- Patent title: Systems and methods for automated intrusion detection
- Application number: US16409735
- Filing date: 2019-05-10
- Publication number: US11388188B2
- Publication date: 2022-07-12
- Inventor: Rajpreet Singh Ahluwalia
- Applicant: The Boeing Company
- Applicant address: US IL Chicago
- Patentee: The Boeing Company
- Current patentee: The Boeing Company
- Current patentee address: US IL Chicago
- Main classification: H04L29/06
- IPC classification: H04L29/06 ; H04L9/40 ; H04L61/5046

Abstract:
Implementations provide automated intrusion alert-based blacklisting with minimal false positives that ignores regular business operations, scalable to accommodate the volume of IDS alerts received by high-traffic internet-accessible networked systems. Implementations identify and block hostile infrastructure IP addresses during the reconnaissance phase based on IDS alert(s). Each IDS alert is automatically reviewed in historical context and triggers IP blocking as necessary. Some implementations maintain TCP/IP handshake records, preventing blocking an IP used to conduct regular business operations on the network that a malicious party has spoofed to avoid identification. Based on the historical context of each IP address within the local network environment, specifically regular business operations traffic versus malicious traffic, the IP address is blocked only if the majority of connections therefrom are malicious. This approach provides substantial cost-savings; frees up resources and personnel otherwise necessary for manual processes; and increases overall network security through automated network defense.