The Six-Week Window: New Report Finds 80% of Cyberattacks Begin Before CVE Disclosure
The GreyNoise team has uncovered a disquieting pattern: in 80% of cases, anomalous spikes in suspicious internet activity occur prior to the official disclosure of new vulnerabilities (CVEs). These are not coincidences or random fluctuations—they are recurring, statistically significant signals that point to vulnerabilities on the brink of public disclosure.
The analysis was based on a comprehensive dataset collected via GreyNoise’s Global Observation Grid beginning in September 2024. The methodology employed strict quantitative thresholds designed to eliminate manipulation or confirmation bias. From over one million signals, 216 spikes were identified after being filtered for noise, ambiguity, and low fidelity. Each was linked to one of eight vendors whose products typically reside at the edge of enterprise networks.
Remarkably, in half of the cases, a new vulnerability was disclosed within three weeks of the spike, and in 80% of instances, within six weeks. The correlation was particularly pronounced for products from Ivanti, SonicWall, Palo Alto Networks, and Fortinet. While vendors like Cisco, Citrix, and MikroTik exhibited less predictable behavior, discernible trends were nonetheless observed.
The typical behavior of attackers in such instances includes aggressive scanning, brute-force login attempts, and exploitation of long-known vulnerabilities. However, these assaults seldom aim to breach systems immediately. Rather, they serve as reconnaissance—mapping vulnerable targets for subsequent deployment of previously unknown exploits released shortly after the CVE disclosure.
GreyNoise emphasizes that most of these attacks do not rely on novel techniques. On the contrary, threat actors deliberately employ outdated exploits to assess which systems are externally accessible and how robust their defenses are. This probing lays the groundwork for launching sophisticated attacks once a new vulnerability enters public awareness.
Traditionally, defensive countermeasures are activated only after a CVE is published. GreyNoise advocates for a shift in this paradigm. If pre-disclosure activity spikes align so closely with forthcoming vulnerabilities, they can serve as an early-warning system. This affords administrators the critical opportunity to bolster monitoring, isolate high-risk nodes, and restrict access from suspect subnets. Even absent specific threat intelligence, the presence of anomalous traffic alone should prompt a defensive response.
The company also advises swift blacklisting of IP addresses involved in scanning—particularly those probing for outdated or deprecated vulnerabilities. These attacks should not be dismissed as failures; rather, they signal that a system has entered an attacker’s scope. It is only a matter of time before follow-up attempts occur.
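The early-warning workflow the two preceding paragraphs describe (watch for an anomalous spike in scans against a given edge product, treat the sources probing for old exploits during that spike as hostile, and expect a disclosure within roughly six weeks) is shown below as an added example. This is illustrative code written for this article, not GreyNoise tooling; the sensor events, the vendor tag, the probe labels, the spike thresholds (median plus five MADs over a 14-day trailing window, with at least ten hits) and the disclosure dates are all constructed assumptions, and the source addresses are RFC 5737 documentation ranges.

```python
"""Spike detection over edge-device scan telemetry, with a blocklist and a
disclosure-window check. Sample data is constructed for this example."""
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Probe labels are assumptions for this example, not a real taxonomy.
LEGACY_PROBE = "legacy-exploit"      # attempt against a long-patched bug
BRUTEFORCE_PROBE = "login-bruteforce"


def build_sample_events():
    """Constructed sensor events: (day, source_ip, vendor_tag, probe_label)."""
    events = []
    start = date(2024, 9, 1)
    # Twenty quiet days: 2-4 hits per day from a small rotating set of scanners.
    for d in range(20):
        day = start + timedelta(days=d)
        for i in range(2 + d % 3):
            events.append((day, f"192.0.2.{i + 1}", "ivanti", LEGACY_PROBE))
    # Day 20: thirty distinct sources probe an old exploit, five more brute-force logins.
    spike_day = start + timedelta(days=20)
    for i in range(30):
        events.append((spike_day, f"198.51.100.{i + 1}", "ivanti", LEGACY_PROBE))
    for i in range(5):
        events.append((spike_day, f"203.0.113.{i + 1}", "ivanti", BRUTEFORCE_PROBE))
    return events


def daily_counts(events, vendor):
    """Hits per day against one vendor tag."""
    return Counter(day for day, _ip, v, _probe in events if v == vendor)


def detect_spikes(counts, window=14, k=5.0, min_hits=10):
    """Flag days whose hit count exceeds median + k*MAD of the trailing window.

    Days with no events count as zero so gaps do not inflate the baseline.
    The median/MAD pair is robust to a few earlier spikes in the window;
    min_hits stops a jump from 0 to 3 being called an anomaly.
    """
    if not counts:
        return []
    first, last = min(counts), max(counts)
    days = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    series = [counts.get(d, 0) for d in days]
    spikes = []
    for i, day in enumerate(days):
        history = series[max(0, i - window):i]
        if len(history) < 5:          # not enough baseline yet
            continue
        med = median(history)
        mad = median([abs(x - med) for x in history]) or 1.0
        if series[i] >= min_hits and series[i] > med + k * mad:
            spikes.append(day)
    return spikes


def blocklist_for(events, vendor, spikes, legacy_only=True):
    """Sources seen against the vendor on spike days; by default only those
    probing for outdated exploits, which the report treats as reconnaissance."""
    spike_set = set(spikes)
    return sorted({
        ip for day, ip, v, probe in events
        if v == vendor and day in spike_set
        and (not legacy_only or probe == LEGACY_PROBE)
    })


def within_lead_window(spike_day, disclosure_day, max_weeks=6):
    """True if the disclosure followed the spike within max_weeks."""
    delta = disclosure_day - spike_day
    return timedelta(0) <= delta <= timedelta(weeks=max_weeks)


if __name__ == "__main__":
    evs = build_sample_events()
    found = detect_spikes(daily_counts(evs, "ivanti"))
    print("spike days:", found)
    print("legacy-probe blocklist:", blocklist_for(evs, "ivanti", found))
    # Constructed disclosure date, 29 days after the spike.
    print("inside six-week window:", within_lead_window(found[0], date(2024, 10, 20)))
```

In production the baseline would come from a sensor fleet rather than a constructed list, and the vendor tag from fingerprinting the targeted product; the point of the robust median/MAD threshold is that a handful of earlier spikes in the window do not raise the baseline enough to hide the next one.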
In parallel, Google Project Zero has revised its own disclosure protocol. The team will now share the existence of a vulnerability, the product name, date of discovery, and planned disclosure timeline—within a week of identification. This announcement omits technical specifics and poses no risk of exploit leaks but significantly shortens the window between discovery and remediation.
Ultimately, while the offensive side of cybersecurity has long employed pre-CVE reconnaissance, GreyNoise urges defenders to do the same—but in reverse. In a landscape where attacks begin before the world even knows a vulnerability exists, proactive defense is no longer a luxury—it is a necessity.