FraudGuard ACE v2 is our new Attack Correlation Engine release for real-time IP risk calculation and decision-grade IP intelligence.

It builds on the scale of ACE v1, which now supports 100M+ API calls per day, and moves IP reputation well beyond static lists. The new API combines first-party observed behavior, infrastructure attribution, attack evidence, risk scoring, and targeted AI-assisted verification into a clear recommendation that teams can use in real production workflows.

Built on the Attack Correlation Engine

ACE is the system behind FraudGuard’s IP intelligence, built to correlate attack activity, infrastructure context, historical behavior, and abuse signals into practical IP risk decisions.

ACE v1 will continue to matter, but the abuse landscape has changed. A simple risk result is no longer enough for many teams. Customers now need to know what an IP did, how recently it happened, whether the behavior was directly observed, what infrastructure the IP belongs to, why a recommendation was made, and what action their application should take.

That is what this release was built to solve.

In practical terms, the difference is this:

  • ACE v1 focused on fast, reliable IP reputation decisions at scale.
  • ACE v2 keeps that production focus, but adds structured evidence, clearer classifications, observed attack details, infrastructure context, confidence factors, reason codes, and recommended caching behavior.

Beyond Static IP Reputation Lists

Traditional IP reputation products often revolve around static lists, broad categories, or third-party feeds. Those signals can be useful, but they rarely answer the questions production teams actually need answered:

  • What did this IP do?
  • Was the activity recent?
  • Was the behavior observed directly or inferred?
  • What service, protocol, or port was targeted?
  • Did the IP reach distributed FraudGuard honeypot infrastructure?
  • Is the IP part of hosting, proxy, Tor, residential proxy, mobile, satellite, shared exit, VPN, or AI agent infrastructure?
  • Should my application allow, challenge, or block the request?

The new response model is built around those questions and more.

FraudGuard collects, owns, and verifies its own intelligence rather than relying only on static reputation lists. That includes event processing from production enforcement systems, WAF-confirmed attack ingestion, infrastructure attribution, and signals from a massive independent honeypot network built specifically for IP reputation and abuse intelligence.

Where useful, AI-assisted analysis helps confirm malicious intent, automation patterns, and high-confidence abuse signals. The goal is not to replace evidence with a black box. The goal is to verify and enrich observed data so the final response is clearer, more accurate, and more useful to teams making security decisions.

What This Release Adds

This is a new response model, not just a new endpoint name.

The major additions are:

  • A direct allow, challenge, or block recommendation
  • A concise evidence_summary for logs, dashboards, alerts, and support workflows
  • Deterministic classification.primary and classification.secondary labels
  • A cleaner risk object with level, label, confidence, and confidence factors
  • Observed attack activity, activity patterns, and trend direction from FraudGuard data sources
  • Distinct honeypot reach counts through time
  • Attack type, service, protocol, and target port context
  • Infrastructure attribution for hosting, VPN, proxy, Tor, mobile, satellite, shared exit, residential proxy, and AI agent networks
  • First-party FraudGuard observations verified through our own data pipelines
  • Targeted AI-assisted confirmation for selected abuse, automation, and malicious-intent signals
  • Recommended cache TTLs directly in the response
  • A bulk endpoint that returns the same schema as the single IP lookup endpoint

The practical difference is simple: the API does not just say an IP is risky. It explains the behavior behind the decision.

Example: From Reputation Lists to Evidence

Older reputation APIs often force developers to interpret a score and a set of categories.

ACE v2 makes the recommendation and supporting evidence explicit. Here is a real sample response:

{
    "ip": "176.65.148.38",
    "recommendation": {
        "action": "block",
        "evidence_summary": "This IP was observed performing 13,381 AI API probing events across 2 FraudGuard honeypots in the last 30 days, with additional HTTP/WAF attack activity observed in the last 7 days, most recently on May 26, 2026 at 18:37 UTC.",
        "cache_ttl_seconds": 14400
    },
    "classification": {
        "primary": "ai_endpoint_scanner",
        "secondary": [
            "web_scanner",
            "media_server_scanner",
            "multi_service_scanner",
            "honeypot_attacker",
            "repeat_offender",
            "ai_automation"
        ]
    },
    "risk": {
        "level": 5,
        "label": "critical",
        "confidence": 99,
        "confidence_factors": [
            "recent_activity",
            "high_event_volume",
            "multi_honeypot_reach",
            "specific_attack_signature",
            "multiple_attack_types",
            "multiple_target_services"
        ]
    },
    "observed_activity": {
        "observed": true,
        "attack_families": [
            "ai_endpoint_probe",
            "media_server_probe",
            "web_probe"
        ],
        "activity": {
            "pattern": "recurring",
            "trend": "cooling",
            "attack_events_24h": 1,
            "attack_events_7d": 1,
            "attack_events_30d": 13444,
            "distinct_attack_types_30d": 3,
            "distinct_target_services_30d": 3,
            "distinct_target_ports_30d": 3,
            "first_seen": "2026-05-19T01:42:03+00:00",
            "last_seen": "2026-05-26T18:37:52+00:00"
        },
        "attacks": [
            {
                "type": "ai_api_probe",
                "service": "ai_api",
                "protocol": "http",
                "destination_port": 8000,
                "attack_events_24h": 0,
                "attack_events_7d": 0,
                "attack_events_30d": 13381,
                "honeypots_reached_24h": 0,
                "honeypots_reached_7d": 0,
                "honeypots_reached_30d": 2,
                "first_seen": "2026-05-19T01:42:03+00:00",
                "last_seen": "2026-05-19T10:46:11+00:00"
            },
            {
                "type": "plex_api_probe",
                "service": "plex",
                "protocol": "http",
                "destination_port": 32400,
                "attack_events_24h": 0,
                "attack_events_7d": 0,
                "attack_events_30d": 62,
                "honeypots_reached_24h": 0,
                "honeypots_reached_7d": 0,
                "honeypots_reached_30d": 2,
                "first_seen": "2026-05-19T01:45:54+00:00",
                "last_seen": "2026-05-19T04:14:48+00:00"
            },
            {
                "type": "waf_attack",
                "service": "http",
                "protocol": "http",
                "destination_port": 80,
                "attack_events_24h": 1,
                "attack_events_7d": 1,
                "attack_events_30d": 1,
                "honeypots_reached_24h": 1,
                "honeypots_reached_7d": 1,
                "honeypots_reached_30d": 1,
                "first_seen": "2026-05-26T18:37:52+00:00",
                "last_seen": "2026-05-26T18:37:52+00:00"
            }
        ],
        "last_observed_attack": {
            "event_type": "waf_attack",
            "service": "http",
            "protocol": "http",
            "destination_port": 80,
            "observed_at": "2026-05-26T18:37:52+00:00"
        }
    },
    "attributes": {
        "ai_automation_suspected": {
            "detected": true
        },
        "ai_gateway_reconnaissance": {
            "detected": true
        },
        "high_volume_honeypot_activity": {
            "detected": true
        },
        "llm_api_probe": {
            "detected": true
        },
        "media_server_probe": {
            "detected": true
        },
        "openai_compatible_api_probe": {
            "detected": true
        },
        "payload_domain_indicator": {
            "detected": true
        },
        "plex_discovery_probe": {
            "detected": true
        },
        "repeated_probe_pattern": {
            "detected": true
        },
        "scan_retry_pattern": {
            "detected": true
        },
        "sensitive_file_probe": {
            "detected": true
        },
        "sustained_probe_stream": {
            "detected": true
        }
    },
    "reasons": [
        {
            "code": "scanner_activity_observed",
            "message": "Scanner or probing activity observed",
            "severity": "medium"
        },
        {
            "code": "abusive_activity_observed",
            "message": "Abusive activity observed by FraudGuard ACE",
            "severity": "high"
        },
        {
            "code": "exploit_or_sensitive_probe_observed",
            "message": "Exploit, admin, or sensitive-path probing observed",
            "severity": "high"
        },
        {
            "code": "multi_source_activity_observed",
            "message": "Seen across multiple FraudGuard sources",
            "severity": "medium"
        },
        {
            "code": "honeypot_interaction_observed",
            "message": "Interaction observed across FraudGuard honeypot infrastructure",
            "severity": "high"
        },
        {
            "code": "waf_attack_activity_observed",
            "message": "HTTP/WAF attack activity observed",
            "severity": "high"
        },
        {
            "code": "activity_within_7_days",
            "message": "Activity observed within the last 7 days",
            "severity": "high"
        },
        {
            "code": "high_event_volume_observed",
            "message": "High-volume attack activity observed",
            "severity": "high"
        }
    ],
    "customer": {
        "ip_in_whitelist": false,
        "ip_in_blacklist": false,
        "ip_in_geoblock": false
    },
    "infrastructure": {
        "type": "unknown",
        "provider": null,
        "is_tor_exit": false,
        "is_public_proxy": false,
        "is_vpn": false,
        "is_hosting_provider": false,
        "is_residential_proxy": false,
        "is_mobile_network": false,
        "is_satellite_network": false,
        "is_shared_exit": false,
        "is_ai_agent": false,
        "first_seen": null,
        "last_seen": null,
        "updated_at": null
    },
    "network": {
        "asn": 51396,
        "asn_org": "Pfcloud UG (haftungsbeschrankt)",
        "isp": "Pfcloud UG (haftungsbeschrankt)",
        "organization": "Pfcloud UG (haftungsbeschrankt)",
        "prefix": "176.65.148.0/24",
        "connection_type": "Corporate"
    },
    "geography": {
        "country": "The Netherlands",
        "isocode": "NL",
        "state": "Limburg",
        "city": "Eygelshoven",
        "postal_code": "6471",
        "timezone": "Europe/Amsterdam",
        "latitude": 50.8897,
        "longitude": 6.0563
    },
    "metadata": {
        "request_id": "acev2_6726bfbe838219bc18533b08",
        "generated_at": "2026-05-27T17:08:02+00:00",
        "schema_version": "2.0.0",
        "api_version": "2.0.0",
        "engine": "ace_v2"
    }
}

This response gives enforcement systems a decision, gives analysts structured evidence, and gives support teams a plain-language explanation they can use without digging through raw logs.

Observed Activity

One of the most important changes is the new observed_activity object.

Instead of only returning broad tracker categories, the API can show observed behavior such as:

  • SMB probing
  • SSH credential attempts
  • Docker API enumeration
  • WAF-confirmed HTTP attacks
  • SIP registration attempts
  • Redis probing
  • VNC handshakes
  • AI endpoint reconnaissance
  • Many more, with new attack types added over time

It can also report how many distinct FraudGuard honeypots an IP reached without exposing honeypot IP addresses. Customers get the value of distributed observation while FraudGuard protects sensor infrastructure.

Infrastructure Context Matters

Not every risk decision is based only on attack events.

Infrastructure context can change the trust model for an IP. The API can identify hosting providers, VPNs, public proxies, Tor exits, residential proxies, shared exits, mobile networks, satellite networks, and known AI agent infrastructure.

That means a clean-looking IP can still be treated carefully when the infrastructure itself materially changes risk. For example, public proxy, Tor exit, residential proxy, known AI agent, and shared exit signals can trigger a challenge-level recommendation even when no recent attack activity is present.

Who Should Use This

ACE v2 is designed for teams that need IP intelligence in real production workflows, including:

  • Security teams investigating suspicious traffic
  • Fraud teams reviewing account abuse, payment abuse, or signup abuse
  • DevOps and infrastructure teams enriching WAF, SIEM, firewall, and access-control decisions
  • Developers building login, signup, checkout, password reset, and critical account-protection controls
  • Support and trust teams that need a plain-language explanation behind an IP decision
  • Compliance and risk teams that need clearer evidence for security review workflows
  • Data and platform teams performing bulk IP analysis or offline enrichment

If your team needs to decide whether traffic should be allowed, challenged, blocked, reviewed, or enriched with better context, this release is the recommended FraudGuard integration path.

For new integrations, we recommend starting directly with ACE v2.

For existing integrations, we recommend a staged migration:

  1. Add ACE v2 IP intelligence alongside your existing FraudGuard IP lookup.
  2. Log recommendation.action, risk.level, classification.primary, and evidence_summary.
  3. Compare ACE v2 decisions against your current enforcement rules.
  4. Move enforcement to recommendation.action once your team is comfortable.
  5. Use observed_activity, reasons, attributes, and related fields for analyst workflows and support tooling.
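
Steps 2 and 3 can run in shadow mode before anything is enforced. The sketch below is an added example, not FraudGuard code: it works on an already-parsed response, caches it for recommendation.cache_ttl_seconds, and builds the log record that compares ACE v2 with the current rule. TTLCache, shadow_record, disagreement_rate and the legacy_action argument are hypothetical names, and the sample is a trimmed copy of the response shown earlier on this page.

```python
import time

# Constructed sample: a trimmed copy of the response shown on this page
# (evidence_summary shortened here).
SAMPLE = {
    "ip": "176.65.148.38",
    "recommendation": {"action": "block", "cache_ttl_seconds": 14400,
                       "evidence_summary": "AI API probing observed (shortened)"},
    "classification": {"primary": "ai_endpoint_scanner"},
    "risk": {"level": 5},
}
ACTIONS = {"allow", "challenge", "block"}  # the three actions the page names

class TTLCache:
    """Hypothetical helper: keeps a response for recommendation.cache_ttl_seconds."""
    def __init__(self, clock=time.time):
        self._clock, self._items = clock, {}

    def put(self, resp):
        ttl = resp.get("recommendation", {}).get("cache_ttl_seconds") or 0
        if ttl > 0:
            self._items[resp["ip"]] = (self._clock() + ttl, resp)

    def get(self, ip):
        expires, resp = self._items.get(ip, (0, None))
        if expires > self._clock():
            return resp
        self._items.pop(ip, None)  # expired or absent: force a fresh lookup
        return None

def shadow_record(resp, legacy_action):
    """Steps 2-3: fields to log, plus agreement with the current rule's decision."""
    rec = resp.get("recommendation", {})
    action = rec.get("action")
    if action not in ACTIONS:
        action = None  # missing or unknown value: log it, never enforce on it
    return {
        "ip": resp.get("ip"),
        "ace_action": action,
        "legacy_action": legacy_action,
        "agree": action is not None and action == legacy_action,
        "risk_level": resp.get("risk", {}).get("level"),
        "primary": resp.get("classification", {}).get("primary"),
        "evidence_summary": rec.get("evidence_summary"),
    }

def disagreement_rate(records):
    """Step 4 input: share of lookups where ACE v2 and the legacy rule differ."""
    return sum(not r["agree"] for r in records) / len(records) if records else 0.0
```

Reviewing the disagreeing records by classification.primary shows which existing rules would change behaviour before enforcement moves to recommendation.action.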

Endpoints

Single IP lookup:

POST https://api.fraudguard.io/ace/v2/ip/check

Bulk IP lookup:

POST https://api.fraudguard.io/ace/v2/ip/check/bulk

Start Using ACE v2 Now

ACE v2 is available now for FraudGuard customers.

Developers can start with the single IP lookup endpoint, use the bulk endpoint for batch workflows, and review the full API documentation for request formats, authentication, response fields, caching behavior, and batching guidance.

Prefer a no-hassle free IP lookup first? Try IP Lookup.

Want to see plans and pricing? fraudguard.io/pricing.

For questions about ACE v2, API recommendations, integration guidance, feature requests, or selecting the right FraudGuard plan, contact us at hello@fraudguard.io.