A bad IP can be accurate and still tell the wrong story.
That is the uncomfortable part of ORB (operational relay box) networks. The defender sees a source IP. The attacker may be using a rotating relay fabric built from compromised routers, IoT devices, small-office/home-office gear, and VPS nodes.
So “bad IP → block → close” can become a false win. The clue was real. The response was reasonable. But the durable object was not the IP. It was the relay system behind it.
That is where threat intelligence gets interesting. The analyst’s job is not just to collect observables. It is to ask what system produced them, who benefits from that system, and what would likely happen next if the system keeps working.
Read the full AlphaHunt analysis.