ziggiz Launches IP Data Enrichment Feature
US-based cybersecurity firm ziggiz today announced new IP data enrichment capabilities for its Cyber Lakehouse platform that address a critical industry problem: inconsistent location data creating excessive noise in security monitoring systems.
The new feature enables security teams to detect suspicious access patterns by providing consistent location analysis across multiple data sources before detections trigger, rather than enriching data after alerts fire.
"Most SOAR-based approaches enrich data post-detection, but that's too late in the workflow," said Ryan Faircloth, head of product at ziggiz. "As part of our shift left detection initiatives, we recognize this type of enrichment should happen before detection. This allows for much more efficient detection and opens up categories the legacy patchwork approach can't address."
The Consistency Problem
The announcement addresses what ziggiz calls the "impossible traveler" false positive problem. Current implementations often report conflicting location data for the same IP address.
A CEO in Orlando might trigger alerts when authentication providers report Florida while application providers report Miami. While both answers are geographically close, the inconsistency creates shifting baselines that make anomaly detection unreliable.
"The legacy approach relies on data provided by the original log sources, leading to inconsistency that creates both false positives and missed detections," Faircloth explained. "The problem isn't just accuracy. It's consistency."
Technical Implementation
ziggiz's solution uses a decision tree approach that prioritizes data sources based on context. The system checks internal network data first for known networks, then falls back to trusted third-party intelligence for external connections.
This semantic layer combines internal systems, cloud provider data from AWS and Azure, and third-party intelligence to deliver consistent enrichment across all connection sources.
ziggiz selected IPinfo (https://ipinfo.io), the internet data company, as its trusted data partner after an exhaustive evaluation process. IPinfo provides highly contextualized IP address data that’s actively measured and continuously updated to ensure unmatched accuracy. "They provided the most consistent and reliable IP data we evaluated," Faircloth noted. "They also provided a commercial model allowing us to grow with our customers aligned to our cloud-first consumption-based approach to pricing."
What distinguished IPinfo was their forward-thinking approach to innovation. "We were really impressed with their research team's recent innovations," Faircloth said. "They’re not just replicating what other providers offer. They’re tackling the challenge of truly understanding how the internet behaves and delivering accuracy that simply wasn’t possible before. At the same time, they’re evolving their datasets and introducing new capabilities at a remarkable pace. We’re excited to bring these advancements to our customers."
A key technical advantage is the platform's ability to perform both point-in-time and real-time analysis. This capability matters because IP addresses change ownership over time.
An IP that was a legitimate corporate VPN endpoint six months ago might be a residential ISP in Eastern Europe today. Without point-in-time analysis, hunt teams can't accurately investigate historical incidents.
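The source-priority lookup and point-in-time resolution described in this section can be sketched as follows. This is an added example, not ziggiz or IPinfo code; the network table, ownership history, event fields and function names are constructed assumptions, and no vendor API is called.

```python
import ipaddress
from datetime import date

# Constructed sample data; names and values are illustrative assumptions.
INTERNAL_NETWORKS = [(ipaddress.ip_network("10.20.0.0/16"), "Orlando HQ")]
# Third-party history per IP: (valid_from, valid_to_exclusive or None, location).
THIRD_PARTY_HISTORY = {
    "203.0.113.7": [
        (date(2024, 1, 1), date(2024, 9, 1), "Corporate VPN, Orlando, US"),
        (date(2024, 9, 1), None, "Residential ISP, Eastern Europe"),
    ],
}

def resolve(ip, when):
    """Return (source, location) for ip as of the date `when`."""
    addr = ipaddress.ip_address(ip)
    # Step 1: known internal networks take priority.
    for net, label in INTERNAL_NETWORKS:
        if addr in net:
            return ("internal", label)
    # Step 2: fall back to the third-party record that was valid at `when`.
    for start, end, label in THIRD_PARTY_HISTORY.get(ip, []):
        if start <= when and (end is None or when < end):
            return ("third_party", label)
    return ("unknown", None)

def location_changes(events, field):
    """Count consecutive per-user events whose `field` value differs.

    field="src_geo" uses what each log source reported;
    field="location" uses the single pre-detection enrichment.
    """
    last, changes = {}, 0
    for e in events:
        row = dict(e, location=resolve(e["ip"], e["date"])[1])
        if e["user"] in last and last[e["user"]] != row[field]:
            changes += 1
        last[e["user"]] = row[field]
    return changes

# Constructed events: two sources disagree on geo for the same IP and day.
EVENTS = [
    {"user": "ceo", "ip": "203.0.113.7", "date": date(2024, 3, 5), "src_geo": "Florida"},
    {"user": "ceo", "ip": "203.0.113.7", "date": date(2024, 3, 5), "src_geo": "Miami"},
]

if __name__ == "__main__":
    print(location_changes(EVENTS, "src_geo"), location_changes(EVENTS, "location"))
    print(resolve("203.0.113.7", date(2024, 3, 5)))  # owner at event time
    print(resolve("203.0.113.7", date(2025, 1, 5)))  # owner today
```

Resolving against the event date rather than the lookup date is what keeps a historical investigation from attributing an old login to the IP's current owner.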
“Security detections are only as reliable as the infrastructure data behind them. By integrating IPinfo’s datasets directly into their detection workflow, ziggiz gives security teams a consistent foundation for interpreting IP behavior across environments,” said Ben Dowling, Co-CEO and Founder of IPinfo. “That consistency is what allows security teams to investigate incidents faster and reduce the false positives that overwhelm analysts.”
Reducing Detection Noise
The feature also addresses the economic reality of SOAR systems, which typically charge per workflow or per step. Low-quality data sources cause detections to open and close immediately, creating unnecessary costs.
"Legacy solutions get 'login from embargoed country' detections wrong because they only rely on authentication data and geo data from services," Faircloth said. "Today's vendors try not to talk about it."
Faircloth believes security teams using consistent location enrichment pre-detection will realize they've been missing something fundamental: less noise and detections they don't just ignore.
"Security teams aren't ignoring detections because they're lazy," he added. "They're ignoring them because the signal-to-noise ratio is broken."
About ziggiz
ziggiz provides a Cyber Lakehouse platform designed to commoditize security data analytics through industry-standard semantic layers. The company serves cybersecurity teams, SOC operations, hunt teams, investigators, and security architects. Founded by Dr. George Webster and Zoe Von Pentz, ziggiz is headquartered in the United States.
About IPinfo
IPinfo is the internet data company, providing the world’s most accurate IP data that delivers highly contextual metadata on each IP address, from geolocation and mobile carrier to privacy detection and proxies. IPinfo is trusted by more than 500,000 users, from developers to Fortune 500 companies, who use IP data to make smarter decisions, mitigate security risks, ensure regulatory compliance, and drive better customer experiences. IPinfo’s robust and secure API processes more than 1 billion requests daily, with data also available through direct download and leading cloud platforms, all backed by a team of data experts who are committed to precision. Discover the power of better IP data at IPinfo.io.

