GreyNoise Tags

GreyNoise Tags is a signature-based detection method used to capture patterns and create subsets in our data. Tags cover six primary categories: Activity, Tool, Actor, Worm, and Search Engine. These sets are not just limited to CVE based activity. They include behaviors, attribution, and unique traffic characteristics.

Activity Tags

Activity tags include crawlers, vulnerability checks & exploitation, authentication attempts, and other behaviors observed from interactions with our sensors. This is the most common tag category in GreyNoise. These tags can be classified as "Unknown" or Malicious."

Tool Tags

Tool tags can be anything from open-source scanning tools to programming language libraries, such as NMap, Nuclei, Metasploit, Paramiko, and Go HTTP. Tool category tags can be classified as "Unknown."

Actor Tags

Actor tags describe the actor behind the activity, including commercial/enterprise entities, researchers, and universities. GreyNoise does not tag Advanced Persistent Threats (APT) or known threat actors. Actor tags are classified as either "Benign" or "Unknown."
Examples include Google, Censys, Shodan, BinaryEdge.

Worm Tags

Worm tags describe computer Worms, including Mirai, Eternalblue, and SSH worm. These will always be classified as "Malicious."

Search Engine Tags

Search Engine tags specifically identify crawlers such as Yandex, Bingbot, Baidu Spider. Search Engines are classified as "Benign" or "Unknown."

Request a Tag

If you have a request for a tag, would like to ask a question, or report an issue with an existing tag, please reach out to [email protected]


Did this page help you?