Advanced Threat Lookup for IP Investigations
Query FraudGuard attack intelligence by ASN, provider, country, connection type, threat class, and risk to investigate patterns beyond one IP.
A single-IP lookup answers “what does FraudGuard know about this address?” Advanced Threat Lookup answers the next question: “what broader pattern does this address belong to?”
The API lets analysts filter FraudGuard intelligence across network ownership, provider, geography, connection type, threat classification, and risk. It is designed for investigations and scoped enrichment—not as a shortcut for blocking every address that shares one attribute.
When to use Advanced Threat Lookup
Use it when you need to:
- review abuse associated with an ASN or provider;
- find similar sources after an incident;
- examine threat activity within a country or connection type;
- validate whether a proposed network rule is too broad;
- build a bounded dataset for threat research or remediation;
- pivot from one IP into a campaign-level view.
For a live allow, challenge, or block decision on one request, use ACE v2 IP Intelligence instead.
Available filters
| Filter | Investigative use |
|---|---|
asn |
Find activity from one or more Autonomous System Numbers |
asn_organization |
Search by the network owner’s name |
isp |
Review activity attributed to an internet service provider |
organization |
Search the organization associated with an address |
country / isocode |
Scope results geographically |
connection_type |
Compare consumer, cellular, corporate, or unclassified sources |
threat |
Focus on one or more FraudGuard threat classifications |
risk |
Bound results by risk level |
limit / offset |
Page through a controlled result set |
Refer to the Advanced Threat Lookup documentation for the current parameter contract and response schema.
Investigation patterns
Check a hosting network after an incident
Start with the ASN or organization associated with a confirmed source, then narrow by threat type and risk. Review whether activity is recent, repeated, and distributed across multiple prefixes.
GET /advanced-threat-lookup?asn_organization=Example+Hosting&risk=4,5
The purpose is to measure the pattern—not to label every customer of the provider as malicious.
Validate a proposed country rule
Query the relevant geography, then compare attack types, infrastructure, and recency. A country can be useful policy context, but geography alone does not prove intent. If the evidence is mixed, a challenge or rate limit may be more appropriate than a blanket block.
GET /advanced-threat-lookup?isocode=BR&threat=botnet_tracker&limit=100
Pivot from an IP to its surrounding network
Take the ASN, provider, prefix, and threat family from an ACE v2 response. Search those dimensions separately, then intersect them in your analysis. This can expose repeated behavior while avoiding the assumption that one shared attribute means one actor.
A defensible analyst workflow
- Begin with a confirmed event. Preserve the source, time, target, and reason it became suspicious.
- Pull the single-IP evidence. Establish observed behavior, recency, confidence, and network attribution.
- Choose one pivot at a time. ASN, provider, country, and threat family answer different questions.
- Compare inside and outside the suspected cluster. A control group helps reveal whether a pattern is genuinely distinctive.
- Document the proposed action. State whether the result supports monitoring, a temporary rule, a challenge, or a block.
- Set an expiry. Infrastructure and attacker behavior change; investigation-derived rules should be reviewed.
What the API should not be used for
Advanced Threat Lookup is not a license to block an entire ISP, country, or ASN because matching results exist. Large networks contain legitimate users, shared infrastructure, compromised endpoints, and unrelated customers. Apply broader controls only when the pattern is strong, the business context supports it, and a safer tiered response is insufficient.
It is also not a replacement for your own incident data. FraudGuard supplies external observations; your logs supply the target, account, transaction, and impact. The strongest conclusion combines both.
Product availability
Advanced investigative features vary by plan and workflow. Review the current FraudGuard pricing page or contact hello@fraudguard.io for a data-delivery or investigation requirement that does not fit a standard endpoint.
Put the evidence to work
Turn an IP signal into a defensible decision.
Investigate a source with FraudGuard, then bring explainable allow, challenge, and block decisions into your own request path.
