94%: that is the figure the industry is now working around. Anonymizing infrastructure appears in nearly every security incident, according to a Spur Intelligence study of more than 200 security practitioners.
A flood of IP data, and still little clarity
Security teams have never had more IP data at their disposal. Every day, analysts ingest enrichment feeds, geolocation data, reputation scores, telemetry, and threat intelligence from a growing ecosystem of vendors and platforms. Yet that abundance has not translated into certainty. The central problem described in the Spur study is not a lack of indicators, but a shortage of context: analysts are awash in signals but often lack the operational workflows and correlated information needed to decide who is behind an IP and what to do next.
Anonymized infrastructure has become routine
The availability of VPN services, residential proxy networks, and other anonymization tools has shifted attacker tradecraft. Residential proxies route traffic through consumer internet connections, so malicious activity blends with normal user behavior, while VPN services allow rapid switching between locations and network identities. As a result, traditional approaches that rely on reputation lists or static blocklists are becoming less effective: the address doing the attacking may have no history at all, and it may change before a block takes effect.
The Spur study found that anonymizing infrastructure now appears in nearly every incident, and that nearly half of companies reported significant operational or financial impact from account takeover attempts and credential abuse conducted via VPNs and residential proxies. In those cases an address may look residential, belong to a legitimate ISP, and have no prior malicious reputation — and still be part of an active attack campaign.
The context deficit: behavioral and historical signals missing
Nearly half of respondents in the study said a lack of context is the biggest challenge for their security teams analyzing IP activity. Basic IP attributes such as geolocation and network ownership remain useful but frequently fail to explain intent. Security teams increasingly need additional layers of context: infrastructure classification, VPN and proxy attribution, behavioral indicators, historical usage patterns, device and session correlations, and automation and bot signals.
Without those layers, analysts are forced to make decisions from incomplete information; with them, teams can begin to understand not only where traffic is coming from, but why it may represent elevated risk.
Reactive security remains the norm; measurement lags
IP enrichment is commonly applied after alerts have already been generated, the study reports, used to review historical events and investigate incidents rather than to prevent or steer outcomes in real time. The majority of respondents indicated they leverage IP intelligence for basic use cases but want workflows to be more predictive and intelligence-led.
Organizations named several concrete aims for moving IP intelligence earlier into decision-making: adaptive authentication, risk-based access controls, fraud prevention workflows, automated policy enforcement, and session risk scoring. Yet measurement of IP intelligence effectiveness is immature — a full third of companies aren't measuring it at all — and many still rely on legacy metrics such as blocked threats or enrichment coverage rather than operational outcomes like investigation time, false positives, and cost reductions.
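As an added illustration of the session risk scoring and adaptive authentication the study's respondents are asking for, the following Python layers the context signals listed earlier (infrastructure classification, VPN/proxy attribution, per-user historical ASN and country, rapid network switching, and an automation flag) into a single score and an allow / step-up / block decision. It is example code written for this page, not code from Spur or from any vendor product; the enrichment table, user histories, login events, weights and thresholds are all constructed assumptions, and `legacy_decision` stands in for a reputation-only blocklist so the two approaches can be compared on the same events.

```python
"""Session risk scoring over constructed login events (added example).

Nothing here comes from the Spur study: the enrichment table, user
histories, events, weights and thresholds are assumptions chosen to show
how context layers change the decision a reputation-only check would make.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed enrichment: what an IP intelligence provider might return.
# "infra" is the infrastructure classification; "reputation" is the legacy
# blocklist verdict, which is clean for every anonymizing address below.
ENRICHMENT = {
    "198.51.100.7": {"infra": "isp",               "asn": 64500, "country": "US", "reputation": "clean"},
    "203.0.113.21": {"infra": "residential_proxy", "asn": 64501, "country": "US", "reputation": "clean"},
    "192.0.2.9":    {"infra": "vpn",               "asn": 64502, "country": "DE", "reputation": "clean"},
    "192.0.2.77":   {"infra": "datacenter",        "asn": 64503, "country": "NL", "reputation": "malicious"},
}

# Constructed 30-day history per user: networks and countries seen before.
HISTORY = {
    "alice": {"asns": {64500}, "countries": {"US"}},
    "bob":   {"asns": {64503}, "countries": {"NL"}},
}

# Assumed weights; a real deployment would tune these against outcomes
# (investigation time, false positives), as the study recommends.
WEIGHTS = {
    "isp": 0, "residential_proxy": 40, "vpn": 25, "datacenter": 30,
    "bad_reputation": 30, "new_asn": 15, "new_country": 20,
    "rapid_switch": 25, "automation": 20,
}
STEP_UP_AT = 30          # score at which to require a second factor
BLOCK_AT = 70            # score at which to refuse the session
SWITCH_WINDOW = timedelta(minutes=10)   # window for "rapid network switching"


@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    ts: datetime
    automation: bool = False   # bot / headless-client signal from client telemetry


def legacy_decision(login: Login) -> str:
    """Reputation-only check: the static blocklist approach the article says is losing ground."""
    return "block" if ENRICHMENT[login.ip]["reputation"] == "malicious" else "allow"


def score_login(login: Login, prior: list) -> tuple:
    """Score one login against the user's history and the earlier logins in `prior`.

    `prior` includes attempts that were themselves blocked: a refused session
    still tells us the account is being hit from several networks at once.
    """
    e = ENRICHMENT[login.ip]
    hist = HISTORY.get(login.user, {"asns": set(), "countries": set()})
    score, reasons = 0, []

    def hit(reason: str, weight_key: str) -> None:
        nonlocal score
        score += WEIGHTS[weight_key]
        reasons.append(reason)

    if WEIGHTS[e["infra"]]:                       # infrastructure classification
        hit(f"infra:{e['infra']}", e["infra"])
    if e["reputation"] == "malicious":            # legacy signal still counts when present
        hit("bad_reputation", "bad_reputation")
    if e["asn"] not in hist["asns"]:              # historical usage: new network for this user
        hit("new_asn", "new_asn")
    if e["country"] not in hist["countries"]:
        hit("new_country", "new_country")
    switched = any(p.user == login.user
                   and login.ts - p.ts <= SWITCH_WINDOW
                   and ENRICHMENT[p.ip]["asn"] != e["asn"] for p in prior)
    if switched:                                  # session velocity across networks
        hit("rapid_switch", "rapid_switch")
    if login.automation:
        hit("automation", "automation")
    return score, reasons


def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def evaluate(logins: list) -> list:
    """Score a list of logins in time order, each against the ones before it."""
    results, seen = [], []
    for lg in sorted(logins, key=lambda l: l.ts):
        score, reasons = score_login(lg, seen)
        results.append({"user": lg.user, "ip": lg.ip, "score": score, "reasons": reasons,
                        "decision": decide(score), "legacy": legacy_decision(lg)})
        seen.append(lg)
    return results


# Constructed events: alice's second login is a clean-reputation residential
# proxy minutes after her home ISP; her third is a VPN exit in a new country.
SAMPLE_LOGINS = [
    Login("alice", "198.51.100.7", datetime(2024, 1, 8, 9, 0)),
    Login("alice", "203.0.113.21", datetime(2024, 1, 8, 9, 4)),
    Login("alice", "192.0.2.9",    datetime(2024, 1, 8, 14, 0)),
    Login("bob",   "192.0.2.77",   datetime(2024, 1, 8, 15, 0), automation=True),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOGINS):
        print(f"{r['user']:6} {r['ip']:14} score={r['score']:3} "
              f"context={r['decision']:8} legacy={r['legacy']:6} {r['reasons']}")
```

On these constructed events the residential proxy login scores 80 and is blocked by context (proxy classification, a network the user has never used, and a switch from her ISP address four minutes earlier) while the reputation-only check allows it; the VPN login lands in the step-up band, and only the datacenter address with a prior malicious reputation is caught by both approaches.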
Internal blind spots and surprising complacency
External attackers receive the bulk of attention, but the study highlights a second, internal exposure: bring-your-own-device policies, consumer applications, and personal VPN usage expand the pathways through which anonymized traffic can enter corporate environments. The study also cites nation-state actors posing as legitimate employees in heavily remote workforces as an additional risk vector.
Despite those vectors, the study records a noteworthy level of complacency: 61% of respondents reported being moderately, slightly, or not at all concerned about the potential exposure of their internal network via residential proxies on employee devices or consumer apps — an attitudinal gap many security teams will have to confront as zero-trust architectures mature.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams will need to prioritize richer context and automation: infrastructure attribution, behavioral signals, and session correlations must be integrated into detection and access-control workflows to move beyond after-the-fact enrichment.
- Procurement leaders and security buyers should demand measurable operational outcomes: focus spending on capabilities that reduce investigation time, lower false positives, and cut costs rather than on raw indicator volume alone.
- End users and IT operators must recognize internal anonymization as a risk signal: BYOD, consumer apps, and personal VPN use can introduce blind spots that perimeter assumptions will not catch.
The Spur study points to three trends that will define the next phase of IP intelligence: richer context rather than larger volumes of raw data, tighter automation that embeds intelligence into prevention and access workflows, and closer coupling of IP signals to decision-making. In the environment the study describes — where anonymized infrastructure is routine — the ability to make the leap from detection to decision will ultimately determine how effectively security teams can respond to modern threats.