FraudGuard vs IPinfo: Geolocation Alone Is Not Threat Intelligence
IPinfo is a strong IP data product. Its API covers geolocation, ASN, privacy detection, carrier data, hosted domains, company data, and related enrichment depending on plan.
But if you are evaluating IP data for security, fraud prevention, WAF decisions, login protection, or API abuse controls, geolocation is not enough.
FraudGuard already includes reliable geography, ASN, ISP, organization, network, and infrastructure context in its APIs. ACE v2 then adds the part a geolocation product cannot provide by itself: observed attack behavior, honeypot evidence, confidence factors, reason codes, and a direct allow, challenge, or block recommendation.
That is the real comparison. IPinfo tells you where an IP is and what network it belongs to. FraudGuard tells you that too, then tells you whether the IP has been observed doing something hostile.
What IPinfo Is Best At
IPinfo’s own API documentation describes its services as a mix of geolocation, ASN, privacy, carrier detection, and confidence metrics across API tiers. Its pricing page shows that paid tiers add city, region, postal code, timezone, latitude/longitude, ASN details, privacy flags, named privacy providers, carrier data, and residential proxy or anonymizing-service signals.
That data is useful for:
- content localization
- analytics and traffic reporting
- regional routing
- compliance and jurisdiction checks
- network attribution
- standalone geolocation enrichment pipelines
If your only job is “give me a dedicated geolocation dataset,” IPinfo is a natural fit.
The Security Gap
The problem starts when teams treat geography or ASN data as a security decision.
An IP geolocated to the United States can still be part of a credential-stuffing campaign. A residential ISP address can still be a compromised device or proxy exit. A cloud provider address can be a legitimate customer webhook or a disposable scanner. A VPN flag may justify extra scrutiny, but it does not prove an attack.
Threat intelligence needs behavior:
- what service was targeted
- what payload or pattern was observed
- how recently it happened
- whether activity repeated across time windows
- whether multiple sensors saw the IP
- whether the right response is block, challenge, or allow
That is the layer FraudGuard adds on top of the geo and network data already returned by its APIs.
What FraudGuard Adds
FraudGuard ACE v2 is designed for real-time allow, challenge, and block decisions using verified FraudGuard honeypot observations, attack behavior, infrastructure enrichment, network context, geography, and customer-specific controls.
This is where the product becomes more than enrichment. Honeypot findings give FraudGuard a behavioral record: attack families, targeted services, repeated events, recency, and cross-sensor reach. ACE v2 turns that record into confidence factors and a direct action.
The same response also includes geography and network context. In this real ACE v2 single-lookup response, FraudGuard returns country, state, city, timezone, latitude, longitude, ASN, ISP, organization, prefix, connection type, infrastructure type, provider, and threat evidence together:
{
"ip": "8.216.12.173",
"recommendation": {
"action": "block",
"evidence_summary": "This IP was observed performing 3 total attack events across 2 FraudGuard honeypots in the last 7 days, including 2 Jenkins probing events and 1 HTTP/WAF probing event, most recently on May 26, 2026 at 19:31 UTC.",
"cache_ttl_seconds": 14400
},
"classification": {
"primary": "web_scanner",
"secondary": [
"multi_service_scanner",
"honeypot_attacker",
"ai_automation",
"hosting_provider"
]
},
"risk": {
"level": 5,
"label": "critical",
"confidence": 85,
"confidence_factors": [
"recent_activity",
"repeated_activity",
"multi_honeypot_reach",
"specific_attack_signature",
"multiple_attack_types",
"multiple_target_services"
]
},
"observed_activity": {
"observed": true,
"attack_families": [
"web_probe"
],
"activity": {
"pattern": "burst",
"trend": "burst",
"attack_events_24h": 3,
"attack_events_7d": 3,
"attack_events_30d": 3,
"distinct_attack_types_30d": 2,
"distinct_target_services_30d": 2,
"distinct_target_ports_30d": 2,
"first_seen": "2026-05-26T15:45:54+00:00",
"last_seen": "2026-05-26T19:31:59+00:00"
},
"attacks": [
{
"type": "jenkins_login_page_probe",
"service": "jenkins",
"protocol": "http",
"destination_port": 8080,
"attack_events_24h": 2,
"attack_events_7d": 2,
"attack_events_30d": 2,
"honeypots_reached_24h": 1,
"honeypots_reached_7d": 1,
"honeypots_reached_30d": 1,
"first_seen": "2026-05-26T15:45:54+00:00",
"last_seen": "2026-05-26T15:45:57+00:00"
},
{
"type": "waf_attack",
"service": "http",
"protocol": "http",
"destination_port": 80,
"attack_events_24h": 1,
"attack_events_7d": 1,
"attack_events_30d": 1,
