I believe one of the important shifts in cybersecurity over the past several years is how attackers are hiding in plain sight.
According to the 2026 IP Intelligence Study released by Spur Intelligence, anonymizing infrastructure, such as virtual private networks (VPNs) and residential proxies, is now involved in nearly every modern cyberattack.
These tools allow malicious actors to disguise their activity as legitimate user behavior, making detection more difficult for security teams.
The study highlights a growing gap between the amount of IP data organizations collect and their ability to operationalize that data effectively in real time.
“Most teams already have plenty of IP data, but that doesn’t mean they know what they’re looking at,” said Riley Kilmer, co-founder of Spur Intelligence, in an email to eSecurityPlanet.
She explained, “If you can’t tell who is behind a connection or why it looks suspicious, you’re left piecing things together after something has already happened.”
Riley added, “Security teams need to close that gap by using IP context earlier, before attackers have already blended into normal traffic.”
Key Takeaways of the IP Intelligence Study
- 94% of organizations reported VPNs or residential proxies were involved in security incidents.
- Attackers are increasingly disguising malicious activity as legitimate user traffic.
- Only 30% of organizations understood residential proxy risks before experiencing an incident.
- Nearly half of organizations experienced credential abuse tied to IP-based activity.
- Many security teams still rely on reactive IP intelligence workflows.
Attackers Are Blending into Legitimate Traffic
For years, many organizations relied on the assumption that malicious IP addresses would stand out from normal traffic.
I see that assumption rapidly disappearing.
The study found that 94% of organizations reported VPNs or residential proxies were involved in security incidents.
Attackers are no longer relying solely on obvious indicators of compromise. Instead, they are routing activity through infrastructure that resembles legitimate consumer traffic.
Riley Kilmer, co-founder of Spur, explained that attackers have learned how to “blend in,” making suspicious activity appear normal.
I believe this creates a challenge for defenders because traditional IP reputation checks and reactive workflows are no longer enough to identify threats early in the attack cycle.
The report also revealed that only 30% of organizations understood the risks associated with anonymized infrastructure before experiencing an incident.
Blind Spots Continue to Increase Organizational Risk
Another major issue highlighted in the study involves internal visibility gaps, especially in remote work and bring your own device (BYOD) environments.
I think some organizations underestimate how vulnerable unmanaged devices can become when connected to corporate systems.
The study found that only 38% of organizations strongly control access from personal devices.
Additionally, 61% reported being only moderately, slightly, or not at all concerned about residential proxy exposure on employee devices.
These findings suggest organizations may not fully understand how anonymized traffic originating from inside the network can bypass traditional security controls.
Credential abuse remains a serious concern as well.
Nearly half of surveyed organizations experienced high-impact credential abuse tied to IP-based activity.
When attackers combine stolen credentials with anonymized infrastructure, they can often evade detection while appearing to be legitimate users.
IP Intelligence Is Still Primarily Reactive
One finding that stood out to me was how organizations are still using IP intelligence mainly as an investigative tool rather than a preventive control.
According to the study, 44% of organizations primarily use IP intelligence to enrich logs after incidents occur.
This reactive approach creates operational inefficiencies. Security teams are forced to investigate alerts manually while attackers continue moving through environments undetected.
Nearly half of respondents stated that their biggest challenge was understanding the “who” and “why” behind IP activity.
Without contextual intelligence, analysts spend valuable time correlating information across multiple platforms.
As a result, 44% of organizations reported increased incident response times due to ineffective IP intelligence processes.
I believe this demonstrates that simply collecting more telemetry is not enough. Organizations must transform IP data into actionable intelligence that supports real-time decision-making.
Organizations Are Demanding Better IP Intelligence Capabilities
Despite these challenges, the study also revealed a growing desire for modernization.
Many organizations are actively evaluating new IP intelligence platforms that provide richer context, automation, and predictive decision-making capabilities.
IP intelligence is evolving beyond static reputation feeds and post-incident enrichment.
Security teams want tools that can dynamically assess intent, behavioral signals, and authentication risk before access is granted.
The organizations making progress are shifting IP intelligence earlier in the security workflow.
Instead of relying solely on post-breach investigations, they are using contextual IP data to influence authentication, fraud prevention, and access control decisions in real time.
This becomes especially important as threat actors continue leveraging AI in their attacks.
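The shift described above, from enriching logs after an incident to applying IP context at authentication time, can be sketched as a pre-authentication policy. This is an added example, not code from the study, from Spur, or from the author; the context labels, thresholds, and login events are hypothetical, constructed values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical, constructed IP context (documentation-range addresses only).
IP_CONTEXT = {"198.51.100.7": "residential_proxy", "203.0.113.20": "vpn"}

@dataclass
class Login:
    ts: int                # seconds since the start of the sample
    ip: str
    user: str
    managed_device: bool   # False models an unmanaged BYOD endpoint
    password_ok: bool

class PreAuthPolicy:
    """Returns allow / step_up / deny before a session is issued."""
    def __init__(self, window=300, max_failed_users=3):  # assumed thresholds
        self.window, self.max_failed_users = window, max_failed_users
        self.failed = defaultdict(deque)  # ip -> (ts, user) of failed logins
    def _spraying(self, ip, now):
        q = self.failed[ip]
        while q and now - q[0][0] > self.window:  # expire old failures
            q.popleft()
        return len({user for _, user in q}) >= self.max_failed_users
    def decide(self, ev):
        if not ev.password_ok:
            self.failed[ev.ip].append((ev.ts, ev.user))
            return "deny"
        anonymizer = IP_CONTEXT.get(ev.ip)  # None when no context is known
        spraying = self._spraying(ev.ip, ev.ts)
        if anonymizer and spraying:
            return "deny"      # valid password, but this IP just failed many accounts
        if spraying or anonymizer == "residential_proxy":
            return "step_up"   # require a second factor
        if anonymizer == "vpn" and not ev.managed_device:
            return "step_up"
        return "allow"

SAMPLE = [  # constructed login events
    *[Login(t, "198.51.100.7", u, False, False) for t, u in [(0, "alice"), (10, "bob"), (20, "carol")]],
    Login(30, "198.51.100.7", "dave", False, True),
    Login(40, "203.0.113.20", "erin", True, True),
    Login(50, "203.0.113.20", "frank", False, True),
    Login(900, "198.51.100.7", "grace", True, True),
]

def replay(events):
    policy = PreAuthPolicy()
    return [policy.decide(ev) for ev in events]
```

The login for `dave` carries a correct password and is still denied, because the decision combines the proxy label with that address's recent failures across several accounts; the same event with no failure history only triggers a second-factor prompt.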
Bottom Line
I believe the findings from Spur Intelligence demonstrate that anonymized infrastructure is no longer a niche problem.
VPNs and residential proxies have become standard tools for cybercriminals seeking to evade detection and blend into legitimate network traffic.
Organizations that continue relying on outdated IP intelligence strategies may struggle to keep pace with modern attack techniques.
The future of cybersecurity will depend on how effectively security teams can apply contextual IP intelligence in real time, automate decision-making, and identify malicious behavior before incidents escalate.
As attackers continue hiding in plain sight, the true advantage will not come from collecting more signals.
It will come from turning those signals into fast, informed, and scalable security decisions.
As threat actors continue adapting their tactics, organizations are adopting zero trust solutions to help reduce blast radius.
