What Happened
Security teams have never had more IP data at their disposal. Every day, analysts ingest enrichment feeds, geolocation data, reputation scores, telemetry, and threat intelligence from a growing ecosystem of vendors and platforms. Yet despite this abundance of information, many organizations continue to face a fundamental challenge: sifting through the noise to understand who is behind an IP and
Why It Matters
The article reports on a Spur Intelligence study of 200+ security practitioners, finding that anonymized infrastructure such as VPNs and residential proxies is present in about 94% of security incidents, allowing attackers to blend in with seemingly legitimate traffic and undermining IP-based trust decisions.[1][2][6] It highlights that, despite abundant IP enrichment and threat intel data, many teams remain reactive and struggle to reliably attribute activity or distinguish benign from malicious use of such services.[1][5] For AI-driven security agents and automated decision systems that rely heavily on IP reputation, this pattern creates a significant abuse vector: attackers can systematically route prompts, API calls, and automated interactions through anonymizing networks to evade heuristics, rate limits, and geo-based controls. From a CyberSE.AI perspective, organizations should subject AI agents and their surrounding controls to continuous red teaming that explicitly tests resilience against traffic originating from VPNs and residential proxies, validating that detection, throttling, and attribution do not rely on IP signals alone.
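The failure mode described above (per-IP heuristics and rate limits that an abused account evades by spreading requests across many anonymized exits) and the IP-independent checks that survive it, as an added worked example. This is not code from the article or from Spur's study. The request log, the IP addresses (RFC 5737 test ranges), the enrichment labels such as "residential_proxy", and the thresholds are all constructed for illustration; a real deployment would take the labels from its own enrichment feed and tune the thresholds to its traffic.

```python
"""Added example (not from the article or Spur's study): why a per-IP control
misses proxy-rotated abuse, and two signals keyed on the principal rather than
the address that catch it. All data below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Labels an IP-enrichment feed might return for a source address.
# The names are hypothetical; substitute your provider's taxonomy.
ANONYMIZED_CLASSES = {"vpn", "residential_proxy", "datacenter_proxy"}


@dataclass(frozen=True)
class Request:
    ts: int         # seconds since an arbitrary epoch (constructed)
    account: str    # authenticated principal: API key owner or session
    ip: str         # source address as seen at the edge
    ip_class: str   # enrichment verdict for `ip`


def constructed_log():
    """One normal user on a single direct IP (8 requests), plus one abused
    account whose 60 requests are spread over 20 residential-proxy exits,
    3 requests per exit, all inside one minute."""
    events = [Request(t, "acct-legit", "198.51.100.7", "direct") for t in range(8)]
    for i in range(60):
        exit_ip = f"203.0.113.{i % 20 + 1}"
        events.append(Request(i, "acct-abused", exit_ip, "residential_proxy"))
    return events


def flagged_keys(events, key_fn, limit, window):
    """Sliding-window rate limit keyed by key_fn(event).
    Returns the set of keys that exceeded `limit` requests within any
    `window`-second span. Keying on the IP is the weak form; keying on the
    account is the form the proxy rotation cannot dilute."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        key = key_fn(ev)
        q = recent[key]
        q.append(ev.ts)
        while ev.ts - q[0] >= window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > limit:
            flagged.add(key)
    return flagged


def anonymized_fanout(events, min_ips=5, min_anon_ratio=0.5):
    """Attribution signal that does not trust the IP itself: an account whose
    traffic arrives from many distinct exits, most of them classified as
    anonymized, is behaving unlike a person on one connection.
    Returns {account: (distinct_ip_count, anonymized_ratio)} for accounts
    over both thresholds."""
    ips = defaultdict(set)
    total = defaultdict(int)
    anon = defaultdict(int)
    for ev in events:
        ips[ev.account].add(ev.ip)
        total[ev.account] += 1
        if ev.ip_class in ANONYMIZED_CLASSES:
            anon[ev.account] += 1
    hits = {}
    for acct in total:
        ratio = anon[acct] / total[acct]
        if len(ips[acct]) >= min_ips and ratio >= min_anon_ratio:
            hits[acct] = (len(ips[acct]), round(ratio, 2))
    return hits


def evaluate(events, limit=10, window=60):
    """Run the three checks side by side on the same log."""
    return {
        "per_ip": flagged_keys(events, lambda e: e.ip, limit, window),
        "per_account": flagged_keys(events, lambda e: e.account, limit, window),
        "fanout": anonymized_fanout(events),
    }


if __name__ == "__main__":
    verdict = evaluate(constructed_log())
    # The per-IP limit sees at most 3 requests per exit and flags nothing;
    # the account-keyed limit and the fan-out check both flag acct-abused.
    print("per-IP limit flagged:     ", verdict["per_ip"] or "nothing")
    print("per-account limit flagged:", verdict["per_account"])
    print("anonymized fan-out:       ", verdict["fanout"])
```

The point of running the checks together is the contrast: with the same 60 requests, the per-IP limiter returns an empty set because no single exit exceeds 10 requests, while the account-keyed limiter trips on the 11th request and the fan-out check reports 20 distinct exits at a 100% anonymized ratio. A control that only consumes IP reputation would have had no reason to throttle or escalate; one that keys on the authenticated principal and treats anonymized source diversity as a signal in its own right does.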
CyberSE Analysis
This signal maps to AI agent abuse. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/survey-94-of-incidents-involve.html