VPNs & proxies feature in 94% of security incidents

Spur Intelligence has published research finding that VPNs and residential proxies feature in 94% of organisations' security incidents. The study was based on a survey of more than 200 security practitioners.

The findings point to a growing problem for security teams, as attackers route credential abuse, bot activity and fraud through anonymising services that make malicious traffic look like ordinary user activity. Only 30% of organisations understood the issue before an incident took place.

Many companies are therefore relying on older detection methods even as online attacks become harder to distinguish from legitimate traffic. Basic IP signals and reactive investigation processes are proving insufficient when attackers can hide behind infrastructure that appears to belong to normal users.

Recent enforcement actions have brought added attention to the issue, including Google's takedown of IPIdea, the takedown of the SocksEscort proxy network, and an FBI Internet Crime Complaint Centre alert warning that cybercriminals are using residential proxies.

Blind spots

The study also identified internal weaknesses in how organisations manage access to corporate systems. Only 38% said they strongly control access from personal devices, suggesting many employers still have limited oversight of devices used in remote work and bring-your-own-device settings.

Concern about exposure through employee devices also appeared muted. Some 61% of respondents said they were only moderately, slightly or not at all concerned about residential proxy exposure on staff devices or consumer apps, despite the risk that anonymised traffic can originate from inside a company's network.

Nearly half of organisations reported high-impact credential abuse tied to IP-based activity. Together, these factors make detection and response more difficult, particularly when unmanaged devices connect to internal systems with limited visibility.

The survey also found that use of IP intelligence remains largely reactive. Its most common application, cited by 44% of respondents, was enriching logs for investigations after an incident rather than blocking or flagging suspicious activity in real time.

Security teams also reported a lack of usable context. Almost half, or 47%, said their biggest challenge was understanding the "who" and "why" behind an IP address, a gap that can push analysts into manual, time-consuming reviews.

That weakness appears to carry operational costs. The research found that 44% of organisations had seen incident response times increase because their IP intelligence tools or processes were ineffective.

Shift in use

The findings suggest a mismatch between broad awareness of anonymised infrastructure and practical readiness to respond. While VPNs and residential proxies are widely recognised as part of the threat landscape, many teams still use IP intelligence as a forensic tool rather than as part of day-to-day access control, authentication checks and fraud screening.

Respondents came from sectors including IT, telecommunications and financial services, and worked in areas such as security operations, incident response, threat intelligence, fraud prevention and compliance. That breadth suggests the issue is not confined to one part of the security function.

Riley Kilmer, Co-Founder of Spur, said the problem lies in how effectively attackers can conceal themselves within ordinary internet traffic.

"Attackers have figured out how to blend in. What used to stand out as suspicious now looks like normal behavior. Unfortunately, most organizations still don't have a clear understanding of how anonymized infrastructure is being used against them," Kilmer said.