No IP intelligence service can prove that an address is permanently safe. Addresses are reassigned, shared, compromised, routed through proxies, and used by different people over time.

A useful lookup answers a narrower question: does current evidence justify allowing, challenging, monitoring, or blocking this request?

The five-minute IP safety check

1. Confirm the address and event

Start with the exact source IP, timestamp, route, and outcome. Remove private addresses and obvious parsing errors. If a reverse proxy or CDN is involved, confirm that you are reading the trusted client-IP header rather than the address of your own edge.

2. Look for observed malicious behavior

Run the address through FraudGuard IP Lookup. Give more weight to direct, recent observations than to broad labels. Ask:

  • Was the IP observed attacking or probing a sensor?
  • What attack family or service was involved?
  • Was the behavior repeated?
  • Did more than one sensor or time window see it?
  • When was the most recent event?

3. Read the network context

Review ASN, provider, prefix, connection type, hosting, VPN/proxy, and geography. These fields help explain the source; they do not establish guilt.

A hosting address may be an attacker, a search crawler, or a customer integration. A residential address may be a person, a shared gateway, a compromised device, or a rotating proxy exit.

4. Compare with your own evidence

Your event supplies the context an external lookup cannot:

  • Did authentication succeed?
  • Is the country or device new for the account?
  • Is request velocity abnormal?
  • Is the source touching sensitive or unrelated routes?
  • Does the session resemble known fraud or automation?
  • Is the address already an approved partner or office?

The combination is stronger than either dataset alone.

5. Choose a proportionate action

Finding Reasonable next step
No current malicious evidence; normal behavior Allow and log
Clean lookup but anomalous account behavior Challenge or investigate
Ambiguous source or weak evidence Rate-limit, monitor, or step up authentication
Recent repeated attacks with strong confidence Block temporarily and alert
Known legitimate exception Allowlist with an owner and expiry

What “no evidence found” means

A clean lookup is useful, but it is not a guarantee. The address may be new, the behavior may not have reached an external sensor, or the risk may exist at the account or device layer instead of the network layer.

Do not turn “unknown” into “trusted forever.” Cache results for a period appropriate to the response and re-evaluate sensitive actions.

Signs that deserve more investigation

  • recent attacks against multiple services;
  • repeated behavior across time windows;
  • an IP rotating within one prefix or provider while targeting the same account;
  • a mismatch between source geography and account history;
  • impossible request cadence or repeated failed authentication;
  • high-confidence reasons that align with your own event.

Use Advanced Threat Lookup when you need to pivot from one address into a broader network pattern.

Automating the decision safely

When adding IP intelligence to a live request path:

  1. begin in log-only mode;
  2. store the action, reasons, evidence time, and policy version;
  3. define what happens if the lookup is slow or unavailable;
  4. use reversible controls for ambiguous results;
  5. add customer-specific allowlists;
  6. provide a dispute path for legitimate users;
  7. measure both abuse prevented and user friction.

For the underlying concepts, read IP Reputation Explained. For a structured false-positive workflow, see IP Dispute Manager.

The goal is not to label an IP “safe” forever. The goal is to make the best current decision and preserve enough evidence to revisit it.