94% of Security Incidents Now Involve Anonymized Infrastructure, Survey Finds
Security teams are drowning in IP data but starving for context, according to a new industry study from Spur Intelligence. The survey of more than 200 security practitioners found that anonymizing infrastructure, including VPN services and residential proxy networks, now appears in nearly every security incident, yet most organizations still lack the visibility and operational workflows needed to act on that information. Nearly half of respondents reported significant operational or financial impact from account takeover attempts and credential abuse routed through VPNs and residential proxies, where the offending IP often belongs to a legitimate ISP and carries no prior malicious reputation.
The rise of residential proxy networks has fundamentally changed the attacker playbook. These services route malicious traffic through genuine consumer internet connections, blending attack activity with normal user behavior, while VPN services add another layer of anonymity with rapid location switching. As a result, static reputation lists and basic geolocation checks are increasingly insufficient. The study highlights that security teams need deeper context, including infrastructure classification, VPN and proxy attribution, behavioral indicators, and bot signals, to distinguish a legitimate remote employee from an attacker staging a credential-stuffing campaign. Security teams can begin profiling suspicious connections using a VPN and proxy detection tool to classify traffic sources, while a WHOIS lookup can help validate whether an IP's registered ownership matches its apparent use case.
The data points to a broader, persistent trend: a reactive posture toward IP-based risk. Instead of proactively classifying traffic and enriching decisions with context, many teams investigate only after an incident occurs, wasting precious response time chasing anonymized endpoints. The study's authors argue that closing the context deficit requires layering signals such as device and session correlations, historical usage patterns, and automated bot detection on top of traditional IP attributes. For practitioners looking to assess their own exposure, a browser fingerprint test can reveal how easily an attacker could mimic a trusted user session, offering a practical starting point for hardening detection workflows before the next incident lands in the SOC queue.
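The layering described above can be sketched over a handful of login events. This is an added example, not code from the survey or from Spur Intelligence. It shows a static reputation check missing a credential-stuffing run that device correlation and infrastructure class catch. The event fields, labels, thresholds and weights are assumptions, and all sample data is constructed.

```python
from collections import defaultdict

# Constructed sample login events. "infra" stands in for the output of an
# IP-classification feed and "listed" for a static reputation-list hit; both
# field names and all values are assumptions made for this example.
EVENTS = [
    {"user": "alice", "ip": "198.51.100.7", "infra": "isp", "listed": False, "device": "d-alice", "ok": True},
    {"user": "bob", "ip": "203.0.113.20", "infra": "vpn", "listed": False, "device": "d-bob", "ok": True},
    {"user": "carol", "ip": "192.0.2.11", "infra": "residential_proxy", "listed": False, "device": "d-x", "ok": False},
    {"user": "dave", "ip": "192.0.2.54", "infra": "residential_proxy", "listed": False, "device": "d-x", "ok": False},
    {"user": "erin", "ip": "192.0.2.93", "infra": "residential_proxy", "listed": False, "device": "d-x", "ok": False},
    {"user": "alice", "ip": "192.0.2.140", "infra": "residential_proxy", "listed": False, "device": "d-x", "ok": True},
]
# Historical usage: devices previously seen for each account (constructed).
KNOWN_DEVICES = {"alice": {"d-alice"}, "bob": {"d-bob"}, "carol": {"d-carol"},
                 "dave": {"d-dave"}, "erin": {"d-erin"}}
ANONYMIZING = {"vpn", "residential_proxy"}

def reputation_only(events):
    """Baseline: flag an event only if its IP is on a static reputation list."""
    return [e for e in events if e["listed"]]

def layered(events, threshold=3):
    """Score each event from infrastructure class, device history and
    cross-account device reuse; return events at or above the threshold."""
    users_per_device = defaultdict(set)
    ips_per_device = defaultdict(set)
    for e in events:
        users_per_device[e["device"]].add(e["user"])
        ips_per_device[e["device"]].add(e["ip"])
    flagged = []
    for e in events:
        score = 0
        score += 1 if e["infra"] in ANONYMIZING else 0
        score += 1 if e["device"] not in KNOWN_DEVICES.get(e["user"], set()) else 0
        # One device fingerprint trying several accounts is a stuffing signal.
        score += 2 if len(users_per_device[e["device"]]) >= 3 else 0
        # The same device hopping across exit IPs suggests proxy rotation.
        score += 1 if len(ips_per_device[e["device"]]) >= 3 else 0
        if score >= threshold:
            flagged.append({**e, "score": score})
    return flagged

if __name__ == "__main__":
    print("reputation-only hits:", len(reputation_only(EVENTS)))
    for e in layered(EVENTS):
        print(e["user"], e["ip"], "score", e["score"], "success" if e["ok"] else "fail")
```

The known user on a VPN with a familiar device scores 1 and passes, while the four events sharing one unfamiliar device across rotating residential exits are flagged, including the one successful login.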