IP intelligence often starts with infrastructure context: VPNs, proxies, Tor exits, hosting providers, shared exits, residential networks, mobile gateways, geography, ASN data, and provider attribution.

That context is useful. It can help a security team understand how a connection is reaching an application and whether the traffic is coming from infrastructure that deserves closer review.

But infrastructure labels are not the same thing as attack evidence.

A VPN flag, proxy label, hosting classification, or shared-exit indicator can support a risk decision, but those labels are usually strongest when combined with behavioral evidence: what the IP actually did, how recently it did it, how often it appeared, and whether the activity matches known abuse patterns.

FraudGuard ACE v2 is built around that broader model.

Proxy Labels Are Useful, But Limited

A proxy or VPN flag can mean many things:

  • a fraudster hiding origin infrastructure
  • a privacy-conscious user on an entirely legitimate proxy/VPN
  • an employee on a corporate VPN
  • a traveler using a hotel network
  • a legitimate customer behind a mobile carrier gateway
  • automation running through rented infrastructure

If a security system treats “VPN detected” as the only reason to block, it can create avoidable false positives. If it treats “not VPN” as safe, it can miss attackers using ordinary hosting, cloud, residential, or compromised infrastructure.

Proxy detection is useful context. It is not the full case file.

How ACE v2 Uses Infrastructure Context

FraudGuard ACE v2 uses infrastructure attributes as part of a broader risk decision. A VPN, proxy, Tor, hosting, residential proxy, shared-exit, ASN, or provider signal can change how an IP is interpreted, but it is not automatically the main reason an IP becomes high risk.

The stronger signals are behavioral:

  • observed honeypot interaction
  • attack family
  • targeted service
  • destination port
  • recency
  • repeated activity
  • multi-honeypot reach
  • multiple attack types
  • confidence factors
  • reason codes

Infrastructure answers: “How does this IP connect?”

ACE v2 answers: “What did this IP do, how strong is the evidence, and what should my application do now?”

Real ACE v2 Response

This real ACE v2 response shows the distinction. The IP includes hosting infrastructure context, but the block recommendation is not based on the provider label alone. It is based on observed Jenkins probing, HTTP/WAF attack activity, honeypot interaction, recency, repeated activity, and confidence factors.

{
  "ip": "8.216.12.173",
  "recommendation": {
    "action": "block",
    "evidence_summary": "This IP was observed performing 3 total attack events across 2 FraudGuard honeypots in the last 7 days, including 2 Jenkins probing events and 1 HTTP/WAF probing event, most recently on May 26, 2026 at 19:31 UTC.",
    "cache_ttl_seconds": 14400
  },
  "classification": {
    "primary": "web_scanner",
    "secondary": [
      "multi_service_scanner",
      "honeypot_attacker",
      "ai_automation",
      "hosting_provider"
    ]
  },
  "risk": {
    "level": 5,
    "label": "critical",
    "confidence": 85,
    "confidence_factors": [
      "recent_activity",
      "repeated_activity",
      "multi_honeypot_reach",
      "specific_attack_signature",
      "multiple_attack_types",
      "multiple_target_services"
    ]
  },
  "observed_activity": {
    "observed": true,
    "attack_families": [
      "web_probe"
    ],
    "activity": {
      "pattern": "burst",
      "trend": "burst",
      "attack_events_24h": 3,
      "attack_events_7d": 3,
      "attack_events_30d": 3,
      "distinct_attack_types_30d": 2,
      "distinct_target_services_30d": 2,
      "distinct_target_ports_30d": 2,
      "first_seen": "2026-05-26T15:45:54+00:00",
      "last_seen": "2026-05-26T19:31:59+00:00"
    },
    "attacks": [
      {
        "type": "jenkins_login_page_probe",
        "service": "jenkins",
        "protocol": "http",
        "destination_port": 8080,
        "attack_events_24h": 2,
        "attack_events_7d": 2,
        "attack_events_30d": 2,
        "honeypots_reached_24h": 1,
        "honeypots_reached_7d": 1,
        "honeypots_reached_30d": 1,
        "first_seen": "2026-05-26T15:45:54+00:00",
        "last_seen": "2026-05-26T15:45:57+00:00"
      },
      {
        "type": "waf_attack",
        "service": "http",
        "protocol": "http",
        "destination_port": 80,
        "attack_events_24h": 1,
        "attack_events_7d": 1,
        "attack_events_30d": 1,
        "honeypots_reached_24h": 1,
        "honeypots_reached_7d": 1,
        "honeypots_reached_30d": 1,
        "first_seen": "2026-05-26T19:31:59+00:00",
        "last_seen": "2026-05-26T19:31:59+00:00"
      }
    ],
    "last_observed_attack": {
      "event_type": "waf_attack",
      "service": "http",
      "protocol": "http",
      "destination_port": 80,
      "observed_at": "2026-05-26T19:31:59+00:00"
    }
  },
  "attributes": {
    "ai_automation_suspected": {
      "detected": true
    }
  },
  "reasons": [
    {
      "code": "abusive_activity_observed",
      "message": "Abusive activity observed by FraudGuard ACE",
      "severity": "high"
    },
    {
      "code": "scanner_activity_observed",
      "message": "Scanner or probing activity observed",
      "severity": "medium"
    },
    {
      "code": "honeypot_interaction_observed",
      "message": "Interaction observed across FraudGuard honeypot infrastructure",
      "severity": "high"
    },
    {
      "code": "waf_attack_activity_observed",
      "message": "HTTP/WAF attack activity observed",
      "severity": "high"
    },
    {
      "code": "activity_within_7_days",
      "message": "Activity observed within the last 7 days",
      "severity": "high"
    }
  ],
  "customer": {
    "ip_in_whitelist": false,
    "ip_in_blacklist": false,
    "ip_in_geoblock": false
  },
  "infrastructure": {
    "type": "hosting_provider",
    "provider": "Alibaba Cloud",
    "is_tor_exit": false,
    "is_public_proxy": false,
    "is_vpn": false,
    "is_hosting_provider": true,
    "is_residential_proxy": false,
    "is_mobile_network": false,
    "is_satellite_network": false,
    "is_shared_exit": false,
    "is_ai_agent": false,
    "first_seen": "2026-05-18T02:44:12+00:00",
    "last_seen": "2026-05-18T15:07:09+00:00",
    "updated_at": "2026-05-18T15:07:09+00:00"
  },
  "network": {
    "asn": 45102,
    "asn_org": "Alibaba US Technology Co., Ltd.",
    "isp": "Alibaba",
    "organization": "Alibaba",
    "prefix": "8.216.12.0/24",
    "connection_type": "Corporate"
  },
  "geography": {
    "country": "Japan",
    "isocode": "JP",
    "state": "Tokyo",
    "city": "Tokyo",
    "postal_code": "102-0082",
    "timezone": "Asia/Tokyo",
    "latitude": 35.6893,
    "longitude": 139.6899
  },
  "metadata": {
    "request_id": "acev2_example_single_lookup",
    "generated_at": "2026-05-27T00:47:35+00:00",
    "schema_version": "2.0.0",
    "api_version": "2.0.0",
    "engine": "ace_v2"
  }
}

That is materially different from relying on a single infrastructure label. The infrastructure field is present, but the decision is driven by observed abuse.
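How an application might consume a response like the one above, as an added example that is not FraudGuard's code or client library: the policy, thresholds, and the `stale_or_low_confidence` tag are assumptions of this sketch, while the field names come from the response shown. It covers both failure modes described earlier, blocking on a label alone and trusting "not VPN" as safe.

```python
from datetime import datetime, timedelta

# Flags taken from the response's "infrastructure" object.
INFRA_FLAGS = ("is_tor_exit", "is_public_proxy", "is_vpn", "is_hosting_provider",
               "is_residential_proxy", "is_shared_exit")

def decide(resp, min_confidence=70, max_age=timedelta(days=7)):
    """Return (action, basis). Thresholds are assumed, not FraudGuard's."""
    customer = resp.get("customer", {})
    if customer.get("ip_in_whitelist"):
        return "allow", ["customer_whitelist"]
    if customer.get("ip_in_blacklist"):
        return "block", ["customer_blacklist"]

    activity = resp.get("observed_activity", {})
    if activity.get("observed"):
        # Behavioral evidence: measure recency against the response timestamp.
        last = datetime.fromisoformat(activity["activity"]["last_seen"])
        now = datetime.fromisoformat(resp["metadata"]["generated_at"])
        codes = [r["code"] for r in resp.get("reasons", [])]
        if now - last <= max_age and resp["risk"]["confidence"] >= min_confidence:
            return "block", codes
        # Tag below is local to this sketch, not an ACE v2 reason code.
        return "challenge", codes + ["stale_or_low_confidence"]

    # Infrastructure label with no observed abuse: add friction, never block.
    infra = resp.get("infrastructure", {})
    labels = [f for f in INFRA_FLAGS if infra.get(f)]
    return ("challenge", labels) if labels else ("allow", [])

# Constructed samples, trimmed to the fields decide() reads.
OBSERVED_ATTACKER = {
    "customer": {"ip_in_whitelist": False, "ip_in_blacklist": False},
    "risk": {"confidence": 85},
    "observed_activity": {"observed": True,
                          "activity": {"last_seen": "2026-05-26T19:31:59+00:00"}},
    "reasons": [{"code": "abusive_activity_observed"},
                {"code": "waf_attack_activity_observed"}],
    "infrastructure": {"is_vpn": False, "is_hosting_provider": True},
    "metadata": {"generated_at": "2026-05-27T00:47:35+00:00"},
}
VPN_ONLY = {
    "observed_activity": {"observed": False},
    "infrastructure": {"is_vpn": True},
    "metadata": {"generated_at": "2026-05-27T00:47:35+00:00"},
}
```

With these samples, `decide(OBSERVED_ATTACKER)` blocks on the reason codes even though `is_vpn` is false, and `decide(VPN_ONLY)` returns a challenge rather than a block.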

Why This Matters

For many applications, the useful output is not just an enrichment label. Security teams need enough context to decide whether to allow, challenge, monitor, or block traffic.

That is why ACE v2 combines:

  • infrastructure context
  • observed attack behavior
  • recent activity windows
  • tracker classifications
  • confidence signals
  • reason codes
  • action recommendations

This approach helps teams avoid treating every masked connection as malicious while still identifying IPs with real evidence of abusive behavior.

Bottom Line

Proxy intelligence is an attribute. Attack evidence is a stronger decision foundation.

FraudGuard tracks Tor exits, open public proxies, VPNs, residential proxies, hosting providers, shared exits, ASN context, geography, and related infrastructure. ACE v2 uses those labels as context around observed behavior, not as the only basis for risk scoring.

The reason to use FraudGuard is not simply that it can identify masked or unusual infrastructure. The reason is that ACE v2 can show what an IP did, how recently it did it, how confident the evidence is, and whether your application should allow, challenge, or block.
