Spur Study Finds Anonymizing Infrastructure Embedded in Most Cyberattacks

Spur’s 2026 IP Intelligence Study found anonymizing infrastructure such as VPNs and residential proxies is now involved in nearly all modern cyberattacks while many organizations remain unprepared to detect or prevent the threat.
Spur’s 2026 IP Intelligence Study found widespread use of VPNs and residential proxies in modern cyberattacks, creating new challenges for detection and response.


Spur Intelligence has released findings from its 2026 IP Intelligence Study, highlighting the growing role of anonymizing infrastructure such as VPNs and residential proxies in modern cyberattacks and the challenges organizations face in detecting and stopping them.

Based on a survey of more than 200 security practitioners, the study found that 94% of organizations reported VPNs or residential proxies were involved in security incidents. According to the report, attackers increasingly route malicious activity through infrastructure that resembles legitimate user traffic, allowing them to evade traditional detection methods and avoid immediate suspicion.

The study said this shift has changed how organizations must approach detection, as malicious activity is becoming harder to distinguish from legitimate user behavior. Despite the widespread use of anonymized infrastructure in attacks, only 30% of organizations said they understood the issue before experiencing an incident.

“Attackers have figured out how to blend in,” said Riley Kilmer, co-founder of Spur. “What used to stand out as suspicious now looks like normal behavior. Unfortunately, most organizations still don’t have a clear understanding of how anonymized infrastructure is being used against them.”

Blind Spots Increase Exposure

The report also pointed to weak controls around internal access paths, particularly in organizations with remote work and bring your own device (BYOD) policies.

Nearly half of surveyed organizations reported high-impact credential abuse tied to IP-based activity, which the study said demonstrates how attackers are leveraging anonymizing infrastructure to bypass defenses.

At the same time, only 38% of organizations said they strongly control access from personal devices, limiting visibility into how unmanaged endpoints connect to internal systems.

The study also found that 61% of organizations reported being only moderately, slightly, or not at all concerned about residential proxy exposure on employee devices, suggesting many organizations underestimate the risks associated with anonymized traffic originating inside their networks.

According to the report, these visibility and control gaps create compounded risk for security teams attempting to identify and respond to threats moving through environments with limited oversight.

IP Intelligence Remains Largely Reactive

The study found that anonymized IP activity has become a routine part of attacks, yet many organizations still lack a practical understanding of how anonymizing infrastructure operates in real-world incidents.

As a result, many security teams remain reliant on reactive workflows rather than real-time prevention strategies. The report said the most common use of IP intelligence, cited by 44% of respondents, is enriching logs during investigations after an incident occurs rather than preventing attacks as they happen.

Organizations also reported challenges operationalizing available data. Nearly half of respondents, 47%, identified lack of context surrounding IP addresses — including understanding who is behind an IP and why it is being used — as their biggest challenge, leading to manual and time-consuming workflows for analysts.

The report noted these limitations are contributing to operational delays, with 44% of organizations reporting increased incident response times due to ineffective IP intelligence.

Spur said the findings reinforce the need for organizations to apply IP context earlier in workflows to support real-time decisions related to access, authentication and fraud prevention.
