Psychic

Psychic is a high-performance bitmask implementation, which is really just a fancy term for a data structure. Psychic reads from our bulk data files and crunches the data into tiny files that can be loaded in memory for super duper fast lookups, probably in SIEM integrations or maybe in network appliances at line-rate. Psychic currently benchmarks at 400,000 lookups per second. The heavy lifting in Psychic is done by implementing a handful of "rolling" Roaring bitmaps. Psychic also supports downloading bitmaps in MMDB format, but this causes the file to be 2x-3x larger.
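A simplified picture of how a Roaring-style bitmap answers "has this IPv4 address been seen?", as an added example that is not Psychic's code and does not reflect its file format. The class and function names are hypothetical, the three 1.0.x.x addresses are sample IPs from this page, and the dense 10.0.0.0 block is constructed to trigger the array-to-bitmap conversion.

```python
import ipaddress
from bisect import bisect_left

ARRAY_LIMIT = 4096  # Roaring keeps up to 4096 values in a sorted array container

class RoaringIPv4Set:
    """Simplified Roaring-style IPv4 set; an illustration, not Psychic's file format."""

    def __init__(self):
        self.containers = {}  # high 16 bits of the address -> list or bytearray

    @staticmethod
    def _split(ip):
        value = int(ipaddress.IPv4Address(ip))  # rejects malformed input
        return value >> 16, value & 0xFFFF

    def add(self, ip):
        high, low = self._split(ip)
        c = self.containers.setdefault(high, [])
        if isinstance(c, bytearray):
            c[low >> 3] |= 1 << (low & 7)
            return
        i = bisect_left(c, low)
        if i == len(c) or c[i] != low:
            c.insert(i, low)
        if len(c) > ARRAY_LIMIT:  # dense /16: switch to a 65,536-bit bitmap (8 KiB)
            bits = bytearray(8192)
            for v in c:
                bits[v >> 3] |= 1 << (v & 7)
            self.containers[high] = bits

    def __contains__(self, ip):
        high, low = self._split(ip)
        c = self.containers.get(high)
        if c is None:
            return False
        if isinstance(c, bytearray):
            return bool(c[low >> 3] & (1 << (low & 7)))
        i = bisect_left(c, low)
        return i < len(c) and c[i] == low

def build_demo():
    s = RoaringIPv4Set()
    for ip in ("1.0.138.92", "1.0.153.159", "1.0.155.10"):  # sample IPs from this page
        s.add(ip)
    base = int(ipaddress.IPv4Address("10.0.0.0"))  # constructed dense block
    for offset in range(5000):
        s.add(base + offset)
    return s
```

Sparse /16 prefixes cost two bytes per address, while a dense one is capped at 8 KiB, which is why membership data for millions of addresses stays small enough to hold in memory.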

Psychic supports 3 different models:

Model #1 - IPs and dates.

{"ip":"1.0.138.92","seen":true}
{"ip":"1.0.153.159","seen":true}
{"ip":"1.0.155.10","seen":true}

Model #2 - IPs, dates, three-way-handshakes (y/n), and classifications.

{"3wh_completed":true,"classification":"malicious","ip":"1.0.138.92","seen":true}
{"3wh_completed":false,"classification":"malicious","ip":"1.0.153.159","seen":true}
{"3wh_completed":true,"classification":"malicious","ip":"1.0.155.10","seen":true}

Model #3 - IPs, dates, three-way-handshakes (y/n), classifications, actor, tags, and CVEs.

{"3wh_completed":true,"actor":"unknown","classification":"malicious","cves":["CVE-2021-27144","CVE-2021-27145","CVE-2021-27146","CVE-2021-27148","CVE-2021-27149","CVE-2021-27150","CVE-2021-27151","CVE-2021-27152","CVE-2021-27153","CVE-2021-27154","CVE-2021-27155","CVE-2021-27158","CVE-2021-27159","CVE-2021-27162","CVE-2021-27163","CVE-2021-27164","CVE-2021-27165","CVE-2021-27166","CVE-2021-27168","CVE-2021-27169","CVE-2021-27172","CVE-2019-8950"],"date":"2025-08-04","ip":"1.0.138.92","seen":true,"tags":["Mirai TCP Scanner","Mirai","Telnet Login Attempt","Telnet Bruteforcer","Generic IoT Default Password Attempt","SMBv1 Crawler","D-Link Hardcoded Telnet Attempt","VStarcam C7824WIP Hardcoded Telnet Attempt","FiberHome Telnet Backdoor","Actiontec C1000A Telnet Backdoor","Dasan H665 Backdoor Attempt","WannaCry Variant SMB Connection Attempt","SSH Connection Attempt"]}
{"3wh_completed":true,"actor":"unknown","classification":"malicious","cves":[],"date":"2025-08-04","ip":"1.0.153.159","seen":true,"tags":["Mirai TCP Scanner","Telnet Login Attempt","Telnet Bruteforcer","Mirai","Generic IoT Default Password Attempt"]}
{"3wh_completed":true,"actor":"unknown","classification":"malicious","cves":["CVE-2021-27144","CVE-2021-27145","CVE-2021-27146","CVE-2021-27148","CVE-2021-27149","CVE-2021-27150","CVE-2021-27151","CVE-2021-27152","CVE-2021-27153","CVE-2021-27154","CVE-2021-27155","CVE-2021-27158","CVE-2021-27159","CVE-2021-27162","CVE-2021-27163","CVE-2021-27164","CVE-2021-27165","CVE-2021-27166","CVE-2021-27168","CVE-2021-27169","CVE-2021-27172"],"date":"2025-08-04","ip":"1.0.155.10","seen":true,"tags":["Mirai TCP Scanner","Telnet Login Attempt","Telnet Bruteforcer","Mirai","Generic IoT Default Password Attempt","FiberHome Telnet Backdoor"]}

Bitmaps can be downloaded from this REST API with the following syntax, where date syntax is YYYY-MM-DD and model ID is 1, 2, or 3:

Download a single day's bitmap - GET - https://psychic.labs.greynoise.io/v1/psychic/download/{date}/{model_number}
Download a date range's bitmap - GET - https://psychic.labs.greynoise.io/v1/psychic/generate/{start_date}/{end_date}/{model_number}

Curl Examples

# Download a single day's bitmap for model 1
curl -H "key: your_greynoise_key_here" \
  https://psychic.labs.greynoise.io/v1/psychic/download/2025-08-04/1 \
  -o model1-2025-08-04.bin
# Download a single day's bitmap for model 3
curl -H "key: your_greynoise_key_here" \
  https://psychic.labs.greynoise.io/v1/psychic/download/2025-08-04/3 \
  -o model3-2025-08-04.bin
# Generate a date range bitmap for 30 days (model 3)
curl -H "key: your_greynoise_key_here" \
  https://psychic.labs.greynoise.io/v1/psychic/generate/2025-07-01/2025-08-01/3 \
  -o m3-30-days.bin

Download in MMDB (MaxMind) Format

# Download a single day's MMDB for model 1
curl -H "key: your_greynoise_key_here" \
  https://psychic.labs.greynoise.io/v1/psychic/download/2025-08-04/1/mmdb \
  -o model1-2025-08-04.mmdb
# Download a single day's MMDB for model 3
curl -H "key: your_greynoise_key_here" \
  https://psychic.labs.greynoise.io/v1/psychic/download/2025-08-04/3/mmdb \
  -o model3-2025-08-04.mmdb
# Generate a date range MMDB for 30 days (model 3)
curl -H "key: your_greynoise_key_here" \
  https://psychic.labs.greynoise.io/v1/psychic/generate/2025-07-01/2025-08-01/3/mmdb \
  -o m3-30-days.mmdb

Psychic bitmask files are teeny tiny. GreyNoise bulk data is ~40 gigabytes per day uncompressed. Psychic data files lose a few fields, but they are about 1/10,000 of this size:

A single day of GreyNoise data for model #1 is less than one megabyte.

A single day of GreyNoise data for model #2 is ~1 MB.

A single day of GreyNoise data for model #3 is generally a few megabytes (2-3 MB).

You can generate multi-day Psychic bitmasks covering, for example, 30 days of GreyNoise data plus tags, CVEs, classifications, etc. The file will download in ~3 minutes and probably end up less than 80 MB.

$ time curl -H "key: $GN" https://psychic.labs.greynoise.io/v1/psychic/generate/2025-07-01/2025-08-01/3 > m3-30-days.bin

real    2m55.269s
user    0m0.891s
sys     0m1.102s
$ 
{"3wh_completed":true,"actor":"unknown","classification":"suspicious","cves":[],"date":"2025-07-03","ip":"157.65.32.23","seen":true,"tags":["SMBv1 Crawler"]}
{"3wh_completed":false,"actor":"unknown","classification":"unknown","cves":[],"date":"2025-08-01","ip":"47.237.73.156","seen":true,"tags":[]}
{"3wh_completed":false,"actor":"unknown","classification":"unknown","cves":[],"date":"2025-07-23","ip":"176.84.93.91","seen":true,"tags":[]}
{"3wh_completed":true,"actor":"unknown","classification":"unknown","cves":[],"date":"2025-07-20","ip":"103.129.238.251","seen":true,"tags":[]}
{"3wh_completed":true,"actor":"unknown","classification":"malicious","cves":[],"date":"2025-07-26","ip":"189.164.104.56","seen":true,"tags":["Telnet Login Attempt","Telnet Bruteforcer","Generic IoT Default Password Attempt","VStarcam C7824WIP Hardcoded Telnet Attempt"]}
{"3wh_completed":true,"actor":"unknown","classification":"unknown","cves":[],"date":"2025-07-20","ip":"200.68.170.134","seen":true,"tags":[]}
{"3wh_completed":true,"actor":"unknown","classification":"suspicious","cves":[],"date":"2025-07-13","ip":"92.119.59.188","seen":true,"tags":["Go HTTP Client","Web Crawler","Psiphon Tunnel Traffic"]}
{"3wh_completed":true,"actor":"unknown","classification":"suspicious","cves":[],"date":"2025-07-06","ip":"167.71.163.101","seen":true,"tags":["Carries HTTP Referer","Web Crawler","TLS/SSL Crawler","Favicon Scanner"]}
{"3wh_completed":true,"actor":"unknown","classification":"unknown","cves":[],"date":"2025-07-16","ip":"5.210.128.94","seen":true,"tags":[]}
{"3wh_completed":true,"actor":"unknown","classification":"unknown","cves":[],"date":"2025-07-07","ip":"91.251.146.112","seen":true,"tags":[]}
$ ls -lah m3-30-days.bin
-rw-r--r--@ 1 andrew  staff    85M Aug  3 02:08 m3-30-days.bin
$ ./psychic2 parse -i m3-30-days.bin | wc -l
 4602446
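One way to use parsed model 3 records for log triage, as an added example that is not GreyNoise code. It assumes the parse step emits one JSON object per line in the shape shown on this page; the function names, the verdict policy and the firewall events are constructed for illustration, and the records are taken from this page with tag and CVE lists shortened.

```python
import ipaddress
import json

# Model 3 records from this page (lists shortened) plus one truncated line,
# constructed to show that malformed input is rejected rather than trusted.
NDJSON = """\
{"3wh_completed":true,"actor":"unknown","classification":"malicious","cves":["CVE-2019-8950"],"date":"2025-08-04","ip":"1.0.138.92","seen":true,"tags":["Mirai","Telnet Bruteforcer"]}
{"3wh_completed":false,"actor":"unknown","classification":"unknown","cves":[],"date":"2025-08-01","ip":"47.237.73.156","seen":true,"tags":[]}
{"3wh_completed":true,"actor":"unknown","classification":"suspicious","cves":[],"date":"2025-07-03","ip":"157.65.32.23","seen":true,"tags":["SMBv1 Crawler"]}
{"3wh_completed":true,"actor":"unk
"""
REQUIRED = ("ip", "seen", "classification", "3wh_completed", "tags", "cves", "date")

def load_index(text):
    """Return ({ip: record}, rejected_count) from newline-delimited JSON."""
    index, rejected = {}, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ip = str(ipaddress.ip_address(rec["ip"]))  # validate and normalise
            if any(k not in rec for k in REQUIRED):
                raise KeyError("missing field")
        except (ValueError, KeyError, TypeError):
            rejected += 1
            continue
        if ip not in index or rec["date"] > index[ip]["date"]:  # keep latest sighting
            index[ip] = rec
    return index, rejected

def triage(src_ip, index):
    """Map a log source IP to a verdict; this policy is an example, not GreyNoise's."""
    rec = index.get(str(ipaddress.ip_address(src_ip)))
    if rec is None or not rec["seen"]:
        return "not-in-dataset"
    if not rec["3wh_completed"]:
        return "seen-unverified-source"  # no completed handshake: address may be spoofed
    if rec["classification"] == "malicious":
        return "malicious:" + ",".join(rec["cves"] or rec["tags"])
    return rec["classification"]

# Constructed firewall events: (source IP, destination port).
EVENTS = [("1.0.138.92", 23), ("47.237.73.156", 443), ("157.65.32.23", 445), ("192.0.2.10", 22)]

def run():
    index, rejected = load_index(NDJSON)
    return rejected, [(ip, port, triage(ip, index)) for ip, port in EVENTS]
```

Treating records without a completed handshake separately keeps a blocklist from being driven by source addresses that were never verified.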

Psychic data files are generated once per hour, in less than 3 minutes, on a machine with a relatively beefy GPU. The Psychic API is up at https://psychic.labs.greynoise.io and uses GN auth (curl -H "key: your_greynoise_key_goes_here" https://psychic.labs.greynoise.io/).


Important Notes


Python Quick Start Example

In [1]: import greynoise_psychic

In [2]: client = greynoise_psychic.Client("YOUR_GREYNOISE_KEY_GOES_HERE")

In [3]: client.refresh_bitmap(model=3)
Out[3]: CachedBitmap(date='2025-08-20', model=3, age=0.0h)

In [4]: result = client.ip_lookup("69.160.29.242")

In [5]: result
Out[5]: LookupResult(ip='69.160.29.242', SEEN [MALICIOUS])

In [6]:   print(f"IP: {result.ip}")
   ...:   print(f"Seen: {result.seen}")
   ...:   print(f"Malicious: {result.malicious}")
   ...:   print(f"3-way handshake: {result.three_way_handshake_completed}")
   ...:   print(f"Tags: {result.tags}")
   ...:   print(f"CVEs: {result.cves}")
   ...:   print(f"Actor: {result.actor}")
   ...:   print(f"Date: {result.date}")
IP: 69.160.29.242
Seen: True
Malicious: True
3-way handshake: True
Tags: ['SSH Connection Attempt', 'TLS/SSL Crawler', 'Go SSH Scanner', 'Web Crawler', 'Weston Embedded µC/HTTP-server Heap Overflow CVE-2023-45318 Attempt', 'Xiongmai NVR URI CVE-2022-45460 Scanner']
CVEs: ['CVE-2023-45318', 'CVE-2022-45460']
Actor:
Date: '2025-08-31'