Important Trends Among Masked Identities

This year, the VPN industry alone is expected to grow beyond $31 billion. And among the 4.33 billion active Internet users around the world, over 31 percent have used a VPN.

As popular as VPNs are, they only represent a small percentage of IP masking methods. Others include proxies, tor, relay usage, or a connection via a hosting provider, which can potentially be used to tunnel traffic.

And while some masked IPs are simply trying to protect their online personal information, many others hide their identity for malicious purposes such as exploiting server vulnerabilities, executing MITM attacks, stealing sensitive data, and more.

A recent study by IPinfo identified some interesting trends among masked IP addresses. Among these findings are some important takeaways for high-risk IP ranges, allowlisting/denylisting IPs, preventing IP spoofing, and ultimately securing cloud infrastructure by reducing your attack surface.

Here are the important metrics we’ll consider, from which we’ll draw applications for infrastructure security.

  1. IPv4 versus IPv6 usage among masked identities
  2. Comparison of most common IP masking methods 
  3. Deep dive into the most-widely-used VPN services 

IPv4 versus IPv6 Usage Among Masked Identities 

The team at IPinfo tracked IP masking on IPv4 and IPv6 addresses separately by running two separate queries in the database. For IPv4: 

select SUM(func.f_rough_range_size(`range`)) 
from ipinfo.privacy 
where func.f_ip_family(`range`) = 4; 

We then ran a similar query on all IPv6 addresses. 

Of IPv4 addresses, around 308,824,804 users hide their identities. Approximately 1.1239648737961904 x 10-33 IPv6 addresses mask their IP address. 

As you may have expected, the difference in these numbers is due largely to the massive pool of IPv6 addresses available. But as IPv6 adoption continues to grow, we expect to see even more masked IPs using IPv6. Here’s how IPv6 has grown over the past few years.

Graph showing an increasing trend in IPv6 address adoption among Google users.
IPv6 adoption among Google users (courtesy of

Percentage-wise, 0.000330304% of all IPv6 addresses hide their identity, and approximately 7.190387789% of all IPv4 addresses hide their identity. 

A comparison chart of IPv4 vs IPv6 masked identities among the top 10 countries.
Comparison of IPv4 and IPv6 masked identities

It’s important to remember that IPv6 addresses have some added layers of security. Built into IPv6 are IPSec – IETF security protocols that promote authentication, security, and data integrity. While IPSec can be added to sites, servers, and routers using IPv4 addresses, the implementation is more expensive and therefore not widely used.

Table comparing IPv4 addresses to IPv6 addresses.
(Source: Cybernews)

That being said, IPv4 addresses have a higher risk from malicious bots and spammers. But IPv6 security protocols don’t necessarily insulate these IPs from masked identities either. 

When it comes to cloud penetration testing, identifying and tracking IPs is a very important component. 

Chart indicating findings of IP addresses in a cloud penetration testing.

Comparison of Most Common IP Masking Methods

Among the many methods that exist for masking IPs, we found that the most common is hosting services – over 95 percent in fact. VPNs come in second place with around 5.24 percent.

Comparison table between most common IP masking methods.

Hosting providers often help bots and spammers hide their IPs. Plus, VPNs can also be operated through hosting services. This contributes to the large number of masked IPs attributed to hosting providers. 

Another interesting stat is that Apple Private Relay (APR) is currently the third most popular method for masking IPs. While it only consumes 0.12 percent of all anonymous IPs, its ranking has significantly grown since APR’s release in 2021. 

Chart indicates the increasing traffic of Apple Private Relay (APR) in 2021.

APR traffic growth is also important because it’s geo-aware. Users can’t tunnel their IP to a different location using APR. While APR protects personal identifiers such as IP addresses, it still provides accurate, generalized location data. Ultimately this led to IPinfo working with Apple to create a geo-aware feature within our Privacy Detection dataset. 

Deep Dive into the Most Common VPN Services

All of these other metrics led our team to wonder what VPNs are used the most. We found that VPN Gate outranks all other services. There are several probable reasons for this ranking. Most importantly, VPN Gate is free, and it’s open-source. 

A list of most common VPN services.

For VPN users these seem like upsides, but on the penetration testing side, VPN Gate’s free, open-source infrastructure may be vulnerable to MITM attacks due to misuse of the SSL certificate. Because VPN Gate lacks SSL certificate verification at the client site, a MITM attacker can hijack an IP by modifying the IP destination address and then implementing a TLS MITM attack.  

