Quadrant Analysis: Identifying Malicious IPs Through Traffic Behavior Patterns
Use quadrant analysis to visually identify malicious IPs, scanners, and bots by plotting traffic behavior patterns. Learn to interpret success-to-error ratios for rapid threat classification.
Security teams spend an enormous amount of time answering a deceptively simple question: is this IP behaving normally? Log analysis gives you the raw data. SIEM queries give you aggregations. But neither gives you the immediate, visual clarity needed to distinguish a scanner from a customer, a credential stuffer from a lost user, or a DDoS participant from a spike in organic traffic.
The core problem is dimensionality. Every IP that interacts with your application produces a mix of HTTP response codes—200s, 301s, 404s, 401s, 500s—and the ratio between these codes is a behavioral fingerprint. Legitimate users generate mostly successful responses. Scanners generate mostly client errors. Attackers targeting vulnerable endpoints generate server errors. But when you're looking at thousands of IPs in a log table, these patterns are invisible.
SecureNow's Quadrant Analysis solves this by transforming HTTP response distributions into a two-dimensional scatter plot that makes behavioral patterns immediately visible. Each IP becomes a point on the chart, and its position reveals what kind of traffic it's generating—no queries, no filters, no manual correlation. You look at the chart, and the clusters tell the story.
The Two Axes: Mapping Behavior to Coordinates
Quadrant analysis works by reducing the complexity of HTTP response distributions to two meaningful dimensions.
X-Axis: Success Rate vs. Client Error Rate
The horizontal axis represents the ratio between successful responses (2xx status codes) and client errors (4xx status codes). An IP positioned to the right generates mostly successful responses—its requests hit valid endpoints with proper authentication. An IP positioned to the left generates mostly client errors—its requests hit non-existent paths, fail authentication, or violate authorization rules.
This single axis separates two fundamentally different classes of traffic:
- Right side (high success rate): Legitimate users, well-behaved API consumers, authorized integrations. These IPs know your application's structure and are using it correctly.
- Left side (high client error rate): Scanners, credential stuffers, path traversal attackers, unauthorized API probers. These IPs are guessing, brute-forcing, or systematically testing your application's boundaries.
Y-Axis: Redirect Rate vs. Server Error Rate
The vertical axis represents the ratio between redirect responses (3xx status codes) and server errors (5xx status codes). An IP positioned toward the top generates a higher proportion of redirects. An IP positioned toward the bottom triggers more server errors.
This axis captures a different behavioral dimension:
- Top (high redirect rate): Traffic that's being redirected—possibly hitting HTTP endpoints that redirect to HTTPS, legacy URLs that forward to new paths, or authentication flows that redirect to login pages. High redirect rates can indicate misconfigured clients, crawlers following redirect chains, or traffic hitting deprecated endpoints.
- Bottom (high server error rate): Traffic that's triggering application failures. This could indicate exploitation attempts that crash backend services, payload injection that causes unhandled exceptions, or resource exhaustion attacks that push endpoints past their capacity.
Together, these two axes create four quadrants that map to distinct behavioral archetypes.
Interpreting the Four Quadrants
Quadrant I: High Success, High Redirects (Top-Right)
IPs in this quadrant are generating mostly successful requests with a notable proportion of redirects. This is the typical pattern for legitimate web traffic—users browsing your site, following links, encountering redirects as part of normal navigation. Crawlers and SEO bots also appear here, as they systematically follow redirect chains.
Typical inhabitants: Real users, authorized API consumers, search engine crawlers, monitoring systems.
Action: Generally safe. Review outliers with unusually high redirect rates, which may indicate misconfigured integrations or automated tools that aren't handling redirects efficiently.
Quadrant II: High Client Errors, High Redirects (Top-Left)
IPs here are generating a mix of client errors and redirects. This pattern often indicates automated tools that are partially successful—they find some valid paths (generating redirects) but also probe many invalid ones (generating 404s). It can also indicate clients using outdated API schemas that reference deprecated endpoints.
Typical inhabitants: Outdated integrations, partially configured crawlers, low-sophistication scanners.
Action: Investigate. These IPs may be benign (broken integrations) or early-stage reconnaissance. Check the specific paths generating errors to determine intent.
Quadrant III: High Client Errors, High Server Errors (Bottom-Left)
This is the most concerning quadrant. IPs generating both client and server errors are likely probing your application aggressively enough to trigger both access control rejections and application failures. This pattern is consistent with active exploitation attempts—trying multiple attack vectors, some of which are blocked (4xx) and some of which cause backend errors (5xx).
Typical inhabitants: Active attackers, vulnerability scanners, fuzzing tools, exploitation frameworks.
Action: Prioritize investigation immediately. Cross-reference with AbuseIPDB enrichment and trigger AI investigation. The combination of 4xx and 5xx errors strongly suggests malicious intent.
Quadrant IV: High Success, High Server Errors (Bottom-Right)
IPs in this quadrant successfully access most endpoints but also trigger server errors on specific paths. This pattern can indicate legitimate users hitting buggy endpoints, or it can indicate targeted attacks against known-vulnerable endpoints where the attacker understands the application structure well enough to make valid requests but is pushing specific functionality past its limits.
Typical inhabitants: Legitimate users encountering bugs, targeted attackers exploiting specific endpoints, load testers.
Action: Examine which endpoints are generating 5xx responses. If the errors cluster on a single endpoint, it may be an application bug rather than an attack. If the errors spread across multiple endpoints with high request volumes, investigate for potential abuse.
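The following Python is an added example, not SecureNow code, that turns the axis definitions above and the quadrant numbering (I top-right, II top-left, III bottom-left, IV bottom-right) into a runnable classifier over a handful of constructed combined-format log lines. The article only says each axis is a ratio between two status classes, so the exact coordinate formula used here, a signed balance (pos - neg) / (pos + neg) in [-1, 1], is an assumption, as are the sample IPs and paths.

```python
"""Plot per-IP HTTP status distributions on the two quadrant axes and assign a quadrant.
Added example, not SecureNow code. The signed-balance coordinate formula is an assumption;
the article states only that each axis is a ratio between two response classes."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (combined-log style: client IP, request line, status, bytes).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Feb/2025:10:00:01 +0000] "GET /products HTTP/1.1" 200 512
203.0.113.10 - - [05/Feb/2025:10:00:02 +0000] "GET /cart HTTP/1.1" 200 340
203.0.113.10 - - [05/Feb/2025:10:00:03 +0000] "GET /login HTTP/1.1" 302 0
198.51.100.7 - - [05/Feb/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 404 0
198.51.100.7 - - [05/Feb/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 0
198.51.100.7 - - [05/Feb/2025:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.7 - - [05/Feb/2025:10:00:02 +0000] "GET /old-blog HTTP/1.1" 301 0
192.0.2.99 - - [05/Feb/2025:10:00:01 +0000] "POST /api/export HTTP/1.1" 400 0
192.0.2.99 - - [05/Feb/2025:10:00:01 +0000] "POST /api/export HTTP/1.1" 500 0
192.0.2.99 - - [05/Feb/2025:10:00:02 +0000] "POST /api/export HTTP/1.1" 500 0
192.0.2.99 - - [05/Feb/2025:10:00:02 +0000] "GET /api/users/1 HTTP/1.1" 403 0
192.0.2.44 - - [05/Feb/2025:10:00:01 +0000] "GET /api/products/search?q=a HTTP/1.1" 200 900
192.0.2.44 - - [05/Feb/2025:10:00:01 +0000] "GET /api/products/search?q=b HTTP/1.1" 200 900
192.0.2.44 - - [05/Feb/2025:10:00:02 +0000] "GET /api/products/search?q=c HTTP/1.1" 503 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+'
)


def status_class(code):
    """Map 200 -> '2xx', 404 -> '4xx', and so on."""
    return f"{code // 100}xx"


def aggregate(log_text):
    """Count 2xx/3xx/4xx/5xx responses per client IP; unparseable lines are skipped."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        counts[m["ip"]][status_class(int(m["status"]))] += 1
    return counts


def balance(pos, neg):
    """Signed balance in [-1, 1]: +1 when only 'pos' responses, -1 when only 'neg',
    0 when they are equal or both absent. Assumed formula for the axis ratio."""
    total = pos + neg
    return 0.0 if total == 0 else (pos - neg) / total


def coordinates(c):
    """X: success (2xx) vs client error (4xx); Y: redirect (3xx) vs server error (5xx)."""
    x = balance(c["2xx"], c["4xx"])  # right = mostly success, left = mostly client errors
    y = balance(c["3xx"], c["5xx"])  # top = mostly redirects, bottom = mostly server errors
    return round(x, 3), round(y, 3)


def quadrant(x, y):
    """Quadrant numbering as in the article. An IP with neither 3xx nor 5xx sits on y = 0
    and is treated as the top half, so a pure-2xx client lands in Quadrant I."""
    if x >= 0:
        return "I" if y >= 0 else "IV"
    return "II" if y >= 0 else "III"


def classify_log(log_text):
    """Return {ip: {x, y, quadrant, requests}} for every IP seen in the log text."""
    result = {}
    for ip, c in aggregate(log_text).items():
        x, y = coordinates(c)
        result[ip] = {"x": x, "y": y, "quadrant": quadrant(x, y), "requests": sum(c.values())}
    return result


if __name__ == "__main__":
    for ip, r in classify_log(SAMPLE_LOG).items():
        print(f"{ip:15} x={r['x']:+.2f} y={r['y']:+.2f} quadrant {r['quadrant']:3} "
              f"({r['requests']} requests)")
```

On the constructed lines, the browsing client lands in Quadrant I, the path prober (404s plus one 301) in Quadrant II, the IP mixing 400/403 with 500s in Quadrant III, and the search client that starts to receive 503s in Quadrant IV. Replace SAMPLE_LOG with a real access log and the same functions produce the coordinates an analyst would plot.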
Per-Application Scoping and Time Ranges
Real-world infrastructure hosts multiple applications, each with distinct traffic profiles. A public marketing site has fundamentally different behavioral norms than an internal API or a payment processing service. Analyzing all traffic in a single quadrant chart would conflate these patterns and reduce the analytical value.
SecureNow provides quadrant analysis scoped to each application with configurable time ranges. This means you can:
- Compare traffic patterns between your public API and internal services to identify anomalies specific to each
- Narrow the time window to a specific incident period to isolate attack traffic from normal operations
- Expand the time window to establish baseline patterns and identify long-running, low-volume attacks that evade short-window detection
The per-application scoping is critical for accurate behavioral classification. An IP that generates 80% client errors against your public marketing site might be a misconfigured crawler. The same IP generating 80% client errors against your authentication API is almost certainly malicious. Context determines classification, and application scoping provides that context.
Identifying Attack Types by Quadrant Position
Different attack methodologies produce characteristic quadrant signatures. Understanding these patterns transforms the scatter plot from a visualization into a threat classification tool.
Vulnerability Scanners
Scanners probe large numbers of paths looking for known vulnerable endpoints, exposed admin panels, default configurations, and directory listings. The vast majority of their requests hit non-existent paths, generating 404 responses that place them firmly in the high client error region (left side of the chart).
Signature: Far left on the X-axis, clustered tightly. High request volume with 90%+ client error rates. Server error rates are typically low because scanners rarely send payloads complex enough to crash backends.
Credential Stuffing
Credential stuffing attacks target authentication endpoints with stolen credentials. Most attempts fail (generating 401 or 403 responses), placing the attacker IPs in the high client error region. However, successful credential matches produce 200 responses, pulling the position slightly rightward compared to pure scanners.
Signature: Left side of X-axis but not as extreme as scanners. Moderate client error rates (70–95%) because some credentials succeed. Minimal redirect or server error rates. For a detailed walkthrough of detecting credential stuffing with SecureNow, see our credential stuffing detection case study.
DDoS Participants
Distributed denial-of-service traffic typically targets valid endpoints with well-formed requests. The goal is resource exhaustion, not exploitation. Initially, DDoS participants appear in the high success quadrant (right side) because the application responds normally. As the attack succeeds and the backend degrades, responses shift to 5xx errors, pulling IPs toward the bottom-right quadrant.
Signature: Starts in Quadrant I, migrates toward Quadrant IV as the attack progresses. High request volume per IP. Uniform request patterns across participating IPs (same endpoint, same method, same timing).
API Enumeration
Attackers systematically testing API endpoints to map your surface generate a distinctive mixed pattern. Valid endpoints return 200s or 301s; non-existent endpoints return 404s; unauthorized endpoints return 401s or 403s. The result is a scattered position with moderate values on both axes—not extreme enough to cluster with scanners, but clearly separated from legitimate users.
Signature: Center-left region with moderate client error rates (40–70%). Mixed response codes rather than the homogeneous patterns of scanners or credential stuffers. Often accompanied by sequential or alphabetical path patterns visible in trace analysis.
Data Exfiltration
Successful data exfiltration is the hardest attack to detect via quadrant analysis because the attacker's requests succeed. Exfiltration traffic appears in the high success quadrant (right side), often overlapping with legitimate user positions. The distinguishing factor is volume and access pattern, not error rates.
Signature: Right side of X-axis, similar to legitimate traffic. Detection requires supplementary analysis—request volume, endpoint sensitivity, payload sizes, and timing patterns visible in trace data rather than pure HTTP status distributions.
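As an added example (not SecureNow code), the following Python encodes the signature thresholds listed in this section as a small rule set over per-IP response profiles. The profile fields beyond the status counts (auth_share, the fraction of an IP's requests that hit authentication endpoints, and distinct_paths), the tie-break order between overlapping bands, and the sample profiles are all assumptions; the percentage bands themselves come from the article.

```python
"""Heuristic attack-signature labels from per-IP response profiles, using the bands
given in the article: scanners 90%+ 4xx with low 5xx, credential stuffing 70-95% 4xx
(401/403 on auth endpoints), API enumeration 40-70% 4xx with mixed codes, DDoS high
success at high volume on one endpoint, exfiltration indistinguishable by status alone.
Added example, not SecureNow code; profile fields and tie-break order are assumptions."""
from collections import Counter

# Constructed profiles: {status_code: count}, share of requests on auth endpoints, distinct paths.
PROFILES = {
    "198.51.100.7": {"codes": Counter({404: 950, 403: 20, 200: 10, 500: 5}),
                     "auth_share": 0.0, "distinct_paths": 900},
    "198.51.100.23": {"codes": Counter({401: 880, 200: 70, 429: 50}),
                      "auth_share": 1.0, "distinct_paths": 1},
    "192.0.2.77": {"codes": Counter({200: 30, 301: 10, 404: 35, 401: 20, 403: 5}),
                   "auth_share": 0.2, "distinct_paths": 90},
    "192.0.2.44": {"codes": Counter({200: 1480, 503: 20}),
                   "auth_share": 0.0, "distinct_paths": 1},
    "203.0.113.10": {"codes": Counter({200: 185, 302: 10, 404: 5}),
                     "auth_share": 0.1, "distinct_paths": 40},
}


def class_counts(codes):
    """Collapse {status_code: n} into {status_class_digit: n}, e.g. {4: 970}."""
    cc = Counter()
    for code, n in codes.items():
        cc[code // 100] += n
    return cc


def signature(profile):
    codes = profile["codes"]
    total = sum(codes.values())
    if total == 0:
        return "no traffic"
    cc = class_counts(codes)
    c2, c4, c5 = cc[2], cc[4], cc[5]
    auth_errors = codes.get(401, 0) + codes.get(403, 0)
    # Integer cross-multiplication keeps the threshold checks exact at the boundaries.
    # Credential stuffing is tested before the scanner rule because its 70-95% band
    # overlaps the scanner band; the tie-break is 401/403 dominating on auth endpoints.
    if (70 * total <= 100 * c4 <= 95 * total
            and profile["auth_share"] >= 0.8 and 5 * auth_errors >= 4 * c4):
        return "credential stuffing"
    if 100 * c4 >= 90 * total and 100 * c5 < 5 * total:
        return "vulnerability scanner"
    if 40 * total <= 100 * c4 <= 70 * total and len(codes) >= 3:
        return "api enumeration"
    if 100 * c2 >= 90 * total and total >= 1000 and profile["distinct_paths"] == 1:
        return "ddos-like (confirm uniform timing across IPs)"
    if 100 * c2 >= 90 * total:
        # Legitimate users and exfiltration both live here; status codes cannot separate
        # them, so hand off to volume, endpoint sensitivity and payload-size analysis.
        return "high success: needs volume/endpoint analysis"
    return "unclassified"


def triage(profiles):
    """Label every IP in a profile dict."""
    return {ip: signature(p) for ip, p in profiles.items()}


if __name__ == "__main__":
    for ip, label in triage(PROFILES).items():
        print(f"{ip:15} {label}")
```

The order of the rules matters: an IP with 93% client errors matches both the scanner and the credential-stuffing bands, and only the auth-endpoint context decides between them, which is the same point the article makes about per-application scoping.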
The IP List: Drilling Into the Data
The scatter plot provides the macro view—pattern recognition across your entire IP population. But investigation requires drilling down to individual IPs. SecureNow's quadrant analysis includes an IP list view that complements the visual chart with structured data for every plotted IP.
The IP list provides:
- IP address and current investigation status
- Total request count within the selected time range
- Response code distribution — exact percentages for 2xx, 3xx, 4xx, and 5xx categories
- AbuseIPDB enrichment — confidence score, country, ISP, usage type
- First seen and last seen timestamps
- Hit count — total interactions across the monitored application
The list supports sorting and filtering, allowing analysts to zero in on specific behavioral clusters identified in the scatter plot. Clicked an outlier in the bottom-left quadrant? Filter the IP list by high 4xx and 5xx rates to see every IP in that region, then sort by request volume to prioritize the most active attackers.
For extended analysis or integration with external tools, the IP list supports CSV export. This enables offline analysis, correlation with data from other security tools, and documentation for incident reports and compliance audits.
Real-World Example: DDoS Day vs. Normal Day
To illustrate the practical value of quadrant analysis, consider a comparative scenario.
Normal Traffic Day (Tuesday, February 4)
An e-commerce API serving 150,000 daily active users shows the following quadrant distribution:
- 85% of IPs cluster in Quadrant I (top-right)—high success rates, some redirects. This is the expected position for legitimate users browsing products, adding items to carts, and completing purchases.
- 8% of IPs appear in the left region with elevated client error rates. Investigation reveals these are search engine crawlers hitting deprecated URL patterns and a small number of misconfigured partner integrations.
- 4% of IPs scatter across the center with mixed response patterns. These turn out to be internal monitoring systems and load balancers.
- 3% of IPs cluster in the far-left region with 95%+ client error rates. AbuseIPDB enrichment confirms these are known scanners. Standard background noise.
The scatter plot shows a dense, predictable cluster with a few identifiable outliers. This is what healthy traffic looks like.
DDoS Day (Wednesday, February 5)
At 11:23 AM, the quadrant chart transforms. A new cluster of approximately 2,800 IPs appears in Quadrant I, densely packed with nearly identical positions: 99% success rate, minimal redirects. These IPs are hitting the /api/products/search endpoint with well-formed GET requests at a combined rate of 45,000 requests per minute.
The first visual indicator is the density anomaly—a cluster that's too tight and too large to be organic traffic. Legitimate users have varied browsing patterns that spread them across the quadrant. Botnet participants executing identical attack scripts cluster with unnatural precision.
Over the next 20 minutes, as the application's backend begins to degrade under load, the cluster migrates downward. Response codes shift from 200 to 503 as the service hits capacity limits. The DDoS cluster moves from Quadrant I toward Quadrant IV—high success mixed with increasing server errors—creating a visual trajectory that's unmistakable.
The SOC team, monitoring the quadrant chart, identifies the migration pattern within minutes. They filter the IP list to the anomalous cluster, export the 2,800 IPs, and push them to their WAF for blocking. They also create a forensic query to examine the full timeline. For an in-depth guide on using SecureNow's forensic query capabilities, see our security forensics guide.
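The two visual cues in this scenario, a cluster that is too tight and too large to be organic and a cluster that then migrates downward as 200s turn into 503s, can be checked mechanically. The Python below is an added example, not SecureNow code: it builds three consecutive windows of constructed per-IP chart positions with a seeded generator (legitimate IPs spread over the top-right, a bot cluster parked at one point that drops toward the server-error side in each later window), flags grid cells holding an unnaturally large share of IPs, and follows the flagged IPs' centroid across windows. The grid cell size, the 5% density threshold and the generated positions are assumptions.

```python
"""Detect a density anomaly (one grid cell holding too many IPs) and downward migration
(the flagged IPs' centroid moving toward 5xx across time windows) on quadrant snapshots.
Added example, not SecureNow code; data is constructed with a seeded generator and the
cell size and density threshold are assumptions."""
import math
import random
from collections import defaultdict

CELL = 0.05       # grid resolution on the [-1, 1] quadrant axes (assumption)
MIN_SHARE = 0.05  # a cell holding >= 5% of all plotted IPs is "too dense" (assumption)


def make_snapshots(n_legit=500, n_bots=300, seed=1):
    """Three consecutive windows of constructed (x, y) positions keyed by IP label.
    Legitimate IPs keep fixed, spread-out positions; the bot cluster sits tightly at
    (0.975, 0.025) in window 0 and then moves to y = -0.375 and y = -0.875."""
    rng = random.Random(seed)
    legit = {f"legit-{i}": (rng.uniform(0.5, 0.94), rng.uniform(-0.2, 0.6))
             for i in range(n_legit)}
    snapshots = []
    for bot_y in (0.025, -0.375, -0.875):
        snap = dict(legit)
        for i in range(n_bots):
            snap[f"bot-{i}"] = (0.975 + rng.uniform(-0.01, 0.01),
                                bot_y + rng.uniform(-0.01, 0.01))
        snapshots.append(snap)
    return snapshots


def cell_of(x, y):
    """Grid cell index for a chart position."""
    return (math.floor((x + 1) / CELL), math.floor((y + 1) / CELL))


def dense_cells(snapshot, min_share=MIN_SHARE):
    """Return {cell: [ips]} for cells that hold at least min_share of the window's IPs."""
    cells = defaultdict(list)
    for ip, (x, y) in snapshot.items():
        cells[cell_of(x, y)].append(ip)
    threshold = min_share * len(snapshot)
    return {c: ips for c, ips in cells.items() if len(ips) >= threshold}


def centroid(points):
    xs, ys = zip(*points)
    return sum(xs) / len(xs), sum(ys) / len(ys)


def track_cluster(snapshots):
    """Flag the dense cluster in the first window, then follow those same IPs through
    later windows. migrating_down is True when their centroid y strictly decreases
    window over window and ends below zero (more 5xx than 3xx)."""
    flagged = sorted(ip for ips in dense_cells(snapshots[0]).values() for ip in ips)
    if not flagged:
        return {"cluster_size": 0, "trajectory": [], "migrating_down": False}
    trajectory = []
    for snap in snapshots:
        pts = [snap[ip] for ip in flagged if ip in snap]  # IPs may drop out of later windows
        trajectory.append(centroid(pts))
    ys = [cy for _, cy in trajectory]
    migrating_down = all(b < a for a, b in zip(ys, ys[1:])) and ys[-1] < 0
    return {"cluster_size": len(flagged), "trajectory": trajectory,
            "migrating_down": migrating_down}


if __name__ == "__main__":
    result = track_cluster(make_snapshots())
    print(f"flagged cluster of {result['cluster_size']} IPs")
    for i, (cx, cy) in enumerate(result["trajectory"]):
        print(f"window {i}: centroid x={cx:+.3f} y={cy:+.3f}")
    print("migrating toward server errors:", result["migrating_down"])
```

The density check alone already separates the 300-IP cell from legitimate traffic, which never concentrates more than a few IPs in any single cell; the trajectory adds the second signal the article describes, the drift from Quadrant I toward Quadrant IV as the backend degrades. Both the flagged IP list and the trajectory are what an analyst would export before pushing a block list.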
Integrating Quadrant Insights with IP Investigation
Quadrant analysis is a detection and classification tool. It answers "what is happening" and "which IPs are doing it." But it deliberately stops short of answering "why" and "what should we do about it." Those answers come from integrating quadrant insights with deeper investigation workflows.
The recommended integration follows a three-step pattern:
Step 1: Visual identification. Use the quadrant chart to identify anomalous clusters or outlier IPs. The visual format makes pattern detection faster than any log query or dashboard.
Step 2: Enrichment review. For identified IPs, review the auto-populated AbuseIPDB enrichment data in the IP list. Confidence scores, usage types, and Tor/proxy/VPN flags add context that helps differentiate between misconfigured clients and active threats.
Step 3: AI investigation. For IPs where the quadrant position and enrichment data suggest malicious activity, trigger SecureNow's AI investigation. The AI pulls full trace data—request paths, methods, timing, payloads—and produces a comprehensive verdict with risk score, attack pattern classification, and recommended response actions. For details on the AI investigation workflow, see our guide on automating IP threat investigation.
This three-step workflow transforms quadrant analysis from a passive visualization into an active detection pipeline. The scatter plot surfaces threats that would be invisible in traditional log analysis. The enrichment layer adds external intelligence. The AI investigation produces the actionable verdict that drives response.
Building Quadrant Analysis Into Your Security Operations
The MITRE ATT&CK framework documents dozens of techniques that produce distinctive HTTP response patterns—from T1595 Active Scanning to T1110 Brute Force to T1499 Endpoint Denial of Service. Quadrant analysis provides a unified visual layer that surfaces all of these patterns without requiring technique-specific detection rules for each.
For security teams looking to operationalize quadrant analysis, the key practices are:
- Establish baselines. Run quadrant analysis over a 7-day window for each application to understand normal cluster positions. Document where legitimate traffic concentrates so that anomalies become immediately apparent.
- Check daily. Incorporate a quadrant chart review into daily SOC routines. A 60-second visual scan of each application's chart can surface emerging threats faster than waiting for alert rules to trigger.
- Correlate across applications. An IP that appears in the high-error quadrant for multiple applications simultaneously is a stronger signal than one targeting a single service. Cross-application correlation reveals infrastructure-level campaigns.
- Use time range comparisons. Compare today's quadrant distribution against the same day last week. Seasonal traffic patterns, marketing campaigns, and business cycles all affect baseline distributions—understanding these prevents false positive escalations.
- Export and document. Use CSV exports to document quadrant analysis findings in incident reports. The combination of visual charts and structured data provides both executive-level summaries and analyst-level detail for post-incident review.
Traffic behavior tells you more about intent than any single indicator. An IP's position in the quadrant chart encodes its entire interaction pattern with your application into a single, interpretable coordinate. That coordinate, enriched with AbuseIPDB data and validated through AI investigation, produces the kind of high-confidence threat classification that security operations require to act decisively.
Frequently Asked Questions
What is quadrant analysis in security monitoring?
Quadrant analysis plots IPs on a scatter chart based on their HTTP response patterns — success vs client error rates on one axis, redirects vs server errors on the other — to visually cluster normal and anomalous traffic.
How do I identify scanners using quadrant analysis?
Scanners typically appear in the high-client-error quadrant because they probe non-existent paths, generating many 404 responses. They cluster separately from legitimate users who mostly receive 200 responses.
Can quadrant analysis detect credential stuffing?
Yes, credential stuffing attackers show up with high 4xx rates (401/403 responses) on authentication endpoints, placing them in the client-error quadrant distinct from normal user traffic.
Is quadrant analysis available per application?
Yes, SecureNow provides quadrant analysis scoped to each application with configurable time ranges, so you can analyze traffic patterns for individual services.