FraudGuard.io Threats & Risks Documentation
A practical guide to FraudGuard threat classifications, ACE risk levels, and the allow, challenge, or block decisions they support.
FraudGuard separates two questions that are often collapsed into a single score:
- What kind of activity is associated with this IP? The threat classification describes the observed signal.
- How strongly should you respond? The ACE risk level reflects the severity, recency, repetition, and correlation of the available evidence.
Use both fields together. A classification provides context; the risk level helps determine the response.
Threat classifications
FraudGuard’s legacy threat field may return one of the following tracker classifications:
| Classification | What it indicates | Typical handling |
|---|---|---|
anonymous_tracker |
An anonymizing service such as Tor or a public proxy | Add verification or apply policy controls when identity matters |
botnet_tracker |
Infrastructure associated with coordinated, compromised-device activity | Restrict or block when supported by current evidence |
honeypot_tracker |
Direct interaction with FraudGuard honeypot infrastructure | Treat as a strong indicator of hostile reconnaissance or exploitation |
abuse_tracker |
Abusive behavior such as brute force, credential attacks, phishing, or exploitation | Challenge or block according to risk and the protected workflow |
spam_tracker |
Infrastructure associated with unsolicited or automated messaging | Restrict messaging workflows and monitor related activity |
vpn_tracker |
An IP associated with a VPN service | Use as context, not proof of abuse; step up verification when appropriate |
unknown |
No specific legacy tracker classification is available | Evaluate the risk, recommendation, and supporting evidence before acting |
A VPN, proxy, or other privacy service is not inherently malicious. FraudGuard’s ACE v2 response adds evidence, confidence, and a recommended action so customers do not have to make a decision from a label alone.
ACE risk levels
ACE expresses risk on a scale from 1 through 5:
| Level | Label | Typical response |
|---|---|---|
| 1 | Minimal | Allow |
| 2 | Low | Allow or challenge when the workflow is sensitive |
| 3 | Medium | Challenge and monitor |
| 4 | High | Block unless trusted customer context overrides the signal |
| 5 | Critical | Block and investigate related activity |
These are starting points rather than a substitute for your own policy. A login, checkout, password reset, public API, and internal administrative tool do not have the same tolerance for risk.
Why scores change
IP reputation is dynamic. ACE continuously reevaluates evidence as activity appears, repeats, spreads across services, or becomes stale. Relevant factors include:
- how recently the activity occurred;
- whether the IP is a repeat offender;
- how many attack types or target services are involved;
- whether multiple FraudGuard sensors observed the source;
- infrastructure and network-level context; and
- customer-specific whitelist, blacklist, and geoblock policy.
An IP can escalate when new evidence arrives and cool down when hostile activity stops. Applications should respect the response’s recommended cache lifetime instead of storing a decision indefinitely.
Turn intelligence into policy
A practical decision path looks like this:
- Check the ACE recommendation and risk level.
- Read the classification, reasons, confidence factors, and observed activity.
- Apply customer-specific policy and the sensitivity of the requested action.
- Allow, challenge, or block the request.
- Log the evidence used so the decision can be reviewed later.
For the complete response schema and current endpoint behavior, use the FraudGuard API documentation. You can also investigate an IP before integrating the result into your request path.
Put the evidence to work
Turn an IP signal into a defensible decision.
Investigate a source with FraudGuard, then bring explainable allow, challenge, and block decisions into your own request path.
