Swarm Use Cases
Detect Targeted Attacks Against Your Infrastructure
Most internet-facing organizations are constantly scanned, but not all scanning is equal. Swarm lets you distinguish between broad, opportunistic scanning and activity that is specifically focused on your infrastructure.
Deploy sensors in your own IP space, then use Compare to measure what your sensors observe against GreyNoise's Global Observation Grid (GOG). IPs that appear on your sensors but are absent from the GOG represent potential targeted activity: attackers who are probing your environment specifically, not the internet at large.
Example workflow:
- Deploy sensors across your external IP ranges
- Assign device profiles that match your actual edge devices (firewalls, VPN concentrators, load balancers)
- Open Compare to identify IPs unique to your workspace
- Investigate unique IPs, ASNs, and tags to determine whether the activity is targeted reconnaissance, pre-exploitation scanning, or active attack
This is especially valuable for SOC teams, threat hunters, and incident responders who need to prioritize alerts based on attacker intent rather than volume.
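The Compare step above is a set difference with some aggregation on top. The following is an added example, not GreyNoise's code or a Swarm API, that reproduces the idea over constructed session records: it takes what your sensors saw, subtracts the IPs the global baseline already knows, and ranks what is left by how many of your sensors and ports each source touched. The record fields (src_ip, asn, tag, sensor, dst_port) and all addresses are assumptions made for the example.

```python
"""Added example (not GreyNoise's code): the Compare workflow as a
stand-alone set-difference over constructed data.

Assumptions (not from the page): workspace sessions and the global
baseline are plain Python records; field names are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src_ip: str
    asn: str
    tag: str        # classification tag, "" when unclassified
    sensor: str     # which of your sensors observed the session
    dst_port: int


# Constructed sample: what your workspace sensors observed.
WORKSPACE_SESSIONS = [
    Session("198.51.100.7", "AS64500", "SSH bruteforce", "sensor-a", 22),
    Session("198.51.100.7", "AS64500", "SSH bruteforce", "sensor-b", 22),
    Session("203.0.113.9", "AS64501", "", "sensor-a", 443),
    Session("203.0.113.9", "AS64501", "", "sensor-a", 4443),
    Session("203.0.113.9", "AS64501", "", "sensor-c", 443),
    Session("192.0.2.44", "AS64502", "Web crawler", "sensor-b", 80),
    Session("192.0.2.45", "AS64502", "", "sensor-b", 8443),
]

# Constructed sample: source IPs the global baseline (GOG) already knows.
GLOBAL_BASELINE_IPS = {"198.51.100.7", "192.0.2.44"}


def workspace_unique_ips(sessions, baseline_ips):
    """IPs seen by your sensors that the global baseline has not seen."""
    return {s.src_ip for s in sessions} - set(baseline_ips)


def summarize_unique(sessions, baseline_ips):
    """One row per workspace-unique IP: session count, distinct ports,
    sensors hit, ASN and tags. Sorted so the broadest probers come first,
    since a source touching several of your sensors and ports is a stronger
    signal of deliberate focus than a single hit."""
    unique = workspace_unique_ips(sessions, baseline_ips)
    agg = defaultdict(lambda: {"sessions": 0, "ports": set(),
                               "sensors": set(), "asn": None, "tags": set()})
    for s in sessions:
        if s.src_ip not in unique:
            continue
        a = agg[s.src_ip]
        a["sessions"] += 1
        a["ports"].add(s.dst_port)
        a["sensors"].add(s.sensor)
        a["asn"] = s.asn
        if s.tag:
            a["tags"].add(s.tag)
    rows = []
    for ip, a in agg.items():
        rows.append({
            "ip": ip, "asn": a["asn"], "sessions": a["sessions"],
            "ports": sorted(a["ports"]), "sensors": sorted(a["sensors"]),
            "tags": sorted(a["tags"]) or ["unclassified"],
        })
    rows.sort(key=lambda r: (len(r["sensors"]), len(r["ports"]), r["sessions"]),
              reverse=True)
    return rows


def unique_asns(rows):
    """Count workspace-unique IPs per ASN, a quick pivot for the
    'investigate unique ASNs' step."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["asn"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in summarize_unique(WORKSPACE_SESSIONS, GLOBAL_BASELINE_IPS):
        print(row)
```

In the constructed data, 203.0.113.9 is unknown to the baseline and reached three sessions across two sensors and two ports, so it sorts to the top; 192.0.2.45 is also unique but hit one sensor once. Sorting by breadth before volume is the point: a single unknown IP with one session is usually noise, a source walking several of your sensors is worth a look.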
Gain Perimeter Visibility Without Operational Risk
Running honeypots gives security teams direct visibility into what attackers are doing, but managing them is an infrastructure and operational burden. Swarm eliminates that burden.
Sensors forward traffic to GreyNoise's cloud infrastructure, where device profiles handle all attacker interaction, from protocol handshakes to full exploitation. Your sensor never runs vulnerable services locally. You get the intelligence value of honeypots without the risk of hosting exploitable services on your network.
Example workflow:
- Deploy a sensor on any Ubuntu Linux system in under 5 minutes
- Assign a vulnerable device profile (e.g., Palo Alto GlobalProtect, Citrix NetScaler, Fortinet FortiGate)
- Monitor sessions in real time as attackers interact with the emulated device
- Inspect payloads, credentials, and packets at the session level without any risk to your infrastructure
This is ideal for enterprise security teams and MSSPs who want deception-based intelligence without standing up and maintaining dedicated honeypot infrastructure.
Research Attack Techniques and Discover New Threats
Swarm provides researchers with raw, unfiltered access to real-world attack traffic — sessions, packets, payloads, and credentials — from sensors deployed across diverse environments and device profiles.
Unlike curated threat feeds or aggregated telemetry, Swarm gives you the full session: what the attacker sent, what the emulated device responded, and every packet in between. Unclassified sessions, traffic that doesn't match any known tag or signature, are often the most interesting, representing novel techniques, new exploit chains, or previously undocumented behavior.
Example workflow:
- Access a workspace with active sensors (deploy your own or use shared community data)
- Query sessions by protocol, port, payload content, or classification status
- Filter for unclassified or anomalous sessions
- Drill into individual sessions to inspect full packet captures and payload data
- Use findings to publish research, write detection rules, or contribute to the threat intelligence community
This supports security researchers, academics, and threat intelligence analysts who need primary-source data to study attacker behavior at scale.
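Steps two and three of the research workflow (query by protocol, port, payload and classification status, then filter for what nothing classifies) can be sketched in a few dozen lines. The block below is an added example and not Swarm's query interface or tag set: it runs a small constructed signature list over constructed sessions, tags what matches, and returns the leftovers as unclassified. Session fields and the three signatures are assumptions made for the example.

```python
"""Added example (not GreyNoise's code): tag sessions with known
signatures and surface the ones that match nothing.

Assumptions (not from the page): a session is a protocol, port and raw
payload; the signatures and session data are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    protocol: str
    dst_port: int
    payload: bytes


# Constructed signatures: (tag, protocol filter or None, regex over payload).
SIGNATURES = [
    ("HTTP crawler UA", "http",
     re.compile(rb"User-Agent: [^\r\n]*(?:bot|crawler|spider)", re.I)),
    ("Path traversal probe", "http", re.compile(rb"(?:\.\./){2,}")),
    ("SSH version banner", "ssh", re.compile(rb"^SSH-2\.0-")),
]


def classify(session):
    """Return the tags whose signature matches this session (may be empty)."""
    tags = []
    for tag, proto, rx in SIGNATURES:
        if proto is not None and proto != session.protocol:
            continue
        if rx.search(session.payload):
            tags.append(tag)
    return tags


def query(sessions, protocol=None, port=None, contains=None,
          unclassified_only=False):
    """Filter sessions by protocol, port, a payload substring and
    classification status, mirroring the fields the workflow names."""
    out = []
    for s in sessions:
        if protocol is not None and s.protocol != protocol:
            continue
        if port is not None and s.dst_port != port:
            continue
        if contains is not None and contains not in s.payload:
            continue
        if unclassified_only and classify(s):
            continue
        out.append(s)
    return out


# Constructed sample sessions.
SAMPLE_SESSIONS = [
    Session("s1", "http", 80,
            b"GET / HTTP/1.1\r\nHost: x\r\nUser-Agent: examplebot/1.0\r\n\r\n"),
    Session("s2", "http", 80,
            b"GET /../../../../index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    Session("s3", "ssh", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Session("s4", "http", 8443,
            b"POST /api/v1/unknown HTTP/1.1\r\nHost: x\r\nContent-Length: 3\r\n\r\nabc"),
    Session("s5", "tcp", 9000, b"\x00\x01\x02\x03BINARYPROBE"),
]


def unclassified_ids(sessions):
    """Session ids that no signature tags: the set worth a researcher's time."""
    return [s.session_id for s in query(sessions, unclassified_only=True)]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.session_id, classify(s) or "unclassified")
```

Two sessions fall through here (s4, an HTTP POST to an unfamiliar path on a non-standard port, and s5, a raw binary blob), which is the set the section calls the most interesting. When a researcher writes a signature for one of those, it moves out of the unclassified query without any change to the query itself.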
Monitor Threats to Specific Industries or Regions
Different industries and geographies face different threat profiles. Swarm lets you deploy sensors with device profiles that mirror your actual technology stack and observe what attackers are doing to infrastructure like yours.
An energy company can deploy sensors emulating industrial control system interfaces. A financial services firm can emulate the specific VPN and firewall products they run at the edge. A government agency can deploy sensors across sovereign IP space to monitor threats targeting national infrastructure.
Example workflow:
- Deploy sensors in IP ranges relevant to your organization, industry, or region
- Assign device profiles that match the technology commonly targeted in your sector
- Use Compare to identify activity disproportionately targeting your sensors compared to the global baseline
- Track trends over time — which countries, ASNs, or attack techniques are overrepresented against your infrastructure?
This is particularly relevant for government cybersecurity agencies, critical infrastructure operators, and organizations with regulatory obligations around threat visibility.
Deploy and Manage Sensors Across Client Environments
MSSPs and managed security providers can use Swarm to deploy sensor fleets on behalf of multiple clients, each in their own workspace with isolated data and tailored device profiles.
Sensors deploy in minutes with a single command, device profiles can be swapped without redeploying, and all analysis tools — Session Explorer, Compare, and detection rules — are available per workspace. This makes it practical to offer honeypot-based threat intelligence as a managed service without building and maintaining custom deception infrastructure for each client.
Example workflow:
- Create a workspace for each client
- Deploy sensors in the client's IP space with profiles matching their environment
- Monitor each workspace for targeted activity and emerging threats
- Deliver tailored intelligence reports based on what is specifically targeting each client
Collect Attacker Credentials, Payloads, and Artifacts
When attackers interact with Swarm sensors, they leave behind artifacts such as login credentials, exploit payloads, malware droppers, and tool signatures. Swarm captures all of this at the session level with full packet-level detail.
Example workflow:
- Deploy sensors with vulnerable device profiles (SSH, RDP, Telnet, web login panels)
- Monitor sessions for credential brute-force attempts, exploit delivery, and post-exploitation activity
- Inspect captured credentials, payloads, and command sequences
- Cross-reference findings with your own environment to validate whether compromised credentials or observed techniques pose a real risk
This supports threat hunting, credential hygiene validation, and proactive defense, giving security teams direct evidence of what attackers are attempting in the wild.
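The last workflow step, cross-referencing captured credentials with your own environment, is the one that turns honeypot output into a decision. The block below is an added example and not Swarm functionality: it takes constructed (username, password) attempts as a sensor would record them, and checks each against a constructed account list, a set of salted hashes of passwords actually in use, and a set of banned-password hashes, so the comparison never needs the organization's plaintext passwords. Salt, accounts, hashes and attempts are all assumptions made for the example.

```python
"""Added example (not GreyNoise's code): grade captured credential attempts
against your own environment by hash comparison.

Assumptions (not from the page): attempts are (username, password) pairs;
the org account list, live-password hashes and banned-password hashes are
constructed. A real directory has its own hash format; the salted SHA-256
here only stands in for it.
"""
import hashlib


ORG_SALT = b"constructed-salt"


def pw_hash(password, salt=ORG_SALT):
    """Salted SHA-256 used purely so plaintexts never have to be compared."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed environment data.
ORG_ACCOUNTS = {"svc-backup", "jdoe", "admin"}
ORG_PASSWORD_HASHES = {pw_hash("Winter2023!"), pw_hash("correct horse")}
BANNED_HASHES = {pw_hash("admin"), pw_hash("123456")}

# Constructed attempts as captured from a sensor session.
CAPTURED_ATTEMPTS = [
    ("root", "123456"),
    ("admin", "admin"),
    ("jdoe", "Winter2023!"),
    ("test", "test"),
]


def assess(attempts, accounts=ORG_ACCOUNTS, live_hashes=ORG_PASSWORD_HASHES,
           banned_hashes=BANNED_HASHES):
    """One finding per attempt with a risk level:
    critical: a real account name paired with a password that is live in the org
    high:     a live org password tried against some other username
    medium:   a real account name with a password not in use
    low:      neither the user nor the password exists in the org"""
    findings = []
    for user, pw in attempts:
        h = pw_hash(pw)
        known_user = user in accounts
        live_pw = h in live_hashes
        if known_user and live_pw:
            risk = "critical"
        elif live_pw:
            risk = "high"
        elif known_user:
            risk = "medium"
        else:
            risk = "low"
        findings.append({
            "user": user,
            "known_user": known_user,
            "live_password": live_pw,
            "banned_password": h in banned_hashes,
            "risk": risk,
        })
    return findings


def worst(findings):
    """Highest risk level present, useful as a single alert severity."""
    order = ["low", "medium", "high", "critical"]
    return max((f["risk"] for f in findings), key=order.index, default="low")


if __name__ == "__main__":
    for f in assess(CAPTURED_ATTEMPTS):
        print(f)
    print("overall:", worst(assess(CAPTURED_ATTEMPTS)))
```

The constructed jdoe/Winter2023! attempt scores critical because both halves are real in this environment, which is exactly the case the page describes as compromised credentials posing a real risk; admin/admin scores medium (the account exists, the password is not in use and is already banned). Keeping the comparison on hashes means the sensor output can be graded by a pipeline that never holds the directory's plaintext secrets.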
