Predax Blog

Product updates, best practices, and deep dives into IP intelligence.

IP Risk Scoring Explained: What the Numbers Actually Mean
Predax Team

IP Risk Scoring Explained: What the Numbers Actually Mean

risk-scoringexplainerfraudbest-practices

What Does a 0–100 Risk Score Represent?

An IP risk score is a normalised summary of everything an IP reputation system knows about a given address. A score of 0 means the IP looks entirely benign — it is a residential address with no abuse history, no association with VPN or proxy services, and no unusual traffic patterns. A score of 100 means the IP is a known threat: a Tor exit node, a flagged open proxy, or an address with a documented history of attacks.

The score exists because individual signals are not always conclusive on their own. A single VPN flag on a low-traffic IP might be a false positive. A combination of VPN + datacenter + abuse history + unusual geo patterns at score 87 is not. The score aggregates all available evidence into a single number that you can threshold against.

The Signals That Feed Into Scoring

Risk scores are calculated by weighting and combining multiple independent signals. Predax uses the following signal categories:

Network infrastructure signals (all returned under classification.* in the response)

  • is_vpn — IP belongs to a known VPN provider's ASN or CIDR range
  • is_proxy — IP is a known open or commercial proxy
  • is_tor — IP is a current Tor exit node (updated hourly from the official consensus)
  • is_datacenter — IP is registered to a cloud/hosting provider (AWS, GCP, Azure, Hetzner, OVH, etc.)

Reputation signals

  • ASN reputation — the Autonomous System the IP belongs to has a history of abuse
  • Community flagging — the IP has been reported across multiple Predax customers within a rolling window
  • Abuse database matches — the IP appears in public abuse databases (AbuseIPDB, Spamhaus, etc.)

Behavioural and geographic signals

  • Geographic anomalies — the IP's claimed location conflicts with its routing path
  • Crawler/bot patterns — the IP matches known web scraper or bot ASN profiles
  • High request velocity — the IP has been observed making unusually large numbers of API calls across the Predax customer base

Each signal contributes a weighted additive component to the final score. The weights are tunable per-account using Predax's custom scoring feature.

IP intelligence signal breakdown showing weighted risk components
IP intelligence signal breakdown showing weighted risk components

Score Ranges in Practice

ScoreClassificationWhat it typically means
0–20CleanResidential or business ISP, no signals, safe to allow
20–40Low riskMinor flags (e.g. a datacenter IP with no abuse history)
40–65ElevatedMultiple weak signals or one moderate signal; worth logging
65–85High riskStrong evidence of VPN/proxy/datacenter use or abuse history
85–100CriticalKnown Tor exit, confirmed open proxy, or high-abuse ASN

Real-World Score Examples

A residential DSL connection in Germany (Telekom DE): Score 4. No VPN/proxy flags. Clean ASN. Typical user traffic.

A Google Cloud Platform IP with no abuse history: Score 38. classification.is_datacenter: true. No abuse signals. Elevated because datacenters are unusual origins for human users, but the score stays low because there is no corroborating evidence of misuse.

A commercial VPN exit in the Netherlands (ASN registered to a known VPN provider): Score 71. classification.is_vpn: true, datacenter range, moderate community flagging. Not a known Tor node, so not critical, but clearly a privacy tool at minimum.

A known Tor exit node: Score 94. classification.is_tor: true, classification.is_vpn: true, high community flagging, known abuse ASN. Near-maximum risk because Tor exit nodes are used almost exclusively by people trying to evade detection.

A corporate headquarters IP (large Fortune 500 company): Score 12. Clean ASN, no abuse history. Slightly elevated from zero because large corporate IP ranges are sometimes used by employees for scraping or testing.

Choosing the Right Threshold

The right threshold is not universal — it depends on what you are protecting and what the cost of a false positive is versus a false negative.

Login / account creation: A threshold of 65–70 is appropriate for most applications. Block Tor (scores almost always above 85) outright; challenge VPN users (scores 50–80) with MFA.

Checkout / payment: A threshold of 60–65. Payment fraud is expensive, so you want to catch more — accept a slightly higher false positive rate in exchange for lower fraud rate.

API rate limiting: A threshold of 80–85. You want to limit rate-limiting false positives (a developer on a corporate VPN should not be rate-limited). Save the hard blocks for confirmed high-abuse IPs.

Content access / geo-restriction: A threshold of 50–60 for VPN detection specifically. You care about intent (bypassing geo-blocks) more than confirmed abuse.

Score vs. Individual Flags

The risk score and the individual boolean flags (classification.is_vpn, classification.is_tor, etc.) are complementary. Use the flags when you need to act on a specific signal — for example, you might block all Tor exits unconditionally regardless of risk score, because legitimate users essentially never browse through Tor.

Use the risk score when you need a holistic view — for example, when deciding whether to hold a WooCommerce order for review. A score of 78 tells you more than any single flag because it accounts for the combination of signals present.

The best implementations use both: flag checks for hard stops (Tor = always challenge), score thresholds for graduated responses (score 50–80 = MFA, score 80+ = block).

Security decision flowchart showing score thresholds and flag-based hard stops
Security decision flowchart showing score thresholds and flag-based hard stops

Related guides

Ready to use it? See pricing — every plan exposes the full score plus the underlying flags.