ThreatSTOP Blog

Simplifying Control Over Third Party VPN Traffic with New Dedicated Bundles

Written by Joel Esler | January 15, 2026

Third party VPN usage inside corporate environments continues to be a growing concern for security teams. While VPN services are often marketed as privacy tools, their presence on enterprise networks introduces real risk. They obscure user activity, bypass corporate controls, complicate investigations, and are frequently abused for data exfiltration, policy evasion, and command and control communication. To address this challenge more cleanly and give customers greater operational control, ThreatSTOP has introduced two new protection bundles designed specifically for third party VPN traffic.

Introducing the New Third Party VPN Bundles

We have created two new bundles:

  • 3rd Party VPNs IPs

  • 3rd Party VPNs Domains

All existing third party VPN coverage has been consolidated into these two bundles. This change brings structure and clarity to how VPN related protections are deployed across environments, whether customers are using Protective DNS through DNS Defense Cloud or DNS Defense, or enforcing controls through IP Defense on firewalls, routers, IPS platforms, or cloud controls such as AWS WAF.

The following third party VPN services are now covered within these bundles:

IPVanish, AnchorFree and HotSpotShield, TunnelBear, Tailscale, Surfshark, Surfeasy, NordVPN, Private Internet Access, Proton VPN, SoftEther, Speedify, CyberGhost, Hola VPN, ExpressVPN, HMA VPN, AirVPN, Avast VPN, Easy Hide VPN, FastestVPN, FrootVPN, FrostVPN, IVPN, Mullvad VPN, OctoVPN, OVPN, VPNSecure, VPNTunnel, VyprVPN, PrivadoVPN, PrivateVPN, PureVPN, SlickVPN, StrongVPN, Turbo VPN, VPN Unlimited, and VPNGate.

This coverage spans both domain based and IP based infrastructure, allowing protections to be applied consistently regardless of how the VPN service operates or how traffic attempts to exit the network.

Why Third Party VPNs Are a Risk on Corporate Networks

Third party VPN services fundamentally undermine enterprise visibility and policy enforcement. When users route traffic through external VPN providers, security teams lose insight into destinations, applications, and behaviors. This creates blind spots that attackers actively exploit.

Common risks include unauthorized data exfiltration, bypassing web filtering and acceptable use policies, hiding command and control traffic, evading geographic and compliance controls, and masking malicious activity behind trusted VPN brands. In regulated environments, unmanaged VPN usage can also create compliance exposure by allowing traffic to flow through jurisdictions or infrastructure that violate policy requirements.

Effective protection requires both visibility and control, not just detection after the fact.

Easier Configuration and Smarter Policy Decisions

By consolidating all third party VPN coverage into two clearly defined bundles, customers can now make intentional decisions about VPN usage on their networks. Organizations that want to explicitly allow a small number of approved VPN services can do so while blocking the rest. Others can take a stricter approach and prevent all unmanaged VPN traffic entirely.

This structure simplifies deployment, reduces configuration errors, and aligns protections more closely with real world policy needs. Instead of managing dozens of individual targets, customers can apply a small number of well understood bundles and fine tune exceptions where necessary.

Built by the ThreatSTOP Security Intelligence and Research Team

These protections are developed and maintained by the ThreatSTOP Security, Intelligence, and Research team. The team continuously analyzes infrastructure associated with VPN services, including hosting patterns, domain usage, IP churn, and abuse trends. Coverage is updated as services evolve, ensuring protections remain accurate and effective over time.

These VPN bundles complement existing ThreatSTOP protections for command and control, invalid traffic, peer to peer communication, data exfiltration, phishing, spam, and Distributed Denial of Service activity. Together, they help organizations maintain control over how their networks are used and protected.

Take Control of VPN Risk

Unmanaged VPN usage does not have to be a permanent blind spot. With the new Third Party VPN IP and Domain bundles, organizations gain clearer control, easier configuration, and stronger protection across all environments.

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a meaningful difference in your security posture. We offer pricing for organizations of all sizes. Get started with a demo today.

Connect with Customers, Disconnect from Risks

MITRE ATT&CK Mapping

| MITRE ATT&CK Technique | Description | Relevance |
|---|---|---|
| T1071 | Application Layer Protocol | VPNs commonly use standard application protocols to blend in with legitimate traffic |
| T1090 | Proxy | Third party VPN services act as external proxies to obscure traffic origin and destination |
| T1041 | Exfiltration Over C2 Channel | VPN tunnels are frequently abused to exfiltrate data outside monitored paths |
| T1572 | Encrypted Channel | VPN encryption reduces visibility into malicious or policy violating traffic |
| T1020 | Automated Exfiltration | VPN infrastructure enables large scale, automated data movement without detection |