NISHAWN Smagh, Director of Intelligence at GreyNoise, argues that AI should be trained with a broader view of threat sources, not just past actors. According to GreyNoise's 2026 State of the Edge report, 52% of remote code execution exploitation traffic originated from IPs that had not appeared in common threat feeds, 38% of authentication bypass attempts involved previously unseen IPs, and for basic reconnaissance, 29% of IPs had no scanning history.
A key pattern is that the more severe the activity, the more likely it is to involve new infrastructure, with attackers using fresh cloud instances, short‑lived VPSs, and residential proxies to avoid reusable IP history. The article notes a timing gap: edge-related spikes detected in September 2024 were followed by new CVE disclosures within three to six weeks in many cases, suggesting attacker intent can surface before formal vulnerability disclosures.
It concludes that defence should incorporate pre‑exploitation telemetry alongside post‑compromise data to shift AI detection closer to reconnaissance and early attack signals.