GreyNoise Compromised Asset Detection identifies when internal systems on a network are compromised by monitoring outbound traffic patterns. The product detects when devices contact GreyNoise's global sensor network or communicate with known malicious IP addresses, both indicators of potential compromise. The system operates by analyzing outbound connections from network edge devices. When compromised devices behave like attacker infrastructure, they often probe external sensors or interact with malicious IPs. GreyNoise captures these behaviors to alert defenders. The product provides visibility into abnormal outbound traffic patterns and helps establish timelines of when compromised devices began scanning or exploitation activities. It includes query-based dynamic blocklists that prevent devices from establishing outbound communications with malicious IP addresses. The platform enriches IP address data with metadata including geolocation, organization ownership, reverse DNS information, VPN and Tor identification, and destination country targeting. It classifies IPs by intention (benign, malicious, suspicious, or unknown) and provides CVE associations for tagged behaviors. GreyNoise maintains a sensor network that detects mass scanning and automated attack traffic. The system tracks IP addresses engaging in reconnaissance, exploitation attempts, and botnet activities across the internet.