If you defend an enterprise network, you almost certainly trust an IP blocklist somewhere in your stack. That blocklist was almost certainly built for a different threat landscape than the one you are defending against today.
We measured it. On a single day, May 14, 2026, the GreyNoise Global Observation Grid recorded 119,842 malicious, non-spoofable IPs targeting edge infrastructure. We compared that set against eleven of the most widely deployed OSINT and commercial IP feeds in the industry. The average coverage was 2.0%. The strongest individual feed closed less than five percent of the gap.
That is not a flaw in any single feed. It is the cost of static curation in 2026.
What the Numbers Look Like
Eleven feeds tested. None broke five percent. The list with the largest absolute size (Avastel, half a million IPs) caught fewer than two percent of the malicious traffic we observed in the same window. The vendor-curated EDLs that ship by default in many enterprise firewalls came in under half a percent.
This is not because those feeds are bad. They are doing the job they were designed to do, which is to flag IPs that meet a high bar for confidence. The problem is that "high bar" is often the result of a manual and slow review process.
Why Static Lists Are Losing Ground
The pace of attacker infrastructure has changed. Three forces are compressing the useful life of an indicator faster than any curated list can keep up.
1. AI-assisted scanning
Automated reconnaissance no longer requires a human in the loop. Threat actors can spin up scanners at a scale and speed that was operationally impractical even two years ago, then rotate the source infrastructure once it gets noisy.
2. Residential proxy botnets
A growing share of malicious traffic now originates from compromised consumer devices and rented residential IP pools. These IPs do not look like traditional badness. They sit inside ISP ranges that you cannot blanket-block without breaking legitimate traffic, and they recycle constantly.
3. Ephemeral cloud and hosting infrastructure
Attackers stand up VPS instances, run a campaign, and tear them down before most curation pipelines have rotated through their next refresh cycle. The same IP that was scanning Cisco IOS XE on Monday belongs to someone else's WordPress blog by Friday.
The result: list turnover at most curated feeds is measured in dozens of IPs per day. The threat infrastructure those feeds are trying to track is churning by the tens of thousands. A list refreshed weekly, or even daily, is staring at yesterday's attackers.
What GreyNoise Actually Is
GreyNoise is primary-source intelligence. Every IP in our dataset was observed by a GreyNoise sensor doing the thing we say it was doing. We do not aggregate other vendors' lists or infer from reputation. We have the receipts: raw session data captured at the moment of the event, whether that was a scan, an exploit attempt, or a brute-force payload.
The Global Observation Grid is a globally distributed sensor network specifically designed to attract and classify internet-wide scanning and exploitation activity. When an IP shows up in our 1D / Malicious / Non-Spoofable feed, it is there because we watched it do something malicious in the last 24 hours, and we can show the evidence behind the verdict for any IP, tag, or CVE in the dataset.
This matters for two reasons.
First, the data is primary-source. We are not synthesizing a confidence score from third-party reports. The classification is grounded in observed traffic on infrastructure we control.
Second, the IPs are non-spoofable. The GreyNoise sensor architecture eliminates the class of IPs that look malicious in scan logs but are actually forged source addresses in reflection or amplification attacks. When we tell you an IP was scanning your edge, that IP was scanning your edge.
That combination is what makes the data viable for the use cases the static lists were built for, and a lot of use cases they were never designed to support.
Turning the Data Into a Blocklist You Can Actually Deploy
Closing the 98% gap is only useful if the intelligence can get into the box that does the blocking. GreyNoise offers two ways to do that, and they are intentionally separate products built for different audiences and different levels of customization.
The Primary Path: GreyNoise Platform Blocklists
The GreyNoise Platform, best suited for large security teams, enterprises, and governments, includes advanced blocklist functionality built directly into the Visualizer. These Query-Based Blocklists are built using GNQL: you write or refine the query yourself, validate the results, and convert that query into a managed blocklist with one click.
This is the right path for teams that already live in the Visualizer and want full GNQL expressiveness without leaving the platform. The workflow is:
- Run a GNQL query in the search bar. For example,
last_seen_malicious:1d AND spoofable:false AND
tags:Cisco
will block recently malicious IPs hitting Cisco gear. - Review the returned IPs to confirm the list looks right.
- Click "Create Blocklist," name it, set an IP limit, and submit.
- Wait 1-3 minutes for provisioning, then pull the tokenized URL (or use header-based auth with your API key) into your firewall. The list refreshes hourly from there.
Common starting queries documented by GreyNoise include recent malicious or suspicious activity, vendor-tagged activity (Cisco, Palo Alto, Fortinet, and so on), CVE-specific exploitation attempts, and geographic scoping. Anything you can express in GNQL, you can turn into a deployable list.
A configuration walk-through for Palo Alto Networks External Dynamic Lists is published here, and the same pattern applies to most NGFW vendors that support URL-based dynamic lists.
Try the GreyNoise Platform free — explore query-based blocklists and enterprise-grade threat intelligence firsthand. Request a trial >
The Alternative: GreyNoise Block for SMBs
GreyNoise Block is a separate product built specifically for small and mid-sized organizations that only need blocking capabilities.
Block gives you two ways to define a list:
- Templates. Pre-built blocklists curated by GreyNoise, ready to deploy with a click. You pick the template, name the list, set an IP limit that matches what your firewall can ingest, and Block produces a URL. The template handles the GreyNoise Query Language (GNQL) behind the scenes. For a firewall admin who wants a small, targeted blocklist running by lunch, this is the path.
