GreyNoise Findings: What This Means for AI Security

Greg Zemlin

Late last week, GreyNoise published one of the clearest signals we have seen that AI systems are no longer just research targets. They are operational targets. Their honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026, revealing two distinct campaigns systematically mapping AI deployments at scale.

This is a meaningful inflection point. As our CTO Michael Bargury noted, this represents the first public confirmation of threat actors actively targeting AI infrastructure, and it fundamentally changes how defenders need to think about AI security.

What GreyNoise Observed

GreyNoise’s analysis uncovered two campaigns with different objectives.

Campaign 1: Forcing Servers to Phone Home

The first campaign abused server-side request forgery (SSRF) to make exposed servers open connections to attacker-controlled infrastructure, confirming that the target exists and has outbound network reach. Attackers targeted two specific vectors:

  • Ollama model pulls, supplying a model reference that points at an attacker-controlled registry so the server makes an outbound HTTP request to fetch it
  • Twilio SMS webhooks, manipulating parameters to trigger outbound connections

The campaign spiked dramatically over Christmas, generating 1,688 sessions in 48 hours. Attackers used automated tooling, likely Nuclei, and infrastructure spread across 27 countries. While GreyNoise assessed this activity as probably security researchers, the scale suggests grey-hat operations pushing boundaries.

Campaign 2: Systematic Mapping of AI Endpoints

This is the campaign that should concern every security team.

Starting December 28, 2025, attackers launched a methodical probe of more than 73 LLM model endpoints. In eleven days, they generated 80,469 sessions, systematically hunting for misconfigured proxy servers that might leak access to commercial APIs.

The attackers tested every major model family, including OpenAI, Anthropic, Meta, Google, DeepSeek, Mistral, Alibaba, and xAI. They relied on deliberately innocuous queries to fingerprint which models responded without triggering security alerts. The infrastructure behind this activity has a history of broad CVE exploitation, suggesting this enumeration feeds into a larger exploitation pipeline.

Put simply: professional threat actors are building target lists of exposed AI infrastructure.

Zenity’s Read: AI Systems Are the Target

Based on GreyNoise’s reporting, the reconnaissance activity appears to focus on AI systems and deployments that sit between applications and model providers. In practice, this includes:

  • API proxies and wrappers in front of commercial model APIs
  • Internet-exposed LLM endpoints used by internal applications
  • Code-first deployments that expose model routes for convenience or testing

This aligns with GreyNoise’s framing around misconfigured proxy servers and systematic endpoint enumeration.

The takeaway is straightforward. Attackers are inventorying exposed AI infrastructure the same way they once hunted exposed VPNs, Elasticsearch clusters, and CI servers. The difference now is that downstream impact can include access to agent workflows, credentials, and real business actions.

What Zenity Did Within Hours of the Report

Immediately following the GreyNoise findings, Zenity’s threat hunting team validated that none of our customers’ agents, where we had visibility, were directly impacted. We checked the published indicators across all customer telemetry, including:

  • IP addresses associated with the activity
  • Fingerprinting prompts such as “How many states are there in the United States?” and the “strawberry” test
  • Callback domains used for validation

Across all data, we found zero matches.

In parallel, we deployed new deterministic detections aligned to the published indicators. If an agent communicates with known campaign infrastructure or reaches known callback domains, Zenity will alert or block accordingly.

For readers who want a deeper technical breakdown of the attack activity, our analysis, and what this could signal about the evolution of AI-focused attacks, Zenity Labs has published a detailed analysis.

How Zenity Detects Recon Before an Incident

Beyond responding to known indicators, Zenity is built to surface this kind of activity early, while it still appears as low-signal probing. Zenity analyzes traffic with full identity context, correlating originating IP addresses, authentication details, and user identity. This allows security teams to identify access from suspicious or unexpected sources and generate high-confidence alerts, rather than treating reconnaissance as background network noise.

Zenity also provides visibility into the full agentic workflow, not just individual requests. This makes it possible to detect interactions with suspicious or attacker-controlled domains, including domains commonly used for out-of-band testing in SSRF and similar attacks. By alerting on these domain interactions as they occur, Zenity helps teams catch reconnaissance and early exploitation attempts before they escalate into full-scale incidents.

Why Reconnaissance Matters Even Without Exploitation

Reconnaissance is not the end state; it is the setup. The goal of enumeration is to build a target list: which endpoints respond, which expose functionality, which appear unprotected, and which can be abused later. GreyNoise stated this directly. Mapping at this scale represents investment, and investment usually implies intent to use the map.

Once an organization’s AI endpoints are identified, the next phase often looks familiar:

  • Continued reconnaissance and probing attempts
  • Credential stuffing against weakly protected endpoints
  • SSRF and egress abuse against tool-enabled systems
  • Prompt injection against agentic workflows
  • Data exfiltration
  • Data poisoning
  • Data destruction

Even if the first wave is “just scanning,” it signals that AI infrastructure is entering the same threat cycle seen for other high-value services.

What Security Teams Should Do Now

GreyNoise included defensive guidance that aligns closely with how Zenity helps teams operationalize AI security.

Treat AI systems as production infrastructure. Inventory AI proxies and API layers. Confirm authentication, logging, and rate limits. If something is internet-accessible, assume it will be found. Zenity provides this inventory automatically across SaaS, cloud, and endpoints, showing what exists, what it accesses, and how it behaves.

Lock down model pulls and outbound connectivity. If you run local model infrastructure like Ollama, restrict model pulls to trusted registries and tighten egress controls. Zenity’s runtime detection identifies when agents attempt unauthorized outbound connections or pulls from untrusted sources.

Look for behavioral indicators, not just exploit strings. GreyNoise published examples of low-noise prompts used for reconnaissance. Zenity monitors agent transcripts and tool calls for these patterns and surfaces them with context.
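The following detector is an added example written for this post, not Zenity's product logic or anything GreyNoise published. It turns the Campaign 2 behavior described above (many distinct model IDs probed from one source with innocuous prompts, including the "How many states" and "strawberry" fingerprints) into two concrete checks over LLM gateway logs. The JSON-lines log format, the exact wording of the strawberry prompt, the eight-model threshold and the ten-minute window are all assumptions; tune them to your own traffic.

```python
"""Detect model-enumeration reconnaissance in LLM gateway logs.

Added example, not code from Zenity or GreyNoise. The log format is a
constructed JSON-lines format (one record per request through an LLM proxy);
the fingerprint prompts are the two named in the post, with the strawberry
wording assumed; thresholds are assumptions to tune.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta


def normalize(prompt: str) -> str:
    """Lowercase, drop apostrophes and punctuation, collapse whitespace, so
    "How many R's are in 'strawberry'?" and "how many rs in strawberry" match."""
    text = prompt.lower().replace("'", "").replace("\u2019", "")
    return re.sub(r"[^a-z0-9]+", " ", text).strip()


# Low-noise prompts used to see whether a model answers at all.
FINGERPRINT_PROMPTS = {normalize(p) for p in (
    "How many states are there in the United States?",   # from the post
    "How many r's are in strawberry?",                     # assumed wording
    "How many r's are in the word strawberry?",            # assumed variant
)}

DISTINCT_MODEL_THRESHOLD = 8         # assumption: 8+ model IDs from one source...
WINDOW = timedelta(minutes=10)       # ...inside 10 minutes is enumeration, not use


def is_fingerprint(prompt: str) -> bool:
    return normalize(prompt) in FINGERPRINT_PROMPTS


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_enumeration(records: list[dict]) -> list[tuple]:
    """Return (src_ip, reason, detail) findings.

    Failed requests (401/404) are counted too: the reconnaissance signal is the
    breadth of model IDs tried, not whether any single request succeeded.
    """
    findings = []
    by_src = defaultdict(list)
    for r in records:
        if is_fingerprint(r.get("prompt", "")):
            findings.append((r["src_ip"], "fingerprint_prompt", r["prompt"]))
        by_src[r["src_ip"]].append((datetime.fromisoformat(r["ts"]), r["model"]))
    for src, events in by_src.items():
        events.sort()
        # Sliding window: distinct models from each event until ts + WINDOW.
        for i, (t0, _) in enumerate(events):
            models = {m for t, m in events[i:] if t - t0 <= WINDOW}
            if len(models) >= DISTINCT_MODEL_THRESHOLD:
                findings.append((src, "model_enumeration", sorted(models)))
                break
    return findings


# Constructed sample: one prober cycling through model families with throwaway
# prompts, and one ordinary user. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_LOG = """\
{"ts": "2025-12-29T03:10:00", "src_ip": "203.0.113.7", "model": "gpt-4o", "prompt": "How many states are there in the United States?", "status": 200}
{"ts": "2025-12-29T03:10:04", "src_ip": "203.0.113.7", "model": "claude-3-5-sonnet", "prompt": "How many R's are in 'strawberry'?", "status": 200}
{"ts": "2025-12-29T03:10:09", "src_ip": "203.0.113.7", "model": "llama-3.1-70b", "prompt": "hi", "status": 404}
{"ts": "2025-12-29T03:10:13", "src_ip": "203.0.113.7", "model": "gemini-1.5-pro", "prompt": "hi", "status": 200}
{"ts": "2025-12-29T03:10:18", "src_ip": "203.0.113.7", "model": "deepseek-chat", "prompt": "hi", "status": 401}
{"ts": "2025-12-29T03:10:22", "src_ip": "203.0.113.7", "model": "mistral-large", "prompt": "hi", "status": 200}
{"ts": "2025-12-29T03:10:27", "src_ip": "203.0.113.7", "model": "qwen-2.5-72b", "prompt": "hi", "status": 200}
{"ts": "2025-12-29T03:10:31", "src_ip": "203.0.113.7", "model": "grok-2", "prompt": "hi", "status": 404}
{"ts": "2025-12-29T03:12:00", "src_ip": "198.51.100.5", "model": "gpt-4o", "prompt": "Summarize the attached incident report for the weekly review.", "status": 200}
{"ts": "2025-12-29T03:40:00", "src_ip": "198.51.100.5", "model": "claude-3-5-sonnet", "prompt": "Draft a reply to the vendor about the renewal.", "status": 200}
"""

if __name__ == "__main__":
    for finding in detect_enumeration(parse_log(SAMPLE_LOG)):
        print(finding)
```

The model-count check is what catches a prober who never sends a known fingerprint string; the prompt match is what catches a prober who spaces requests out past the window. Run both, and key the alert on the source identity (IP plus whatever authentication the gateway saw) rather than on any single request.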

Block known callback domains. GreyNoise identified widespread use of out-of-band application security testing (OAST) domains for validation. Zenity flags resolution of these domains in real time as part of its runtime monitoring.
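As an added example for the two preceding recommendations (and for the Ollama pull vector in Campaign 1), here is a checker for the control plane side: it flags Ollama /api/pull requests whose model reference names a registry outside an allowlist or sets the insecure flag, and flags egress or DNS lookups to OAST provider domains. This is illustrative code written for this post, not Zenity's detections or GreyNoise's indicator list. The request and DNS records are constructed, the allowlist is an assumption, and the OAST suffix list is a starting point taken from public interactsh and Burp Collaborator defaults; GreyNoise's own published callback domains belong in that list too.

```python
"""Flag Ollama pulls to untrusted registries and egress to OAST callback domains.

Added example, not Zenity's or GreyNoise's code. Ollama model references are
[host/][namespace/]name[:tag]; a leading component with a dot or port is a
registry host, otherwise the default registry is used. The /api/pull body
field "insecure" permits plaintext HTTP to that registry. The allowlist and
sample records below are assumptions/constructed data.
"""

DEFAULT_REGISTRY = "registry.ollama.ai"
ALLOWED_REGISTRIES = {DEFAULT_REGISTRY}      # assumption: add your internal mirror

# Starting point only: public interactsh and Burp Collaborator domains. Extend
# with the callback domains published in the GreyNoise report.
OAST_SUFFIXES = (
    "interact.sh", "oast.fun", "oast.live", "oast.me", "oast.pro", "oast.site",
    "oast.online", "oastify.com", "burpcollaborator.net",
)


def registry_of(model_ref: str) -> str:
    """Return the registry host an Ollama pull would contact for model_ref."""
    ref = model_ref.strip()
    for scheme in ("http://", "https://"):       # defensive: strip a pasted scheme
        if ref.lower().startswith(scheme):
            ref = ref[len(scheme):]
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return DEFAULT_REGISTRY


def is_oast(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in OAST_SUFFIXES)


def check_pull(request: dict) -> list[str]:
    """Reasons a /api/pull request is suspicious; empty list means clean."""
    reasons = []
    body = request.get("body", {})
    ref = body.get("model") or body.get("name", "")
    reg = registry_of(ref)
    if reg not in ALLOWED_REGISTRIES:
        reasons.append(f"pull from non-allowlisted registry {reg}")
    if is_oast(reg):
        reasons.append("registry host is an OAST callback domain")
    if body.get("insecure"):
        reasons.append("insecure=true allows plaintext HTTP to the registry")
    return reasons


def scan_egress(records: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (client, hostname) pairs that resolved or connected to an OAST domain."""
    return [(src, host) for src, host in records if is_oast(host)]


# Constructed samples. 203.0.113.0/24 is a documentation range; 10.0.0.0/8 is
# standing in for internal hosts; ".example" is a reserved TLD.
SAMPLE_PULLS = [
    {"src_ip": "203.0.113.9", "path": "/api/pull",
     "body": {"model": "llama3.1:8b"}},
    {"src_ip": "203.0.113.9", "path": "/api/pull",
     "body": {"model": "cxyz.oast.fun/probe/llama:latest", "insecure": True}},
    {"src_ip": "10.0.0.4", "path": "/api/pull",
     "body": {"model": "mirror.corp.example/library/phi3"}},
]
SAMPLE_DNS = [
    ("10.0.0.12", "registry.ollama.ai"),
    ("10.0.0.12", "abc123.oastify.com"),
    ("10.0.0.13", "api.openai.com"),
]

if __name__ == "__main__":
    for req in SAMPLE_PULLS:
        print(req["src_ip"], req["body"].get("model"), check_pull(req) or "clean")
    print(scan_egress(SAMPLE_DNS))
```

The third sample pull shows the operational point: a legitimate internal mirror trips the allowlist check until it is added, which is the moment to record which registries are actually sanctioned. Detection on logs is the fallback; the durable control is an egress policy that only permits the allowlisted registry hosts from model servers in the first place.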

Above all, assume AI adoption will outpace manual governance. When AI systems scale faster than teams can track them, a security solution that maps agents, manages their attack surface (AI security posture management, AISPM) and monitors their behavior at runtime (AI detection and response, AIDR) needs to be in place.

How Zenity Helps Teams Stay Ahead

Chris Hughes, VP of Security and Strategy at Zenity, put it plainly:

“While this marks the first public confirmation of attackers targeting AI systems, it certainly won't be the last, as the information they gained, along with others to follow, will be used in malicious activities against organizations. This makes it critical for security teams and leaders to understand what AI systems, including agents, are in place, where they're exposed or vulnerable and be in a position to respond accordingly.

Zenity gives security teams this capability by providing unified visibility into every AI agent across SaaS, cloud, and endpoints. They can see what exists, what it accesses, and how it behaves. Security teams can enforce policy and stop risky actions before they execute. As attackers build target lists of exposed AI infrastructure, the real question is whether organizations can see and secure their agents before someone else finds them first.”

GreyNoise’s report is an alarm that we all knew was coming. It shows what early targeting looks like and how attackers are approaching AI systems today.

Zenity will continue turning signals like these into detection coverage, threat hunts, and practical controls customers can use. If you want to validate your exposure, confirm coverage, or understand what your AI footprint looks like today, connect with our team.
