Traffic Origin


Traffic Origin shifts cybersecurity from reactive to proactive by exposing the true upstream origins of IP traffic, even when adversaries hide behind residential proxies, VPNs, laptop farms, or other obfuscation techniques.

Derived from real-world detection events, it unmasks the “masking layer” used by state-sponsored actors and cybercriminals, revealing:

  • Upstream countries and routing sources connected to an IP

  • High-confidence risk indicators, such as traffic routed from sanctioned or high-risk regions (e.g., DPRK, Iran, Russia) via residential proxies

  • Full contextual visibility in the Silent Push platform, correlating surface flags (e.g., US/UK) with hidden high-risk upstream links

Access Traffic Origin Data in Total View    

Traffic Origin is integrated into the Total View section of the Silent Push platform, providing two complementary ways to access upstream origin insights for any IP address — one for quick triage and one for in-depth analysis.    

Highlights Section – Quick Glance (Upper Right Corner)

Located in the upper-right corner of the Highlights panel in Total View, this compact widget shows a prioritized list of upstream countries where the IP was detected, ordered by detection rate (highest to lowest). It instantly reveals true geographic origins behind proxies, VPNs, or residential obfuscation, even when surface geolocation appears benign (e.g., US/UK).

Dedicated Traffic Origin Tab – Full Details

For a comprehensive investigation, switch to the dedicated Traffic Origin tab in Total View. This displays the IP's complete detection history in a table or map view. It provides granular per-detection context for tracing movements, identifying patterns (IP hopping, APTs, botnets), and correlating with other indicators.

Note: The Traffic Origin tab is visible only if your organization has the feature enabled. Advanced map zoom (beyond level 10) requires GeoIP permissions.        

How to Access Both Views

  1. On the Silent Push landing page, enter an IPv4/IPv6 address (or URL) in the search bar.

  2. Press Enter or click Total View.

  3. In Total View:                

    • Look in the upper right corner of the Highlights section for the quick Traffic Origin summary (countries by detection rate).

    • Click the Traffic Origin tab (in the tab bar next to Threat Feeds, Infrastructure Variance, etc.) for detailed table and map views.

Why is Traffic Origin Important?

In today’s threat landscape, static IP information is insufficient. Cyber adversaries often use dynamic IPs, proxies, or VPNs to mask their origins. Traffic Origin addresses this by:

  1. Detecting Suspicious Activity: Identify whether an IP address originates from an unauthorized region, such as a sanctioned country, to assess potential risks, including data exfiltration or compliance violations.

  2. Enforcing Policies: Ensure IPs are active only within approved operational areas to support geofencing and access controls.

  3. Enhancing Investigations: Provide contextual evidence for incident response, allowing analysts to trace IP movements and correlate with other indicators.

  4. Improving Threat Intelligence: Reveal patterns such as IP hopping across countries that could indicate botnets, phishing campaigns, or advanced persistent threats (APTs).

For example, if your organization doesn't operate in certain regions, detecting an IP address from your network in those regions could trigger immediate alerts.
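
The policy check described above, as an added example (not Silent Push code, and not its API or export format). It ranks each IP's upstream countries by detection rate and raises an alert when an upstream origin falls outside the approved regions. The record fields, the APPROVED and HIGH_RISK sets, and the severity rule are assumptions made for illustration, and the sample detections are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample detections. Field names are assumptions for this
# example, not the Silent Push schema or export format.
DETECTIONS = [
    {"ip": "203.0.113.10", "surface_country": "US", "upstream_country": "US"},
    {"ip": "203.0.113.10", "surface_country": "US", "upstream_country": "KP"},
    {"ip": "203.0.113.10", "surface_country": "US", "upstream_country": "KP"},
    {"ip": "203.0.113.10", "surface_country": "US", "upstream_country": "CN"},
    {"ip": "198.51.100.7", "surface_country": "GB", "upstream_country": "GB"},
    {"ip": "198.51.100.7", "surface_country": "GB", "upstream_country": "GB"},
    {"ip": "192.0.2.44", "surface_country": "RU", "upstream_country": "RU"},
]

APPROVED = {"US", "GB"}         # regions the organization operates in (assumed)
HIGH_RISK = {"KP", "IR", "RU"}  # policy-defined high-risk list (assumed)


def upstream_by_rate(detections):
    """Per IP: [(country, rate)], highest detection rate first."""
    counts = defaultdict(Counter)
    for d in detections:
        counts[d["ip"]][d["upstream_country"]] += 1
    ranked = {}
    for ip, c in counts.items():
        total = sum(c.values())
        # Sort by rate descending, then country code for a stable order.
        ranked[ip] = sorted(((cc, n / total) for cc, n in c.items()),
                            key=lambda x: (-x[1], x[0]))
    return ranked


def triage(detections, approved=APPROVED, high_risk=HIGH_RISK):
    """Return alerts for IPs with upstream origins outside approved regions."""
    surface = {d["ip"]: d["surface_country"] for d in detections}
    alerts = []
    for ip, ranked in sorted(upstream_by_rate(detections).items()):
        outside = [cc for cc, _ in ranked if cc not in approved]
        if not outside:
            continue
        risky = any(cc in high_risk for cc in outside)
        # "masked": surface flag looks approved but an upstream origin is not.
        masked = surface[ip] in approved
        severity = "high" if (risky and masked) else "medium"
        alerts.append({"ip": ip, "surface": surface[ip], "outside": outside,
                       "masked": masked, "severity": severity})
    return alerts
```

With this rule, an IP whose surface country is approved but whose upstream origins include a high-risk region is rated higher than one that is openly outside the approved regions, since the first is the masked case the page describes.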

Practical Benefits

By integrating Traffic Origin, users can reduce false positives in alerts, prioritize high-risk detections, and align with regulatory requirements such as GDPR and export controls. It’s particularly valuable for enterprise teams handling global operations.