GreyNoise
Guides
Start typing to search…

Swarm FAQs

Getting Started / Prerequisites

What are the system requirements for deploying a sensor?

Sensors require a server running Ubuntu 22.04 or 24.04, with at least 1GB RAM and 1–2 CPU cores. The server must have a public internet-facing IP address and SSH access. Root access is required during installation. Most cloud VMs and bare-metal servers meeting these specs will work. See the full Sensor Installation Guide for details.

How long does it take to deploy a sensor?

Installation takes approximately 3-5 minutes using a single installation command. After installation, the sensor begins collecting traffic automatically. You can switch profiles at any time after deployment without redeploying or re-imaging the sensor.

Does my sensor need to be on a cloud provider, or can I run it at home or on physical hardware?

Sensors can be deployed anywhere that meets our system requirements — cloud VMs, bare-metal servers, home networks, university or enterprise environments, on a Raspberry Pi, etc....

My Data / IP Ownership

Who owns data collected by my sensors?

GreyNoise owns 100% of the data collected by sensors deployed through Swarm. Users are free to use the data for research, blog posts, and publications, but the data may not be commercially re-sold or redistributed without prior authorization from GreyNoise.

Is my IP space / internal network information exposed to others?

No. Sensor IP addresses and workspace-specific details are never exposed in the community dataset or to other users. Workspace isolation prevents cross-workspace data contamination. If you want to share specific findings with someone, you can do so deliberately using the Copy Share Link feature — nothing is shared passively.

How is community-dataset data anonymized?

Identifiable information (including sensor IP addresses, workspace details, and any opsec-sensitive attributes) is stripped before data enters the community dataset. The complete list of anonymized fields are:

Pricing & Access Tiers

Is Swarm free to use?

Yes, Swarm is free to use. A one-time $1 payment verification (via credit card) is required before sensor deployment — this is not a recurring charge and serves as an identity verification mechanism, not a subscription.

What do I get as a Swarm user?

Swarm users get:

  • Unlimited sensor deployments
  • Ability to analyze/visualize your data directly in the GreyNoise UI
    • Query your data, analyze packets, payloads, binaries, and more...
  • Download PCAPs in bulk
  • Use our Swarm API
  • Access our library of 200+ profileswith the ability to create your own
  • Compare what is hitting your sensor vs. the greater GreyNoise fleet
  • Write your own tags/detection rules
  • access to the community dataset
  • and much more...

How long is my session data retained?

Data retention depends on your subscription tier:

  • Free users with a consumer email (Gmail, Proton, etc...) get access to the last 2 days of data
  • Free users with a business email have access to the last 10 days of data
  • GreyNoise customers get up to 90 days of data depending on the platform tier

Can multiple team members manage the same sensors / workspace?

Multi-user workspace collaboration is on the roadmap but not fully self-serve at launch. If you need multiple users provisioned to the same workspace (e.g., an enterprise security team, or a group of Researchers), reach out to [email protected] to get this set up manually.

Legal / Privacy / Policy Constraints

What if my sensors generate abuse complaints?

GreyNoise continuously monitors outbound traffic from all Sensors for anomalous behavior and flags potential compromise. When we identify that a Profile that is mapped to your Sensor is compromised, we may automatically rotate the profile host to prevent abuse targeted at public infrastructure. If GreyNoise receives an abuse complaint from one of our infrastructure providers, we will rotate the Profile host mapped to your sensor to prevent further abuse and resolve the abuse complaint.

In the event that you receive an abuse complaint from your provider or ISP, consider the following steps:

  1. Rotate your sensor to the Default Profile or another Profile to facilitate cleanup of the compromised Profile host
  2. Respond to the abuse complaint with text similar to the following:

For a hosting provider:

Hello,

Thank you for providing notice of this abuse activity. The source of the behavior has been identified and remediated as part of my investigation. The infrastructure that you noticed as responsible for this activity is a honeypot sensor powered by GreyNoise. The sensor host itself is a light-weight proxy responsible for forwarding traffic to, and from, the GreyNoise platform which provides the infrastructure to emulate software and expose it via the sensor host. To remediate the source of this activity, the infrastructure in the GreyNoise platform that was responsible for this activity has been terminated. Because the sensor host does not run the software responsible for the activity noted in this report, no action is required on that host.

Thank you

For an ISP

Hello,

Thank you for providing notice of this abuse activity. The source of the behavior has been identified and remediated as part of my investigation. The infrastructure that you noticed as responsible for this activity is a honeypot sensor powered by GreyNoise. The sensor host itself is a light-weight proxy responsible for forwarding traffic to, and from, the GreyNoise platform which provides the infrastructure to emulate software and expose it via the sensor host. This sensor is running on my network, but it only acts as a point of presence on the internet for the emulated software. To remediate the source of this activity, the infrastructure in the GreyNoise platform that was responsible for this activity has been terminated. Because the sensor running on my network does not run the software responsible for the activity noted in this report, no further action is required.

Thank you

Compromise Risk & What Happens When a Sensor Gets Popped

Can my sensor be compromised? Under what conditions?

The physical sensor machine itself is never compromised — it only forwards traffic over an encrypted WireGuard tunnel to GreyNoise's cloud infrastructure. It is the cloud-side profile, on the GreyNoise infrastructure, that can be exploited. High interaction/vulnerable profiles are expected to be compromised; shallow and medium-interaction profiles are not expected to be compromised, and a compromise of one of those profiles would constitute a vulnerability in the profile software itself, not the emulated product.

What happens if a profile is compromised?

A profile being compromised means the honeypot is working — this is referred to as "collecting mode". When detected, you'll receive a notification. The recommended response is to remap the sensor to a non-vulnerable profile to halt outbound traffic, then optionally remap back to the same or a different vulnerable profile to continue collecting data.

What risks does a compromise pose to my organization?

Profile Types / Interaction Levels

What is the difference between shallow / medium / high interaction profiles, and why does it matter?

Swarm supports roughly 200+ device profiles across multiple interaction levels:

  • Low/Shallow: responds to pings and port scans; no exploitable services
  • Medium: handles protocol handshakes and basic service emulation
  • High/Vulnerable: fully exploitable; can be compromised and execute payloads

Full detail on profile types is available in the published documentation: docs.greynoise.io/docs/profiles.

When should I use non-vulnerable profiles vs. vulnerable/high-interaction ones?

Use shallow/non-vulnerable profiles when you want to capture initial access behavior — scans, port enumeration, fingerprinting, and login attempts — with minimal operational risk. Use high-interaction/vulnerable profiles when you want to capture full exploits, post-exploitation payloads, and binary downloads.

Data Visibility / Swarm vs. GreyNoise Core Dataset

What exactly goes into the community dataset?

The community dataset consists of traffic collected by all customer and community-deployed sensors (i.e., any non-GreyNoise sensors).

Who can see community-dataset events vs. what stays private to my workspace?

All new users receive a 30-day preview of the community dataset. Users with at least one active deployed sensor get full, ongoing access. Private workspace data — including your specific session details, sensor configurations, and sensor IP addresses — is never included in the community dataset and remains visible only to your workspace.

Deployment Friction / Technical Support

Please visit our troubleshooting page


Updated about 4 hours ago

What’s Next