Spur IP Intelligence Study:​ Nearly Every Modern Cyberattack Now Leveraging Anonymizing Infrastructure and Victims Are Blind to It

Study reveals a growing gap between awareness and action as attackers exploit outdated defenses while organizations remain unequipped to address this challenge

LAKE MARY, Fla — May 13, 2026 — Spur Intelligence released findings from its 2026 IP Intelligence Study, revealing that anonymizing infrastructure, such as VPNs and residential proxies, is now embedded in nearly every modern cyberattack, yet most organizations are unequipped to stop it.

Based on a survey of more than 200 security practitioners, the study found that 94% of organizations report VPNs or residential proxies are involved in security incidents. By routing malicious activity through infrastructure that appears to be legitimate user traffic, attackers can bypass traditional detection methods and operate without raising immediate suspicion.

This creates a fundamental shift in detection. When malicious activity is indistinguishable from real users, security teams can no longer rely on basic IP signals or reactive workflows to identify threats before damage occurs. More alarming: only 30% of organizations reported understanding the problem before an incident occurred.

“Attackers have figured out how to blend in,” said Riley Kilmer, co-founder of Spur. “What used to stand out as suspicious now looks like normal behavior. Unfortunately, most organizations still don’t have a clear understanding of how anonymized infrastructure is being used against them.”

Blind spots amplify risk

Anonymizing infrastructure is only part of the problem. Many organizations lack strong controls over internal access paths, particularly in environments with remote work and bring your own device (BYOD) policies.

• Nearly half of organizations report high-impact credential abuse tied to IP-based activity, underscoring how effectively attackers are using anonymizing infrastructure to bypass defenses.
• Only 38% of organizations strongly control access from personal (BYOD) devices, limiting visibility into how unmanaged endpoints connect to internal systems.
• At the same time, 61% report being only moderately, slightly, or not at all concerned about residential proxy exposure on employee devices, suggesting many teams underestimate the risk of anonymized traffic originating from inside the network.

Together, these gaps create compounding risk. When malicious activity blends into normal traffic and moves through environments with limited visibility, detection and response are significantly more difficult.

Widespread exposure, limited understanding

Anonymized IP activity is now a routine part of attacks, but most organizations lack a clear view of how it works in practice. Without that understanding, security teams are forced into reactive workflows, responding after the fact rather than stopping threats in real time.

• IP intelligence is still primarily used after an incident occurs. The most common use case (44%) is enriching logs for investigation, rather than preventing attacks in real time.
• While security teams have more data than ever, they struggle to operationalize it. Nearly half (47%) cite lack of context (the “who” and “why” behind an IP) as their biggest challenge, forcing analysts into manual, time-consuming workflows.
• These limitations have a tangible impact: 44% of organizations report increased incident response times due to ineffective IP intelligence.

These findings reinforce that IP intelligence can no longer be treated as a back-end investigative tool. Security teams need to apply IP context earlier in workflows to inform real-time decisions on access, authentication, and fraud. Those that make this shift will move faster, reduce operational overhead, and close gaps that attackers are actively exploiting.

See the Full Findings

Download the 2026 IP Intelligence Study to learn how security teams use IP intelligence to detect threats, reduce false positives, and speed investigations.

Get your copy

Methodology

The Spur 2026 IP Intelligence Study surveyed more than 200 security practitioners between February and March 2026 across industries, including IT, telecommunications, and financial services. Respondents represent roles in security operations, incident response, threat intelligence, fraud prevention, and compliance.

About Spur Intelligence

Spur delivers the highest-fidelity IP intelligence available to detect anonymized, proxied, or otherwise obscured internet traffic, empowering you to stop fraud, fake users, and threats. Designed by expert security researchers and engineers, Spur elevated VPN attribution, bot detection, and residential proxy tracking to protect the most mission-critical government and commercial systems in the world.

Media Contact

Jennifer Tanner, Look Left Marketing, spur@lookleftmarketing.com