A single-IP lookup answers “what does FraudGuard know about this address?” Advanced Threat Lookup answers the next question: “what broader pattern does this address belong to?”

The API lets analysts filter FraudGuard intelligence across network ownership, provider, geography, connection type, threat classification, and risk. It is designed for investigations and scoped enrichment—not as a shortcut for blocking every address that shares one attribute.

When to use Advanced Threat Lookup

Use it when you need to:

  • review abuse associated with an ASN or provider;
  • find similar sources after an incident;
  • examine threat activity within a country or connection type;
  • validate whether a proposed network rule is too broad;
  • build a bounded dataset for threat research or remediation;
  • pivot from one IP into a campaign-level view.

For a live allow, challenge, or block decision on one request, use ACE v2 IP Intelligence instead.

Available filters

Filter Investigative use
asn Find activity from one or more Autonomous System Numbers
asn_organization Search by the network owner’s name
isp Review activity attributed to an internet service provider
organization Search the organization associated with an address
country / isocode Scope results geographically
connection_type Compare consumer, cellular, corporate, or unclassified sources
threat Focus on one or more FraudGuard threat classifications
risk Bound results by risk level
limit / offset Page through a controlled result set

Refer to the Advanced Threat Lookup documentation for the current parameter contract and response schema.

Investigation patterns

Check a hosting network after an incident

Start with the ASN or organization associated with a confirmed source, then narrow by threat type and risk. Review whether activity is recent, repeated, and distributed across multiple prefixes.

GET /advanced-threat-lookup?asn_organization=Example+Hosting&risk=4,5

The purpose is to measure the pattern—not to label every customer of the provider as malicious.

Validate a proposed country rule

Query the relevant geography, then compare attack types, infrastructure, and recency. A country can be useful policy context, but geography alone does not prove intent. If the evidence is mixed, a challenge or rate limit may be more appropriate than a blanket block.

GET /advanced-threat-lookup?isocode=BR&threat=botnet_tracker&limit=100

Pivot from an IP to its surrounding network

Take the ASN, provider, prefix, and threat family from an ACE v2 response. Search those dimensions separately, then intersect them in your analysis. This can expose repeated behavior while avoiding the assumption that one shared attribute means one actor.

A defensible analyst workflow

  1. Begin with a confirmed event. Preserve the source, time, target, and reason it became suspicious.
  2. Pull the single-IP evidence. Establish observed behavior, recency, confidence, and network attribution.
  3. Choose one pivot at a time. ASN, provider, country, and threat family answer different questions.
  4. Compare inside and outside the suspected cluster. A control group helps reveal whether a pattern is genuinely distinctive.
  5. Document the proposed action. State whether the result supports monitoring, a temporary rule, a challenge, or a block.
  6. Set an expiry. Infrastructure and attacker behavior change; investigation-derived rules should be reviewed.

What the API should not be used for

Advanced Threat Lookup is not a license to block an entire ISP, country, or ASN because matching results exist. Large networks contain legitimate users, shared infrastructure, compromised endpoints, and unrelated customers. Apply broader controls only when the pattern is strong, the business context supports it, and a safer tiered response is insufficient.

It is also not a replacement for your own incident data. FraudGuard supplies external observations; your logs supply the target, account, transaction, and impact. The strongest conclusion combines both.

Product availability

Advanced investigative features vary by plan and workflow. Review the current FraudGuard pricing page or contact hello@fraudguard.io for a data-delivery or investigation requirement that does not fit a standard endpoint.