IPinfo - Comprehensive IP address data, IP geolocation API and database
15 days ago by Nebojsa Pintaric 3 min read

Beyond the Risk Score: Correlating IP Intelligence for Evidence-Based Security

In modern cybersecurity, relying on a single signal or a static "risk score" is increasingly ineffective. Threat actors constantly evolve their tactics, rotating through infrastructure and masking their identities to bypass simple filters. Effective cybersecurity comes from correlating multiple IP intelligence signals to understand intent.

That distinction matters. 

Rather than providing a definitive judgment, our data delivers evidence-based signals that security teams interpret within their unique operational contexts to assign perceived risk and determine an overall risk profile.

To use a culinary metaphor, IPinfo provides world-class ingredients; it is up to the security professional to "bake the cake."

To meet the needs of demanding security environments, I encourage teams to utilize a combination of datasets, such as IPinfo Plus and Residential Proxy data, to answer critical questions about traffic by looking at several key dimensions of an IP address.

Core Cybersecurity Use Cases

In my experience as a solutions engineer, I find that security practitioners get the most value when they cross-reference various datasets to identify anomalies that a single metric would miss.

Impossible Travel and Location Anomalies

Using geolocation data, teams can enforce a basic geolocation access control list (ACL), forbidding access to virtual resources based on where a connection geolocates. That's the most widely used scenario I've seen.

Teams can also implement "impossible travel" detection. This technique calculates whether sequential login attempts from different locations are physically possible within the time elapsed between them. Teams also look for location stability; an IP that remains in the same geographic area over time is generally considered more trustworthy than one that frequently shifts. (One exception is malicious actors, who are often concentrated in small geographic areas that can be identified and blacklisted, such as "Scam Centers.")
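The impossible-travel check described above, written out as an added example (this is not IPinfo's code). It assumes the geolocation for each login's source IP has already been looked up and attached to the event, and it uses an assumed ceiling of 900 km/h (roughly airliner speed) as the fastest credible movement between two logins; the sample logins, coordinates and documentation-range IPs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: a commercial flight does roughly 900 km/h, so a higher
# implied ground speed between two logins is not physically credible.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class LoginEvent:
    """One login with the geolocation looked up for its source IP."""
    user: str
    ip: str
    lat: float
    lon: float
    ts: datetime


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Ground speed the user would have needed to get from prev to cur."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        # Same instant (or out-of-order data): any displacement is impossible.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(events, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH):
    """Compare each user's consecutive logins; return (prev, cur, speed) for violations."""
    by_user: dict[str, list[LoginEvent]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user_events in by_user.values():
        user_events.sort(key=lambda e: e.ts)
        for prev, cur in zip(user_events, user_events[1:]):
            if prev.ip == cur.ip:
                continue  # same source address: no travel to evaluate
            speed = implied_speed_kmh(prev, cur)
            if speed > max_speed_kmh:
                alerts.append((prev, cur, speed))
    return alerts


def _utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample logins: documentation-range IPs, city-centre coordinates.
SAMPLE_LOGINS = [
    LoginEvent("alice", "203.0.113.10", 51.5074, -0.1278, _utc(2025, 1, 6, 9, 0)),    # London
    LoginEvent("alice", "198.51.100.7", 40.7128, -74.0060, _utc(2025, 1, 6, 10, 30)),  # New York, 90 min later
    LoginEvent("alice", "198.51.100.9", 42.3601, -71.0589, _utc(2025, 1, 6, 18, 0)),   # Boston, same evening
    LoginEvent("bob", "192.0.2.44", 52.5200, 13.4050, _utc(2025, 1, 6, 9, 0)),        # Berlin
    LoginEvent("bob", "192.0.2.45", 48.1351, 11.5820, _utc(2025, 1, 6, 12, 0)),       # Munich, 3 h later
]

if __name__ == "__main__":
    for prev, cur, speed in find_impossible_travel(SAMPLE_LOGINS):
        print(f"{cur.user}: {prev.ip} -> {cur.ip} would require {speed:,.0f} km/h")
```

Only Alice's London-to-New-York pair trips the check (about 5,570 km in 90 minutes); her later New York-to-Boston hop and Bob's Berlin-to-Munich move are both well within the ceiling. In practice the ceiling is a tuning knob, and the hosting and privacy signals discussed below should be consulted before treating a VPN or data-center hop as physical travel.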

Geolocation also supports compliance requirements, where policy restrictions or data handling obligations vary by jurisdiction.

Anonymized vs. Automated Traffic

The privacy dataset allows teams to distinguish between different types of anonymized traffic. While VPNs and Tor nodes are often flagged as high-risk due to their ease of access and lack of "Know Your Customer" (KYC) requirements, private relays from major providers like Apple or Google are often used by privacy-conscious legitimate users and may warrant a lower risk score. 

The hosting flag identifies data center traffic, a strong signal of automated or anonymized traffic. Bots account for over half of internet traffic (51%), so every site is incentivized to establish rules for handling bot traffic.

Network and ASN-based Risk Patterns

ASN data enables professionals to trace activity back to source organizations. Security teams can identify high-risk networks where malicious actors are concentrated and evaluate AS Type. For example, traffic from government or educational institutions is typically viewed as more trustworthy than traffic originating from hosting providers.

Mobile Carrier and KYC Risk Signals

Carrier data focuses on mobile ISPs, identifying networks with weak KYC or postpaid SIM policies that are often exploited. Due to IPv4 address scarcity, many mobile carriers deploy carrier-grade NAT (CG-NAT), which teams must also account for, because it means hundreds of users are sharing a single IP. Understanding this signal is vital to avoid the "collateral damage" of blocking hundreds of legitimate users when attempting to stop a single malicious actor.
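To show what "correlating signals" looks like in code, here is an added example (not IPinfo's code or schema) that combines the privacy, hosting, AS type and carrier signals from the three sections above into a list of reasons and an enforcement choice. The field names on `IpSignals`, the evidence weights and the dispositions are this example's own assumptions; the sample lookups use documentation IP ranges.

```python
from dataclasses import dataclass, field


@dataclass
class IpSignals:
    """Signals for one IP, as a lookup might return them.

    Field names are this example's own, chosen to mirror the signals the post
    discusses (privacy flags, hosting, AS type, mobile carrier); they are not
    IPinfo's schema.
    """
    ip: str
    vpn: bool = False
    tor: bool = False
    relay: bool = False      # Apple/Google-style private relay
    hosting: bool = False    # data-center address
    as_type: str = "isp"     # e.g. "isp", "hosting", "business", "education", "government"
    carrier: bool = False    # mobile carrier network (CG-NAT likely)


@dataclass
class Assessment:
    disposition: str                      # "allow", "step_up_auth", "challenge_or_block"
    evidence: list[str] = field(default_factory=list)


def assess(s: IpSignals) -> Assessment:
    """Turn individual signals into a list of reasons plus an enforcement choice."""
    evidence: list[str] = []
    weight = 0  # accumulated evidence of anonymisation/automation (assumed weights)

    if s.tor:
        evidence.append("Tor exit node: anonymised, no KYC")
        weight += 3
    if s.vpn:
        evidence.append("commercial VPN: anonymised, easy to obtain, no KYC")
        weight += 2
    if s.relay:
        # Private relays are used by privacy-conscious legitimate users; recorded
        # as context but not counted against the connection.
        evidence.append("private relay: privacy-conscious user likely, low concern")
    if s.hosting or s.as_type == "hosting":
        evidence.append("data-center origin: automated or anonymised traffic likely")
        weight += 3
    if s.as_type in ("government", "education"):
        evidence.append(f"{s.as_type} network: generally trusted source organisation")
        weight -= 1
    if s.carrier:
        evidence.append("mobile carrier: CG-NAT likely, one IP shared by many users")

    if weight >= 3:
        # Strong evidence. On a carrier, an IP-wide block would hit hundreds of
        # legitimate users, so act on the account or session instead.
        disposition = "step_up_auth" if s.carrier else "challenge_or_block"
    elif weight >= 1:
        disposition = "step_up_auth"
    else:
        disposition = "allow"
    return Assessment(disposition, evidence)


# Constructed sample lookups (documentation IP ranges).
SAMPLES = {
    "datacenter_bot": IpSignals("203.0.113.5", hosting=True, as_type="hosting"),
    "relay_user":     IpSignals("198.51.100.20", relay=True, as_type="isp"),
    "tor_on_mobile":  IpSignals("192.0.2.77", tor=True, carrier=True, as_type="isp"),
    "university":     IpSignals("203.0.113.200", as_type="education"),
}

if __name__ == "__main__":
    for name, sig in SAMPLES.items():
        a = assess(sig)
        print(f"{name:15} -> {a.disposition}")
        for reason in a.evidence:
            print(f"    - {reason}")
```

The point of returning `evidence` alongside the disposition is the one the post makes: an analyst can see why the Tor-over-carrier case ended in a step-up challenge rather than an IP block (the CG-NAT line is right there), and the weights can be tuned without losing that explanation.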

Uniquely Evasive Residential Proxies

Residential proxies are among the most difficult threats to detect because they use legitimate residential IP addresses, effectively mimicking real users to mask large-scale attacks.

To combat this without high false-positive rates, we provide temporal signals that allow teams to move beyond static blacklists:

  1. Last Seen Timestamp: Because residential proxy IPs have extremely short lifespans, this field tracks the most recent date the IP was active in a proxy pool. This helps teams avoid the "cardinal sin" of residential proxy detection: blocking an IP that has already returned to legitimate residential use.
  2. Percent Days Seen: This provides context on how often an IP appears in a proxy pool over a 30-day period.
    • High percent_days_seen (60%+): Stable proxy infrastructure, likely a dedicated residential proxy node or consistently infected device. High risk for persistent fraud.
    • Medium percent_days_seen (20-60%): Rotating or intermittently active proxy. Common in P2P residential networks.
    • Low percent_days_seen (<20%): Newly added to pool or highly transient. It could be a legitimate user occasionally sharing a connection, or rapid IP rotation for evasion.

IP data is most valuable when interpreting these signals together. For example, an IP with an old "last seen" date and a low "percent days seen" is generally less concerning than an IP that was observed very recently and has been active consistently across many days. The latter suggests sustained, likely automated, malicious activity.
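The combined reading of "last seen" and "percent days seen" described above, as an added example (not IPinfo's code). The stability buckets are the post's own (60%+, 20-60%, <20%); the `last_seen` field name, the seven-day recency cut-off and the feed excerpt are this example's assumptions. An IP absent from the feed is treated as having no residential-proxy evidence rather than as clean.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class ResidentialProxyRecord:
    """One row of a residential-proxy feed for an IP.

    percent_days_seen is the post's field (0-100: share of the last 30 days the IP
    appeared in a proxy pool); last_seen (ISO date of last pool membership) is
    this example's name for the post's "Last Seen Timestamp".
    """
    ip: str
    last_seen: str
    percent_days_seen: float


# Buckets taken from the post: 60%+ high, 20-60% medium, <20% low.
def stability_bucket(percent_days_seen: float) -> str:
    if percent_days_seen >= 60:
        return "high"
    if percent_days_seen >= 20:
        return "medium"
    return "low"


def days_since(last_seen_iso: str, today: date) -> int:
    return (today - date.fromisoformat(last_seen_iso)).days


def assess_residential_proxy(record, today: date, recent_days: int = 7):
    """Combine recency and stability into an action plus the reasons for it.

    recent_days is an assumed cut-off: a last_seen older than this is treated as
    an IP that may already have returned to legitimate residential use.
    Returns (action, reasons) where action is "no_evidence", "monitor",
    "challenge" or "block".
    """
    if record is None:
        return "no_evidence", ["IP not present in the residential proxy feed"]

    age = days_since(record.last_seen, today)
    bucket = stability_bucket(record.percent_days_seen)
    reasons = [
        f"last seen in a proxy pool {age} day(s) ago",
        f"present on {record.percent_days_seen:.0f}% of the last 30 days ({bucket} stability)",
    ]

    if age > recent_days:
        # Stale membership: blocking now risks hitting a household that merely
        # inherited the address, whatever the historical stability was.
        reasons.append("stale observation: likely back in legitimate use")
        return "monitor", reasons
    if bucket == "high":
        reasons.append("recent and persistent: dedicated proxy node or infected device")
        return "block", reasons
    if bucket == "medium":
        reasons.append("recent but intermittent: rotating P2P proxy")
        return "challenge", reasons
    reasons.append("recent but transient: new to pool or a user occasionally sharing a connection")
    return "monitor", reasons


# Constructed feed excerpt and evaluation date.
TODAY = date(2025, 3, 15)
FEED = {
    "203.0.113.40": ResidentialProxyRecord("203.0.113.40", "2025-03-14", 87.0),  # recent, persistent
    "198.51.100.8": ResidentialProxyRecord("198.51.100.8", "2025-03-13", 33.0),  # recent, rotating
    "192.0.2.19":   ResidentialProxyRecord("192.0.2.19", "2025-02-20", 12.0),   # old, transient
    "192.0.2.91":   ResidentialProxyRecord("192.0.2.91", "2025-02-01", 95.0),   # old but once persistent
}


def lookup(ip: str, today: date = TODAY):
    return assess_residential_proxy(FEED.get(ip), today)


if __name__ == "__main__":
    for ip in list(FEED) + ["203.0.113.99"]:
        action, reasons = lookup(ip)
        print(f"{ip:15} {action:12} {'; '.join(reasons)}")
```

Note the fourth sample: 95% of days seen would look like a dedicated proxy node on a static blacklist, but because its last sighting is six weeks old the recency check wins and the IP is only monitored. That ordering is what protects against the "cardinal sin" the post describes.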

Moving Beyond Risk Scores

From my perspective, the true power of IP intelligence is not in assigning a number, but in understanding intent.

Static risk scores reduce complex infrastructure behavior into a single value that rarely holds up under scrutiny. By contrast, evidence-based IP intelligence allows security teams to explain why a decision was made, adjust logic as threats evolve, and align enforcement with real-world risk.

I encourage security teams to ask, “What does this combination of signals tell us about the infrastructure and intent behind this connection?”

That shift to evidence-based decision-making is what makes IP intelligence truly actionable.

About the author

Nebojsa Pintaric

Neb is an IPinfo solutions engineer with 15+ years of experience in front-end development, headless infrastructure, content delivery networks and cybersecurity. He specializes in understanding client needs and delivering high-impact solutions.