Research Links Threat Actor Activity to Future Vulnerabilities

The report also offers recommendations for proactively protecting networks before vulnerabilities are disclosed.


GreyNoise Intelligence, a provider of cybersecurity threat intelligence, recently released a research report exploring the correlation between spikes in attacker activity and subsequent disclosures of Common Vulnerabilities and Exposures (CVEs) in edge technologies. The research report, entitled “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” offers predictive value and recommendations on what defenders can do to proactively protect their networks, before vulnerabilities are even disclosed.

GreyNoise analyzed all of its tags covering CVEs with a CVSS score of 6 or higher that are associated with edge technologies, to determine whether there was a consistent, repeatable pattern of significant spikes in opportunistic attacker activity (e.g., scanning, brute forcing, and exploitation attempts) against edge technologies preceding the disclosure of new vulnerabilities. Although the analysis was not limited to enterprise technologies, GreyNoise observed this pattern only across a specific subset of enterprise edge products from eight vendors.

Key findings from the report include:

  • Spikes in attacker activity often precede new cyber vulnerabilities. In 80 percent of cases we analyzed, significant spikes in opportunistic attacker activity against edge technologies were followed by the disclosure of a new CVE affecting the same technology within six weeks. This recurring pattern may offer early warning value.
  • These spikes give defenders a defined window to prepare. The clustering of new CVEs within six weeks of attacker spikes provides defenders with a concrete timeframe to increase monitoring, harden systems, and preemptively act — even before a vulnerability is known. CISOs can use this window to justify early planning or investment.
  • Blocking early reconnaissance may keep systems off attacker inventories. Spikes may reflect exploit-based reconnaissance designed to identify exposed systems. Blocking the associated IPs during these phases may prevent inclusion in attacker inventories — reducing the likelihood of being targeted later, even if different IPs are used for exploitation of the new CVE emerging weeks later.
  • Enterprise edge technologies show the strongest patterns. After filtering out ambiguous cases and noise, all spike-CVE pairs we observed involved internet-facing assets commonly deployed in enterprise environments such as VPNs, firewalls, and products from vendors like Cisco, Fortinet, Citrix, and Ivanti.
  • Most spikes involved real exploits — not scanning. The majority of activity leading up to CVEs was not generic scanning but exploit attempts against previously known vulnerabilities. This supports two likely motives: testing inputs that may lead to new CVE discovery, or inventorying systems for future exploitation when a new flaw becomes known.
  • State-sponsored actors have repeatedly targeted edge infrastructure. Nation-state groups like the Typhoons have reportedly focused on enterprise-focused edge devices for pre-positioning, surveillance, and access persistence. All products studied in this analysis are enterprise-focused edge systems, highlighting both enterprise and national security stakes.
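The core of the analysis behind these findings can be reproduced against your own per-product telemetry. The script below is an added example, not GreyNoise's code or its exact methodology: the report does not say how it scores a "significant spike", so the rule used here (a day whose count exceeds the mean plus three standard deviations of the preceding 28-day baseline) and the baseline length are assumptions, the six-week lookahead comes from the report's finding, and the daily counts and CVE date are constructed sample data rather than real observations.

```python
"""Spike detection and spike-to-CVE correlation over daily event counts.

Added example, not GreyNoise's code. The z-score rule, the 28-day
baseline and the threshold of 3 are assumptions; the 42-day lookahead
is the six-week window the report describes.
"""
from datetime import date, timedelta
from statistics import mean, pstdev

BASELINE_DAYS = 28              # assumed trailing window used as the baseline
Z_THRESHOLD = 3.0               # assumed: a spike is > mean + 3 * stdev of the baseline
LOOKAHEAD = timedelta(days=42)  # six weeks, per the report


def find_spikes(daily, baseline_days=BASELINE_DAYS, z=Z_THRESHOLD):
    """daily: list of (date, count) sorted ascending, one entry per day.

    Returns the first day of each spike event. A day is a spike when its
    count exceeds mean + z * stdev of the preceding baseline window;
    consecutive spike days are collapsed into a single event.
    """
    counts = [c for _, c in daily]
    spikes = []
    in_spike = False
    for i in range(baseline_days, len(daily)):
        window = counts[i - baseline_days:i]
        mu, sd = mean(window), pstdev(window)
        # Floor the deviation so a perfectly flat baseline still needs a real jump.
        threshold = mu + z * max(sd, 1.0)
        if counts[i] > threshold:
            if not in_spike:
                spikes.append(daily[i][0])
            in_spike = True
        else:
            in_spike = False
    return spikes


def spikes_followed_by_cve(spikes, cve_dates, lookahead=LOOKAHEAD):
    """Pair each spike with the first CVE disclosed within `lookahead` after it.

    Returns a list of (spike_date, cve_date_or_None).
    """
    ordered = sorted(cve_dates)
    pairs = []
    for s in spikes:
        match = next((d for d in ordered if s < d <= s + lookahead), None)
        pairs.append((s, match))
    return pairs


def early_warning_ratio(pairs):
    """Fraction of spikes that were followed by a CVE inside the window."""
    if not pairs:
        return 0.0
    return sum(1 for _, m in pairs if m is not None) / len(pairs)


def constructed_series(start=date(2025, 1, 1), days=120):
    """Constructed sample data, not real GreyNoise telemetry.

    A flat baseline of 20-24 events/day for one product tag, a two-day burst
    at day 40, a one-day burst at day 90, and a single CVE disclosed at day 60
    (20 days after the first burst, inside the six-week window; the second
    burst has no CVE following it).
    """
    daily = []
    for i in range(days):
        count = 20 + (i % 5)
        if i in (40, 41):
            count = 150
        elif i == 90:
            count = 120
        daily.append((start + timedelta(days=i), count))
    cve_dates = [start + timedelta(days=60)]
    return daily, cve_dates


if __name__ == "__main__":
    daily, cves = constructed_series()
    spikes = find_spikes(daily)
    pairs = spikes_followed_by_cve(spikes, cves)
    for spike_day, cve_day in pairs:
        # During the 42 days after a spike is where the report suggests
        # tightening monitoring and blocking the source IPs.
        print(f"spike {spike_day}: watch until {spike_day + LOOKAHEAD}, "
              f"CVE in window: {cve_day}")
    print(f"spikes followed by a CVE within six weeks: {early_warning_ratio(pairs):.0%}")
```

Run against real data, `daily` would be the per-day count of sessions hitting a given tag and `cve_dates` the disclosure dates for the same product; the `find_spikes` output is the list of days on which to open the monitoring and blocking window described above, and `early_warning_ratio` is how you would check whether the report's 80 percent figure holds for the products you care about.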