
Domain-to-IP Volatility at Scale: A Study of 4 Million Enterprise Domains

Zohar Venturero, Data Scientist

Exposure management depends on the ability to consistently observe and attribute externally reachable systems. Domains are commonly treated as stable identifiers, resolving to IP addresses that can be associated with specific assets and monitored over time.

In modern enterprise environments, this assumption increasingly fails. In many architectures, IP addresses function as routing mechanisms rather than stable identifiers, changing as traffic is distributed and infrastructure is rebalanced. 

As a result, a domain can remain constant while the IPs it resolves to shift frequently, sometimes multiple times per week, even when the underlying service does not change. For exposure management, this breaks IP-based attribution: findings can lose connection to a stable owner, investigative history fails to carry forward, and asset and exposure trends shift without any real change in risk.

This research quantifies how often enterprise domains resolve to changing IP addresses and how that behavior affects consistent asset attribution over time. The goal is to surface a widespread but often overlooked infrastructure pattern that undermines continuous exposure tracking and day-to-day security operations.


Methodology

The analysis was conducted across 264 enterprise organizations. For each organization, we evaluated its externally observable domain footprint, resulting in a dataset of over four million distinct domains.

For each domain, we collected DNS A-record resolutions repeatedly over time and tracked how the resolved IP set changed. Domains were classified as ‘dynamically resolved’ when they exhibited recurring IP rotation over the observation period.

After classification, we characterized where dynamically resolved domains were hosted by identifying whether the resolving infrastructure was associated with a CDN, a load balancer, and/or a cloud IaaS or PaaS platform (a domain can fall into more than one category). We also measured the frequency of IP resolution changes to quantify volatility and assess its implications for continuous exposure monitoring.
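The classification step described above can be sketched as follows. This is an added example, not the study's own code: the `min_changes` threshold, the 30-day month, the function names and the sample data (documentation IP ranges) are all assumptions, since the post does not state how "recurring IP rotation" was thresholded.

```python
from datetime import datetime, timedelta

def change_events(observations):
    """Timestamps at which the resolved A-record set differs from the previous one.

    observations: list of (datetime, iterable_of_ips), in any order.
    Empty answers (failed lookups) are skipped so an outage is not counted as rotation.
    """
    events, prev = [], None
    for ts, ips in sorted(observations, key=lambda o: o[0]):
        current = frozenset(ips)
        if not current:
            continue
        if prev is not None and current != prev:
            events.append(ts)
        prev = current
    return events

def changes_per_month(observations, days_per_month=30.0):
    """Change events normalised to a 30-day month (assumed convention)."""
    stamps = sorted(o[0] for o in observations)
    if len(stamps) < 2:
        return 0.0
    span_days = (stamps[-1] - stamps[0]).total_seconds() / 86400
    return len(change_events(observations)) * days_per_month / span_days if span_days else 0.0

def is_dynamically_resolved(observations, min_changes=3):
    """Assumed rule: a single change is a migration, repeated changes are rotation."""
    return len(change_events(observations)) >= min_changes

START = datetime(2024, 1, 1)

def at(day, *ips):
    return (START + timedelta(days=day), set(ips))

# Constructed sample data: one rotating domain, one that migrated once.
ROTATING = [at(0, "192.0.2.10"), at(3, "192.0.2.11"), at(7),  # day 7: lookup failed
            at(10, "192.0.2.11"), at(14, "198.51.100.5"), at(30, "192.0.2.10")]
MIGRATED = [at(0, "203.0.113.7"), at(15, "203.0.113.8"), at(30, "203.0.113.8")]

if __name__ == "__main__":
    for name, obs in (("rotating", ROTATING), ("migrated", MIGRATED)):
        print(name, is_dynamically_resolved(obs), round(changes_per_month(obs), 1))
```

Comparing whole answer sets means a round-robin resolver that returns a different subset of a stable pool on each query will also register as change, so observations are best taken as the union of several lookups per polling interval.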


Dynamic IPs and Security Operations Challenges

Security operations depend on being able to answer three basic questions reliably: what assets exist, who owns them, and how risk changes over time. Most workflows assume that the identifiers used for investigation and reporting remain stable long enough to support consistent decisions.

Figure 1: Example of a ‘dynamically resolved’ domain

In environments where IP addresses change frequently, that assumption breaks. Several operational challenges emerge that affect day-to-day security work:

Breakdown of ownership and accountability
Findings often surface at the IP level, while remediation responsibility sits with application or infrastructure owners. When IPs rotate, the link between a finding and a responsible team breaks, increasing triage time and slowing remediation.

Repeated loss of investigative context
As IPs change, prior investigations, accepted risk decisions, and remediation status may no longer remain clearly associated with the same service. Teams are forced to re-establish context for what is effectively the same asset, consuming time without improving posture.

Operational noise and analyst fatigue
Routine IP reassignment can look like asset churn or new exposure, generating alerts and follow-up work that do not reflect meaningful change. Over time, this degrades analyst focus and reduces the signal-to-noise ratio of security operations.

Erosion of trust in reporting and metrics
When asset counts and exposure metrics fluctuate due to underlying infrastructure behavior rather than security posture, leadership loses confidence in trend reporting. This makes it harder to demonstrate progress, justify investment, or prioritize remediation with confidence.

Taken together, these effects turn dynamic IP behavior into a material operational risk. It degrades attribution, slows response, and distorts measurement, yet it remains under-discussed outside the teams that deal with it directly.

Key Findings

We approached this analysis in two stages. First, we set out to quantify how common dynamic IP resolution is across enterprise environments. Then, for the domains exhibiting this behavior, we examined how frequently IP associations change and how that volatility is distributed.

8.6% of Enterprise Domains Resolve to Dynamic IPs

The first question we examined was prevalence. Across the organizations analyzed, an average of 8.6 percent of domains were backed by dynamic IP ranges. In large enterprise environments, this corresponds to thousands of domains whose underlying infrastructure changes regularly even though the domain itself remains stable.

To understand where this behavior originates, we examined the infrastructure associated with these dynamically resolved domains:

  • 53.9 percent were hosted on content delivery networks
  • 55.6 percent were hosted behind load balancers
  • 72.5 percent were hosted on cloud platforms (IaaS or PaaS)

Figure 2: Distribution of infrastructure linked to dynamically resolved domains

Importantly, these categories overlap. A single domain may be fronted by a CDN, terminate at a load balancer, and run on cloud infrastructure simultaneously. The distribution reflects standard enterprise deployment architectures rather than isolated or exceptional cases.

These numbers reinforce the notion that the use of dynamic IPs is not confined to a specific provider or deployment pattern. It is a routine characteristic of modern enterprise environments, with operational impact that most security teams should take into account.


IPs Shift Faster Than Most Teams Track

After establishing how common dynamic IP behavior is, we examined how frequently IP associations actually change.

Across all organizations in the dataset, the average was slightly more than 3 IP changes per month. However, this is not evenly distributed. A substantial share of enterprises experienced far more frequent IP changes:

  • Top 50% of organizations: 4.8 IP changes per month
  • Top 25% of organizations: 6.3 IP changes per month
  • Top 10% most volatile organizations: 8.1 IP changes per month

Figure 3: Distribution of IP Change Frequency Across Organizations

In other words, at the high end of the range, dynamic IPs shift twice, or even three times, per week.

At that rate, static IP attribution becomes a liability. What’s needed is continuous observation of domain-to-IP changes and time-bounded attribution, so the same service stays recognizable as IP addresses rotate.

Final Thoughts

This analysis shows that IP volatility is not an edge case. It is a routine byproduct of modern delivery stacks, and it can quietly break IP-based attribution and continuity even when the service itself has not changed. 

By measuring how prevalent dynamic resolution is and how quickly IP associations rotate, we aim to make an often under-instrumented operational risk visible and measurable, so teams can align monitoring and reporting to how enterprise exposure actually behaves.

The operational requirement here is to classify dynamically resolved domains as a distinct asset class, then monitor them on a continuous cadence that matches their rate of change.

That means frequent DNS tracking, higher-frequency scanning, and time-bounded attribution of findings so posture reflects the underlying service, not the IP assigned at a given moment.
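Time-bounded attribution, as called for here and in the section on IP change frequency, can be illustrated with a small interval index. This is an added example, not CyCognito's implementation: the function names, domains and IPs are constructed, and interval boundaries are only as precise as the assumed polling cadence.

```python
from datetime import datetime

def build_intervals(observations):
    """Turn DNS observations into (ip, domain, start, end) validity intervals.

    observations: list of (datetime, domain, iterable_of_ips).
    end is the first observation at which the IP was gone from the answer
    (the real change happened somewhere before it); None means still current.
    """
    open_, closed = {}, []
    for ts, domain, ips in sorted(observations, key=lambda o: o[0]):
        ips = set(ips)
        if not ips:          # failed lookup: do not close intervals on an outage
            continue
        for key in [k for k in open_ if k[0] == domain and k[1] not in ips]:
            closed.append((key[1], domain, open_.pop(key), ts))
        for ip in ips:
            open_.setdefault((domain, ip), ts)
    closed += [(ip, dom, start, None) for (dom, ip), start in open_.items()]
    return closed

def attribute(intervals, ip, seen_at):
    """Domains that resolved to `ip` at the moment the finding was observed."""
    return sorted({dom for i, dom, start, end in intervals
                   if i == ip and start <= seen_at and (end is None or seen_at < end)})

def day(n):
    return datetime(2024, 1, n)

# Constructed observations: 192.0.2.10 moves from one service to another.
OBSERVATIONS = [
    (day(1), "shop.example.com", {"192.0.2.10"}),
    (day(4), "shop.example.com", {"192.0.2.20"}),
    (day(4), "blog.example.com", {"192.0.2.10"}),
    (day(8), "shop.example.com", {"192.0.2.30"}),
    (day(8), "blog.example.com", {"192.0.2.10"}),
]
INTERVALS = build_intervals(OBSERVATIONS)

if __name__ == "__main__":
    # The same IP belongs to different owners depending on when the finding was made.
    print(attribute(INTERVALS, "192.0.2.10", day(2)))   # scan on Jan 2
    print(attribute(INTERVALS, "192.0.2.10", day(5)))   # scan on Jan 5
    print(attribute(INTERVALS, "192.0.2.20", day(9)))   # IP already rotated away
```

A finding that attributes to no domain, as in the last call, is a stale record to retire or re-verify rather than a new asset.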

We hope the research above puts concrete numbers behind a problem many teams encounter in practice, and clarifies why dynamic domains require continuous monitoring and validation aligned to how they actually behave.

Read this blog post to learn how CyCognito addresses dynamic IP behavior in its external exposure management platform.


