
We just returned from Black Hat Europe 2025 in London, and wow, what a week. Over 4,500 security professionals packed the ExCeL venue for four days of keynotes, briefings, and some of the best hallway conversations we've had in years.
(Also, shout out to whoever organized the lockpicking table, I learned a lot about physical security in the process. And yes, I may have spent way too much time at the Lego swag raffles.)
But beyond the fun, we were there to listen. To understand what's keeping security teams up at night, and how accurate IP intelligence fits into solving those problems. Here's what we heard.
Let's just say it: if we had a dollar for every time someone mentioned they were "struggling with geolocation accuracy" or dealing with "too many false positives from our current vendor," we could have bought everyone at our booth a coffee.
Security teams told us they're frustrated with legacy IP data that hasn't been updated in months, leading to false positives that waste SOC time and create alert fatigue. One threat analyst mentioned their current solution's data quality issues and said they've "been complaining" about it. Another team said they're "periodically evaluating" alternatives because the false positives are impacting their confidence in IP data altogether.
Here's the thing: in incident response and threat hunting, inaccurate IP data isn't just annoying, it actively misleads investigations. When you're trying to attribute an attack or block malicious traffic, you need to trust your data. If your geolocation says an IP is in one country when it's actually in another, you're making decisions based on fiction.
Our evidence-based approach using our ProbeNet internet measurement platform caught attention. A Japanese service provider specifically mentioned interest in our approach after experiencing challenges geolocating IPs from third-party hosting companies. A country/government defense organization, whose decisions can impact geopolitics, told us they don't currently trust IP data and need more precision. They were intrigued by the idea of leveraging ProbeNet to validate data on their own.
The message was clear: security teams are done with "trust us, it's accurate." They want evidence. They want verification with daily updates.
Black Hat's inaugural AI Security Summit was packed. Sessions covered everything from prompt injection attacks to securing AI agents, with the Model Context Protocol (MCP) flagged as "the next major battleground for AI security."
From our conversations at the booth, we're seeing AI introduce new challenges for network monitoring. One team is building cloud-based apps and exploring how to enrich security incidents to prevent wasted effort investigating false positives.
The AI security question that keeps coming up: How do you track what your AI agents are connecting to?
As organizations deploy autonomous AI systems that make decisions and API calls without human intervention, understanding their network behavior becomes critical. Is your AI agent connecting to a legitimate cloud API, or has it been compromised? Is that training data source actually who they claim to be?
This is where IP intelligence becomes essential infrastructure for AI governance:
The conversation around AI security is still evolving, but one thing is certain: you can't secure what you can't see. Network-level visibility through accurate IP intelligence gives security teams the foundation to monitor and protect AI systems.
Cloud security and zero-trust implementation were recurring themes throughout Black Hat. Multiple teams mentioned they're moving to zero-trust models but struggling with the data quality needed to make it work.
Zero-trust architecture is based on the principle of "never trust, always verify." That sounds great in theory, but verification requires accurate IP intelligence about every connection.
At its core, zero-trust means validating every connection, not just trusting that something inside your network perimeter is safe. Our IP data supports zero trust through several critical signals:
One financial services company we spoke with mentioned they're using geolocation data in their SIEM platform to check where employees are logging in from, but they've had false positives recently. An employee appeared to be logging in from the mainland US when they were actually in Puerto Rico. They were interested in our POI (Point of Interest) tags to reduce these false positives and better understand actual employee locations.
The key insight: zero-trust doesn't mean blocking everything; it means making intelligent, context-aware decisions. That requires high-quality, frequently updated IP intelligence.
If there was one theme that dominated our booth conversations, it was this: teams desperately need better VPN and residential proxy detection.
The problem showed up everywhere:
One CISO from a financial institution told us they're evaluating ways to improve fraud detection and finding limitations with their IP data provider. They're not getting residential proxy signals or VPN data at all. An MDR team using our free tier mentioned they want to add more context to threat detection, particularly around privacy services and residential proxies.
Why this matters: Sophisticated attackers increasingly use residential proxies to mask their activities. Unlike datacenter VPNs that are easier to spot, residential proxies route traffic through real home IP addresses, making them look like legitimate users. If your IP intelligence can't detect these, you're essentially blind to a major attack vector.
We talked about our privacy detection capabilities quite a bit: not just identifying VPNs, but specifically detecting residential proxies, hosting providers, and different types of anonymization services. Several teams mentioned interest in seeing "evidence" of our detection capabilities.
Something interesting emerged from our conversations: the tolerance for imprecision has changed.
Multiple teams mentioned they use SIEM platforms for their SOC operations. Satisfaction didn’t hinge on the platform itself, but on the quality of the IP data feeding into it. As threats become more dynamic, driven by automation, AI-enabled abuse, and faster infrastructure churn, “good enough” IP data is no longer sufficient for security-critical decisions.
We also talked with teams from major security vendors looking at data integration for their XDR platforms, companies evaluating integration options, and several security tool vendors exploring partnerships.
The shift we're seeing: organizations don't want to manage multiple point solutions for IP intelligence. They want it natively integrated into their SIEM, SOAR, XDR, and other security tools, delivered via clean APIs and maintained at a level of accuracy that matches the stakes of today’s threat landscape.
After dozens of conversations, a few clear patterns emerged about what security teams need from IP intelligence in 2025:
1. Accuracy they can verify. Not claims. Not marketing. Actual evidence. Teams want to understand how you get your data and why they should trust it.
2. Frequent updates. Monthly batch updates create blind spots that attackers exploit. Daily updates are becoming table stakes.
3. Context, not just coordinates. Knowing an IP is in "New York" isn't enough. Teams want to know: Is it a VPN? Residential proxy? Cloud provider? Hosting company? Mobile carrier? The more context, the better decisions they can make.
4. Detection of privacy services. VPN detection, residential proxy identification, and privacy relay detection are must-haves for modern security operations.
5. Easy integration. Security teams are overwhelmed. They don't have time for complicated integrations. Clean APIs, good documentation, and platform partnerships matter.
6. Evidence for compliance and investigations. When regulators ask questions or incidents need investigation, teams need to show their work. IP intelligence that includes provenance and validation helps justify security decisions.
Black Hat Europe reinforced something we already believed: accurate, real-time IP intelligence isn't a nice-to-have in modern security; it's fundamental infrastructure.
Whether you're implementing zero-trust architecture, securing AI agents, hunting threats, preventing fraud, or investigating incidents, it starts with understanding the network. And that understanding depends on having IP data you can actually trust.
We left London with a notebook full of feedback, a pile of follow-up meetings scheduled, and honestly, a renewed appreciation for how hard security teams are working to defend against increasingly sophisticated threats.
If you're struggling with IP data accuracy, frustrated with false positives, or looking for better VPN and proxy detection, we'd love to talk. The conversations we had at Black Hat were genuinely helpful in understanding what security teams need, and we're excited to keep building solutions that actually solve those problems.
Want to chat about how IPinfo can support your security operations? Book a call with our team or create a free account to see the difference accurate IP data makes.
P.S. - Seriously though, if anyone has tips for lockpicking, let us know. We're committed to improving our skills before the next Black Hat.

As the product marketing manager, Fernanda helps customers better understand how IPinfo products can serve their needs.