IP data integration combines evidence-based IP geolocation with built-in residential proxy detection
IPinfo today announced the addition of residential proxy detection directly inside Splunk environments. The update extends IPinfo's existing Splunk integration, already used to enrich IP addresses with geolocation, ASN, company, and other privacy signals.
Residential proxy abuse is accelerating, and traditional detection methods consistently fail to catch it because residential proxy traffic is designed to look like legitimate usage, all while churning too fast to establish reputations for abuse. Now security teams can solve this problem with a platform they already trust: residential proxy detection is available directly within Splunk.
IPinfo's residential proxy detection data identifies IP addresses used by commercial residential proxy networks through direct observation, not inference. Delivered through the IPinfo app on Splunkbase, the integration works across Splunk Enterprise, Splunk Cloud, and Splunk Enterprise Security (ES), supporting both real-time API enrichment and high-volume local database (MMDB) lookups.
What's New: IPinfo Residential Proxy Detection in Splunk
Residential proxies route traffic through real consumer IP addresses, making malicious activity appear indistinguishable from legitimate users. They are widely used in account takeover, credential stuffing, ad fraud, and bot-driven abuse, and are often missed by traditional VPN and proxy detection.
IPinfo's residential proxy data applies the same measurement-first methodology used across all its data with:
- Directly observed detection: IPs are identified through active participation in residential proxy networks, not inference or heuristics
- Coverage across 110+ providers: Continuous monitoring of commercial residential proxy ecosystems
- High-confidence signals: Designed for use in automated detection rules, not just investigation
- Recency and persistence context: "Last seen" and "percentage of days observed" signals help teams evaluate how actively an IP is participating in proxy networks
These signals allow teams to move beyond binary classifications and evaluate how actively an IP is being used as a residential proxy. An IP seen consistently over time represents a different level of risk than one observed briefly, enabling more precise and adaptable detection logic.
"Residential proxies have transformed how internet traffic appears," said Ben Dowling, Co-Founder and Co-CEO of IPinfo. "They're also notoriously hard to detect using legacy IP data methods. Our approach is to observe these networks directly and continuously. By bringing that data into Splunk, we're giving security teams a signal they can trust, one that reflects how traffic actually behaves and can be built directly into their detection logic."
Complete IP Intelligence in Splunk
The IPinfo Splunk app operates at the search and enrichment stage of Splunk workflows, where analysts query data, correlate events, and add external intelligence.
When an IP address appears in log data, such as authentication events, network traffic, or application logs, the IPinfo app enriches that IP during search queries with structured fields that describe its location, ownership, and behavior. With a single command, teams can access IP address data like:
- Geolocation: Measurement-based, physically plausible location data
- Privacy detection: VPN, proxy, Tor, and relay identification
- ASN data: Network ownership and routing context
- Registration data: Organizational attribution for IP infrastructure
This data is accessible directly within Splunk searches, allowing analysts to investigate alerts, build detection rules, and automate triage without context switching.
Built for How Security Teams Use Splunk
IPinfo's Splunk Build Partner integration is designed to support real-world SIEM workflows at scale:
- Threat detection: Identify suspicious logins from anonymized or non-user infrastructure
- Alert enrichment: Add IP context to millions of alerts to support automated triage
- Fraud prevention: Detect proxy-based evasion and location spoofing in authentication and transaction logs
- Detection engineering: Build and refine rules using IP-based signals to reduce false positives
- Compliance: Enforce geo-based access policies and maintain audit trails
The integration supports both low-volume investigations and high-throughput environments:
- API enrichment for real-time queries
- Local MMDB database lookups for high-volume enrichment at Splunk-native speed
Customers use their existing IPinfo subscriptions, with no additional licensing or marketplace markup.
Evidence-Based IP Data for Security Workflows
IPinfo's methodology continuously collects, scores, and refreshes signals across multiple independent tiers, producing data that reflects how the internet actually behaves.
That makes the data trustworthy where it matters most. IPinfo's geolocation is physically possible, validated by ProbeNet against the rules of physics and an understanding of network topology. ProbeNet, IPinfo's internet measurement platform, actively measures latency constraints across the network while also identifying patterns consistent with proxy routing rather than ordinary residential use.
IPinfo's residential proxy detection is high-confidence and directly observed. Security teams can build on both with confidence.
Findings are cross-referenced against independent third-party intelligence sources, providing an additional validation layer and reducing reliance on any single signal.
That combination of direct participation, active measurement, and independent corroboration produces data that reflects how the internet behaves in practice. The result is IP intelligence that security teams can act on with confidence inside production SIEM environments.
As those environments grow more complex and ingest more data, IP intelligence becomes an even more critical layer. By bringing residential proxy detection directly into Splunk, IPinfo supports faster investigations, more accurate detections, and more efficient operations across the entire workflow.
About IPinfo
IPinfo is the internet data company, providing the world's most accurate IP data that delivers highly contextual metadata on each IP address, from geolocation and mobile carrier to privacy detection and proxies. IPinfo is trusted by more than 500,000 users, from developers to Fortune 500 companies, who use IP data to make smarter decisions, mitigate security risks, ensure regulatory compliance, and drive better customer experiences. IPinfo's robust and secure API processes more than 1 billion requests daily, with data also available through direct download and leading cloud platforms, all backed by a team of data experts who are committed to precision. Discover the power of better IP data at IPinfo.io.
View source version on businesswire.com: https://www.businesswire.com/news/home/20260519913453/en/
Contacts
Media Contact:
Contact Name: Meghan Prichard
Email: meghan@ipinfo.io
Phone Number: 1 (800) 731-7893
