DEV Community

Alex Spinov

GreyNoise Has a Free API — Find Out If an IP Is Scanning the Internet Right Now

The Story

I was reviewing server logs and found dozens of IPs probing port 22 (SSH). Before panicking, I checked them against GreyNoise. Turns out: 90% were known internet scanners (Shodan, Censys, security researchers). The remaining 10%? Actual threats.

GreyNoise tells you the difference. And they have a free API.

What Is GreyNoise?

GreyNoise monitors internet-wide scanning activity. They know which IPs are:

  • Benign scanners (Shodan, Censys, Shadowserver)
  • Known botnets (Mirai variants, cryptominers)
  • Targeted attackers (not scanning broadly)

Think of it as noise cancellation for your security alerts.

The API

# Quick check — no API key needed!
curl -s "https://api.greynoise.io/v3/community/8.8.8.8"

Response:

{
  "ip": "8.8.8.8",
  "noise": false,
  "riot": true,
  "classification": "benign",
  "name": "Google Public DNS",
  "link": "https://viz.greynoise.io/ip/8.8.8.8",
  "last_seen": "2026-03-24",
  "message": "Success"
}

riot: true means the IP belongs to a well-known internet service. noise: false means GreyNoise has not observed it scanning the internet.

Practical Example: Filter Your Security Alerts

import requests

def is_real_threat(ip):
    """Return True if the IP is classified malicious, False if it is known noise, None if unknown."""
    # Timeout so a stalled request cannot hang the alert pipeline
    r = requests.get(f"https://api.greynoise.io/v3/community/{ip}", timeout=10)
    data = r.json()

    if data.get("riot"):  # Known good service
        return False
    if data.get("noise") and data.get("classification") == "benign":
        return False  # Known scanner (Shodan etc)
    if data.get("classification") == "malicious":
        return True
    return None  # Unknown: investigate manually

# Check IPs from your fail2ban or SIEM
alert_ips = ["185.220.101.1", "8.8.8.8", "45.33.32.156"]
for ip in alert_ips:
    threat = is_real_threat(ip)
    # "is False" keeps None (unknown) separate from False (noise)
    status = "THREAT" if threat else "NOISE" if threat is False else "UNKNOWN"
    print(f"{ip}: {status}")
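An added example, not part of the original post: it stretches the 50-lookups-per-day community quota by pulling source IPs out of SSH failure lines, dropping non-public addresses, and spending lookups on the busiest sources first with a cache. The names `verdict` and `triage`, the sshd log format, and the injected `lookup` callable (any function that returns the endpoint's parsed JSON for an IP) are assumptions, and the sample log lines and responses are constructed, not real GreyNoise verdicts.

```python
import ipaddress
import re
from collections import Counter

SSH_FAIL = re.compile(r"Failed password for .* from (\S+) port \d+")

def verdict(data):
    """Map the response fields shown above to a triage label."""
    if data.get("riot"):
        return "NOISE"    # well-known service
    if data.get("noise") and data.get("classification") == "benign":
        return "NOISE"    # known benign scanner
    if data.get("classification") == "malicious":
        return "THREAT"
    return "UNKNOWN"

def triage(log_lines, lookup, budget=50, cache=None):
    """Return {ip: (failed_logins, label)}, busiest sources looked up first."""
    cache = {} if cache is None else cache
    hits = Counter()
    for ip in SSH_FAIL.findall("\n".join(log_lines)):
        try:
            if ipaddress.ip_address(ip).is_global:  # skip private/loopback/reserved
                hits[ip] += 1
        except ValueError:
            continue      # hostname or junk where the address should be
    results = {}
    for ip, count in hits.most_common():
        if ip not in cache:
            if budget <= 0:
                results[ip] = (count, "SKIPPED")  # quota spent: retry later
                continue
            budget -= 1
            cache[ip] = verdict(lookup(ip))
        results[ip] = (count, cache[ip])
    return results

# Constructed sample: these sshd lines and API responses are made up.
SAMPLE_LOG = [
    "sshd[811]: Failed password for root from 185.220.101.1 port 40022 ssh2",
    "sshd[812]: Failed password for root from 185.220.101.1 port 40023 ssh2",
    "sshd[813]: Failed password for invalid user admin from 45.33.32.156 port 51000 ssh2",
    "sshd[814]: Failed password for bob from 10.0.0.5 port 52000 ssh2",
]
SAMPLE_API = {
    "185.220.101.1": {"noise": True, "riot": False, "classification": "malicious"},
    "45.33.32.156": {"noise": True, "riot": False, "classification": "benign"},
}
print(triage(SAMPLE_LOG, SAMPLE_API.__getitem__))
```

Persisting `cache` between runs (a JSON file, for instance) keeps repeat offenders from consuming the next day's quota.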

Free Tier vs Paid

| Feature | Community (Free) | Enterprise |
|---|---|---|
| IP Lookups | 50/day | Unlimited |
| Classification | Yes | Yes |
| RIOT (known services) | Yes | Yes |
| Timeline data | No | Yes |
| GNQL queries | No | Yes |
| Tags & metadata | No | Yes |

50 lookups per day is plenty for small teams and personal servers.

The Security API Stack

Combine these free APIs to cover more of the threat-intelligence picture:

| Layer | API | What It Does |
|---|---|---|
| IP Reputation | AbuseIPDB | Crowdsourced abuse reports |
| Noise Filtering | GreyNoise | Separate scanners from attackers |
| Device Fingerprint | Shodan | What services an IP runs |
| File/URL Scan | VirusTotal | Malware detection |
| Email Breach | HIBP | Check if credentials leaked |

Full list: 200+ Free APIs


How do you handle noisy security alerts? Do you manually review every IP, or do you have an automated pipeline? Share your setup in the comments!
