Miles Jamison 
GreyNoise Intelligence has released a report indicating that artificial intelligence models in cybersecurity may be trained too late in the attack cycle, limiting their ability to detect emerging threats, Nishawn Smagh, director of intelligence at GreyNoise, said in a column Dark Reading published Wednesday.
What Is the Limitation in Current AI Training?
According to Smagh, detection systems are commonly built using validated data such as breach logs, malware samples, threat feeds and incident reports. However, these sources capture attacker activity only after malicious actions have been confirmed.
As a result, models often rely on historical indicators tied to known threats. GreyNoise’s “2026 State of the Edge” report shows that 52% of remote code execution exploitation traffic originated from IP addresses not previously flagged, while 38% of authentication bypass attempts came from unfamiliar infrastructure. For reconnaissance activity, the figure dropped to 29%. The data suggests adversaries are deploying new cloud instances to bypass reputation-based detection.
How Do Attacker Patterns Develop?
GreyNoise found that unusual activity targeting edge systems may appear well before vulnerabilities are publicly disclosed. Analyzing data from September 2024, the firm identified 216 significant spikes, with 50% followed by a related common vulnerabilities and exposures, or CVE, disclosure within three weeks and 80% within six weeks. While this pattern across systems such as VPNs, routers and firewalls does not prove causation, it suggests attackers may act on emerging weaknesses before they are formally reported.
Why Is the Edge Critical?
Edge systems, including large language model inference servers, are becoming strategic entry points. Reconnaissance against inference ports has already been observed, raising concerns that defenders are relying on outdated detection logic. CrowdStrike’s “2026 Global Threat Report“ also found that nation-state and ransomware operators favor edge exploitation due to limited visibility.
GreyNoise concluded that incorporating earlier signals, such as first-seen IP timing and anomaly-detection outputs, could help AI models detect attacker reconnaissance before compromise.
