This presentation examines 12 months of internet-scale telemetry from GreyNoise’s Global Observation Grid, encompassing more than 3.3 trillion network observations, to understand how modern adversaries discover and exploit vulnerabilities. The findings show a fundamental shift in cyber operations: adversaries now function as industrialized, automated ecosystems rather than isolated actors. Exploitation unfolds at machine speed—sometimes within minutes of disclosure—while 40% of activity continues to target vulnerabilities more than four years old, particularly in edge devices such as VPNs, firewalls, and routers.

Most notably, attacker reconnaissance consistently precedes public vulnerability disclosure. Across hundreds of high-confidence activity spikes, malicious reconnaissance predicted related CVEs days to weeks in advance, with a median lead time of 22 days. These pre-disclosure signals represent a powerful early-warning capability for defenders with internet-scale visibility. The findings underscore the need to move from reactive, indicator-driven defense toward predictive, behavior-based security models.