- Advanced Query Builder. A drag-and-drop interface for building custom queries against the GreyNoise Global Observation Grid's data. You can scope by classification (malicious, suspicious, benign, unknown), source country, tag, CVE, actor, CIDR block, first-seen window, and lookback period. Group conditions and NOT operators are supported, so you can build queries like "malicious activity in the last day, excluding US-based infrastructure and a specific CIDR you operate." The builder shows you the resulting query and the IP count in real time, and the same "Block These IPs" button turns it into a deployable URL.
Deployment is the same either way: copy the blocklist URL, paste it into your firewall's external dynamic list configuration, and authenticate with either an inline ?key=YOUR_API_KEY
parameter or a request header named key
. Lists refresh hourly after the initial 5–10 minute provisioning window.
Try GreyNoise Block for 14 days with a free trial. Try it free >
The Bottom Line
The blocklists that defended the perimeter for the last decade were good products built for a slower-moving adversary. They are still doing useful work today, and we are not suggesting anyone rip them out.
What we are suggesting is this: if 98% of the malicious activity hitting your edge on a given day is invisible to your current feeds, the right response is to add a source that can see it, not to keep waiting for static curation to catch up to something that has fundamentally changed.
GreyNoise enriches the tools you already run with continuously updated, primary-source intelligence. No list maintenance overhead. No second curation team. The customers who have done the integration get the benefit of seeing what we see, in the systems they are already running.
By the way, there is nothing special about May 14th. The 119,842 IPs we saw on that day are not a number that will hold tomorrow. By the time you read this, the count has already turned over. That is the point.
Data collected 2026.05.14. Source: GreyNoise 1D / Malicious / Non-Spoofable. Comparison destinations include FireHol Levels 1 through 4, Blocklist.de, CINS Army List, Palo Alto Known Malicious EDL, Palo Alto High Risk EDL, ShadowWhisperer Malware/Hackers, Binary Defense Ban List, and Avastel 1-Day Proxy/Bot IPs.
Facts Only
* GreyNoise Global Observation Grid recorded 119,842 malicious, non-spoofable IPs targeting edge infrastructure on May 14, 2026.
* Comparison against eleven OSINT and commercial IP feeds showed an average coverage of 2.0% for static lists.
* The largest list (Avastel) covered fewer than two percent of the observed malicious traffic in that window.
* Vendor-curated EDLs often covered less than half a percent of the malicious activity.
* Static lists are limited by manual review processes, resulting in slow updates relative to attacker infrastructure changes.
* Three forces compress the useful life of indicators: AI-assisted scanning, residential proxy botnets, and ephemeral cloud hosting.
* List turnover for curated feeds is measured in dozens of IPs per day while threat infrastructure churns by tens of thousands.
* GreyNoise data stems from raw session data captured by sensors observing activity.
* The sensor architecture eliminates non-spoofable source addresses found in reflection attacks.
* Two deployment paths exist: the GreyNoise Platform for large teams or GreyNoise Block for SMBs.
Executive Summary
Static IP blocklists often fail to keep pace with the rapid evolution of threat infrastructure due to slow curation processes. Observations from May 14, 2026, showed that comparisons between a single day's malicious IP observations and established commercial or OSINT feeds resulted in a significant gap, with static lists only covering a small percentage of the observed activity. This lag is exacerbated by three major shifts in attacker infrastructure: the rise of AI-assisted scanning, the increased use of residential proxy botnets for malicious traffic, and ephemeral cloud hosting infrastructure that allows attackers to quickly rotate IP addresses.
The source material differentiates primary-source intelligence from aggregated vendor lists, emphasizing that observed data is derived directly from sensor activity rather than inference. GreyNoise’s methodology focuses on tracking non-spoofable scanning activity, distinguishing it from forged reflection attacks. The solution presented involves deploying the platform's dynamic blocklist capabilities, which allow for custom queries against this primary dataset to create deployable lists, offering a path for organizations to incorporate real-time intelligence into perimeter defenses without manual curation overhead.
Full Take
The core tension presented is between the inertia of static, manually curated intelligence and the velocity of modern attacker infrastructure. The narrative successfully frames an obsolescence argument: traditional methods are built for a slower threat evolution and will inevitably lag behind automated, ephemeral threats unless the data source itself changes. This triggers a necessary shift from *curation* to *observation*.
The presentation effectively pivots from criticizing existing feeds to demonstrating superior data generation—primary-source observation rather than secondary aggregation. The implication is that retaining outdated lists is not just inefficient but introduces a material security deficit by excluding the majority of current threats operating via novel, high-velocity methods like residential proxies and ephemeral hosting. This structure compels the reader to question the fundamental assumption behind relying on static curation as a security control against dynamic adversary behavior.
The proposed solution—query-based blocklists—is not merely an added feature but a reflection of the shift toward operationalizing intelligence directly at the point of enforcement. It suggests that cognitive sovereignty in threat defense requires access to raw, context-rich data rather than relying on pre-packaged confidence scores. The systemic implication is that the cost of security lies less in list maintenance and more in the ability to observe phenomena that require real-time observation to track effectively.
Bridge Questions: If the observed churn rate continues to accelerate, what metrics should organizations prioritize when assessing intelligence lifecycle velocity over absolute coverage? How can static list integration be reconciled with the need for broad organizational policy consistency versus highly specific operational execution? What are the long-term consequences of outsourcing threat visibility from real-time observation to retrospective aggregation?
Sentinel — Human
The text presents a technically dense, evidence-based argument about the obsolescence of static threat lists and champions primary-source intelligence as the superior defense mechanism.
