A more complete picture: How IP reputation adds further insight to cyber underwriting
By KYND
For cyber underwriters, assessing risk involves understanding what an organisation exposes to the internet and how effectively it governs and protects that exposure. Indicators such as misconfigured domains, weak email authentication, open ports and outdated software remain central to this process, offering reliable insight into cyber hygiene and the presence of protective measures at the point of risk selection.
But as attacks accelerate and automation scales, additional indicators can reveal exposure that point-in-time configuration checks do not capture: how an applicant's infrastructure actually behaves on an internet now dominated by automated traffic.
For the first time in over a decade, automated traffic has surpassed human activity, accounting for 51 percent of all web traffic, and malicious bots alone account for more than a third of the total. In practical terms, the majority of what interacts with an applicant’s infrastructure today is not human, and a significant proportion of it is actively hostile.
For underwriting, this can shift the baseline. When traffic is predominantly automated and a substantial share is malicious, exposed services are probed continuously. Login portals are tested. Misconfigurations are scanned at scale. The question is no longer simply whether an organisation appears vulnerable, but whether its infrastructure is actively being tested, misused or leveraged in ways that increase loss probability.
In this environment, configuration and control indicators remain essential, but curated insight drawn from IP reputation data can introduce an additional layer of risk intelligence. It highlights when an organisation’s IP addresses show patterns associated with suspicious or malicious activity, enabling clearer risk differentiation and more defensible underwriting decisions.
But what exactly is IP reputation, and what does it mean for an underwriter in practice?
IP reputation looks at how an organisation’s internet-facing infrastructure behaves once it is live and interacting with the wider internet.
Every organisation uses IP addresses to run email, host websites and applications, enable remote access, and connect cloud services. Over time, those IP addresses build a history based on how they are seen behaving. Security providers, internet service providers, and threat intelligence networks monitor patterns such as spam activity, scanning behaviour, malware hosting, or communication with known malicious systems.
When an IP address is repeatedly linked to suspicious or abusive behaviour, it may be listed in reputation databases or blocklists that other security tools reference. There is no single global ‘score’, but many filtering systems rely on shared intelligence feeds when deciding whether to trust traffic from a particular source.
These mechanisms have clear operational implications. Email gateways, firewalls, and cloud platforms often use reputation data to decide whether to allow, filter, or block traffic. If an organisation’s IP space develops a poor reputation, it may experience email delivery issues, connection restrictions, or additional scrutiny from third-party systems. Reputational degradation can therefore create operational disruption in its own right.
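The mechanics behind a blocklist lookup are simple enough to show in a few lines. The example below is added here and is not KYND's code: it builds the query name that DNS-based blocklists (DNSBLs) expect, reversed octets prefixed to the list's zone, and decodes the A-record answer using the return codes Spamhaus publishes for its ZEN zone. The code assumes those documented codes are current and that your resolver is permitted to query the zone; Spamhaus refuses queries routed through large public resolvers and signals that with a 127.255.255.x answer rather than a listing.

```python
"""Query a DNS-based blocklist (DNSBL) for an IPv4 address and decode the answer.

Added example, not KYND's code. Assumes the common DNSBL convention
(reversed octets + zone) and the Spamhaus ZEN return codes as documented
by the operator; verify the mapping before relying on it.
"""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Spamhaus ZEN answer codes (A records in 127.0.0.0/8). 127.0.0.4-7 are XBL
# and handled as a range below; 127.255.255.x answers are errors, not listings.
ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source or spammer-controlled host",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe spam source",
    "127.0.0.9": "SBL DROP: hijacked or wholly malicious netblock",
    "127.0.0.10": "PBL: ISP-declared dynamic / non-mail range",
    "127.0.0.11": "PBL: Spamhaus-maintained non-mail range",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the lookup name: 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_zen(answer: str) -> str:
    """Map one ZEN A-record answer to the sub-list it came from."""
    if answer.startswith("127.255.255."):
        return "error: query refused (public resolver or rate limit), not a listing"
    if not answer.startswith("127.0.0."):
        return f"unexpected answer {answer}: check the zone is not wildcarded"
    last = int(answer.rsplit(".", 1)[1])
    if 4 <= last <= 7:
        return "XBL: exploited or compromised host (botnet, open proxy)"
    return ZEN_CODES.get(answer, f"unknown ZEN code {answer}")


def lookup(ip: str, zone: str = ZEN_ZONE):
    """Return decoded listings for ip: [] if not listed, None if the query failed."""
    name = dnsbl_query_name(ip, zone)
    try:
        _, _, answers = socket.gethostbyname_ex(name)
    except socket.gaierror as exc:
        # NXDOMAIN is how a DNSBL says "not listed"; any other failure
        # (timeout, SERVFAIL) means we do not know, which is not the same thing.
        if exc.errno == getattr(socket, "EAI_NONAME", -2):
            return []
        return None
    return [decode_zen(a) for a in answers]


if __name__ == "__main__":
    # 127.0.0.2 is the conventional always-listed test address (RFC 5782),
    # so this should return at least one listing when the zone is reachable.
    print(lookup("127.0.0.2"))
```

Two things matter when reading the result: an empty list is a negative answer from the list itself, whereas `None` means the query never completed, and a listing only tells you which sub-list fired; the PBL, for instance, marks address space that should not be sending mail directly rather than observed abuse.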
For cyber underwriters, the value lies not in the operational impact itself, but in curated IP reputation insight that highlights observable activity associated with an applicant’s infrastructure, filtered for relevance to loss potential rather than day-to-day network management.
For example, if IP addresses associated with an applicant are observed performing brute-force attacks – repeated automated attempts to guess login credentials – this may suggest compromised systems attempting to access other networks. If infrastructure is communicating with known command-and-control (C2) servers – systems used by attackers to remotely control infected machines – this can indicate active malware inside the environment. If domains linked to the organisation are hosting phishing pages designed to steal credentials, that introduces not only technical exposure but potential regulatory and reputational consequences. If mail servers appear on spam blocklists, this often points to botnet activity or weak email security controls.
These signals do not automatically prove a breach has occurred. However, they are consistent with control failure, insufficient internal monitoring, or infrastructure misuse.
In practice, IP reputation signals tend to fall into two categories that matter for cyber underwriters:
Inbound signals show that an organisation is being actively targeted. For instance, repeated scanning from known malicious IP ranges suggests that exposed services are visible and being tested. Similarly, inbound traffic originating from proxy networks, Tor exit nodes, or suspicious hosting providers may indicate attempts to mask identity or bypass controls. This is not evidence of compromise, but it increases the likelihood that vulnerabilities will be identified and exploited quickly.
Outbound signals are more concerning. When infrastructure associated with an applicant is observed sending spam, launching brute-force attempts, scanning other networks, or communicating with confirmed C2 infrastructure, the probability of active compromise rises significantly. At that stage, the focus shifts from theoretical exposure to containment capability and monitoring effectiveness.
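The inbound/outbound distinction depends on knowing which side of each observation falls inside the applicant's address space. The script below is an added example, not KYND's code or data: it takes a small constructed feed of (source, destination, category) records, attributes each one to the applicant's declared netblocks, labels it inbound or outbound, and goes one step beyond the text by ranking the result with illustrative weights so that outbound compromise indicators dominate inbound targeting. The netblocks, feed records, category names and weights are all assumptions for the demonstration.

```python
"""Classify reputation-feed observations as inbound or outbound relative to an
applicant's IP space and rank them for review.

Added example, not KYND's code. The applicant ranges, feed records and
weights are constructed for illustration; real feeds use their own schemas.
"""
import ipaddress
from collections import Counter

# Constructed: the applicant's declared internet-facing ranges (TEST-NET blocks).
APPLICANT_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed feed records: (source_ip, destination_ip, category).
FEED = [
    ("203.0.113.7", "192.0.2.15", "scan"),           # external host scanning the applicant
    ("203.0.113.9", "192.0.2.15", "tor-exit"),       # Tor exit node hitting a login portal
    ("192.0.2.44", "203.0.113.200", "brute-force"),  # applicant host attacking others
    ("198.51.100.20", "203.0.113.66", "c2-beacon"),  # applicant host talking to C2
    ("192.0.2.25", "203.0.113.10", "spam"),          # applicant host sending spam
    ("203.0.113.8", "203.0.113.9", "scan"),          # neither side is the applicant: ignored
]

# Illustrative weights (assumption): outbound indicators of compromise outrank
# inbound targeting, which only says the applicant is visible and being tested.
WEIGHTS = {
    ("outbound", "c2-beacon"): 10,
    ("outbound", "brute-force"): 8,
    ("outbound", "spam"): 6,
    ("outbound", "scan"): 6,
    ("inbound", "brute-force"): 2,
    ("inbound", "tor-exit"): 2,
    ("inbound", "scan"): 1,
}


def in_applicant_space(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPLICANT_NETS)


def direction(src: str, dst: str):
    """'inbound', 'outbound', 'internal', or None if the applicant is not involved."""
    src_ours, dst_ours = in_applicant_space(src), in_applicant_space(dst)
    if src_ours and dst_ours:
        return "internal"
    if src_ours:
        return "outbound"
    if dst_ours:
        return "inbound"
    return None


def classify(feed=FEED):
    """Attach a direction and weight to every record that touches the applicant."""
    findings = []
    for src, dst, category in feed:
        d = direction(src, dst)
        if d is None:
            continue  # noise from the feed, nothing to do with this applicant
        findings.append({
            "direction": d, "category": category, "src": src, "dst": dst,
            "weight": WEIGHTS.get((d, category), 1),  # unknown pairs count but rank low
        })
    return findings


def summarise(findings):
    """Roll findings up into the numbers an underwriter would look at first."""
    by_dir = Counter(f["direction"] for f in findings)
    return {
        "score": sum(f["weight"] for f in findings),
        "inbound": by_dir["inbound"],
        "outbound": by_dir["outbound"],
        # Hosts seen misbehaving outbound are the first candidates for compromise.
        "compromised_candidates": sorted({f["src"] for f in findings if f["direction"] == "outbound"}),
    }


if __name__ == "__main__":
    for f in sorted(classify(), key=lambda f: -f["weight"]):
        print(f"{f['weight']:>2}  {f['direction']:<8} {f['category']:<12} {f['src']} -> {f['dst']}")
    print(summarise(classify()))
```

The attribution step is where this goes wrong in practice: shared hosting, cloud NAT gateways and CDN edges put many tenants behind one address, so an outbound observation from such an IP should be treated as a question for the applicant rather than a finding against them until the asset inventory confirms the address is theirs.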
It is also important to recognise that attackers deliberately exploit reputation dynamics. Compromised legitimate infrastructure is often used to send spam or host malicious content because it initially appears trustworthy. In other cases, attackers rotate IP infrastructure frequently to avoid detection. Either way, the behavioural trace is often visible externally before an organisation realises something is wrong internally.
To see how behavioural signals complement underwriting risk assessment, let’s take a look at real-world patterns where IP reputation adds important context to the overall risk profile.
Hijacked or misused domains
Organisations often register additional domains for marketing campaigns, defensive registration, or future projects, but those domains are not always actively managed. If a secondary domain has outdated DNS settings, which determine where its internet traffic is directed, or weak email authentication controls, attackers can exploit it to send spam or host phishing pages. In recent studies of malicious domain activity, researchers have identified thousands of newly registered or compromised domains used for phishing and other attacks, demonstrating how quickly overlooked or low-cost domains can be weaponised.
In these situations, risk analysis may indicate that the organisation’s registered domains and core systems are correctly configured at a point in time. Behavioural signals, such as an IP address linked to a secondary domain appearing on phishing or spam blocklists, can surface issues as those assets are used or misused in practice. That external activity brings attention to governance gaps across the broader digital estate, not just the flagship domain.
Compromised infrastructure becoming part of a botnet
Servers and devices that appear secure from the outside can still be compromised through stolen credentials, supply chain issues, or vulnerable third-party components. Once compromised, these hosts may be quietly enrolled into a botnet and start scanning external networks or launching brute-force attempts. Observable external activity would show unusual outbound behaviour from those IP addresses even if internal monitoring has not yet flagged anything. Botnet membership and related abuse have been studied for years and are a well-established driver of malicious traffic and reputation damage.
Open resolvers and DNS abuse
DNS can itself be a vector for misuse. A misconfigured DNS server can act as an ‘open resolver,’ answering recursive requests from anywhere on the internet. Attackers exploit open resolvers in amplification attacks: they send small queries with the victim’s address forged as the source, so that the much larger responses are delivered to the target rather than to the attacker, and many resolvers together overwhelm it. This technique drove one of the largest distributed denial-of-service (DDoS) events in history, a major attack against a global spam-tracking organisation in which attackers leveraged vulnerable DNS resolvers to generate massive traffic floods.
From an underwriting perspective, this isn’t just a technical oversight. It indicates gaps in ongoing control management and monitoring, and the behavioural footprint can appear on abuse databases long before anything else is noticed internally.
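The check itself is a single UDP exchange, which is why abuse scanners find open resolvers long before their owners do. The code below is an added example, not KYND's code: it builds a minimal DNS query with the recursion-desired (RD) bit set and inspects the response header. A server that answers a name it is not authoritative for with the recursion-available (RA) bit set, RCODE 0 and at least one answer has recursed on behalf of an arbitrary client. The two sample responses are constructed so the decoding runs offline; the live check assumes you query a name the target is not authoritative for (example.com is used as a placeholder) and that you are authorised to test the server.

```python
"""Detect whether a DNS server acts as an open resolver.

Added example, not KYND's code. Sends one query with RD=1 and checks for
RA=1 / NOERROR / answers > 0 in the reply. Only test servers you own or
have permission to probe.
"""
import socket
import struct

TXID = 0x1234  # fixed transaction ID; a real tool should randomise this


def build_query(qname: str, txid: int = TXID, qtype: int = 1) -> bytes:
    """Wire-format query: 12-byte header (RD set) + QNAME + QTYPE + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Pull the flag bits an open-resolver check cares about out of the header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response, not a reflected query
        "rd": bool(flags & 0x0100),   # our RD bit echoed back
        "ra": bool(flags & 0x0080),   # server offers recursion
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }


def looks_open(resp: bytes, txid: int = TXID) -> bool:
    """True when the reply shows the server recursed for us."""
    h = parse_header(resp)
    return h["id"] == txid and h["qr"] and h["ra"] and h["rcode"] == 0 and h["answers"] > 0


def check_open_resolver(server_ip: str, qname: str = "example.com", timeout: float = 2.0):
    """Live check: True = open, False = refused/closed, None = no reply (inconclusive)."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return None  # filtered or down; absence of a reply proves nothing
    return looks_open(resp)


# Constructed sample replies (only the header is inspected by looks_open):
# an open resolver answering: QR=1 RD=1 RA=1 RCODE=0 with one answer record ...
OPEN_RESPONSE = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
# ... and a locked-down server refusing recursion: RA=0, RCODE=5 (REFUSED), no answers.
REFUSED_RESPONSE = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + build_query("example.com")[12:]

if __name__ == "__main__":
    print("constructed open reply    ->", looks_open(OPEN_RESPONSE))
    print("constructed refused reply ->", looks_open(REFUSED_RESPONSE))
```

Two caveats for interpreting a live result: a server that is authoritative for the queried name answers without recursing, so the test name must be one it does not host, and a resolver may advertise RA=1 yet still return REFUSED to clients outside its access list, which is the correct, non-open behaviour.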
Early signals of phishing and credential theft
Attackers increasingly use newly registered or compromised domains to support phishing campaigns that harvest credentials or deliver malware. In recent research into malicious domain usage, analysts identified hundreds of phishing sites acting as the entry point in front of credential-stealing forms, often hosted on domains that seemed innocuous at first glance.
This kind of behaviour – where infrastructure associated with an organisation is being used to funnel traffic into scams – can be picked up in IP reputation feeds even when risk assessments show few vulnerabilities.
These examples illustrate a broader truth: individual configuration issues may seem isolated or low-priority on their own. But when the infrastructure begins to behave in ways associated with abuse – spam, scanning, brute-force activity, phishing hosting, or DNS exploitation – that external footprint provides additional valuable signals of risk.
By layering IP reputation onto asset-level risk analysis pre- and post-bind, underwriters gain additional visibility of how the organisation actually performs when exposed to real-world threat activity.
As cyber activity becomes increasingly automated and infrastructure-driven, highly curated and focused IP reputation intelligence can provide underwriters with additional risk signals, without leaving them overwhelmed by data that does not translate into action.
By surfacing observable misuse that correlates with control breakdowns, monitoring gaps, or active compromise, it brings relevant behavioural signals directly into the underwriting process and helps focus attention on indicators with a demonstrable link to loss.
At KYND, our focus has always been on identifying the external signals that demonstrably correlate with cyber loss, not just theoretical exposure. Integrating curated IP reputation insight into underwriting workflows strengthens that approach by adding observable behavioural context to traditional control assessments. As automation continues to reshape the threat landscape, underwriters who combine configuration analysis with behavioural intelligence will be better positioned to differentiate risk, price accurately and defend their decisions with confidence.