
IP Reputation Is Dead. GreyNoise Just Proved What Our Behavioral Engine Has Known Since December.

  • Writer: Patrick Duggan
  • Apr 2
  • 4 min read

GreyNoise analyzed 4 billion malicious sessions over three months. The finding: 78% of them evaded IP reputation checks entirely.


Not because the attackers were sophisticated. Not because the blocklists were outdated. Because the traffic came from your neighbor's WiFi.



The Residential Proxy Problem


39% of the malicious sessions in GreyNoise's study originated from home networks. Real residential IP addresses. Real ISPs. Addresses that have never been on a blocklist because they belong to real people who unknowingly installed a free VPN or ad blocker that sells their bandwidth.


The attacker routes through Grandma's Comcast connection in Ohio. Your IP reputation system checks AbuseIPDB — clean. Checks Spamhaus — clean. Checks VirusTotal — clean. Passes. The scan completes. The credentials get stuffed. The next request comes from a different grandmother in a different state.


89.7% of these residential IPs stay active in malicious operations for less than a month. By the time the reputation databases flag them, the attacker has rotated to the next unwitting proxy node. The traffic spanned 683 different ISPs, with China, India and Brazil the leading source countries.


GreyNoise's conclusion: stop relying on IP reputation as a primary signal. Shift to behavioral detection.


We shifted in December.



5.37 Million Behavioral Decisions


Our OZ decision engine doesn't ask "is this IP on a list?" It asks "is this IP acting like an asshole?"


Sequential path probing — hitting /wp-login.php, then /wp-admin, then /xmlrpc.php in order. That's not a human browsing. That's a scanner. The IP might be clean on every reputation database in existence, but the behavior is a tell.


Login page fixation — 47 requests to /api/v1/auth with different credential pairs in 90 seconds. Residential IP, zero abuse score, never been blocked anywhere. But the behavior screams credential stuffing.


Timing signatures — requests arriving at perfectly regular intervals with zero jitter. Humans don't click every 2.000 seconds. Bots do. Even when they route through residential proxies, the timing is machine-precise.


5,374,056 autonomous decisions since we started. Each one a behavioral classification: is this traffic legitimate, suspicious, or hostile? Not based on where it comes from. Based on what it does when it gets here.



The Stealthy Outliers


We built an entire detection category for the gap GreyNoise identified. We call them "stealthy outliers" — sessions that score zero on AbuseIPDB and clean on traditional reputation, but exhibit hostile behavior.


The most dangerous cluster: VT-validated stealth threats. VirusTotal flags the IP (at least one of its vendors or community contributors has marked it malicious), but AbuseIPDB shows zero reports. The IP is known-bad to one system and invisible to another. That's a residential proxy that got caught by one researcher but hasn't made it into the crowd-sourced databases yet.


Our behavioral engine catches them regardless. The IP is clean. The behavior isn't.
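An added example, not the OZ engine's code, that runs the three tells described above (path-sequence probing, auth endpoint fixation, machine-precise timing) over a constructed access log, and then applies the reputation split this section describes: a hostile IP with zero AbuseIPDB reports is a stealthy outlier, and a hostile IP with a VirusTotal hit but zero AbuseIPDB reports is a VT-validated stealth threat. The thresholds, weights, probe sequence, auth paths, IP addresses and reputation lookups are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# All constants below are assumptions for this example, not tuned production values.
PROBE_SEQUENCE = ("/wp-login.php", "/wp-admin", "/xmlrpc.php")  # scanner tell from the text
AUTH_PATHS = {"/api/v1/auth", "/login", "/wp-login.php"}          # endpoints that take credentials
AUTH_FIXATION_COUNT = 20      # this many auth requests...
AUTH_FIXATION_WINDOW = 90.0   # ...inside this many seconds = credential stuffing
MIN_TIMED_REQUESTS = 6        # need a few inter-arrival gaps before judging timing
MAX_JITTER_CV = 0.05          # stdev/mean of the gaps below this = machine-precise timing


def has_probe_sequence(paths):
    """True if PROBE_SEQUENCE occurs as a contiguous run in the ordered request paths."""
    n = len(PROBE_SEQUENCE)
    return any(tuple(paths[i:i + n]) == PROBE_SEQUENCE for i in range(len(paths) - n + 1))


def max_auth_requests_in_window(auth_times, window=AUTH_FIXATION_WINDOW):
    """Largest number of auth requests that fall inside any span of `window` seconds."""
    best, start = 0, 0
    for end, t in enumerate(auth_times):
        while t - auth_times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def machine_timing(times, min_requests=MIN_TIMED_REQUESTS, max_cv=MAX_JITTER_CV):
    """True if the inter-arrival gaps are too regular for a human on a browser."""
    if len(times) < min_requests:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg < max_cv


def score_ip(events):
    """events: (epoch_seconds, method, path) tuples for one client IP, in any order."""
    events = sorted(events)
    times = [t for t, _, _ in events]
    paths = [p for _, _, p in events]
    auth_times = [t for t, _, p in events if p in AUTH_PATHS]
    signals = {
        "probe_sequence": has_probe_sequence(paths),
        "auth_fixation": max_auth_requests_in_window(auth_times) >= AUTH_FIXATION_COUNT,
        "machine_timing": machine_timing(times),
    }
    # Weights are assumptions: either strong tell alone is hostile; timing alone is only suspicious.
    score = 3 * signals["probe_sequence"] + 3 * signals["auth_fixation"] + 2 * signals["machine_timing"]
    verdict = "hostile" if score >= 3 else "suspicious" if score >= 2 else "legitimate"
    return {"verdict": verdict, "score": score, **signals}


def score_log(events):
    """events: (epoch_seconds, client_ip, method, path). Returns ip -> score_ip() result."""
    by_ip = defaultdict(list)
    for t, ip, method, path in events:
        by_ip[ip].append((t, method, path))
    return {ip: score_ip(evs) for ip, evs in by_ip.items()}


def classify(verdict, abuseipdb_reports, vt_malicious):
    """Split hostile behavior by what the reputation databases knew about the address."""
    if verdict != "hostile":
        return verdict
    if abuseipdb_reports > 0:
        return "known_bad"               # reputation alone would have caught it
    if vt_malicious > 0:
        return "vt_validated_stealth"    # flagged in VirusTotal, zero AbuseIPDB reports
    return "stealthy_outlier"            # clean everywhere, hostile on behavior alone


def classify_log(events, reputation):
    """reputation: ip -> (AbuseIPDB report count, VirusTotal malicious verdict count)."""
    return {ip: classify(r["verdict"], *reputation.get(ip, (0, 0)))
            for ip, r in score_log(events).items()}


# Constructed access log (documentation-range addresses): (epoch_seconds, ip, method, path)
SAMPLE_EVENTS = [
    (1000.0, "203.0.113.10", "GET", "/wp-login.php"),    # scanner: probe sequence, exactly 2.000 s apart
    (1002.0, "203.0.113.10", "GET", "/wp-admin"),
    (1004.0, "203.0.113.10", "GET", "/xmlrpc.php"),
    (1006.0, "203.0.113.10", "GET", "/wp-content/uploads/"),
    (1008.0, "203.0.113.10", "GET", "/readme.html"),
    (1010.0, "203.0.113.10", "GET", "/.env"),
    (2000.0, "192.0.2.55", "GET", "/"),                  # human: irregular timing, ordinary pages
    (2004.3, "192.0.2.55", "GET", "/blog/"),
    (2031.9, "192.0.2.55", "GET", "/blog/ip-reputation"),
    (2120.2, "192.0.2.55", "GET", "/contact"),
]
# residential proxy: 25 credential attempts in about 55 s, with enough jitter to pass the timing check
SAMPLE_EVENTS += [(3000.0 + i * 2.3 + (i % 3) * 0.4, "198.51.100.7", "POST", "/api/v1/auth")
                  for i in range(25)]

# Constructed reputation lookups: (AbuseIPDB reports, VirusTotal malicious verdicts)
SAMPLE_REPUTATION = {
    "203.0.113.10": (0, 1),   # one VT vendor flagged it; crowd-sourced abuse reports: none
    "198.51.100.7": (0, 0),   # clean everywhere
    "192.0.2.55": (0, 0),
}

if __name__ == "__main__":
    scores = score_log(SAMPLE_EVENTS)
    for ip, label in classify_log(SAMPLE_EVENTS, SAMPLE_REPUTATION).items():
        print(ip, label, scores[ip])
```

The stuffing client deliberately jitters its requests, so the timing check misses it; the auth fixation check still fires, which is why a single behavioral tell should never be the whole decision. The scanner is caught twice over, and its VirusTotal hit only changes the label, not the verdict.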



What the Numbers Say


Signal | What It Catches | What It Misses
IP reputation alone | Known bad actors, repeat offenders | 78% of attacks (GreyNoise)
Behavioral scoring alone | Pattern-based attacks, scanners, credential stuffing | Low-and-slow APT activity, zero-day exploitation
Both together | Known bad + behavioral anomalies + stealthy outliers | Sophisticated nation-state actors with custom tooling


IP reputation is necessary. It catches the lazy 22%. But if it's your only signal, you're blind to everything that matters.



The Precursor Advantage


Our PreCog system takes behavioral scoring one step further — it identifies infrastructure activation patterns 1-5 hours before the attack materializes. When a residential proxy network starts spinning up new nodes in a specific geographic pattern, the precursor signal fires before the first scan hits your perimeter.


GreyNoise found that 89.7% of residential IPs churn within a month. We found that the churn itself is the signal. When a batch of new residential IPs appears from the same ISP in the same region within the same hour, something is staging. You don't need to know the IP is bad — you need to know the pattern is wrong.
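An added example of the precursor idea described above, not the PreCog code: count addresses that have never been seen before, bucket them by (ISP, region, clock hour), and alert when one bucket is both large in absolute terms and far above that group's rate in the hours already observed. Repeat sightings of a known address never count as new. The thresholds, the ISP and region names, the dates and the addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumed thresholds for this example.
SURGE_MIN_NEW_IPS = 8    # never-before-seen addresses from one (ISP, region) in one clock hour...
SURGE_BASELINE_MULT = 4  # ...and at least this multiple of that group's prior hourly rate


def hour_bucket(ts):
    """Truncate a datetime to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def first_seen_table(sightings):
    """sightings: (utc_datetime, ip, isp, region). Returns ip -> (first_seen, isp, region)."""
    first = {}
    for ts, ip, isp, region in sorted(sightings):
        first.setdefault(ip, (ts, isp, region))   # later sightings of the same ip are ignored
    return first


def new_ips_per_group_hour(first_seen):
    """(isp, region) -> {hour_start: number of addresses first seen in that hour}."""
    groups = defaultdict(lambda: defaultdict(int))
    for ts, isp, region in first_seen.values():
        groups[(isp, region)][hour_bucket(ts)] += 1
    return groups


def detect_surges(sightings, min_new=SURGE_MIN_NEW_IPS, mult=SURGE_BASELINE_MULT):
    """Flag (ISP, region, hour) buckets whose count of newly seen addresses is large and far
    above the group's average over the hours already observed (history only, no hindsight)."""
    alerts = []
    for (isp, region), hours in new_ips_per_group_hour(first_seen_table(sightings)).items():
        for hour, n in sorted(hours.items()):
            prior = [m for h, m in hours.items() if h < hour]
            baseline = sum(prior) / len(prior) if prior else 0.0
            if n >= min_new and n >= mult * max(baseline, 1.0):
                alerts.append({"isp": isp, "region": region, "hour": hour,
                               "new_ips": n, "baseline": baseline})
    return alerts


def _t(hour, minute):
    """Constructed timestamp on an arbitrary day, UTC."""
    return datetime(2026, 3, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sightings: (utc_datetime, ip, isp, region), documentation-range addresses.
SAMPLE_SIGHTINGS = []
# background: one new Example Cable / US-OH address per hour, each seen twice (repeats do not count)
for h in range(6):
    SAMPLE_SIGHTINGS.append((_t(h, 15), f"203.0.113.{h + 1}", "Example Cable", "US-OH"))
    SAMPLE_SIGHTINGS.append((_t(h, 45), f"203.0.113.{h + 1}", "Example Cable", "US-OH"))
# staging: ten never-seen Example Cable / US-OH addresses inside 40 minutes of hour 06
for k in range(10):
    SAMPLE_SIGHTINGS.append((_t(6, 3 * k + 2), f"198.51.100.{k + 1}", "Example Cable", "US-OH"))
# a busier ISP elsewhere: three new addresses every hour is its normal rate, not a surge
for h in range(7):
    for k in range(3):
        SAMPLE_SIGHTINGS.append((_t(h, 10 * k + 5), f"192.0.2.{3 * h + k + 1}", "Example Fiber", "BR-SP"))

if __name__ == "__main__":
    for alert in detect_surges(SAMPLE_SIGHTINGS):
        print(alert)
```

None of the ten staged addresses has touched a blocklist, and none of them needs to: the alert is raised on the appearance pattern alone, while the busier ISP with a steady three new addresses an hour never trips it. In production the baseline would come from a longer history than one morning, and an ISP whose normal churn is high needs a higher multiplier rather than a lower absolute floor.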



1.97 Million Blocks


IP reputation feeds our blocklist. Behavioral scoring feeds our autonomous response. Together: 1,970,283 block events. Each one a threat stopped before it reached the network.


But 78% of those blocks aren't triggered by reputation. They're triggered by behavior. The residential proxy with the clean IP that started brute-forcing SSH at 3 AM gets blocked on the third attempt, not because we recognized the IP, but because the behavior pattern matched.



What GreyNoise Recommends (and What We Already Do)


GreyNoise Recommendation | Our Implementation
Behavioral detection over IP reputation | OZ decision engine (5.37M decisions)
Sequential probing pattern analysis | Path-sequence scoring in the behavioral profiler
Device fingerprinting that survives IP rotation | User-agent + TLS fingerprint + timing analysis
Focus on login page targeting (1.3% of sessions) | Auth endpoint monitoring with credential stuffing detection
Account for residential proxy rotation | Precursor surge detection (batch IP appearance patterns)
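An added example for the "fingerprinting that survives IP rotation" row, not the profiler's code: group sessions by a client fingerprint the proxy does not rewrite (User-Agent plus a TLS fingerprint such as a JA3/JA4-style hash), and flag a fingerprint that shows up from many distinct addresses inside a short window. The window, the minimum IP count, the fingerprint strings and the addresses are constructed for the example; the TLS fingerprint values are placeholders, not real hashes.

```python
from collections import defaultdict

CLUSTER_WINDOW = 600.0  # seconds; assumed
CLUSTER_MIN_IPS = 5     # distinct source IPs sharing one fingerprint inside the window; assumed


def rotating_clusters(sessions, window=CLUSTER_WINDOW, min_ips=CLUSTER_MIN_IPS):
    """sessions: (epoch_seconds, client_ip, user_agent, tls_fingerprint).
    Returns (user_agent, tls_fingerprint) -> set of IPs for every fingerprint that appears
    from at least `min_ips` distinct addresses inside some `window`-second span."""
    by_fp = defaultdict(list)
    for ts, ip, ua, fp in sessions:
        by_fp[(ua, fp)].append((ts, ip))
    clusters = {}
    for key, hits in by_fp.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide the window forward
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                clusters.setdefault(key, set()).update(ips)
    return clusters


# Constructed fingerprints: a scripted client and a common desktop browser build.
SCANNER_FP = ("python-requests/2.31.0", "tlsfp:aaaa1111")
BROWSER_FP = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/123.0.0.0 Safari/537.36", "tlsfp:bbbb2222")

# Constructed sessions: (epoch_seconds, client_ip, user_agent, tls_fingerprint)
SAMPLE_SESSIONS = []
# one client behind eight residential exit IPs in 3.5 minutes: rotation leaves the fingerprint untouched
for k in range(8):
    SAMPLE_SESSIONS.append((5000.0 + 30 * k, f"203.0.113.{k + 1}", *SCANNER_FP))
# a popular browser build seen from six unrelated users over three hours: same fingerprint, no burst
for k in range(6):
    SAMPLE_SESSIONS.append((5000.0 + 1800 * k, f"198.51.100.{k + 1}", *BROWSER_FP))

if __name__ == "__main__":
    for key, ips in rotating_clusters(SAMPLE_SESSIONS).items():
        print(key, sorted(ips))
```

The browser fingerprint is shared by six real users and is never flagged because those sessions are spread across hours, which is the check that keeps a popular browser build from becoming a false positive. The fingerprint, not any of the eight addresses, is the indicator worth keeping: the addresses will be someone else's next week.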


We're not claiming GreyNoise is late. They did the research. They quantified the problem. 4 billion sessions is a dataset we can't match. What we're saying is: the solution has been running since December 2025, making millions of behavioral decisions, and the independent validation just arrived.



The Feed


Our STIX feed carries behavioral indicators alongside traditional IOCs. When we block a residential proxy for hostile behavior, that behavioral signature goes into the feed. Not just the IP (which will be useless in a month), but the pattern — the path sequence, the timing signature, the fingerprint cluster.


275+ organizations in 46 countries consume this feed. They're not just getting a list of bad IPs that expire in 30 days. They're getting behavioral signatures that work regardless of source IP.



https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_KEY


IP reputation is dead as a primary signal. Behavior is the signal that survives rotation. We've been building on that thesis since day one.




GreyNoise studied 4 billion sessions and found 78% evade IP reputation. Our behavioral engine has made 5.37 million autonomous decisions since December without IP reputation as the primary signal. The stealthy outlier cluster — VT-flagged but AbuseIPDB-invisible — is the residential proxy gap in action. We catch them on behavior, not address.


The question isn't "is this IP bad?" The question is "is this IP acting like an asshole?" Our engine answers that 5.37 million times and counting.

