GreyNoise is a Washington, DC-based cybersecurity startup focused on understanding the background noise generated by the internet. Worldwide, thousands of entities – private firms, governments, independent teams, individuals – scan the internet to see what they might find, learn about, and gain access to by searching available global networks in real time. With 4.2 billion internet protocol (IP) addresses in the IPv4 space, imagine walking into neighborhoods at random, seeing which houses, cars and windows are available for entry, and you have a good sense of the internet landscape and the domain of GreyNoise.
CEO and founder Andrew Morris started the firm in 2017, but the company began several years earlier as a personal research project, technical challenge, and something big to work on. No one was evaluating all of the traffic activity holistically to provide a level of ground truth, nor was anyone reporting on it in meaningful ways. CEO Morris felt there were insights to uncover, products to be designed, and customers to serve, once he could characterize actors in the space, find data patterns, build market domain expertise, and create a beachhead product for an important customer segment.
GreyNoise absorbs unsolicited internet activity in all communication forms and builds understanding around it by IP address from the ground up. Category buckets – protocols, ports, device types, geography, hardware signatures, email addresses, blacklists, languages, codecs – all play an important role in building an actor’s profile. The firm never rejects a connection or exploitation demand and instead views any request as opportunistic.
The firm has established cloud-based servers, virtual IoT devices, and other “sensors” in major geographies that spin up and down at varying intervals. Combined with a reporting and logging infrastructure, custom database system, and a set of APIs, those with an interest can contact the firm to view, analyze, contextualize and interrogate the company’s data. Each day the firm receives 100,000 unique IP connections, with a weekly IP turnover rate of 75%.
As many know, the cybersecurity industry is focused on telling customers what the largest threats are and the steps they need to take to mitigate them. Conversely, GreyNoise is about helping customers understand what they don’t need to worry about in their efforts to keep systems secure. As CEO Morris likes to say, GreyNoise is the anti-threat intelligence company.
Key customer segments include security operations center (SOC) analysts, security researchers, and the wider community, through early attack detection announcements. While each customer group has individual needs, together all three beachhead groups share a desire for clarity and insight into where GreyNoise is identifying patterns in the anti-threat landscape.
For SOC analysts, GreyNoise saves time, effort, and money so they can focus limited resources on actual threats to the infrastructure they protect. By filtering out the noise, GreyNoise saves SOCs – such as Expel – significant effort. For security researchers, the firm’s free API provides access to an ever-growing dataset no other company is building at the same scale. Finally, for anyone interested in protecting systems and being ahead of the next broad-based attack, GreyNoise discloses what it sees developing and spreading into major internet domains.
Currently, the firm has three pricing tiers: enterprise customers pay $3,000/mo, smaller firms pay $500/mo, and a free API is available with some limits. As GreyNoise is currently five people, keeping their pricing approach simple and transparent is a priority. As the company grows, with a broader set of customers, a more sophisticated pricing model will emerge. The same will be true as they develop new lines of business and spread their cyber wings.
In March 2019 CEO Morris took the step of accepting outside capital for the first time – $600,000 – something he said he would never do back in the summer of 2018. But after hitting a wall and feeling he was not serving his customers as well as he could, Morris reconsidered the topic. His criteria were the following: ask for a small amount relative to what he could raise and keep the firm’s valuation low, retain firm control of the company, accept only financial partners who provide real value, and like and trust each person involved. In the end, he connected with several angel investors and local VC firms focused on cybersecurity investing.
His approach to transparency and cybersecurity evangelism has shaped his views on entrepreneurship in some significant ways. For example, the firm will not charge the maximum the market will bear. Instead, GreyNoise charges what it needs to in order to accomplish its goals and provide the biggest payback to its customers, while also making the firm’s datasets, broad insights and free tier services available to as wide an audience as possible. CEO Morris views GreyNoise as a company with a mandate to make its efforts and services available to everyone and expects to be an important clearing house for internet activity research in the cybersecurity space.
Their free tier is an example of this mission-based approach, but it’s opportunistic too. The company has received helpful feedback, marketing ideas, inbound sales requests, feature enhancement recommendations, and speaking invitations to highly relevant audiences through this free channel.
Based on their research, due diligence, and analysis, GreyNoise has determined about 75% of all omnidirectional Internet background noise is malicious, 2% is benign, and 23% is unknown – meaning the company doesn’t have enough analytics on the connections and IP addresses to make a clear determination of intent. However, they believe their ability to successfully label unknown actors will improve significantly this year through further data training and enhanced tools.
As a strategist, I find GreyNoise compelling because they understand how the cybersecurity industry operates and are approaching the domain from the opposite direction as the anti-threat intelligence firm. In a sea of companies telling everyone the hundreds of things they should be fearful of now and in the future, GreyNoise is sharing with key stakeholders what people should not be worried about in their daily security work. GreyNoise is building unsolicited intelligence in ways no one else is doing in the space. Other companies evaluate internet activity and traffic, but for different purposes and markets. I could not find another firm doing what GreyNoise is working on and the firm isn’t aware of anyone either.
CEO Morris is one of the most evangelistic founders I have met to date and he reminds me of some in the open source space who are deeply passionate about developing technologies that genuinely enable others. Social entrepreneurs in global growth markets share similar qualities too. So for stakeholders – customers, current and future employees, volunteer developers, financial backers – the likelihood of mission creep, selling out, or losing track of the “why” behind GreyNoise is essentially nil. There are potential risks with this approach, but they can be addressed with consistent values and transparency. GreyNoise will always be a company that shares information and insight aggressively with the broader cybersecurity community.
In CEO Morris’ view, the two biggest challenges for GreyNoise in 2019 are balancing revenue growth with expectations and values – highlighting the need for crisp execution – and developing creative ways to expand their free API, given how important it’s been during the firm’s evolution as a pipeline for ideas, feedback, customers, and brand awareness.
Finally, to put the firm’s work into context, GreyNoise argues that the total amount of money lost through alert fatigue and lost time comes close to the sums lost to security breaches each year. The Ponemon Institute’s 2018 study put the global figure at $3.86 million per breach and $148 per data record. Total breach costs globally are estimated in the trillions of dollars annually. Given the sums spent on IT and security infrastructure around the world each year, the company’s estimates are understandable. Combined with their unique approach to security and their focus on genuinely enabling everyone, GreyNoise has an opportunity to make a difference and create a sustainable and profitable company – in that order.
Like you, I look forward to seeing how GreyNoise grows over the next 12 months and beyond and getting back in touch for an update. Stay tuned.