"honeypots_reached_24h": 1,
"honeypots_reached_7d": 1,
"honeypots_reached_30d": 1,
"first_seen": "2026-05-26T19:31:59+00:00",
"last_seen": "2026-05-26T19:31:59+00:00"
}
],
"last_observed_attack": {
"event_type": "waf_attack",
"service": "http",
"protocol": "http",
"destination_port": 80,
"observed_at": "2026-05-26T19:31:59+00:00"
}
},
"attributes": {
"ai_automation_suspected": {
"detected": true
}
},
"reasons": [
{
"code": "abusive_activity_observed",
"message": "Abusive activity observed by FraudGuard ACE",
"severity": "high"
},
{
"code": "scanner_activity_observed",
"message": "Scanner or probing activity observed",
"severity": "medium"
},
{
"code": "honeypot_interaction_observed",
"message": "Interaction observed across FraudGuard honeypot infrastructure",
"severity": "high"
},
{
"code": "waf_attack_activity_observed",
"message": "HTTP/WAF attack activity observed",
"severity": "high"
},
{
"code": "activity_within_7_days",
"message": "Activity observed within the last 7 days",
"severity": "high"
}
],
"customer": {
"ip_in_whitelist": false,
"ip_in_blacklist": false,
"ip_in_geoblock": false
},
"infrastructure": {
"type": "hosting_provider",
"provider": "Alibaba Cloud",
"is_tor_exit": false,
"is_public_proxy": false,
"is_vpn": false,
"is_hosting_provider": true,
"is_residential_proxy": false,
"is_mobile_network": false,
"is_satellite_network": false,
"is_shared_exit": false,
"is_ai_agent": false,
"first_seen": "2026-05-18T02:44:12+00:00",
"last_seen": "2026-05-18T15:07:09+00:00",
"updated_at": "2026-05-18T15:07:09+00:00"
},
"network": {
"asn": 45102,
"asn_org": "Alibaba US Technology Co., Ltd.",
"isp": "Alibaba",
"organization": "Alibaba",
"prefix": "8.216.12.0/24",
"connection_type": "Corporate"
},
"geography": {
"country": "Japan",
"isocode": "JP",
"state": "Tokyo",
"city": "Tokyo",
"postal_code": "102-0082",
"timezone": "Asia/Tokyo",
"latitude": 35.6893,
"longitude": 139.6899
},
"metadata": {
"request_id": "acev2_example_single_lookup",
"generated_at": "2026-05-27T00:47:35+00:00",
"schema_version": "2.0.0",
"api_version": "2.0.0",
"engine": "ace_v2"
}
}
That is the point: you do not need to call a separate geolocation API just to understand where this IP is from before making a security decision. FraudGuard gives you the context and the evidence in one response.
The Finding Is The Product
For security buyers, the valuable part is not merely knowing that an IP belongs to a cloud provider or appears to use a proxy. The valuable part is knowing that the IP was observed doing something hostile, recently, with enough context to justify an action.
That is what FraudGuard packages. A customer gets the benefit of a sensor network without deploying one: decoys that attract scanners and attackers, ingestion that separates meaningful behavior from noise, reliable geo and network context, and ACE v2 responses that show why the recommendation exists.
The Common Anti-Pattern
Many teams start with a rule like this:
if ip.country in BLOCKED_COUNTRIES:
deny_request()
elif ip.company.type == "hosting":
deny_request()
else:
allow_request()
This is simple, but it breaks quickly. It blocks legitimate customers who happen to be in the wrong country or on hosting infrastructure, and it misses attackers who route through allowed geographies or residential proxies.
A better pattern is to make the security decision from the same response that already contains the geo and network context:
fg = fraudguard.lookup(ip)
action = fg["recommendation"]["action"]
if action == "block":
deny_request(reason=fg["recommendation"]["evidence_summary"])
elif action == "challenge":
require_step_up_verification()
else:
continue_request(
country=fg["geography"]["country"],
asn=fg["network"]["asn"],
provider=fg["infrastructure"]["provider"]
)
FraudGuard decides whether the request is risky and returns the geo/network fields needed for routing, logging, analytics, support, and investigation.
Pricing Context
The buyer question is not “which vendor has geolocation?” FraudGuard already has reliable geo data in its APIs. The buyer question is whether geolocation is all you need.
For teams whose main problem is IP threat decisioning, the FraudGuard value is direct: $99/month gets Professional access with ACE v2 and 5 million monthly API requests. That is a low barrier for putting honeypot-derived evidence, geo data, network context, and enforcement recommendations into a real production control.
Bottom Line
IPinfo is a good geolocation and network enrichment product. FraudGuard includes reliable geo data and goes further: ACE v2 adds observed attack behavior, honeypot evidence, risk confidence, reasons, and an enforcement recommendation.
Try FraudGuard IP Lookup, review ACE v2, or compare FraudGuard pricing.
Related comparisons: FraudGuard vs AbuseIPDB and FraudGuard vs CrowdSec.