Scanning Predicts Most Security Flaws Within Weeks

A recent study by cybersecurity firm GreyNoise reveals a significant and actionable pattern in attacker behavior and security flaws, writes Bill Toulas, in BleepingComputer.

Spikes in malicious activity, i.e, reconnaissance, scanning, brute-force attempts, often precede the public disclosure of new security vulnerabilities (CVEs).

In approximately 80% of cases, these pre-disclosure spikes occur within six weeks of a new CVE being revealed, thus providing defenders a rare opportunity to prepare before vulnerabilities become widely known and exploited.

GreyNoise’s findings stem from its analysis of over 10 months of data from its Global Observation Grid, which monitors internet-wide activity.

After filtering out low-quality and ambiguous signals, researchers identified 216 meaningful “spike events” associated with edge networking devices from eight enterprise vendors.

Notably, half of those events were followed by a CVE disclosure within three weeks. Vendors whose devices showed stronger correlations include Ivanti, SonicWall, Palo Alto Networks, and Fortinet, all frequent targets of state-sponsored attackers.

The data indicates that spikes are often driven by attackers scanning for older, already known vulnerabilities. This activity helps attackers identify exposed endpoints or discover new exploitable weaknesses.

These scans aren’t noise. They are early signals of broader threat campaigns.

GreyNoise argues that defenders should leverage this behavior to anticipate and mitigate threats and security flaws proactively, rather than relying solely on post-disclosure patching.

Legal teams advising organizations in regulated industries should consider integrating pre-disclosure scanning activity into cybersecurity governance frameworks and contractual security requirements.

This shift toward anticipatory defense aligns with emerging standards of care in cyber risk oversight.