Graphic showcasing MITM attacker hijacking a VPN gate.
(Source: Hindawi journals)

Needless to say, this introduces vulnerabilities to both the VPN user and the sites, servers, and other infrastructure they access, leading to information theft, data breaches, compromised infrastructure security, and more. 

For instance in 2013, Apple’s Fairplay – a digital rights management system – was attacked by a MITM attack, leading to pirated distribution of proprietary content. Since then, Fairplay MITM attacks have been used by other malicious entities to steal Apple IDs and passwords. 

Graphic of the Fairplay MITM attack stealing Apple IDs and passwords.
How AceDeceiver exploits Fairplay vulnerabilities (Source: Infosec)

What You Should Know About Geo-aware Services

As was mentioned in the previous section, APR is gaining traction among VPNs. Currently, it ranks fourth in our IP count below NordVPN and PureVPN. 

ServiceNumber of IPs
VPN Gate3021604
Apple Private Relay90839

Separating APR traffic from other VPN users can be useful. APR users differ from VPNs because they seem to be more concerned about protecting their personal information than hiding their general location.  

For instance, here’s a comparison of responses from IPinfo’s Privacy Detection database. The first is a typical response for IPs that aren’t masked by VPNs, tor usage, or hosting providers. 

IPInfo’s Privacy Detection Database shows typical responses for Comcast IP address.

Shown below is what a typical Privacy Detection response reveals about masked IPs: 

IPInfo’s Privacy Detection Database shows typical responses for ExpressVPN IP address.

And finally, here’s what Privacy Detection queries show for APR users. 

IPInfo’s Privacy Detection Database shows typical responses for Apple Relay IP address.

In contrast to the masked identity example, the APR response shows that this IP is located near Seattle, Washington. APR data, even though it’s masked, still contains useful information for penetration testing.  

The fact that APR is one of the most-used privacy services means that there’s more threat intelligence to be gained from this somewhat anonymous data. As more geo-aware services come onto the market, IPinfo is ready to implement them into our Privacy Detection datasets. 

Chart comparison of the most commonly used privacy services.

For industries with high stakes – such as Fintech, Cybersecurity, Healthcare, and others – security issues from VPNs can introduce additional vulnerabilities. Privacy Detection data is one tool that can help digital rights management and digital infrastructure security develop mature application security programs, reduce attack surfaces, secure your networks, and more. 

Try IPinfo’s Privacy Detection data for free. Sign up for a weeklong free trial of all our APIs. 

NetSPI leverages IPInfo’s geolocation data set to identify new and changing IP addresses in our Attack Surface Management platform. Learn more about the platform capabilities:   


Data Center Knowledge: Bugs in the Data Center: How Social Engineering Impacts Physical Security

On June 9, 2022, NetSPI Security Consultant, Dalin McClellan, was featured in an interview on Data Center Knowledge called Bugs in the Data Center: How Social Engineering Impacts Physical Security. Read the preview below or view it online.


One data center management team learned the hard way that bugs can be a menace – or, to be more specific, the people who hunt them. And we’re talking about real, six-legged bugs, not the computer kind.

It started last November when NetSPI, a Minneapolis-based penetration testing firm, was hired to do a test by a company that owned several colocation facilities. NetSPI’s job was to use social engineering to physically breach the data center, with the objective to get into one of their facilities and into a position where they could access the networks.

“This was a highly secured facility,” said Dalin McClellan, senior security consultant at NetSPI. “All the doors have retina scanners and badge readers. And there are man traps. You go through the door into a small room and wave to wait for the first door to close before you can open the second door and come in.” That means that McClellan’s team couldn’t just follow someone into the building. Worse yet, there are only two employees who work at the facility, plus a security guard. Strangers would immediately stick out. “Plus, we only had a week to prepare,” said McClellan.

Normally, what NetSPI would conduct deep research on the facility, find out about all the external visitors who are allowed in, collect copies of stationary and get sample email, and connect with the employees via social media or other channels. They typically start with Google, the company’s own website, LinkedIn, and then proceed to learning anything and everything they can about the facility and about the people who work there.

“And we would do physical reconnaissance, where we sit in a car outside the building and watch employees go in and out, and watch vendors go in and out,” he said. “Normally, this could take up to several weeks.”

But the client only gave them a week.

Read the full story online to discover how the social engineering engagement fared!


