15 days ago by Fernanda Donnini 5 min read

Zero Trust Architecture and IP Data

Remember when cybersecurity meant just keeping hackers outside your office firewall? Those days are long gone. Today's security teams face a perfect storm: employees working from coffee shops, fraudsters hiding behind legitimate-looking residential IPs, and nearly a third of Americans using VPNs, not always for the reasons you'd expect. As attack surfaces expand, so do blind spots, especially in how organizations validate trust across devices and networks.

Enter zero-trust architecture: the security model that treats every connection as guilty until proven innocent. Instead of the old-school approach of trusting anyone inside your network (like assuming everyone in your office building must belong there), zero-trust verifies every connection, every time.

But here's the catch: when everything looks suspicious, how do you spot what's actually dangerous? Security teams field thousands of alerts a day, like a smoke detector that goes off every time you make toast, while real threats slip through disguised as legitimate traffic: fraudsters route attacks through residential proxies and VPNs so the sessions look like ordinary users. Alert fatigue is worsening at the same time as threats grow more sophisticated.

Context is more important than ever.

Filling the Signal Gap in Modern Security

Security professionals don’t just need more data. They need better signals. That’s where IP address intelligence plays a critical role.

An IP address is often the first, and sometimes the only, observable attached to a suspicious event, which is why it is the most commonly shared indicator of compromise (IoC). But a raw IP on its own says nothing about who operates it, where it really is, or whether it is an anonymizer exit; it only becomes useful once it is enriched with that context. That’s why companies like Nethone rely on IPinfo:

Getting the same quality data as IPinfo with an in-house team is actually quite difficult. That’s why we chose IPinfo. - Fraud Intelligence Team, Nethone

To gain that visibility at scale, security teams can draw contextual data from every IP address they see and feed it into zero-trust policy decisions.

Indicators of Compromise in IP Data

Several signals that serve as, or sharpen, indicators of compromise (IoCs) can be derived from IP data.

Geolocation

IPinfo’s geolocation data provides: 

  • Country, region, city
  • latitude/longitude
  • Postal code and timezones
  • Accuracy radius 
  • Last-changed timestamps

These fields help identify location mismatches, impossible travel, and suspicious login behavior, and they power DDoS mitigation by mapping inbound traffic sources. Use the accuracy radius when comparing two locations: a city-level fix with a radius of a few kilometres can support an impossible-travel verdict, while a country-level fix with a radius of hundreds of kilometres cannot prove the user moved at all.
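The impossible-travel check described above, written out as an added example (this is not code from the original post or from IPinfo). The `GeoLogin` record is an assumed shape modelled on the fields listed above (latitude/longitude plus accuracy radius), not IPinfo's exact API schema, and the login records at the bottom are constructed. The point the code makes is the caveat: both accuracy radii are subtracted before the implied speed is computed, so two coarse fixes never trigger a false positive.

```python
"""Impossible-travel check that respects geolocation accuracy radius.

Added example for this post; it is not IPinfo's code. GeoLogin is an assumed
record shape modelled on the fields listed above (lat/lon, accuracy radius),
not IPinfo's exact API schema. All logins below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Anything faster than an airliner between two fixes is treated as impossible.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class GeoLogin:
    user: str
    ts: datetime                 # timezone-aware, parsed from an ISO-8601 string
    lat: float
    lon: float
    accuracy_radius_km: float    # how far the true location may be from lat/lon


def make_login(user: str, iso_ts: str, lat: float, lon: float,
               accuracy_radius_km: float) -> GeoLogin:
    """Build a login record from an ISO-8601 timestamp such as '2024-05-01T09:00:00+00:00'."""
    return GeoLogin(user, datetime.fromisoformat(iso_ts), lat, lon, accuracy_radius_km)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def min_distance_km(a: GeoLogin, b: GeoLogin) -> float:
    """Lower bound on the distance the user must actually have travelled.

    Either fix may lie anywhere inside its accuracy circle, so both radii are
    subtracted. Two coarse (country-level) fixes overlap and yield 0, which is
    the honest answer: the data cannot prove the user moved at all.
    """
    centre = haversine_km(a.lat, a.lon, b.lat, b.lon)
    return max(0.0, centre - a.accuracy_radius_km - b.accuracy_radius_km)


def implied_speed_kmh(a: GeoLogin, b: GeoLogin) -> float:
    """Speed needed to cover the lower-bound distance in the elapsed time."""
    hours = abs((b.ts - a.ts).total_seconds()) / 3600.0
    distance = min_distance_km(a, b)
    if hours == 0.0:
        return float("inf") if distance > 0.0 else 0.0
    return distance / hours


def is_impossible_travel(a: GeoLogin, b: GeoLogin,
                         max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> bool:
    return implied_speed_kmh(a, b) > max_speed_kmh


def flag_sequence(logins: list[GeoLogin]) -> list[tuple[GeoLogin, GeoLogin]]:
    """Return consecutive same-user login pairs that imply impossible travel."""
    by_user: dict[str, list[GeoLogin]] = {}
    for login in sorted(logins, key=lambda l: l.ts):
        by_user.setdefault(login.user, []).append(login)
    flagged = []
    for seq in by_user.values():
        for prev, cur in zip(seq, seq[1:]):
            if is_impossible_travel(prev, cur):
                flagged.append((prev, cur))
    return flagged


# Constructed sample: city-level fixes (10 km radius) for New York and Boston
# ten minutes apart, then the same two cities with country-level (200 km) fixes.
SAMPLE_LOGINS = [
    make_login("alice", "2024-05-01T09:00:00+00:00", 40.7128, -74.0060, 10.0),   # New York
    make_login("alice", "2024-05-01T09:10:00+00:00", 42.3601, -71.0589, 10.0),   # Boston
    make_login("bob",   "2024-05-01T09:00:00+00:00", 40.7128, -74.0060, 200.0),  # coarse fix
    make_login("bob",   "2024-05-01T09:10:00+00:00", 42.3601, -71.0589, 200.0),  # coarse fix
]

if __name__ == "__main__":
    for prev, cur in flag_sequence(SAMPLE_LOGINS):
        print(f"{prev.user}: {implied_speed_kmh(prev, cur):.0f} km/h implied between fixes")
```

Only `alice` is flagged: roughly 286 km in ten minutes after subtracting the radii. `bob` has the same coordinates, but two 200 km circles already overlap, so the lower-bound distance is zero and no verdict is possible from geolocation alone.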

GreyNoise, which collects and classifies internet-wide scanning and attack traffic, uses IPinfo geolocation data, along with ASN data, IP ranges, and hosted domains, to support efficient threat analysis and detection.

“IPinfo is absolutely essential to our business. The data is rock solid, the API is dead simple, and the price is unbeatable. I constantly recommend it to all of my friends in the industry.” - Andrew Morris, Founder & CEO, GreyNoise Intelligence

IP and Domain Reputation

IP data also feeds risk analysis, threat intelligence, and incident response. Compromised networks and servers are routinely used for botnets, phishing, DDoS attacks, and spam. Rather than offering a reputation score, IPinfo provides the contextual signals behind one, such as ownership metadata, ASN, hosted domains, and change tracking, which analysts can combine with their own reputation or blocklist feeds.

Organizations can also watch for external references to their infrastructure, such as IPs or domains showing up in breach disclosures or paste sites, as a potential sign of compromise.

To enrich this view, Host.io aggregates DNS records, scraped homepage metadata, outbound links, backlinks, redirects, and co-hosted domain information. Analysts can use these details to uncover related infrastructure, map shared hosting environments, and monitor high-level domain attributes or DNS changes. For the available endpoints and parameters, see Host.io’s API documentation.

ASN Insights

ASN data links an IP address to its operating network (ISP, hosting provider, enterprise, university, etc.). This helps teams:

  • Spot traffic from high-risk or suspicious ASNs (e.g., bulletproof hosts or anonymizing services).
  • Differentiate consumer ISPs from data centers or cloud infrastructure.
  • Trace suspicious behavior back to the responsible network operator.

Privacy Detection

Here's a sobering fact: nearly one-third of Americans use a VPN. While your remote employee might be using one to access company resources from a hotel, so might a fraudster trying to look like that same legitimate employee. The line between privacy tool and attack vector has never been blurrier.

Anonymizing tools like VPNs, relays, Tor, and residential proxies are now ubiquitous.

While VPNs support privacy and remote access, they also complicate trust scoring. Without knowing who operates the anonymizer, or when an IP was last reassigned, it's easy to misclassify legitimate or malicious sessions.

IPinfo’s privacy detection data helps by providing:

  • Named privacy providers (e.g., NordVPN, Surfshark, Tor)
  • Boolean flags for VPN, proxy, relay, and Tor exit nodes
  • Residential Proxy IPs with last seen timestamp and stability metric

Almost every single fraud method involves some form of VPN. It’s a crucial parameter to detect when someone is about to commit a crime. - Marcin Zubrycki, Senior Product Manager of Fraud Intelligence Team, Nethone

Adcash, a global adtech platform, used IPinfo’s data to separate real users from bots and non-human traffic.

There are just a few other providers that actually serve VPN detection data, but those are completely incorrect based on what I tested and compared. It’s just not true what they’re offering. We tested MaxMind - another data source - but only IPinfo actually had accurate data. - Yonko Tsonev, Head of IT at Adcash

Other Contextual Signals

IPinfo tags are contextual signals applied to IP addresses that classify their behavior, role, or infrastructure. They go beyond simple geolocation (city or country) to give zero-trust systems and threat investigators actionable context. 

Key examples include:

  • Hotel – Shared hotel Wi-Fi where many unrelated users exit behind a single IP
  • Airport – Transient connections from public airport Wi-Fi
  • Airplane – In-flight Wi-Fi IPs
  • Bittorrent – IPs participating in peer-to-peer file sharing
  • Cloud / CDN – Traffic from major cloud providers or CDNs
  • Crawler – Automated web crawlers performing reconnaissance or scraping
  • Mailserver / Nameserver / Router / Webserver / SSH – Indicators of specific infrastructure roles that help analysts distinguish normal service traffic from compromised hosts
  • Hosting / Data Center – Non-consumer infrastructure often used by bots or malicious scripts
  • Honeypot – IPs actively caught by IPinfo’s own ProbeNet honeypots, indicating suspicious or malicious scanning or probing activity
  • Port-scan – IPs observed scanning multiple ports across multiple targets

By combining these tags with geolocation, ASN insights, privacy detection, and historical ownership changes, security teams can:

  • Spot anomalous or higher-risk traffic patterns earlier
  • Reduce false positives by understanding the true nature of connections
  • Strengthen zero-trust policies with granular, context-rich signals
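How the privacy flags, ASN type and tags from the last three sections combine into one access decision, as an added example (not code from the original post or from IPinfo). The `Enrichment` and `SessionContext` records are assumed shapes modelled on the signals described above; the field names, the `asn_type` vocabulary and the tag strings are assumptions rather than IPinfo's exact API schema, and every sample record is constructed. The example shows the false-positive reduction the text promises: a hotel tag or an approved corporate VPN does not by itself trigger a denial, while a Tor exit or an IP seen scanning does.

```python
"""Zero-trust access decision from combined IP enrichment signals.

Added example for this post, not IPinfo's code. Enrichment is an assumed
record shape modelled on the signals described above (privacy flags, named
privacy service, ASN type, tags); field names and the asn_type vocabulary
are assumptions, not IPinfo's exact API schema. Sample records are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Decision(IntEnum):
    # Ordered so that max() over collected verdicts picks the strictest one.
    ALLOW = 0
    STEP_UP = 1   # require fresh MFA / re-authentication before granting access
    DENY = 2


@dataclass(frozen=True)
class Enrichment:
    ip: str
    country: str
    asn_type: str                           # assumed vocabulary: "isp", "hosting", "business", "education"
    vpn: bool = False
    proxy: bool = False
    relay: bool = False
    tor: bool = False
    privacy_service: Optional[str] = None   # named anonymizer, e.g. "Tor" or a VPN brand
    residential_proxy: bool = False
    tags: frozenset = frozenset()           # e.g. {"hotel"} or {"hosting", "port-scan"}


@dataclass(frozen=True)
class SessionContext:
    home_country: str                  # where this identity normally authenticates from
    approved_vpn_services: frozenset   # corporate VPN egress providers that are expected
    device_attested: bool              # managed device passed its posture/attestation check


SHARED_EGRESS_TAGS = frozenset({"hotel", "airport", "airplane"})
SCANNER_TAGS = frozenset({"honeypot", "port-scan"})


def evaluate(e: Enrichment, ctx: SessionContext) -> tuple[Decision, list[str]]:
    """Return the strictest applicable verdict and every reason that contributed."""
    verdicts: list[tuple[Decision, str]] = []

    # Hard signals: Tor exits and IPs caught scanning are not interactive users.
    if e.tor or e.privacy_service == "Tor":
        verdicts.append((Decision.DENY, "Tor exit node"))
    seen_scanning = e.tags & SCANNER_TAGS
    if seen_scanning:
        verdicts.append((Decision.DENY, f"IP observed scanning ({', '.join(sorted(seen_scanning))})"))

    # Residential proxies look like consumer ISPs; the flag is the only giveaway.
    if e.residential_proxy:
        verdicts.append((Decision.STEP_UP, "residential proxy exit"))

    # A VPN is expected when it is the corporate egress; any other anonymizer is not.
    if e.vpn or e.proxy or e.relay:
        if e.privacy_service in ctx.approved_vpn_services:
            verdicts.append((Decision.ALLOW, f"approved VPN egress ({e.privacy_service})"))
        else:
            verdicts.append((Decision.STEP_UP, f"unapproved anonymizer ({e.privacy_service or 'unnamed'})"))

    # Interactive logins rarely originate from data-centre or cloud ranges.
    if e.asn_type == "hosting" or e.tags & {"hosting", "cloud"}:
        verdicts.append((Decision.STEP_UP, "data-centre or cloud source"))

    if e.country != ctx.home_country:
        verdicts.append((Decision.STEP_UP, f"country {e.country} differs from home {ctx.home_country}"))

    # Shared egress is not suspicious by itself, but the IP cannot identify the
    # user, so the decision falls back on device posture instead of denying.
    if e.tags & SHARED_EGRESS_TAGS:
        if ctx.device_attested:
            verdicts.append((Decision.ALLOW, "shared egress; trust rests on device attestation"))
        else:
            verdicts.append((Decision.STEP_UP, "shared egress and unattested device"))

    if not verdicts:
        verdicts.append((Decision.ALLOW, "no adverse signals"))
    return max(d for d, _ in verdicts), [reason for _, reason in verdicts]


# Constructed sample contexts and records (TEST-NET-1 addresses).
CTX = SessionContext("US", frozenset({"CorpVPN"}), device_attested=True)
CTX_UNATTESTED = SessionContext("US", frozenset({"CorpVPN"}), device_attested=False)

SAMPLES = {
    "corp_vpn":   Enrichment("192.0.2.10", "US", "business", vpn=True, privacy_service="CorpVPN"),
    "hotel":      Enrichment("192.0.2.20", "US", "isp", tags=frozenset({"hotel"})),
    "resi_proxy": Enrichment("192.0.2.30", "US", "isp", proxy=True, residential_proxy=True),
    "tor":        Enrichment("192.0.2.40", "DE", "hosting", tor=True, privacy_service="Tor"),
    "scanner":    Enrichment("192.0.2.50", "US", "hosting", tags=frozenset({"hosting", "port-scan"})),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        decision, reasons = evaluate(rec, CTX)
        print(f"{name:<11} {decision.name:<8} {'; '.join(reasons)}")
```

Returning the reasons alongside the verdict matters in practice: the analyst triaging a step-up or denial sees which signal fired, and the same list can be logged for the audit trail a zero-trust policy engine needs.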

Why Fresh, Accurate Data Matters for Zero Trust

Think of IP addresses like phone numbers. They get reassigned, recycled, and repurposed constantly. That clean IP from yesterday? It might be part of a botnet today. That's why real-time intelligence isn't just nice to have. It's the difference between catching threats and chasing ghosts. Historical change tracking uncovers recycled IPs and fast-flipping infrastructure so security teams can spot risks before they escalate.

IPinfo ingests and processes billions of records daily and validates them with ProbeNet, our internet measurement platform, which:

  • Operates a global vantage network of 1,100+ PoPs across 140+ countries and 469 cities
  • Performs 175M+ active checks every day and refreshes full IPv4/IPv6 coverage weekly
  • Delivers 61B+ data points from 300+ sources
  • Measures the internet continuously on a rolling basis, ensuring that ownership, geolocation, and privacy indicators stay current and evidence-backed

This constant, distributed measurement, combined with rapid ingestion and change tracking, empowers teams to:

  • Detect fraud patterns with fewer false positives
  • Identify emerging anonymizers or infrastructure shifts early
  • Maintain compliance with data-sovereignty and auditing rules
  • Strengthen zero-trust policies with the most up-to-date IP context available
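The change-tracking idea from this section, as an added example (not code from the original post or from IPinfo): given successive enrichment snapshots of one IP, detect when its ownership or privacy classification flipped, flag fast-flipping infrastructure, and decide whether a trust decision cached earlier is now stale. `Snapshot` is an assumed record shape modelled on the ownership and privacy indicators described above, not IPinfo's exact API schema; the `asn_type` vocabulary is an assumption, and the two histories use documentation ASNs and TEST-NET-2 addresses and are constructed.

```python
"""Change tracking over IP enrichment snapshots.

Added example for this post, not IPinfo's code. Snapshot is an assumed record
shape (observed_at, asn, asn_type, privacy_service) modelled on the ownership
and privacy indicators described above; it is not IPinfo's exact API schema.
Both snapshot histories below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Snapshot:
    observed_at: datetime
    asn: str                          # e.g. "AS64496" (documentation ASN range)
    asn_type: str                     # assumed vocabulary: "isp", "hosting", ...
    privacy_service: Optional[str]    # named anonymizer exiting here, if any


# Attributes whose change should invalidate a cached trust decision.
TRACKED_FIELDS = ("asn", "asn_type", "privacy_service")


def parse_ts(iso_ts: str) -> datetime:
    return datetime.fromisoformat(iso_ts)


def snap(iso_ts: str, asn: str, asn_type: str, privacy_service: Optional[str] = None) -> Snapshot:
    return Snapshot(parse_ts(iso_ts), asn, asn_type, privacy_service)


def changes(history: list[Snapshot]) -> list[tuple[datetime, str, object, object]]:
    """(when, field, old, new) for every tracked field that differs between consecutive snapshots."""
    ordered = sorted(history, key=lambda s: s.observed_at)
    out = []
    for prev, cur in zip(ordered, ordered[1:]):
        for name in TRACKED_FIELDS:
            old, new = getattr(prev, name), getattr(cur, name)
            if old != new:
                out.append((cur.observed_at, name, old, new))
    return out


def change_events(history: list[Snapshot]) -> list[datetime]:
    """Distinct timestamps at which at least one tracked field changed."""
    return sorted({t for t, *_ in changes(history)})


def last_changed(history: list[Snapshot]) -> Optional[datetime]:
    events = change_events(history)
    return events[-1] if events else None


def is_fast_flipping(history: list[Snapshot], window: timedelta = timedelta(days=30),
                     max_events: int = 1) -> bool:
    """True when more than max_events change events fall inside any trailing window."""
    events = change_events(history)
    for i, start in enumerate(events):
        if sum(1 for t in events[i:] if t - start <= window) > max_events:
            return True
    return False


def cached_decision_is_stale(history: list[Snapshot], decided_at: datetime) -> bool:
    """A decision cached at decided_at is stale if any tracked field changed after it."""
    last = last_changed(history)
    return last is not None and last > decided_at


# Constructed history for 198.51.100.7: a hosting range re-homed to an ISP ASN,
# then observed as a named VPN exit ten days later.
FLIPPING_HISTORY = [
    snap("2024-01-05T00:00:00+00:00", "AS64496", "hosting"),
    snap("2024-02-01T00:00:00+00:00", "AS64496", "hosting"),
    snap("2024-03-10T00:00:00+00:00", "AS64497", "isp"),
    snap("2024-03-20T00:00:00+00:00", "AS64497", "isp", "ExampleVPN"),
]

# Constructed history for 198.51.100.8: same consumer ISP for over a year.
STABLE_HISTORY = [
    snap("2023-01-05T00:00:00+00:00", "AS64498", "isp"),
    snap("2024-01-05T00:00:00+00:00", "AS64498", "isp"),
    snap("2024-03-01T00:00:00+00:00", "AS64498", "isp"),
]

if __name__ == "__main__":
    for when, name, old, new in changes(FLIPPING_HISTORY):
        print(f"{when.date()} {name}: {old!r} -> {new!r}")
    print("fast flipping:", is_fast_flipping(FLIPPING_HISTORY))
    print("decision from 2024-03-01 stale:",
          cached_decision_is_stale(FLIPPING_HISTORY, parse_ts("2024-03-01T00:00:00+00:00")))
```

The staleness check is the part most often missing from policy engines that cache "this IP is fine" for a fixed TTL: comparing the cache timestamp against the enrichment's last-changed time expires exactly the entries whose facts moved, rather than all of them or none.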

Trust No IP Without Context

Remember: in a zero-trust world, you're only as secure as your ability to understand who's knocking at your door. Raw IP addresses are just numbers, but with the right context, they become your first line of defense. That's what IPinfo delivers: not just data, but the story behind every connection, turning data into actionable insights with location precision, privacy detection, ownership metadata, and change tracking.

About the author

Fernanda Donnini

As the product marketing manager, Fernanda helps customers better understand how IPinfo products can serve their needs.