GreyNoise Has a Free API — Find Out If an IP Is Scanning the Internet Right Now

The Story I was reviewing server logs and found dozens of IPs probing port 22 (SSH). Before panicking, I checked them against GreyNoise. Turns out: 90% were known internet scanners (Shodan, Censys, security researchers). The remaining 10%? Actual threats. GreyNoise tells you the difference. And they have a free API. What Is GreyNoise? GreyNoise monitors internet-wide scanning activity. They know which IPs are: Benign scanners (Shodan, Censys, Shadowserver) Known botnets (Mirai variants, cryptominers) Targeted attackers (not scanning broadly) Think of it as noise cancellation for your security alerts. The API # Quick check — no API key needed! curl -s "https://api.greynoise.io/v3/community/8.8.8.8" Response: { "ip": "8.8.8.8", "noise": false, "riot": true, "classification": "benign", "name": "Google Public DNS", "link": "https://viz.greynoise.io/ip/8.8.8.8", "last_seen": "2026-03-24", "message": "Success" } riot: true = it is a well-known internet service. noise: false = it is not scann