A new survey reveals that 94% of security incidents involve anonymised infrastructure such as VPNs, proxies, and hosting services, making it difficult to attribute attacks to real threat actors. Despite access to large volumes of IP enrichment and threat intelligence data, most security teams remain reactive rather than proactive. The core problem is signal-to-noise ratio — too much data, too little actionable context.

Security Architect’s Take: Review your threat intelligence pipeline for coverage of anonymising infrastructure (e.g. Tor exit nodes, residential proxies, bulletproof hosting ASNs) and ensure your SIEM or SOAR rules treat traffic from these sources with elevated suspicion by default. Consider integrating purpose-built IP context providers that specialise in anonymisation detection rather than relying solely on generic reputation feeds.

Original advisory: Survey: 94% of Incidents Involve Anonymized Infrastructure. Teams Are Still Reactive