Security teams have never had more IP data at their disposal. Every day, analysts ingest enrichment feeds, geolocation data, reputation scores, telemetry, and threat intelligence from a growing ecosystem of vendors and platforms.
Yet despite this abundance of information, many organizations continue to face a fundamental challenge: sifting through the noise to understand who is behind an IP and what action should follow.
Case in point: a recent industry study of more than 200 security practitioners conducted by Spur Intelligence found that anonymizing infrastructure – including VPNs and residential proxy networks – now appears in nearly every security incident.
At the same time, the study showed that many organizations admit they lack the visibility, context, and operational workflows needed to make effective decisions based on that IP data.
The findings support a broader industry trend: a reactive approach to managing IP-based risks.
The Rise of Anonymized Infrastructure
The widespread availability of VPN services, residential proxy networks, and other anonymization tools has fundamentally changed how cybercriminals operate. Residential proxies route traffic through consumer internet connections, making malicious activity blend in with normal user behavior. VPN services provide additional layers of anonymity while allowing rapid switching between locations and network identities. As a result, traditional approaches based solely on reputation or static blocklists are becoming less effective.
Security teams are increasingly encountering attacks where the IP address itself provides little immediate insight into intent.
The Spur study showed that nearly half of companies reported significant operational or financial impact from account takeover attempts and credential abuse via VPNs and residential proxies. In these incidents, an address may appear residential, belong to a legitimate ISP, and exhibit no prior malicious reputation while still being part of an active attack campaign.
The Context Deficit
One of the most significant obstacles facing security operations today is a lack of contextual information to help determine who is actually behind a connection.
The Spur study reinforces this observation, with nearly half of respondents saying a lack of context is the biggest challenge for their security teams analyzing IP activity.
Basic IP attributes, such as geolocation and network ownership, remain useful, but they often fail to explain the intent behind activity.
Security teams increasingly need additional layers of context, including infrastructure classification, VPN and proxy attribution, behavioral indicators, historical usage patterns, device and session correlations, and automation and bot signals.
Without this context, analysts are forced to make decisions based on incomplete information. With context, they can understand not only where traffic is coming from, but also why it may represent elevated risk.
Reactive Security Remains the Norm
Although organizations recognize the value of IP intelligence, many still use it primarily during investigations. IP enrichment is commonly applied after alerts have already been generated, helping analysts review historical events and investigate incidents. While this approach provides value, it limits the strategic impact of IP intelligence.
A growing number of security teams are exploring ways to move IP intelligence earlier into the decision-making process. Rather than using IP data solely to investigate incidents, they want it to influence security outcomes in real time.
The Spur study examines this dichotomy, with the majority of respondents indicating that they leverage IP intelligence for basic use cases but want workflows to be more predictive and intelligence-led. Examples include applying IP intelligence for adaptive authentication, risk-based access controls, fraud prevention workflows, automated policy enforcement, and session risk scoring.
The goal of proactively applying IP intelligence is to make better decisions before incidents escalate.
The Overlooked Internal Risk of Anonymization
External threats receive most of the attention in discussions about anonymized infrastructure, but many organizations face a second challenge much closer to home. Bring-your-own-device policies, consumer applications, and personal VPN usage have expanded the number of pathways through which anonymizing traffic can enter enterprise environments. Nation-state actors posing as legitimate employees in high-concentration remote work environments is another.
In many cases, organizations have limited visibility into whether employees are using proxy services, residential networks, or VPN tools while accessing corporate resources. This creates blind spots that traditional perimeter-focused security strategies may not address.
The Spur study validates this concern, with a surprisingly high 61% of respondents reporting being moderately, slightly, or not at all concerned about the potential exposure of their internal network via residential proxies on employee devices or consumer apps.
As zero-trust architectures continue to mature, security teams must treat internal proxy activity as a potential risk signal rather than assuming trusted users and trusted devices automatically imply trusted network behavior.
Quantifying the Effectiveness of IP Intelligence
Many organizations invest in IP intelligence technologies but struggle to quantify their effectiveness. Historically, success has often been measured using indicators such as blocked threats or enrichment coverage. However, these metrics may not fully capture operational value.
The Spur study shows that organizations are less mature in how they measure their IP intelligence efforts, and a full third of companies aren’t measuring it at all.
Increasingly, security leaders are focusing on outcomes such as investigation time, false positives, and costs. These metrics align more closely with business impact and help justify investment in security intelligence capabilities.
As budgets remain constrained, demonstrating measurable operational improvements will become increasingly important.
The Future of IP Intelligence
The next phase of IP intelligence will likely be defined by three trends. First, organizations will demand richer context rather than larger volumes of raw data. Analysts need attribution, behavioral insight, and infrastructure intelligence, not just additional indicators.
Second, automation will become a priority. Security teams increasingly want IP intelligence integrated directly into detection, prevention, and access-control workflows rather than isolated in investigative tools.
Third, IP intelligence will become more closely tied to decision-making. Instead of acting solely as an enrichment layer, it will increasingly serve as a foundation for risk-based security controls.
The organizations that succeed will be those that move beyond simply identifying suspicious IPs and focus on gaining an understanding of the infrastructure, behavior, and intent behind them. In an environment where anonymized infrastructure has become a routine component of cybercrime, the ability to make the leap from detection to decision will ultimately determine how effectively security teams can respond to modern threats.
