Survey: 94% of Incidents Involve Anonymized Infrastructure. Teams Are Still Reactive
Security teams are struggling to identify the perpetrators behind cyber incidents, with 94% of investigated events involving anonymized infrastructure, according to a survey by security firm Cyble. The research, which analyzed 1,500 security incidents over a six-month period, found that attackers increasingly leverage anonymization techniques such as VPNs, proxies, and Tor to obscure their origins. This makes it difficult for security analysts to attribute attacks and understand the threat actor's motives or capabilities.

The survey highlights a persistent reactive posture within security operations, where teams primarily respond to incidents after they occur rather than proactively identifying and mitigating threats. Despite access to vast amounts of IP data, including enrichment feeds, geolocation, reputation scores, and threat intelligence, the sheer volume of information often overwhelms analysts, making it challenging to distinguish genuine threats from noise. This data overload contributes to the difficulty in pinpointing the source of attacks, as legitimate traffic and malicious activity become harder to differentiate.

The findings suggest a critical need for improved tools and strategies that can effectively cut through the noise and provide actionable intelligence for proactive threat hunting and incident response.
Original source — read the full reporting at the publisher:
Read on The Hacker News