When Good IPs Go Bad: Why Traditional Reputation-Based Detection Is Failing

Dave Shackleford | 05.19.2026 | 6 minute read

Editor’s Note: This guest post was written by Dave Shackleford, owner and principal consultant of Voodoo Security, senior instructor with SANS, and faculty member at IANS Research.

For years, cybersecurity teams relied heavily on a simple assumption: malicious activity comes from obviously malicious infrastructure. SOCs built detections around known bad IPs, suspicious geographies, TOR exit nodes, and hostile autonomous systems. Firewalls, SIEMs, and fraud platforms became highly effective at identifying traffic that looked clearly malicious.

That assumption no longer holds.

Modern attackers increasingly operate through infrastructure that appears legitimate at first glance. Residential proxy services, mobile carrier networks, commercial VPNs, cloud providers, SaaS platforms, and compromised consumer devices allow threat actors to blend seamlessly into normal internet traffic. In many cases, the same infrastructure used by legitimate users is also being used to conduct credential stuffing, fraud, account takeover, reconnaissance, and malware delivery operations.

The result is a growing crisis in signal quality for defenders. Traditional IP reputation models are struggling because “clean-looking” traffic no longer means safe traffic. Reputation can show whether an IP has been associated with suspicious activity before, but it often fails to explain what the IP is, how it is being used, and whether the surrounding infrastructure pattern is consistent with abuse.

Poor Signal Quality Creates a Trust Problem for the SOC

This shift is having a major impact across cybersecurity operations, fraud prevention, and identity security. SOC teams are seeing increased false positives and false negatives as attackers leverage trusted infrastructure to bypass traditional controls.

Poor signal quality does not just create missed detections; it erodes analyst trust. When teams cannot explain why a residential, mobile, or proxy-associated connection was flagged, they either ignore the signal or overcorrect with rules that create unnecessary friction for legitimate users.

Fraud teams face similar challenges as bot traffic increasingly routes through residential IPs assigned by legitimate ISPs. Even identity-based detections like impossible travel and geo-anomaly analysis are becoming less reliable in environments shaped by remote work, mobile device churn, and cloud-delivered services.

At the same time, AI is accelerating the problem. Threat actors are increasingly using automation and AI-assisted tooling to dynamically select infrastructure with the lowest likelihood of detection. Rather than relying on static infrastructure, attackers can continuously rotate through residential proxies, cloud regions, mobile networks, and VPN providers while optimizing for success rates and evasion.

This means organizations must rethink how they evaluate trust. IP reputation alone is no longer enough. Modern detection requires context that helps teams understand network origin, anonymization method, hosting or residential characteristics, geo consistency, and whether activity is part of a broader coordinated pattern.

On-Demand Webinar: When Good IPs Go Bad

See how attackers use legitimate-looking infrastructure to evade detection, and learn practical ways to evaluate IP activity with identity, privilege, and network-origin context.

Watch the webinar

Improving Signal Quality Means Improving Context with Layered Enrichment

Security teams need to correlate network-origin signals with identity, privilege, device posture, session behavior, and behavioral analytics to make better decisions. A login from a residential Xfinity IP may look perfectly normal in isolation. But when combined with unusual session velocity, a privileged account, impossible ASN changes, or suspicious behavioral patterns, the risk picture changes dramatically.

The future of detection is therefore moving toward layered enrichment and adaptive trust models. Rather than treating an IP address as a definitive signal, organizations should enrich connections with signals such as:

  • Residential proxy and mobile carrier intelligence
  • VPN, proxy, and hosting attribution
  • ASN and carrier analysis
  • Device posture signals
  • Identity context
  • Behavioral analytics
  • Session-level risk indicators

This enables defenders to improve detection quality without dramatically increasing user friction. The core challenge is no longer simply identifying “bad IPs,” but recognizing malicious behavior hiding behind infrastructure that appears legitimate. In today’s distributed, cloud-first, identity-centric environments, effective detection depends on combining identity, behavioral, and infrastructure intelligence into a unified view of risk.
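The layered scoring the two sections above describe can be made concrete as a small enrichment-and-triage routine. The code below is an added example written for this post; it is not Spur's or the author's code, and the enrichment table, weights, thresholds and login records in it are all constructed stand-ins (the IPs are from documentation ranges, the ASNs are private-use numbers). What it shows is the point of the argument: a residential IP scores zero on its own, but the same kind of IP combined with a residential-proxy attribution, high session velocity and a privileged account is escalated, and every score carries the reasons an analyst needs to trust it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed enrichment table standing in for a network-origin provider's
# per-IP answer: ASN, infrastructure type, and anonymization method (if any).
ENRICHMENT = {
    "203.0.113.10": {"asn": 64500, "infra": "residential", "anon": None},
    "203.0.113.11": {"asn": 64500, "infra": "residential", "anon": "residential_proxy"},
    "198.51.100.7": {"asn": 64501, "infra": "hosting", "anon": "vpn"},
    "192.0.2.200": {"asn": 64502, "infra": "mobile", "anon": None},
}

# Illustrative weights; a real deployment would tune these against its own data.
INFRA_WEIGHT = {"residential": 0, "mobile": 0, "hosting": 2}
ANON_WEIGHT = {None: 0, "vpn": 1, "residential_proxy": 3}
ASN_CHANGE_WINDOW = timedelta(minutes=30)   # same identity, new ASN, inside this window
VELOCITY_THRESHOLD = 60                     # requests per minute within one session


@dataclass
class Login:
    ts: datetime
    user: str
    ip: str
    privileged: bool
    requests_per_min: int


@dataclass
class Assessment:
    user: str
    ip: str
    score: int = 0
    reasons: list = field(default_factory=list)  # the "why" an analyst can read


def assess(events, history=None):
    """Score logins by layering network-origin, identity and session signals.

    Events are processed in timestamp order; `history` remembers the last ASN
    seen per user so an ASN change inside the window can be detected."""
    history = {} if history is None else history
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        enr = ENRICHMENT.get(ev.ip, {"asn": None, "infra": "unknown", "anon": None})
        a = Assessment(user=ev.user, ip=ev.ip)

        # 1. Network-origin attribution: hosting, VPN, residential proxy.
        infra_w = INFRA_WEIGHT.get(enr["infra"], 1)   # unknown infra gets a small weight
        if infra_w:
            a.score += infra_w
            a.reasons.append(f"infra={enr['infra']}")
        anon_w = ANON_WEIGHT.get(enr["anon"], 1)
        if anon_w:
            a.score += anon_w
            a.reasons.append(f"anonymization={enr['anon']}")

        # 2. Geo/ASN consistency for this identity over a short window.
        last = history.get(ev.user)
        if last and last["asn"] != enr["asn"] and ev.ts - last["ts"] < ASN_CHANGE_WINDOW:
            minutes = int((ev.ts - last["ts"]).total_seconds() // 60)
            a.score += 3
            a.reasons.append(f"asn_change {last['asn']}->{enr['asn']} within {minutes}m")
        history[ev.user] = {"asn": enr["asn"], "ts": ev.ts}

        # 3. Session-level risk: request velocity.
        if ev.requests_per_min > VELOCITY_THRESHOLD:
            a.score += 2
            a.reasons.append(f"velocity={ev.requests_per_min}/min")

        # 4. Identity context: privilege amplifies whatever else was found,
        #    but a clean privileged login stays clean.
        if ev.privileged and a.score > 0:
            a.score *= 2
            a.reasons.append("privileged_account")

        results.append(a)
    return results


def decision(a):
    """Adaptive trust: add friction in proportion to risk rather than blocking on IP alone."""
    if a.score >= 8:
        return "step_up_auth"
    if a.score >= 3:
        return "analyst_review"
    return "allow"


# Constructed sample logins (not real traffic).
T0 = datetime(2026, 5, 19, 9, 0)
SAMPLE_EVENTS = [
    Login(T0, "alice", "203.0.113.10", False, 5),                        # plain residential
    Login(T0 + timedelta(minutes=10), "alice", "198.51.100.7", False, 8),  # hosting+VPN, ASN flip
    Login(T0 + timedelta(minutes=5), "bob", "203.0.113.11", True, 120),   # resi proxy, fast, admin
    Login(T0 + timedelta(minutes=20), "carol", "192.0.2.200", False, 3),  # mobile carrier
]

if __name__ == "__main__":
    for a in assess(SAMPLE_EVENTS):
        print(f"{a.user:6} {a.ip:14} score={a.score:2} {decision(a):14} {'; '.join(a.reasons)}")
```

Run as-is, the output lists alice's first login and carol's mobile login as `allow` with no reasons, alice's second login as `analyst_review` (hosting, VPN, ASN change within 10 minutes), and bob's login as `step_up_auth` with the residential-proxy, velocity and privileged-account reasons attached. The reasons list is the part that addresses the trust problem: an analyst sees why a residential or proxy-associated connection was flagged instead of a bare reputation verdict.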

Watch the Webinar to Learn More

As attackers continue abusing trusted infrastructure and AI-driven evasion techniques evolve, organizations that rely solely on static IP reputation models will increasingly struggle to distinguish normal activity from real threats. The organizations that adapt successfully will be those that give analysts the context needed to explain risk, validate suspicious activity, and act with confidence.

To learn how to evaluate “clean” IPs more effectively and apply network-origin context in real investigations, watch the webinar I’m hosting with Spur.

See the Difference Between Raw Data & Real Intelligence

Start enriching IPs with Spur to reveal the residential proxies, VPNs, and bots hiding in plain sight.