FraudGuard vs Shodan: Asset Discovery vs IP Threat Decisions
Shodan is one of the best tools in security for finding exposed internet services. It helps teams answer questions like:
- Which IPs expose SSH?
- What software banners are visible?
- Which devices in an organization are reachable from the internet?
- What countries, ASNs, or products appear in a search result?
- Did an exposed service change recently?
FraudGuard answers a different question: has this source IP shown malicious behavior, and should this request be allowed, challenged, or blocked?
Both products are useful. They are not substitutes.
The interesting overlap is honeypots. Shodan helps you find what is exposed on the internet. FraudGuard intentionally operates exposed decoy infrastructure so attackers reveal themselves, then ACE v2 converts those observations into IP risk decisions customers can use at the edge.
What Shodan Is Best At
Shodan is an internet scanning and search platform. Its developer API supports host search, count queries, facets, filters, and host data across the internet exposure dataset.
That makes Shodan valuable for:
- external attack surface management
- exposed-service discovery
- vulnerability research
- red team reconnaissance
- banner and product inventory
- internet-wide measurement
- monitoring your own public assets
If your question is “what is exposed on this IP or across this query,” Shodan is the right kind of tool.
What Shodan Does Not Try To Be
Shodan does not primarily exist to decide whether an incoming request to your login page should be blocked. An open SSH port, a banner, or an exposed service fingerprint does not prove that the source IP is attacking your application.
That difference is critical.
An IP can run an exposed service and still be harmless to you. Another IP can have no interesting public services and still be part of a credential-stuffing campaign. Asset discovery and source reputation are different security problems.
FraudGuard’s Role
FraudGuard ACE v2 is built for real-time allow, challenge, and block decisions using verified FraudGuard honeypot observations, attack behavior, infrastructure enrichment, network context, geography, and customer-specific controls.
The product value comes from the findings. FraudGuard’s honeypots observe source IP behavior against decoy services, then ACE v2 correlates recency, attack family, repeated activity, infrastructure context, confidence factors, and recommended action. That lets customers benefit from a sensor network they did not have to deploy.
Instead of asking “what is open on this IP,” FraudGuard asks:
- Has this IP attacked honeypots?
- What attack families were observed?
- How recently did the activity occur?
- Did it reach multiple sensors?
- Is the behavior repeated?
- What infrastructure context changes the risk?
- Should the customer block, challenge, or allow?
A real ACE v2 response:
{
  "ip": "8.216.12.173",
  "recommendation": {
    "action": "block",
    "evidence_summary": "This IP was observed performing 3 total attack events across 2 FraudGuard honeypots in the last 7 days, including 2 Jenkins probing events and 1 HTTP/WAF probing event, most recently on May 26, 2026 at 19:31 UTC.",
    "cache_ttl_seconds": 14400
  },
  "classification": {
    "primary": "web_scanner",
    "secondary": [
      "multi_service_scanner",
      "honeypot_attacker",
      "ai_automation",
      "hosting_provider"
    ]
  },
  "risk": {
    "level": 5,
    "label": "critical",
    "confidence": 85,
    "confidence_factors": [
      "recent_activity",
      "repeated_activity",
      "multi_honeypot_reach",
      "specific_attack_signature",
      "multiple_attack_types",
      "multiple_target_services"
    ]
  },
  "observed_activity": {
    "observed": true,
    "attack_families": [
      "web_probe"
    ],
    "activity": {
      "pattern": "burst",
      "trend": "burst",
      "attack_events_24h": 3,
      "attack_events_7d": 3,
      "attack_events_30d": 3,
      "distinct_attack_types_30d": 2,
      "distinct_target_services_30d": 2,
      "distinct_target_ports_30d": 2,
      "first_seen": "2026-05-26T15:45:54+00:00",
      "last_seen": "2026-05-26T19:31:59+00:00"
    },
    "attacks": [
      {
        "type": "jenkins_login_page_probe",
        "service": "jenkins",
        "protocol": "http",
        "destination_port": 8080,
        "attack_events_24h": 2,
        "attack_events_7d": 2,
        "attack_events_30d": 2,
        "honeypots_reached_24h": 1,
        "honeypots_reached_7d": 1,
        "honeypots_reached_30d": 1,
        "first_seen": "2026-05-26T15:45:54+00:00",
        "last_seen": "2026-05-26T15:45:57+00:00"
      },
      {
        "type": "waf_attack",
        "service": "http",
        "protocol": "http",
        "destination_port": 80,
        "attack_events_24h": 1,
        "attack_events_7d": 1,
        "attack_events_30d": 1,
        "honeypots_reached_24h": 1,
        "honeypots_reached_7d": 1,
        "honeypots_reached_30d": 1,
        "first_seen": "2026-05-26T19:31:59+00:00",
        "last_seen": "2026-05-26T19:31:59+00:00"
      }
    ],
    "last_observed_attack": {
      "event_type": "waf_attack",
      "service": "http",
      "protocol": "http",
      "destination_port": 80,
      "observed_at": "2026-05-26T19:31:59+00:00"
    }
  },
  "attributes": {
    "ai_automation_suspected": {
      "detected": true
    }
  },
  "reasons": [
    {
      "code": "abusive_activity_observed",
      "message": "Abusive activity observed by FraudGuard ACE",
      "severity": "high"
    },
    {
      "code": "scanner_activity_observed",
      "message": "Scanner or probing activity observed",
      "severity": "medium"
    },
    {
      "code": "honeypot_interaction_observed",
      "message": "Interaction observed across FraudGuard honeypot infrastructure",
      "severity": "high"
    },
    {
      "code": "waf_attack_activity_observed",
      "message": "HTTP/WAF attack activity observed",
      "severity": "high"
    },
    {
      "code": "activity_within_7_days",
      "message": "Activity observed within the last 7 days",
      "severity": "high"
    }
  ],
  "customer": {
    "ip_in_whitelist": false,
    "ip_in_blacklist": false,
    "ip_in_geoblock": false
  },
  "infrastructure": {
    "type": "hosting_provider",
    "provider": "Alibaba Cloud",
    "is_tor_exit": false,
    "is_public_proxy": false,
    "is_vpn": false,
    "is_hosting_provider": true,
    "is_residential_proxy": false,
    "is_mobile_network": false,
    "is_satellite_network": false,
    "is_shared_exit": false,
    "is_ai_agent": false,
    "first_seen": "2026-05-18T02:44:12+00:00",
    "last_seen": "2026-05-18T15:07:09+00:00",
    "updated_at": "2026-05-18T15:07:09+00:00"
  },
  "network": {
    "asn": 45102,
    "asn_org": "Alibaba US Technology Co., Ltd.",
    "isp": "Alibaba",
    "organization": "Alibaba",
    "prefix": "8.216.12.0/24",
    "connection_type": "Corporate"
  },
  "geography": {
    "country": "Japan",
    "isocode": "JP",
    "state": "Tokyo",
    "city": "Tokyo",
    "postal_code": "102-0082",
    "timezone": "Asia/Tokyo",
    "latitude": 35.6893,
    "longitude": 139.6899
  },
  "metadata": {
    "request_id": "acev2_example_single_lookup",
    "generated_at": "2026-05-27T00:47:35+00:00",
    "schema_version": "2.0.0",
    "api_version": "2.0.0",
    "engine": "ace_v2"
  }
}
That response is designed for enforcement and logging, not asset discovery.
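One way an edge service could consume that response for enforcement and logging, as an added example that is not FraudGuard's own code. The decide function, its thresholds, the customer-list precedence, and the challenge-on-malformed fallback are assumptions for illustration; only the field names come from the response above.

```python
import json
from datetime import datetime, timedelta

# Constructed input: a trimmed copy of the response shown above.
SAMPLE = json.loads("""{
  "ip": "8.216.12.173",
  "recommendation": {"action": "block", "cache_ttl_seconds": 14400},
  "risk": {"level": 5, "label": "critical", "confidence": 85},
  "observed_activity": {"activity": {"last_seen": "2026-05-26T19:31:59+00:00"}},
  "customer": {"ip_in_whitelist": false, "ip_in_blacklist": false,
               "ip_in_geoblock": false},
  "metadata": {"request_id": "acev2_example_single_lookup"}
}""")

ACTIONS = {"allow", "challenge", "block"}

def decide(resp, now, min_confidence=70, max_age=timedelta(days=7)):
    """Return (action, cache_until, log_record); `now` must be timezone-aware.

    min_confidence and max_age are hypothetical local policy, not API values.
    """
    try:
        rec, customer = resp["recommendation"], resp["customer"]
        action, ttl = rec["action"], int(rec["cache_ttl_seconds"])
        confidence = int(resp["risk"]["confidence"])
        seen = resp.get("observed_activity", {}).get("activity", {}).get("last_seen")
        last_seen = datetime.fromisoformat(seen) if seen else None
        if action not in ACTIONS or ttl < 0 or not isinstance(customer, dict):
            raise ValueError("unexpected action, TTL, or customer block")
    except (KeyError, TypeError, ValueError, AttributeError) as exc:
        # Malformed or partial response: challenge, and do not cache the result.
        return "challenge", now, {"reason": "malformed_response", "error": repr(exc)}
    reason = "ace_recommendation"
    if customer.get("ip_in_whitelist"):
        # Customer lists take precedence over the recommendation.
        action, reason = "allow", "customer_whitelist"
    elif customer.get("ip_in_blacklist") or customer.get("ip_in_geoblock"):
        action, reason = "block", "customer_list"
    elif action == "block":
        stale = last_seen is None or now - last_seen > max_age
        if confidence < min_confidence or stale:
            # Soften a block that rests on weak or old evidence.
            action, reason = "challenge", "block_downgraded"
    log = {"ip": resp.get("ip"), "action": action, "reason": reason,
           "confidence": confidence, "last_seen": seen,
           "request_id": resp.get("metadata", {}).get("request_id")}
    return action, now + timedelta(seconds=ttl), log
```

The returned cache_until lets the caller reuse the decision for cache_ttl_seconds instead of querying on every request, and the log record keeps the request_id so an enforcement event can be traced back to the lookup that produced it.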
Pricing Context
Shodan pricing and quota details can change over time, so the safer comparison is use-case based: Shodan packages access around internet search, monitoring, and data access.
FraudGuard pricing is tied to API usage and product access. Public plans run from $29/month to $599/month, with ACE v2 included on Professional and higher plans.
The buying decision should follow the use case:
- buy Shodan when you need visibility into exposed internet assets
- buy FraudGuard when you need to make source-IP risk decisions in production traffic
That second use case is where FraudGuard’s pricing matters. ACE v2 starts on the $99/month Professional plan with 5 million monthly requests. For teams that need high-volume source-IP decisions, this is a direct way to buy honeypot-backed evidence without building a research operation.
Bottom Line
Shodan finds exposed assets. FraudGuard evaluates source IP behavior.
If your current problem is internet asset discovery, Shodan is a strong category leader. If your current problem is real-time IP reputation for login, API, WAF, or fraud workflows, FraudGuard is built for that job because ACE v2 turns honeypot findings into a decision your systems can enforce.
Review FraudGuard ACE v2, test IP Lookup, or compare plans.