2022 RSA Conference: What Makes Us the Most Innovative Pentesting Company?

The RSA Conference is one of the largest cybersecurity events in the world, offering a multitude of opportunities for members of the cybersecurity community to gain valuable insights and network with one another. And this week, the NetSPI team packed their bags and flew out to San Francisco for the conference after a two-year hiatus. 

Not only is this a big week for the cybersecurity industry, but also for team NetSPI as we take home the Global InfoSec Award for “Most Innovative in Penetration Testing.” Prior to their arrival at RSA, we asked our team to answer a few questions: 

  1. What are you looking forward to most during the 2022 RSA Conference?
  2. What does NetSPI’s recognition as “Most Innovative in Penetration Testing” mean to you and what do you think makes NetSPI the most innovative pentesting company? 

Continue reading for responses from our product, services, and sales leadership – all of which were clearly excited to see many of our clients and customers in-person.

What are you looking forward to most during the 2022 RSA Conference?  

Cody Chamberlain, Head of Product  

“The security community isn’t very large and bringing everyone together is extremely valuable. This is an opportunity for connecting, sharing stories, and further building relationships across companies. 

Talking with clients and prospects about the NetSPI story is the most exciting thing for me. We are in a unique position in the market with our combination of industry-leading talent and technology and I’m excited to share that with people at the conference, especially those unaware of us.” 

Charles Horton, Chief Operating Officer 

“The RSA Conference has always had an impressive lineup of speakers and sessions. Having a hiatus like many conferences have had, I think there will be a tremendous amount of energy coming into the conference as people are eager to collaborate in person with clients, colleagues, and vendors. As the landscape continues to move and shift, and clients go through different investment levels and cycles of their security programs, it is an opportune time to evaluate who and where they are investing their dollars given the number of sponsor organizations at the event.”

Chad Peterson, Managing Director  

“I am most excited about getting the opportunity to speak with our clients and industry face-to-face again. Any time we have the chance to interact in person, it always seems to foster great conversations and thought leadership. 

Having a group of experts throughout the industry under one roof again allows us to exchange ideas on how to better the security community and holistically help our shared client base.” 

Robert Richardson, VP of Enterprise Sales 

“The opportunity to connect face-to-face and spend time with our clients and meet new people is what I’m most excited about. It’s been too long. I’m really glad the turnout is exponentially larger than 2020.” 

Alex Jones, Chief Revenue Officer  

“I’m absolutely most excited about seeing all of our amazing customers. It has been such a long time since our last in-person RSA conference and the event presents such a great opportunity to connect with a high volume of people in such a short time. A huge plus is that we get to enjoy seeing our customers while also doing a lot of events with our NetSPI team. 

From a presentation perspective, I am most intrigued about Bruce Schneier’s keynote, ‘What Matters Most.’ There is so much change occurring at such a rapid pace within our industry that we need to challenge conventional thinking and start trying to solve problems in a different way.” 

Nabil Hannan, Managing Director 

“With the RSA conference being an in-person event this year, I’m most excited to re-connect with people in the industry in person. After two plus years of the pandemic, it’ll be really nice to re-connect with colleagues and catch up in person and learn from them about their current areas of focus, challenges, and the industry trends that they’re observing.” 

What does NetSPI’s recognition as most innovative in pentesting mean to you and what do you think makes NetSPI the most innovative pentesting company? 

Cody Chamberlain, Head of Product  

“It means we’re getting third-party validation of what we already know – that we have the best talent in the industry and the investments we’ve made into our technology are meeting the market’s need of high-touch customer service. As a result, we’re able to identify more vulnerabilities of a higher severity for our clients. 

Our people make NetSPI the most innovative pentesting company. As the person who works everyday building and executing a technology roadmap, that might sound counter intuitive, but I see my job as finding the best ways to scale and maximize the effectiveness of our humans. At the end of the day, humans are the key to our success!” 

Charles Horton, Chief Operating Officer 

“The award is certainly flattering and is really a reflection of the purpose we have as an organization along with our passion and pursuit of excellence. NetSPI has achieved this recognition due to our unwavering commitment to our clients and our team members. Our mission is to combine elite talent and technology to provide a differentiated experience and outcome for our clients, and we take pride in that recognition. This award is based on our work and reputation for things already done, and we will continue to build on this as we go forward.” 

Chad Peterson, Managing Director  

“Winning this awareness is a testament to all the hard work and dedication our teams have put in. From the consultants, technicians, sales, and strategy teams to marketing and leadership – everyone has had their hand in making NetSPI what we are, and it shows in the work that we are being honored for. 

