-feed subscription or a detection product—it sells an enrichment layer that makes existing tools smarter. Second, its asset is a purpose-built sensor network, not a pooled customer-telemetry data lake. That architecture gives GreyNoise an independent ground-truth perspective on internet-wide activity that no single enterprise could replicate, and it positions the company as a neutral data utility rather than a competitive platform.

General information

Firm type: Asset Manager

Year founded: 2016

AUM: Undisclosed

Location

Region: North America

Country: United States

City: Washington

Corporate office: Washington, DC, United States

Principals

Andrew Morris, Founder & CEO

Sector focus

Cybersecurity, Enterprise Software, AI/ML

Frequently asked questions

How does GreyNoise source its data, and what makes it different from commercial threat intelligence feeds?

GreyNoise operates a network of passive honeypot sensors distributed across hundreds of IP addresses globally. These sensors simply listen to traffic directed at them—scans, exploit attempts, and crawler connections—without engaging. This generates a ground-truth data set of what the internet is doing broadly, not what any single customer sees. Commercial threat feeds typically aggregate IP blacklists from third-party incident reports; GreyNoise categorizes live internet traffic into "benign" and "malicious" based on observable, reproducible behavior, giving analysts context about whether an alert represents a targeted attack or just mass scanning noise.

Who runs investment decisions at GreyNoise Intelligence?

GreyNoise is a venture-backed technology company, and strategic and financial decisions rest with founder Andrew Morris as CEO. The firm raised seed funding from DataTribe, a Maryland-based venture studio and early-stage fund that specializes in cybersecurity and data-science startups. Commercial pricing, product priorities, and go-to-market execution are managed by Morris alongside his leadership team.

Is GreyNoise a security product company or a data provider?

GreyNoise operates as a data enrichment layer, not a standalone detection product. Its primary output is an API that returns IP context—whether an address scanning your network is a known benign crawler, a researcher, or associated with mass exploitation activity. This data integrates directly into SIEMs, SOARs, and threat-intelligence platforms that enterprises already run. The firm occasionally releases free analysis tools, such as the GreyNoise Visualizer and Sift, but its commercial model is selling access to the curated data stream.

What sectors or types of activity does GreyNoise explicitly cover, and what does it ignore?

GreyNoise focuses exclusively on opportunistic, internet-wide scanning and exploitation activity. It tags and classifies IP addresses observed scanning across its sensor network, covering mass worms, botnet reconnaissance, and automated exploit attempts against common vulnerabilities. It does not attempt to track targeted, bespoke intrusions or advanced persistent threat (APT) campaigns that do not generate broad internet noise. The firm is transparent about this scope limitation: its value is eliminating the 90 percent of alerts that are untargeted background radiation.

Does GreyNoise maintain philanthropic structures or free community access tiers?

GreyNoise provides a free community API tier and a publicly accessible tool called the GreyNoise Visualizer, which lets anyone query IP addresses observed scanning the internet. The firm also publishes detailed, technical research on mass-exploitation campaigns and emerging vulnerabilities on its blog. There is no separate philanthropic foundation, but the free-tier commitment anchors the company's community posture.

Profile maintained by using OSINT (open-source intelligence), regulatory filings, licensed data partners, and verified direct submissions. Continuous refresh with full update cycles at least every 30 days.
