
Security detection systems have a consistency problem that rarely gets discussed openly.
Every log source in a typical enterprise environment reports IP-related context slightly differently. A firewall says the connection came from Orlando. An authentication provider says Miami. A proxy log says Florida, no city. All three are describing the same session, but the data doesn't agree.
For a SOC analyst investigating an alert, this creates ambiguity. For an automated detection rule, especially something like impossible travel, it creates noise: shifting baselines, false positives, and alerts that get tuned into silence or ignored entirely.
This is the daily reality for security teams managing large, multi-source telemetry environments. And it's the problem that ziggiz, a cybersecurity startup building what they call a "Cyber Lakehouse" platform, set out to solve.
Most traditional SIEM architectures treat IP enrichment as something that happens after a detection fires. An alert triggers, then a SOAR playbook kicks off, then an enrichment step runs to add geographic or network context. By that point, the detection has already made a decision based on incomplete or inconsistent data.
The result is predictable. Detection engineers write rules against fields that report different values depending on which log source generated the event. Analysts receive alerts that look suspicious but turn out to be artifacts of inconsistent enrichment rather than actual threats.
Ryan Faircloth, Head of Product at ziggiz, has described this as the difference between enrichment and detection architecture. In a recent blog post, he put it bluntly: the problem isn't just accuracy, it's consistency. Two geo providers can both return technically correct answers for the same IP address and still produce conflicting signals that break detection logic.
ziggiz's platform takes a different approach. Their Cyber Lakehouse architecture ingests security telemetry from across an organization's environment (authentication events, firewall logs, endpoint data, network flows) and applies IP enrichment during ingest, before detections run.
The key architectural decision is a semantic data model. Rather than requiring security teams to manually map every IP-containing field across every log source (where one vendor calls it “src_ip”, another calls it “source_address”, another calls it “client_ip”), the platform understands what fields represent regardless of naming conventions.
This means enrichment is applied consistently across all data sources. Every IP address gets the same context (geolocation, ASN, network type, hosting classification, and more) before any detection rule evaluates it. The result is a normalized telemetry environment where detection engineers can write rules against reliable, consistent fields rather than fighting log format fragmentation.
Their platform is designed for scale. Security telemetry from large enterprises can generate massive datasets, and enrichment needs to happen at ingestion speed without becoming a bottleneck. This is why ziggiz works with local database deployments rather than API-based enrichment: the volume and latency requirements of streaming security data demand it.
ziggiz selected IPinfo as their external IP intelligence provider after evaluating alternatives including MaxMind. Their enrichment pipeline uses a decision tree that prioritizes internal network data first: if the organization knows what a particular IP address maps to within their own infrastructure, that takes precedence. When the platform needs external context for public IP addresses, it falls back to IPinfo's datasets.
The signals ziggiz pulls from IPinfo include geolocation, ASN, network type (hosting vs. residential vs. mobile), and company data. These attributes feed directly into detection logic. For example, an employee authenticating from a hosting provider IP when their normal pattern is residential broadband is a weak signal on its own. But combined with other behavioral indicators like unusual access patterns, session timing anomalies, and device changes, it becomes an investigation-worthy event.
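The pipeline sketched in the last few paragraphs, as an added example that is not ziggiz's or IPinfo's code: vendor-specific source-IP fields are mapped to one canonical name, each address is enriched at ingest by a decision tree that consults the organization's own allocations before a locally deployed external dataset, and a rule then evaluates the consistent `net_type` field alongside a second indicator. The internal ranges, the external lookup table and the events are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed: the organization's own allocations always take precedence
INTERNAL_NETS = {
    ipaddress.ip_network("10.20.0.0/16"): {"geo": "Orlando", "asn": "internal", "net_type": "corp_lan"},
}
# Constructed stand-in for a local external IP database (not IPinfo's real data)
EXTERNAL_DB = {
    "203.0.113.7": {"geo": "Orlando", "asn": "AS64500", "net_type": "residential"},
    "198.51.100.9": {"geo": "Miami", "asn": "AS64501", "net_type": "hosting"},
}
UNKNOWN = {"geo": None, "asn": None, "net_type": "unknown", "enrich_source": "none"}
# Semantic model: every vendor name that means "source IP" maps to one field
SRC_IP_ALIASES = ("src_ip", "source_address", "client_ip")

def enrich(ip):
    """Decision tree: internal network data first, external dataset second."""
    addr = ipaddress.ip_address(ip)
    for net, ctx in INTERNAL_NETS.items():
        if addr in net:
            return dict(ctx, enrich_source="internal")
    ext = EXTERNAL_DB.get(ip)
    return dict(ext, enrich_source="external") if ext else dict(UNKNOWN)

def normalize(event):
    """Canonicalize the source-IP field name and attach enrichment at ingest."""
    ip = next((event[k] for k in SRC_IP_ALIASES if k in event), None)
    out = {"user": event["user"], "src_ip": ip, "new_device": event.get("new_device", False)}
    out.update(enrich(ip) if ip else UNKNOWN)
    return out

def detect_hosting_anomalies(normalized):
    """Flag a user seen from a hosting IP when their usual net_type is residential,
    but only when a second indicator (a device change) agrees."""
    baseline = {}
    for ev in normalized:
        baseline.setdefault(ev["user"], Counter())[ev["net_type"]] += 1
    findings = []
    for ev in normalized:
        usual = baseline[ev["user"]].most_common(1)[0][0]
        if usual == "residential" and ev["net_type"] == "hosting" and ev["new_device"]:
            findings.append((ev["user"], ev["src_ip"]))
    return findings

SAMPLE_EVENTS = [  # constructed: three log sources naming the same field differently
    {"user": "alice", "src_ip": "203.0.113.7"},                          # firewall
    {"user": "alice", "source_address": "203.0.113.7"},                  # auth provider
    {"user": "alice", "client_ip": "198.51.100.9", "new_device": True},  # proxy
    {"user": "bob", "src_ip": "10.20.5.5"},                              # internal host
]
```

Running `detect_hosting_anomalies([normalize(e) for e in SAMPLE_EVENTS])` yields only alice's hosting-IP login, because every source's IP field was normalized and enriched the same way before the rule ran.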
This is the kind of multi-signal correlation that modern security analytics platforms need, and it depends on the enrichment layer being both accurate and consistent; otherwise, the entire detection chain inherits that inconsistency.
IPinfo's approach to building datasets through direct internet measurement, rather than relying on shared third-party registries, is part of what makes this architecture work. When the enrichment source operates independently from the same data supply chains that other providers draw from, the result is a more differentiated signal.
The pattern ziggiz has implemented reflects a broader shift in how security platforms consume IP intelligence.
Traditional SIEM integrations treat IP data as a lookup, something you query when you need it, usually during investigation. The next generation of security analytics platforms treats it as a foundational enrichment layer, applied at ingest, before any human or automated system makes a decision.
This has implications for how IP intelligence providers think about their products. When your data is being applied to every event in a multi-petabyte telemetry pipeline, consistency across updates matters as much as point-in-time accuracy. Schema stability matters. Update predictability matters. And the ability to deploy as a local database rather than an API becomes an architectural requirement, not a convenience.
For IPinfo, partnerships like this validate the investment in maintaining high-frequency database updates, comprehensive IP-to-network classification, and a data methodology that operates independently from legacy industry consensus.
As the partnership develops, we expect to collaborate on deeper technical content exploring specific detection use cases, including how residential proxy detection, VPN classification, and infrastructure-level IP context contribute to reducing alert noise and improving investigation workflows.
For security teams evaluating how IP intelligence fits into their detection architecture, the ziggiz approach offers a useful reference: enrich first, detect second. And make sure the enrichment layer is consistent enough that you can trust it.

As the product marketing manager, Fernanda helps customers better understand how IPinfo products can serve their needs.