How to Build an IP Risk Score
Combine VPN, proxy, Tor, hosting and reputation signals into one IP risk score. A practical guide to weighting signals, setting thresholds and tuning over time.
A risk score turns a pile of separate IP flags into one number your rules can act on. You can use a ready-made IP fraud score, or build your own when you have data to tune it. Either way, the structure is the same — here's how to think about it.
The ingredients
A good IP risk score blends signals that each capture a different kind of risk:
| Signal | What it captures | Typical weight |
|---|---|---|
| VPN / proxy / Tor | Origin hidden | High |
| Residential proxy | Deliberate evasion | High |
| Hosting ASN | Server, not a person | Medium–high |
| IP reputation | Past abuse | High |
| Geo consistency | Masked/odd location | Medium |
| Velocity | Burst behaviour | Medium |
For the underlying concepts see "What is IP reputation" and "What is an IP fraud score".
Step 1: gather signals from one lookup
Rather than calling many sources, pull the anonymiser, hosting and reputation signals from a single IP lookup via the IP reputation check or the detection APIs. Fewer calls, consistent data.
Step 2: weight and combine
Assign each signal a weight reflecting how predictive it is of the abuse you actually see, then combine the weighted signals into a 0–100 value. Start simple, with a weighted sum capped at 100, before reaching for anything fancier. Residential-proxy and reputation signals usually deserve the most weight.
Step 3: set action thresholds
Map the score to actions, not verdicts:
- 0–29 → allow
- 30–69 → challenge (verification / MFA)
- 70–100 → block or manual review on sensitive actions
Step 4: tune with outcomes
This is where a custom score earns its keep. Feed back real results — confirmed fraud, chargebacks, false positives — and adjust weights and thresholds. Re-tune periodically as abuse patterns shift; a score set once and forgotten drifts out of date.
Step 5: combine with non-IP signals
IP risk is one input. Blend it with device, behavioural and payment signals for a complete picture, especially against sophisticated residential-proxy abuse.
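Steps 2 to 4 as an added example, not code from this page or from any lookup API: a capped weighted sum, the three action bands, and a per-band outcome report used to compare two weight sets. The signal names, numeric weights and labelled outcomes are constructed assumptions that only follow the High/Medium ordering in the table above.

```python
# Added example: signal names, weights and outcomes are constructed assumptions.
WEIGHTS = {
    "vpn_proxy_tor": 35,      # High
    "residential_proxy": 40,  # High (weighted most, per Step 2)
    "hosting_asn": 25,        # Medium-high
    "bad_reputation": 40,     # High (weighted most, per Step 2)
    "geo_mismatch": 15,       # Medium
    "high_velocity": 15,      # Medium
}
# Step 3 bands: (lowest score in band, action), checked from the top down.
BANDS = [(70, "block_or_review"), (30, "challenge"), (0, "allow")]

def risk_score(signals, weights=WEIGHTS):
    """Step 2: weighted sum of the signals that fired, capped at 100."""
    unknown = set(signals) - set(weights)
    if unknown:  # fail loudly instead of silently scoring a new signal as 0
        raise ValueError(f"signals without a weight: {sorted(unknown)}")
    return min(100, sum(weights[n] for n, fired in signals.items() if fired))

def action(score):
    """Step 3: map a 0-100 score to an action, not a verdict."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for floor, name in BANDS:
        if score >= floor:
            return name

def band_report(outcomes, weights=WEIGHTS):
    """Step 4: per band, count confirmed fraud against legitimate traffic."""
    report = {name: {"fraud": 0, "legit": 0} for _, name in BANDS}
    for signals, was_fraud in outcomes:
        band = action(risk_score(signals, weights))
        report[band]["fraud" if was_fraud else "legit"] += 1
    return report

# Constructed feedback data: (signals from one lookup, confirmed fraud?)
OUTCOMES = [
    ({"residential_proxy": True, "bad_reputation": True}, True),
    ({"vpn_proxy_tor": True}, False),
    ({"hosting_asn": True, "high_velocity": True}, True),
    ({"geo_mismatch": True}, False),
    ({"vpn_proxy_tor": True, "hosting_asn": True, "geo_mismatch": True}, False),
]
# Candidate re-tune: lower the VPN weight after seeing legit users blocked.
TUNED = {**WEIGHTS, "vpn_proxy_tor": 25}

if __name__ == "__main__":
    print("before:", band_report(OUTCOMES))
    print("after: ", band_report(OUTCOMES, TUNED))
```

With the constructed data, the original weights put one legitimate user in the block band; the tuned weights move that user to challenge while the confirmed-fraud cases stay where they were.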
Bottom line
An IP risk score is a weighted blend of anonymiser, hosting and reputation signals condensed into one 0–100 number. Pull the signals from a single lookup, weight residential-proxy and reputation most heavily, map the score to allow/challenge/block bands, and tune continuously against your own outcomes.