Tags: vulnerability, critical, Vulnerability Scanning, Zero-day Exploitation

Apr 20, 2026 • GreyNoise Blog

The Internet Changes Before the Advisory Drops


Source: GreyNoise Blog
Category: vulnerability
Severity: critical

Executive Summary

Recent research by GreyNoise highlights a critical trend where exploitation activity surges significantly before vendors publicly disclose zero-day vulnerabilities. Analysis of 33 CVEs across 16 vendor families reveals a median lead time of 11 days between initial targeting and official advisories. Notably, a recent CVSS 10.0 Cisco zero-day exhibited eight distinct surges in targeting activity, with the window compressing from 39 days down to just 2 days prior to disclosure. This pattern indicates that threat actors are actively scanning and exploiting vulnerabilities in the wild well before patches are available, leaving organizations exposed during the critical pre-disclosure window. The severity is critical due to the maximum CVSS score involved. Mitigation requires proactive threat hunting, network segmentation, and monitoring for anomalous traffic patterns associated with known vulnerability classes, as reliance on vendor advisories alone leaves a significant gap in defense posture against zero-day exploitation campaigns targeting public-facing infrastructure.

Summary

Before Cisco disclosed a CVSS 10.0 zero-day, GreyNoise sensors had already observed eight surges of targeting activity compressing from 39 days to 2 days. A new study finds this pattern repeated across 33 CVEs and 16 vendor families — with a median lead time of 11 days.
