7 benefits of a GreyNoise paid plan

(And when you should stick with our free version)

Giving back to the cyber security community will always be a key part of the GreyNoise mission, so our free plan isn’t going anywhere. 

But there are a lot of benefits to a paid plan that may not be immediately obvious (benefits other than subsidizing Andrew’s tweets). Let’s dig into the top 7 reasons you should upgrade, and when a paid plan might not be a good fit for you. 

Increased Search limits

The most obvious reason for a user to upgrade from free to paid is the expanded Search limits. Search is at the core of our product, it’s the first thing users see when they land on our visualizer and the primary way most users interact with GreyNoise. Asking GreyNoise for data on an IP, a CVE, a tag, or a trend all counts as a Search. 

The Free limits are designed for hobbyists, independent users, or for someone who is just starting to explore the GreyNoise ecosystem. They aren’t high enough to tap into automation or large scale data enrichment. So if you’re a team who wants to save time by throwing out all the hay to get to the needles faster, a paid plan will give you the volume you need. 

Increased limits on alerts and dynamic blocklists

In addition to Search, all paid customers get increased limits for alerts and dynamic blocklists - the other two features that make up the core of the GreyNoise product. 

Alerts let you configure an email notification that will trigger anytime the response to a GreyNoise Query Language (GNQL) query changes. Use them to identify compromised devices on your network (or a vendor or third party supplier’s network), or get a heads up when attackers start exploiting a vulnerability in the wild. 

Dynamic blocklists give you a full list of IPs associated with a GreyNoise tag. The list is updated hourly, and can be plugged directly into your next gen firewall to keep your perimeter safe. When the next Log4j happens, you can use a dynamic blocklist to buy your team needed time to patch. 

A more robust API with full IP context

The Community API has 1 endpoint, it takes an IP and returns a simple response with some basic information about that IP. Is the IP in the GreyNoise Noise or RIOT datasets? What is its classification? And a link to the visualizer.

For some teams this is enough. But for teams that are stretched thin and need comprehensive answers fast, rely on automation to make their lives easier, or want to run more complex queries (like pulling back a list of IPs tagged with a specific CVE) access to our Enterprise API is a must. 

Our Enterprise API has 16 endpoints. Enterprise API users can: 

  • Get abbreviated IP info or full context (on up to 1,000 IPs in a single request)
  • Run full GNQL queries 
  • Get tag metadata
  • Check an IP against our RIOT dataset (a list of IPs known to be associated with common vendors)
  • Access our IP Similarity endpoints 
  • Access our IP Timeline endpoints

A full list of our Enterprise API endpoints

An example of a full context response, the response for this IP is 132 lines and includes full metadata, ports scanned, web paths and user agents, and fingerprints.

More integrations, and expanded integration options

We have 31 integrations that support using a Community API key. But these integrations are limited by what the Community API can return, so if you need full context on the IP (which most users do) you'll have to click into the Visualizer to get a full picture.

Full integrations and integration with some of the most popular security tools like Splunk, QRadar, LogStash, and Recorded Future are available to paid customers. You’ll also want the higher Search limits that come with our paid plans to maximize our integrations and automate more of your work.

For a full list of integrations check out the GreyNoise docs.

Exclusive paid features

While limited access to the core GreyNoise features will always be available to free users, there are a handful of features that are only available to Paid customers, with more being added this year. These features can be used for enhanced enrichment, threat hunting, and protecting your perimeter from mass exploitation. 

Premium data fields

Premium data fields like our IP Destination fields tell users even more about what an IP is doing on the internet, and open up new Search queries. IP Destination specifically tells users which countries our sensors observed an IP scanning, and let users narrow down their searches to geo-targeted traffic. All paid plans come with IP Destination. 

Export

Getting data out of the visualizer (or accessing full context in the API) is restricted to paying customers. You can export GNQL search results or analysis results to a CSV or JSON file. 

IP Timeline

IP Timeline lets security analysts and threat hunters look back at an IP’s behavior over time. Answer the question, “what was this IP doing 7 days ago?” Useful if you find an IP in your logs and want to know what it was doing the day it hit your system. 

Use our IP Timeline feature to understand how an IP’s behavior changes over time. 

IP Similarity

IP Similarity helps users identify potential actors and infrastructure associated with an IP you’re investigating. All users can see how many IPs GreyNoise has identified as similar to a given IP, but only paying customers can access the list of similar IPs and a breakdown of the factors that determine similarity. 

Use our IP Similarity feature to identify potential actors or infrastructure amongst internet scan data.

Feeds

Feeds are a useful way to enrich your existing data without blowing up your Search limit, or to narrow down a search into a big dataset. 

Enterprise support

Paying customers get direct access to our Customer Success team who have a deep knowledge of the GreyNoise product, integrations, and customer use cases. While we will always do our best to support all of our users, our Customer Success team goes above and beyond for our customers with onboarding, training sessions, and quarterly check-ins.

Convenience

One of the most important benefits of a paid plan is convenience, and our best customers get this. You’re strapped for time. You’re trying to keep up with changing tactics from the bad guys, training and hiring good analysts, and the latest demands from the rest of your org. Any time you can save has real value. 

GreyNoise has proven time and time again that we save our paying customers time, and generate a pretty significant ROI

Upgrade to a paid plan if…

There’s a lot of value unlocked when you move from a Free GreyNoise account to one of our paid plans. You probably want to upgrade if you fit into one or more of these buckets.

  • You have a mid-size or large team heavily leveraging the visualizer for manual alert triage 
  • You want to build automations or enrichments leveraging GreyNoise data into your workflows
  • You’re using Splunk, QRadar, Panther or one of the other tools supported by our paid integrations
  • You want an easy way to monitor large blocks of IP space for malicious behavior
  • You want to block IPs scanning for emerging threats from touching your perimeter entirely
  • You are doing advanced threat hunting 
  • You want to leverage GreyNoise data in your product or service
  • You need enterprise support
  • You value saving your analysts time anywhere you can

A GreyNoise paid plan isn’t necessary for everyone, we get that. Don’t worry about a paid plan right now if you fit into one of these buckets:

Your team has a manageable number of alerts

Look, if you’re a team of 1 or 2 analysts, and you can easily handle all of the perimeter-related alerts in your SIEM then you’re probably not going to get a ton of benefit from a GreyNoise subscription right now. You can always create a free account, and use it as needed when you have questions about a strange IP or hot, new CVE. 

You outsource your security program

If most or all of your security program is managed by MSSP/MDR partners, they can leverage GreyNoise on your behalf to provide you a better service more cost-efficiently. Some of our rockstar MSSP/MDR partners include:

You’re a student, academic, or independent researcher

If you’re a student, academic, or an independent researcher using GreyNoise for non-commercial purposes then you may actually qualify for our VIP program. VIP users get access to all of the same features and benefits as paying customers, at no cost. 

Check out our pricing to learn more

In the end it’s up to you. GreyNoise isn’t going to be a good fit for everyone, and that’s okay. You can always use GreyNoise for free, and reach out later when your security team has grown. But if these benefits resonated with you, then consider reaching out to our sales team. They’re here to help, not be pushy, and know a ton about GreyNoise. 

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account