39% of unique IPs targeting the edge come from home internet connections. That is nearly double their 22% share of sessions — each residential IP averages fewer than 3 sessions before disappearing, and the median is just 1. They are everywhere, briefly. Over 90 days, we analyzed 4 billion sessions across 5.7 million unique IPs on the GreyNoise Observation Grid. This webinar presents the full findings — why IP reputation is structurally broken against this traffic, behavioral patterns consistent with compromised home PCs following the human sleep cycle, and what four separate threats hiding behind one label mean for detection strategy.

You'll learn:

• The Rotation Economy: why static blocklists are structurally ineffective against residential proxies. 78% of residential IPs are observed at most twice across the entire Global Observation Grid before rotating. 89.7% vanish within one month. We will walk through the 1.72x multiplier between session share and IP share, why MaxMind's geolocation-based classification detected 0% of residential proxy traffic, and why the rotation rate makes feed-based defenses structurally ineffective.
• The device owners are victims: behavioral signatures of compromised home PCs. Traffic from IPs geolocating to India drops 34% at night — peak 11,503 sessions per hour, trough 4,909 — because the most likely explanation is that the infected machines are physically powered off. Server traffic varies less than 3%. SMB was 84% residential, with zero overlap between SMB and Telnet populations among 2,487 IPs, pointing to four separate threats hiding behind one label.
• Scanning versus exploitation: residential IPs almost never exploit. Only 0.1% of residential sessions carry exploitation payloads, versus 1.0% from hosting infrastructure — a 10x gap. We will cover what 33 residential IPs targeting VPN login pages and 48 IPs with VPN client signatures (39 FortiClient, 6 GlobalProtect, 3 SonicWall) tell us about where this threat intersects enterprise attack surface.
• When one proxy network dies, another takes its place. IPIDEA maintained 9 to 11 million daily proxies before disruption. 911 S5 spanned 19 million IPs across 190 countries before FBI takedown. 46% of proxy IPs span multiple providers. Disruption buys time; it does not solve the problem. We will discuss what does.

Who should attend:

• SOC Analysts and Detection Engineers — Understand why residential proxy traffic rotates too fast for blocklists to track and what behavioral signals — temporal patterns, protocol separation, exploitation ratios — replace IP reputation as detection logic.
• Threat Intelligence Teams — Gain data on the scale of the rotation economy across 683 ISP organizations, the 46% provider overlap that defeats single-source blocking, and why detection must shift from "where is the traffic from?" to "what is the traffic doing?"
• Security Leaders and Architects — Evaluate the structural limitations of IP reputation in your current stack.