GreyNoise’s Andrew Morris on Internet Background Noise as Data episode artwork

EPISODE · Sep 23, 2025 · 29 MIN

GreyNoise’s Andrew Morris on Internet Background Noise as Data

from Ahead of the Breach · host Sprocket

What if you could predict major security vulnerabilities weeks before they're publicly disclosed? Andrew Morris, Founder & Chief Architect at GreyNoise Intelligence, built a global sensor network that does exactly that by tracking internet-wide scanning patterns that spike 3-4 weeks before critical vulnerabilities become public knowledge. This transforms the chaotic noise of billions of daily internet scans into precise threat intelligence that helps organizations focus on real attacks. Andrew walks Casey through how he created what he calls the "opposite of Shodan." Instead of cataloging what's scannable on the internet, GreyNoise tracks who's doing the scanning and why. The technical challenge required learning new programming languages and building infrastructure across hostile network environments globally, but the result is a system that functions like noise-canceling headphones for cybersecurity.  Topics discussed: The methodology behind building internet-wide sensor networks across multiple cloud providers and regional hosting environments. How network fingerprinting techniques using MTU overhead, TLS signatures, and protocol implementations reveal the true origins of scanning traffic through VPNs and proxies. The correlation between massive scanning spikes for specific software or hardware and vulnerability disclosures that follow 3-4 weeks later. Why embedded systems and edge devices represent the most vulnerable attack surface on the internet. Technical challenges of processing and indexing billions of daily network sessions while applying pattern matching and classification rules at line rate performance. The operational realities of maintaining distributed infrastructure in hostile network environments. How threat actors use geographic and software-specific targeting patterns that become visible only through comprehensive internet-wide monitoring capabilities. The discovery of zero day vulnerabilities through automated classification pipelines that identify previously unknown attack patterns. Why traditional threat intelligence approaches fail to distinguish between legitimate research scanning and malicious reconnaissance activities targeting organizations. Strategic approaches to handling sensor network detection and fingerprinting by adversaries, including infrastructure rotation and traffic obfuscation techniques. Listen to more episodes:  Apple  Spotify  YouTube Website

What if you could predict major security vulnerabilities weeks before they're publicly disclosed? Andrew Morris, Founder & Chief Architect at GreyNoise Intelligence, built a global sensor network that does exactly that by tracking internet-wide scanning patterns that spike 3-4 weeks before critical vulnerabilities become public knowledge. This transforms the chaotic noise of billions of daily internet scans into precise threat intelligence that helps organizations focus on real attacks. Andrew walks Casey through how he created what he calls the "opposite of Shodan." Instead of cataloging what's scannable on the internet, GreyNoise tracks who's doing the scanning and why. The technical challenge required learning new programming languages and building infrastructure across hostile network environments globally, but the result is a system that functions like noise-canceling headphones for cybersecurity.  Topics discussed: The methodology behind building internet-wide sensor networks across multiple cloud providers and regional hosting environments. How network fingerprinting techniques using MTU overhead, TLS signatures, and protocol implementations reveal the true origins of scanning traffic through VPNs and proxies. The correlation between massive scanning spikes for specific software or hardware and vulnerability disclosures that follow 3-4 weeks later. Why embedded systems and edge devices represent the most vulnerable attack surface on the internet. Technical challenges of processing and indexing billions of daily network sessions while applying pattern matching and classification rules at line rate performance. The operational realities of maintaining distributed infrastructure in hostile network environments. How threat actors use geographic and software-specific targeting patterns that become visible only through comprehensive internet-wide monitoring capabilities. The discovery of zero day vulnerabilities through automated classification pipelines that identify previously unknown attack patterns. Why traditional threat intelligence approaches fail to distinguish between legitimate research scanning and malicious reconnaissance activities targeting organizations. Strategic approaches to handling sensor network detection and fingerprinting by adversaries, including infrastructure rotation and traffic obfuscation techniques. Listen to more episodes:  Apple  Spotify  YouTube Website

NOW PLAYING

GreyNoise’s Andrew Morris on Internet Background Noise as Data

0:00 29:09

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Frequently Asked Questions

How long is this episode of Ahead of the Breach?

This episode is 29 minutes long.

When was this Ahead of the Breach episode published?

This episode was published on September 23, 2025.

What is this episode about?

What if you could predict major security vulnerabilities weeks before they're publicly disclosed? Andrew Morris, Founder & Chief Architect at GreyNoise Intelligence, built a global sensor network that does exactly that by tracking internet-wide...

Can I download this Ahead of the Breach episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!