Silent Push Targets the Blind Spot in Identity Security With Traffic Origin, Gives MSSPs a Clear Way to Act on Hidden Identity Risk

Identity-based attacks are getting harder to spot because they no longer look suspicious on the surface. Residential proxies, VPNs, and laptop farms allow attackers to appear local, compliant, and low risk at the moment of access. That disconnect between appearance and reality is what Silent Push is addressing with Traffic Origin, a capability that reveals where traffic actually originates and makes that insight usable inside real security workflows.

From more data to clearer decisions

Many security tools enrich alerts but still leave analysts to interpret risk manually. Traffic Origin is built to reduce that burden by providing what Silent Push calls origin certainty.

Kasey Best, Director of Threat Intelligence at Silent Push, explained to MSSP Alert that the intent is to support action, not just investigation.

“Traffic Origin is designed to provide origin certainty that allows for automated decision-making rather than manual investigation,” Best said. “It integrates directly into identity, fraud, and SOC workflows via API, feeding into SIEM, SOAR, and authentication policy engines.”

Some signals call for immediate action. Best points to cases where traffic looks like it’s coming from London or New York but is actually controlled from sanctioned regions such as Russia, Iran, or North Korea. The same is true for residential proxy services and laptop farms used by fake employees. When those signals appear, teams can act right away with step-up authentication, account lockouts, or transaction holds.

Other signals are used for enrichment rather than blocking. “When a login is flagged as suspicious by standard tools, Traffic Origin helps validate whether it’s a harmless traveler or a proxy network,” Best said. “That prevents false positives and helps analysts focus on genuine threats.” For incident response teams, upstream attribution also makes it easier to link activity to known threat actor behavior instead of chasing a clean-looking entry IP.

Why standard IP intelligence falls short

Traditional IP intelligence relies heavily on static registration data and reputation feeds. That approach breaks down when attackers deliberately route through clean residential or ISP infrastructure. Best describes this as a last-mile visibility problem.

“Traditional tools see the entry point, the visible IP address,” she said. “If an attacker uses a clean residential proxy or a legitimate ISP address, those tools validate the session as legitimate because they can’t see past the immediate connection.”

Traffic Origin focuses on what sits behind that entry point. “Silent Push analyzes inbound signatures, host density, and traffic diversity to identify the countries connected to an IP,” Best said. “That reveals the true physical origin of the traffic, not just where the proxy server is located.”

This approach also aims to reduce noise. Instead of flagging all VPN usage, Traffic Origin distinguishes between legitimate privacy tools and residential proxy services commonly used in fraud. Best notes that this results in a clear true-or-false risk signal rather than probability scores that still leave room for doubt.

Making it practical for MSSPs and regulated teams

For MSSPs and organizations in regulated industries, Traffic Origin is designed to be operationalized as a managed service. Best outlines three common service models.

The first is sanctions and AML compliance. “MSSPs can offer a sanctions guardrail that provides geographic truth for KYC and KYE processes,” Best said. “That helps prevent regulatory breaches by identifying illicit activity masked by multi-hop proxies.”

The second focuses on insider threat and remote workforce risk. “Traffic Origin can act as a digital identity verification layer for large remote workforces,” she said. “It helps detect invisible insiders, including state-sponsored actors using fake personas and laptop farms, where device trust controls fall short.”

The third is SOC efficiency. By validating IP risk automatically inside the SIEM, Traffic Origin supports triage automation. “When IPs are instantly classified as VPNs, sinkholes, or proxies, low-risk alerts can be dismissed automatically,” Best said. “That can reduce investigation time from 20 to 30 minutes per alert to seconds, which protects margins and reduces analyst burnout.”

As attackers get better at hiding in plain sight, the ability to see upstream and act without hesitation becomes more important than adding yet another alert. For security teams and service providers, the value lies in closing the gap between what traffic looks like and what it actually is, before that gap turns into a breach.

Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.
