FraudGuard separates two questions that are often collapsed into a single score:

  1. What kind of activity is associated with this IP? The threat classification describes the observed signal.
  2. How strongly should you respond? The ACE risk level reflects the severity, recency, repetition, and correlation of the available evidence.

Use both fields together. A classification provides context; the risk level helps determine the response.

Threat classifications

FraudGuard’s legacy threat field may return one of the following tracker classifications:

Classification What it indicates Typical handling
anonymous_tracker An anonymizing service such as Tor or a public proxy Add verification or apply policy controls when identity matters
botnet_tracker Infrastructure associated with coordinated, compromised-device activity Restrict or block when supported by current evidence
honeypot_tracker Direct interaction with FraudGuard honeypot infrastructure Treat as a strong indicator of hostile reconnaissance or exploitation
abuse_tracker Abusive behavior such as brute force, credential attacks, phishing, or exploitation Challenge or block according to risk and the protected workflow
spam_tracker Infrastructure associated with unsolicited or automated messaging Restrict messaging workflows and monitor related activity
vpn_tracker An IP associated with a VPN service Use as context, not proof of abuse; step up verification when appropriate
unknown No specific legacy tracker classification is available Evaluate the risk, recommendation, and supporting evidence before acting

A VPN, proxy, or other privacy service is not inherently malicious. FraudGuard’s ACE v2 response adds evidence, confidence, and a recommended action so customers do not have to make a decision from a label alone.

ACE risk levels

ACE expresses risk on a scale from 1 through 5:

Level Label Typical response
1 Minimal Allow
2 Low Allow or challenge when the workflow is sensitive
3 Medium Challenge and monitor
4 High Block unless trusted customer context overrides the signal
5 Critical Block and investigate related activity

These are starting points rather than a substitute for your own policy. A login, checkout, password reset, public API, and internal administrative tool do not have the same tolerance for risk.

Why scores change

IP reputation is dynamic. ACE continuously reevaluates evidence as activity appears, repeats, spreads across services, or becomes stale. Relevant factors include:

  • how recently the activity occurred;
  • whether the IP is a repeat offender;
  • how many attack types or target services are involved;
  • whether multiple FraudGuard sensors observed the source;
  • infrastructure and network-level context; and
  • customer-specific whitelist, blacklist, and geoblock policy.

An IP can escalate when new evidence arrives and cool down when hostile activity stops. Applications should respect the response’s recommended cache lifetime instead of storing a decision indefinitely.

Turn intelligence into policy

A practical decision path looks like this:

  1. Check the ACE recommendation and risk level.
  2. Read the classification, reasons, confidence factors, and observed activity.
  3. Apply customer-specific policy and the sensitivity of the requested action.
  4. Allow, challenge, or block the request.
  5. Log the evidence used so the decision can be reviewed later.

For the complete response schema and current endpoint behavior, use the FraudGuard API documentation. You can also investigate an IP before integrating the result into your request path.