The Core Problem: Recognizing Impact Instead of Intent
Artificial intelligence has become the backbone of modern security operations. Detection models are routinely trained on labeled breach logs, malware samples, threat intelligence feeds, and post-incident investigations — datasets that deliver validated ground truth and make reliable classification possible. But according to Nishawn Smagh, Director of Intelligence at GreyNoise, these sources share a critical structural flaw: they only reflect attacker behavior after malicious activity has already been confirmed.
That gap raises a pointed question for every security team relying on AI-driven detection: are we training models to recognize impact, or are we training them to recognize intent? The distinction matters enormously, and the answer is visible in the IP-level patterns that accompany high-severity exploitation.
The Fresh Infrastructure Problem
Internet-scale telemetry collected by GreyNoise paints a concerning picture about the infrastructure adversaries use to carry out their most damaging operations. According to the company's 2026 State of the Edge report, a striking portion of high-impact exploitation originates from addresses that have never appeared in any common threat feed:
- 52% of remote code execution (RCE) exploitation traffic originated from IPs with no prior history in common threat feeds.
- 38% of authentication bypass attempts involved previously unseen IP addresses.
- For lower-severity reconnaissance activity, such as information disclosure probing, the share of IPs with no scanning history fell to 29%.
The pattern is unmistakable: the more severe the attack behavior, the more likely the adversary is to use brand-new infrastructure. Threat actors appear acutely aware of how reputation-based systems operate, and they are deliberately countering them by spinning up new cloud instances, short-lived virtual private server (VPS) environments, and residential proxy networks that carry no reusable IP history.
Reputation-based defenses retain value, but they are inherently retrospective. When AI models heavily weight historical indicators and post-compromise artifacts, they risk inheriting precisely the same temporal lag that makes those approaches limited in the first place. Infrastructure novelty — particularly when paired with high-impact behavior — is itself becoming a meaningful risk signal.
Attacker Activity Precedes Vulnerability Disclosure
The timing problem may begin even earlier than most defensive workflows assume. GreyNoise analyzed edge-related activity starting in September 2024 and, after applying strict anomaly thresholds, identified 216 statistically significant spike events. When those spikes were cross-referenced against subsequent CVE disclosures affecting the same technologies, the results were striking:
- 50% of spikes were followed by a new CVE disclosure within three weeks.
- 80% were followed by a new disclosure within six weeks.
This pattern held across eight enterprise-focused, edge-facing systems, including VPNs, routers, firewalls, and internet-facing management platforms. While correlation does not prove causation, the recurring temporal relationship strongly suggests that attacker intent can surface in observable telemetry before formal vulnerability disclosure takes place. Most spike activity involved exploit attempts against previously known vulnerabilities, consistent with adversaries inventorying exposed systems or stress-testing exploit paths ahead of a coordinated campaign.
Why Edge Systems Demand Special Attention
Edge-facing systems have become strategic access points, and large language model (LLM) inference servers represent an especially acute version of the problem. A compromised inference endpoint is not merely a foothold — it is a position from which adversaries can manipulate model outputs, exfiltrate training data, or pivot to internal systems that query it. Reconnaissance targeting inference ports is already underway, making this one of the most sensitive and under-defended attack surfaces in the modern enterprise.
This concern is not limited to AI infrastructure. CrowdStrike's 2026 Global Threat Report reinforces the emphasis adversaries place on edge devices, noting that nation-state and ransomware operators have targeted network perimeter devices as strategic entry points. China-nexus actors, the report highlights, favor edge exploitation specifically because it provides immediate access while limiting defender visibility.
The result is a structural asymmetry. Adversaries exploit the edge precisely because visibility there is constrained. At the perimeter, defenders can observe probing, exploit attempts, and infrastructure rotation — signals that may not map to a confirmed compromise but frequently precede one. Yet most AI detection systems are trained on artifacts that appear only after edge access has already succeeded.
The Visibility Gap Becomes a Training Gap
Detecting the 216 spike events that GreyNoise identified required internet-scale baselining. A single enterprise organization might observe exploit attempts against its own systems, but it has no practical way to determine whether that activity represents routine background noise or a coordinated global deviation from baseline. Limited visibility at the organizational level translates directly into limited training data — and ultimately into AI models that are blind to early-stage coordinated behavior.
Post-incident artifacts remain essential. They provide reliable labels and serve as anchors for supervised detection systems. But when training datasets emphasize confirmed compromises and post-disclosure exploitation while excluding pre-exploitation behavioral telemetry, the resulting models are structurally skewed toward reactive signals.
Two Measurable Opportunities for AI Teams
Smagh's analysis points toward two concrete, data-supported opportunities for organizations looking to shift AI detection earlier in the attack life cycle:
- Infrastructure novelty as a risk signal: There is a measurable association between first-seen IP addresses and higher-impact exploitation categories, suggesting that novel infrastructure deserves elevated scrutiny regardless of whether a specific threat is confirmed.
- Behavioral spikes as pre-disclosure indicators: The recurring relationship between anomalous scanning spikes and subsequent CVE disclosures in edge technologies means that behavioral anomalies can serve as early warning signals before formal vulnerability advisories are published.
Incorporating features such as first-seen IP timing, anomaly-detection outputs, infrastructure churn rates, and pre-disclosure spike behavior into AI training pipelines could meaningfully shift detection closer to attacker reconnaissance — rather than to attacker success.
Shifting the Training Window Without Abandoning Validated Data
The recommendation is not to discard confirmed compromise data. Post-incident artifacts provide indispensable ground truth that no pre-exploitation signal can fully replace. The goal is to expand the signal set — to incorporate internet-scale pre-exploitation telemetry alongside traditional post-compromise labels, rather than relying exclusively on the latter.
As infrastructure rotation accelerates and edge systems remain high-value targets for both nation-state actors and ransomware operators, defensive advantage will increasingly depend on how effectively AI integrates both types of data. Organizations that close the timing gap between attacker reconnaissance and defensive awareness move from reacting to breaches toward recognizing coordinated malicious behavior before a breach occurs at all.
The signals exist. They are measurable. The question is whether defenders will train their models to see them.
Source: Dark Reading