We have some of the most talented penetration testing experts in the industry. Without these people to shape the technology that we leverage –  Resolve, AttackSim, and the Attack Surface Management platform – to streamline our work and allow our pentesting consultants to spend their valuable time identifying, verifying, and providing guidance on how to address findings for our clients, we would not be the company that we are today.”  

Robert Richardson, VP of Enterprise Sales 

“The secret is out. We’ve been delivering game changing quality and consistency for years, so it’s really exciting to see our growth and brand be recognized. 

It’s a combination of our technology, people, and culture – the combination of those things creates consistency and quality in the depth of our services.” 

Alex Jones, Chief Revenue Officer  

“It is tough to truly articulate how much this award means to me. For me, this is the culmination of four years of incredibly hard work, so to see how far we have come as a company but then also be publicly recognized for it is such a testament to what we have accomplished thus far. Frankly, I feel like we are just getting started! I am such a small part in this puzzle, as my four years of hard work pale in comparison to the 10+ years of hard work so many of our technical and thought leaders have put in to build our incredible reputation. 

What makes NetSPI the most innovative in pentesting is our unique combination of industry-leading technical talent, sophisticated use of bleeding edge technology, unrelenting focus on customer experience, and a culture that promotes and rewards the highest levels of moral and ethical standards.” 

Nabil Hannan, Managing Director 

“It’s a true feeling of pride knowing that I am part of an organization that is being recognized for excellence in our space. This award is a great validation of the work we have been doing as a company and that we are truly having an impact on the world of penetration testing.” 

Connect With NetSPI at the 2022 RSA Conference 

It’s clear that the team cannot wait to see many new and familiar faces this week at the conference and discuss how we have seen the industry “transform” over the past two years, and where it’s headed next.  

Book a meeting with us to discuss penetration testing in-depth or explore our other services.


NetSPI Named “Most Innovative in Penetration Testing” in the Global InfoSec Awards

NetSPI honored in the coveted 10th Annual Global InfoSec Awards at the 2022 RSA Conference.

Minneapolis, MNNetSPI, the leader in enterprise penetration testing and attack surface management, was awarded “Most Innovative in Penetration Testing” from Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine.  

NetSPI represents the key criteria that CDM and the Global InfoSec Award judges look for in cybersecurity winners: understanding tomorrow’s threats, today, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach.  

Traditional pentesting has not kept pace with the realities of business agility and cybercriminal sophistication. NetSPI has revolutionized the Penetration Testing as a Service (PTaaS) delivery model to enable organizations to view penetration testing results in real time, scale to support innovation, orchestrate faster remediation, perform always-on continuous pentesting, and more. 

NetSPI’s Resolve penetration testing platform, backed by its global team of expert pentesters, helps clients improve vulnerability management and remediation processes, better understand and reduce risk, manage the evolving attack surface, and leverages automation to enable manual pentesting to find business critical vulnerabilities that tools alone cannot uncover.  

NetSPI continuously develops new solutions to meet evolving threats – most recently launching attack surface management and announcing enhancements to its breach & attack simulation services

“We’re thrilled to be honored by Cyber Defense Magazine,” said Aaron Shilts, President and CEO of NetSPI. “Our technology-powered services are disrupting the penetration testing industry, and this recognition is a true testament to our global team’s unwavering dedication to delivering world-class penetration testing services.” 

Global Infosec Awards Winner – Cyber Defense Magazine 2022

“NetSPI embodies what we look for in leading innovators within the cybersecurity industry,” said Gary S. Miliefsky, Publisher of Cyber Defense Magazine. “NetSPI’s platform driven, human delivered approach to offensive cybersecurity provides a unique opportunity for organizations to think strategically about their proactive security efforts, instead of viewing penetration testing as a check-the-box activity.” 

For more information on NetSPI, visit the company website or speak with the company’s penetration testing experts at booth #4605 at RSA Conference 2022. Learn more about this year’s Global InfoSec Award winners in this full list here.


