Your Company Isn't Spying on You — But It Might Feel That Way
Here's the first thing to understand: your company's IT department is almost certainly not sitting at a desk watching your every click. There's no one assigned to track your location. What's happening instead is far less dramatic and far more automated — and that's actually what makes it tricky.
Modern companies run sophisticated software that watches for patterns. Not your specific behavior — patterns. When something breaks from the expected pattern, the software raises a flag. A human might not look at it for days, or ever. But the flag exists, and it can trigger consequences: an automatic account lock, a compliance report, a question from your manager, or in the worst case, an HR conversation.
This is why the experience can feel so random. A colleague works from Lisbon for three weeks with no issues. You try the same thing and get locked out of Salesforce on day two. The difference isn't that IT was watching you specifically — it's that something in your specific setup triggered a pattern flag that theirs didn't.
What likely happened: they hit a trigger threshold. The system gives you a window of forgiveness — maybe it flags the unusual country login but waits to see if it persists. After a certain number of days or login events from an unexpected location, the automated action kicks in. The timing feels random because the threshold is invisible to you.
The Four Places IT Gets Your Location Data
Before we get into the systems themselves, it helps to understand where the raw data comes from. There are four main sources, and they work together — meaning fixing one without fixing the others can still get you flagged.
Your IP Address — The Most Reliable Signal
Every time your device sends data anywhere on the internet — loading an email, opening a file, checking Slack — it includes a return address called an IP address. This is how the internet knows where to send the response back to you.
IP addresses are publicly traceable to a geographic location. Not your exact home address — but your city, your state, your country, and your internet service provider. There are databases that map IP addresses to locations, and they're accurate enough that "you logged in from Bangkok" is a trivially easy determination for any system to make.
What makes this particularly sticky is that corporate systems log IP addresses for every login, often indefinitely. They build a "normal" profile for you — you almost always log in from a specific range of IPs associated with your home city. When that changes, the anomaly is obvious.
| What they can determine | Accuracy | Risk level |
|---|---|---|
| Your country | ~99% | Very High |
| Your city/region | ~85% | High |
| Your ISP name | ~95% | Medium |
| Whether you're using a VPN service | ~80% | High |
| Your exact street address | Not possible | N/A |
Device Location Services — GPS & WiFi Triangulation
Your laptop constantly scans for nearby WiFi networks. Even networks you're not connected to. This isn't a bug — it's a feature designed to help your computer find available networks quickly. But it has a side effect: your device knows, at all times, what WiFi networks are physically nearby.
If Location Services are enabled on your work device, apps like Microsoft Teams, Outlook, or your company's VPN client can read this data and report it to corporate servers. This happens silently, in the background, as part of normal application operation.
This is also why masking your IP address alone isn't enough. Your IP might say "United States" while your device's GPS coordinates say "14.0583° N, 108.2772° E" — which is Vietnam. That inconsistency is itself a flag.
Timestamp & Timezone Metadata
Every action you take on a work system generates a log entry with a timestamp. When you open an email. When you save a file. When you join a Zoom call. These timestamps are recorded in the system's timezone — and compared against your device's reported timezone and the geographic location of your IP.
When you travel, your laptop often updates its timezone automatically. This creates a traceable inconsistency. If your IP address says you're in Chicago but your device's timezone metadata says you're in Bangkok Standard Time, the mismatch is logged.
This catches people who only partially mask their location — they fix the IP but forget that their laptop auto-updated to local time and every email timestamp is now broadcasting the wrong timezone.
Endpoint Telemetry — What Your Work Laptop Reports Directly
If your company manages your laptop — meaning they configured it, enrolled it in a device management system, or installed corporate security software — the device itself may be sending location and status data directly to your company's IT infrastructure, completely independently of what you're doing or what network you're on.
This is called endpoint telemetry. Think of it as your laptop having a built-in check-in system that runs in the background. It might report: current IP address, current timezone, battery status, installed applications, running processes, and in some cases, GPS coordinates if the device has a GPS chip.
Not every company does this — it depends heavily on size and industry. Heavily regulated industries (finance, healthcare, defense contractors, legal) are far more likely to have this level of endpoint visibility than a scrappy tech startup. But if your company gave you a laptop with IT already configured, assume some level of this is present.
SIEM and EDR — The Two Systems You've Probably Never Heard Of
The four data sources above are just raw ingredients. What turns them into actual flags and consequences are two categories of software that most employees have never heard of but that most medium-to-large companies run constantly in the background.
SIEM — The Pattern Detector
SIEM stands for Security Information and Event Management. The name is less important than what it does. Think of it as a giant, tireless data analyst whose only job is to look at everything happening across your company's systems simultaneously and ask: does anything here look weird?
SIEM pulls logs from: your email system, your VPN, your file storage, your identity provider (the system that handles your work login), your cloud applications, and more. It correlates all of these against each other in real time.
EDR — What Runs on Your Actual Laptop
EDR stands for Endpoint Detection and Response. While SIEM watches patterns across your company's cloud systems, EDR is software that runs directly on your device — your work laptop specifically.
Popular EDR tools include CrowdStrike Falcon, Microsoft Defender for Endpoint, Carbon Black, and SentinelOne. If you work at a company with any serious security posture, at least one of these (or something equivalent) is almost certainly running on your work machine right now, whether you know it or not.
What EDR can see on your work laptop:
| Data point | What IT learns from it |
|---|---|
| All running processes | If you installed a personal VPN app, EDR sees it running. Some companies flag this as a policy violation. |
| Network connections | Every IP address your laptop connects to, continuously logged. |
| USB device insertions | What external drives or devices you plug in and when. |
| File activity | What files were opened, copied, moved, or deleted. |
| Geographic location | If the device has a GPS chip or location services enabled, coordinates are available. |
| WiFi networks nearby | The SSIDs of WiFi networks the device can see — which are cross-referenceable to physical locations. |
The important thing to understand about EDR is that it operates below the level of your network. You can route all your internet traffic through a VPN — the EDR agent still talks to your company's servers through whatever mechanism it uses, sometimes bypassing your VPN entirely. This is by design.
The Four Triggers That Will Actually Get You Flagged
Understanding the systems is one thing. Understanding specifically what behavior triggers them is what matters practically. These are the four most common triggers — drawn directly from the kinds of IT security rules that SIEM systems are configured with.
Impossible Travel
This is the most reliably enforced rule across almost every corporate SIEM. The logic is simple: if you logged in from New York at 9 AM and from Tokyo at 11 AM the same day, you physically could not have traveled between those locations. The system assumes two people are using your account simultaneously — which is exactly what an account compromise looks like.
What makes this so easy to trigger accidentally: VPN drop-off. You're connected to a VPN that shows you in the US. The VPN disconnects for 30 seconds. In that window, you open your email. Your real IP — from wherever you actually are — hits the mail server. The VPN reconnects. Now the logs show US login at 10:01, Thai login at 10:02, US login at 10:03. Impossible travel in both directions within two minutes.
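An added example (not from the original article or any vendor's product) of how a detection engineer might express the impossible-travel rule over sign-in records. The sample logs are constructed, and the 900 km/h speed ceiling and 100 km jitter floor are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed
MIN_KM = 100.0    # assumed floor, ignores GeoIP jitter between nearby cities

# Constructed sign-in records on one clock: (ISO time, GeoIP city, lat, lon)
NY_TOKYO = [
    ("2024-05-01T09:00:00", "New York", 40.71, -74.01),
    ("2024-05-01T11:00:00", "Tokyo", 35.68, 139.69),
]
VPN_DROP = [
    ("2024-05-02T10:01:00", "Chicago", 41.88, -87.63),
    ("2024-05-02T10:02:00", "Bangkok", 13.76, 100.50),
    ("2024-05-02T10:03:00", "Chicago", 41.88, -87.63),
]
ROUTINE = [
    ("2024-05-03T09:00:00", "New York", 40.71, -74.01),
    ("2024-05-03T14:00:00", "Boston", 42.36, -71.06),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (from_city, to_city, km) for each consecutive pair of
    sign-ins that would require travelling faster than max_kmh."""
    flagged = []
    ordered = sorted(signins, key=lambda s: datetime.fromisoformat(s[0]))
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev[2], prev[3], cur[2], cur[3])
        if km < min_km:
            continue
        hours = (datetime.fromisoformat(cur[0])
                 - datetime.fromisoformat(prev[0])).total_seconds() / 3600
        # Simultaneous sign-ins far apart count as infinitely fast.
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            flagged.append((prev[1], cur[1], round(km)))
    return flagged

if __name__ == "__main__":
    for name, log in (("NY/Tokyo", NY_TOKYO), ("VPN drop", VPN_DROP)):
        print(name, impossible_travel(log))
```

The VPN drop-off sequence produces two findings, one for each direction, which is why a single brief disconnect is enough to raise the alert.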
Risky IP Login
Every IP address belongs to a category. Your home internet IP is a "residential" IP — it's registered to a home internet customer. Your company's office IP is a "corporate" IP. Commercial VPN services use "data center" IPs — IPs registered to server farms operated by cloud providers.
Security vendors maintain continuously updated lists of IP ranges categorized by type and risk level. When your login comes from a data center IP — the kind used by NordVPN, ExpressVPN, and every other commercial VPN — it gets flagged as a "risky IP login." This is specifically because threat actors (hackers, credential thieves) routinely use VPN services to obscure their location when trying to access corporate accounts with stolen credentials.
You're not a threat actor. But you're connecting from the same type of IP they use. The system doesn't know the difference — and it's not designed to give you the benefit of the doubt.
"A VPN hides where I'm connecting from."
A VPN replaces your location with a data center address that's on corporate blocklists. You go from "suspicious foreign location" to "suspicious VPN/anonymizer IP" — arguably worse.
Country-Level Access Policies
Many companies — especially those in finance, healthcare, government contracting, or any industry with significant compliance requirements — implement country-level access controls. These are not anomaly-detection rules. They are hard rules: logins from certain countries are simply blocked, regardless of how legitimate the login looks.
This exists because some countries have specific legal environments that create compliance risks for companies. Certain countries are subject to US sanctions, trade restrictions, or have data sovereignty laws that conflict with how the company handles data. The IT team can't always manually review every foreign login — so they implement a blocklist at the country level and accept that occasional legitimate travelers will get caught in it.
Common blocked country categories: sanctioned countries (obvious ones like North Korea, Iran, Cuba), countries with specific data residency conflicts, and in some cases, high-risk regions identified by the company's cyber insurance provider.
Behavioral Anomaly Accumulation
This is the subtlest trigger and the one that explains why some people get caught weeks into a trip rather than on day one. Modern SIEM systems don't always fire on a single anomaly. Instead, they assign a risk score that accumulates over time. Each anomaly adds points:
| Anomaly | Typical risk score contribution |
|---|---|
| Login from new country | +15 points |
| Login at unusual hour | +10 points |
| Login from data center/VPN IP | +20 points |
| Timezone mismatch vs login location | +10 points |
| Multiple countries in short period | +25 points |
| Accessing sensitive data from new location | +30 points |
Scores are hypothetical examples — the specific values vary by system and company configuration. But the mechanism is real. You can have a foreign country login (15 points) plus an unusual hour (10 points) plus a VPN IP (20 points) and hit a threshold of 45 that triggers an alert — even though none of those three things individually would have done it.
This is also why someone can "get away with it" for two weeks and then suddenly have an issue. They're accumulating points. On week three, they access a sensitive document (another +30) and cross the threshold that triggers escalation.
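An added example (not from the original article or any SIEM product) of the accumulation mechanism as a detection rule. The weights and the threshold of 45 are the article's hypothetical values; the 30-day look-back window, the rule that each anomaly type counts once per window, and the sample events are assumptions made here.

```python
from datetime import datetime, timedelta

# Weights copied from the article's table (hypothetical values).
WEIGHTS = {
    "new_country": 15,
    "unusual_hour": 10,
    "datacenter_ip": 20,
    "timezone_mismatch": 10,
    "multi_country": 25,
    "sensitive_access_new_location": 30,
}
THRESHOLD = 45                 # the article's example alert threshold
WINDOW = timedelta(days=30)    # assumed look-back window

# Constructed anomaly events for one account: (time, anomaly type)
SLOW_BURN = [
    (datetime(2024, 6, 3, 14, 0), "new_country"),
    (datetime(2024, 6, 4, 3, 30), "unusual_hour"),
    (datetime(2024, 6, 10, 14, 0), "new_country"),   # repeat, counted once
    (datetime(2024, 6, 20, 9, 15), "sensitive_access_new_location"),
]
THREE_SIGNALS = [
    (datetime(2024, 7, 1, 8, 0), "new_country"),
    (datetime(2024, 7, 1, 23, 0), "unusual_hour"),
    (datetime(2024, 7, 2, 8, 0), "datacenter_ip"),
]
STALE = [
    (datetime(2024, 1, 1, 8, 0), "new_country"),
    (datetime(2024, 3, 1, 8, 0), "sensitive_access_new_location"),
]

def first_alert(events, threshold=THRESHOLD, window=WINDOW):
    """Return (time, score, active anomaly types) at the first event where
    the windowed score reaches the threshold, or None if it never does."""
    last_seen = {}
    for ts, anomaly in sorted(events):
        if anomaly not in WEIGHTS:
            raise ValueError(f"unknown anomaly type: {anomaly}")
        last_seen[anomaly] = ts
        # Only anomaly types seen inside the look-back window contribute.
        active = sorted(a for a, t in last_seen.items() if ts - t <= window)
        score = sum(WEIGHTS[a] for a in active)
        if score >= threshold:
            return ts, score, active
    return None

if __name__ == "__main__":
    for name, log in (("slow burn", SLOW_BURN), ("three signals", THREE_SIGNALS)):
        print(name, first_alert(log))
```

Returning the contributing anomaly types with the score gives the analyst who picks up the alert the reason it fired, not just the number.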
Five Things People Get Wrong About This
"If I just use incognito mode, IT can't see where I am."
Incognito mode prevents your browser from saving local history. It does nothing to your IP address, your device telemetry, or any of the server-side logs that IT systems read.
"IT is too busy to actually look at this stuff."
They don't have to look. The system automatically creates tickets, locks accounts, and sends alerts. Human review is optional — the automated consequences aren't.
"My manager approved me working remotely, so IT won't flag me."
Manager approval is an HR/policy question. SIEM and EDR are security systems that run independently of HR processes. One has nothing to do with the other — unless IT specifically whitelisted your IP or location, which almost never happens.
"A good VPN will make me invisible."
Commercial VPN IPs are on corporate blocklists. A VPN changes your apparent location to a data center, which is often more suspicious than a foreign residential IP. And endpoint telemetry bypasses your VPN entirely.
"Small companies don't run this kind of software."
Microsoft 365 Business Premium — a standard package for SMBs — includes Microsoft Defender for Endpoint (an EDR) and Azure AD Identity Protection (which does impossible travel detection) by default. You don't need a dedicated security team. It's on by default in standard business software packages.
What Actually Works — and Why
Given everything above, here's what the data says actually addresses the problem at the root rather than just creating new ones.
This is why the hardware approach — routing all traffic through your actual home network — addresses the problem more completely than any software solution. You're not masking your location with a different IP. You're routing your traffic through your actual home, so your IP genuinely is your home IP. The timezone matches because you can set it to home time. The behavioral pattern matches because you're coming from the same network you always do.
The two things the hardware approach can't fix are endpoint telemetry from MDM-enrolled work laptops and GPS data from location services. Those require disabling location services in your device settings and being aware that your company-managed work laptop may report its own location regardless of your network. For those scenarios, working on a personal device connected to the travel router is the cleanest approach.
What This Means for You
Corporate location tracking isn't a conspiracy and it isn't personal. It's compliance automation built on top of legitimate security requirements, running in the background of tools your company already pays for. The people building these systems aren't trying to catch remote workers — they're trying to detect actual account compromises, data breaches, and insider threats. Remote workers just happen to look like threats to the pattern detector if they're not careful about how their digital footprint presents.
The good news is that once you understand the system, the solution isn't complicated. The pattern detector looks for anomalies. Remove the anomalies. Your IP should look like home, your timezone should look like home, your behavior should look like home. Do that consistently and there's nothing for the system to flag, because there's genuinely nothing anomalous happening — your traffic really is coming from home.
That's the goal — solve it once, correctly, and stop thinking about it. The trip to Thailand shouldn't have an IT incident as a possible outcome. With the right setup, it doesn't.