GreyNoise Has a Free API — Find Out If an IP Is Scanning the Internet Right Now

The Story I was reviewing server logs and found dozens of IPs probing port 22 (SSH). Before panicking, I checked them against GreyNoise. Turns out: 90% were known internet scanners (Shodan, Censys, security researchers). The remaining 10%? Actual threats. GreyNoise tells you the difference. And they have a free API . What Is GreyNoise? GreyNoise monitors internet-wide scanning activity. They know which IPs are: Benign scanners (Shodan, Censys, Shadowserver) Known botnets (Mirai variants, cryptominers) Targeted attackers (not scanning broadly) Think of it as noise cancellation for your security alerts. The API # Quick check — no API key needed! curl -s "https://api.greynoise.io/v3/community/8.8.8.8" Response: { "ip" : "8.8.8.8" , "noise" : false , "riot" : true , "classification" : "benign" , "name" : "Google Public DNS" , "link" : "https://viz.greynoise.io/ip/8.8.8.8" , "last_seen" : "2026-03-24" , "message" : "Success" } riot: true = it is a well-known internet service. noise: false =