About NetSPI 

NetSPI is the leader in penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn

About CDM InfoSec Awards 

This is Cyber Defense Magazine’s tenth year of honoring InfoSec innovators from around the Globe. Our submission requirements are for any startup, early stage, later stage, or public companies in the INFORMATION SECURITY (INFOSEC) space who believe they have a unique and compelling value proposition for their product or service. Learn more at 

About Cyber Defense Magazine 

Cyber Defense Magazine is the premier source of cyber security news and information for InfoSec professions in business and government. We are managed and published by and for ethical, honest, passionate information security professionals. Our mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry.  We deliver electronic magazines every month online for free, and special editions exclusively for the RSA Conferences. CDM is a proud member of the Cyber Defense Media Group. Learn more about us at and visit and to see and hear some of the most informative interviews of many of these winning company executives.  Join a webinar at and realize that infosec knowledge is power.

NetSPI Media Inquiries
Tori Norris, NetSPI
(630) 258-0277 

Amanda Echavarri, Inkhouse for NetSPI
(978) 201-2510 

CDM Media Inquiries

Contact: Irene Noser, Marketing Executive
Toll Free (USA): 1-833-844-9468
International: 1-646-586-9545


Techstrong: Data Breach Communication – Cody Chamberlain, NetSPI

On June 6, 2022, NetSPI Head of Product, Cody Chamberlain, was featured in an interview on TechStrong called Data Breach Communication – Cody Chamberlain, NetSPI. Read the summary below or listen to the interview online.


Data breaches are occurring more frequently than ever before – even with the best security precautions in place. While a cyber-attack may be out of an organization’s control, one thing it can and should control is how it communicates a breach to involved parties. Cody Chamberlain, NetSPI Head of Product, discusses the three key elements to implementing a successful data breach communication strategy: an incident response plan, open communication, and transparency. 


NetSPI’s New Breach and Attack Simulation Enhancements Help Organizations Achieve Behavior-Based Threat Detection

Organizations leverage the platform-driven, human-delivered service to measure and continuously improve the efficacy of detective controls and MSSP coverage.

Minneapolis, MNNetSPI, the leader in penetration testing and attack surface management, today announced new Breach and Attack Simulation (BAS) enhancements to meet increased market demand for improved threat detection. With the combination of the AttackSim cloud-native technology platform and hands-on counsel from NetSPI’s expert penetration testing team, organizations can continuously test their detective controls against real-world attack tactics, techniques, and procedures (TTPs). 

According to NetSPI data, only 20% of common attack behaviors are caught by out-of-the-box detective controls (EDR, SIEM, MSSPs) – leaving organizations with a false sense of security. The updates to NetSPI’s Breach and Attack Simulation allow detection engineers to measure their ability to detect common adversary behaviors and ultimately prioritize detection development as well as investments.  

Following the initial collaborative assessment with NetSPI’s experts, the AttackSim technology platform is provided to organizations for continuous testing and improvement. The platform features many new updates including: 

  • Seamless use, regardless of skill level: An enhanced user experience (UX) and a refined user interface (UI) can be used by experts and novices alike.
  • New automated plays and playbooks: Detailed manual procedures for reproducing attacker behavior, as well as consistently updated security playbooks, allow organizations to better strengthen their security posture. With the latest updates, NetSPI has nearly 300 attack plays that can be used to test detective controls.
  • Enhanced reporting: Security teams now have additional data and metrics to work with, such as peer comparison, year-over-year reporting, and telemetry flow analysis. New reports that support programmatic, tactic, technique, and procedure (TTP) summary metrics are also now available.  

“Indicators of Compromise have become less useful as the threat landscape evolves at a breakneck speed,” said Cody Chamberlain, Head of Product at NetSPI. “To stay ahead of malicious actors, organizations must shift their gaze to detect attackers before something bad happens. The NetSPI AttackSim platform, combined with the power of our skilled team of penetration testers, lets organizations continuously simulate real attack behavior, providing better insight into the efficacy of their detective controls.” 

“Small and medium-sized organizations with limited personnel often rely on MSSPs to implement detections and operate similarly to a security operations center (SOC),” said Scott Sutherland, Senior Director, Adversary Simulation and Infrastructure Testing at NetSPI. “We built Breach and Attack Simulation not only to improve detections, but also to enable organizations to validate MSSP coverage and better understand the scope of their agreements.” 

NetSPI will be demoing the AttackSim platform and its new capabilities during RSA Conference 2022 at booth #4605 in the North Expo Exhibit Hall. Schedule a meeting with the team

To learn more about Breach and Attack Simulation, email or visit


About NetSPI 

NetSPI is the leader in penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn

Media Contacts:
Tori Norris, NetSPI 
(630) 258-0277 

Amanda Echavarri, Inkhouse for NetSPI 
(978) 201-2510 

Discover why security operations teams choose NetSPI.