IP Risk Scoring Explained: What the Numbers Actually Mean
What Does a 0–100 Risk Score Represent?
An IP risk score is a normalised summary of everything an IP reputation system knows about a given address. A score of 0 means the IP looks entirely benign — it is a residential address with no abuse history, no association with VPN or proxy services, and no unusual traffic patterns. A score of 100 means the IP is a known threat: a Tor exit node, a flagged open proxy, or an address with a documented history of attacks.
The score exists because individual signals are not always conclusive on their own. A single VPN flag on a low-traffic IP might be a false positive. A combination of VPN + datacenter + abuse history + unusual geo patterns at score 87 is not. The score aggregates all available evidence into a single number that you can threshold against.
The Signals That Feed Into Scoring
Risk scores are calculated by weighting and combining multiple independent signals. Predax uses the following signal categories:
Network infrastructure signals (all returned under classification.* in the response)
is_vpn— IP belongs to a known VPN provider's ASN or CIDR rangeis_proxy— IP is a known open or commercial proxyis_tor— IP is a current Tor exit node (updated hourly from the official consensus)is_datacenter— IP is registered to a cloud/hosting provider (AWS, GCP, Azure, Hetzner, OVH, etc.)
Reputation signals
- ASN reputation — the Autonomous System the IP belongs to has a history of abuse
- Community flagging — the IP has been reported across multiple Predax customers within a rolling window
- Abuse database matches — the IP appears in public abuse databases (AbuseIPDB, Spamhaus, etc.)
Behavioural and geographic signals
- Geographic anomalies — the IP's claimed location conflicts with its routing path
- Crawler/bot patterns — the IP matches known web scraper or bot ASN profiles
- High request velocity — the IP has been observed making unusually large numbers of API calls across the Predax customer base
Each signal contributes a weighted additive component to the final score. The weights are tunable per-account using Predax's custom scoring feature.
Score Ranges in Practice
| Score | Classification | What it typically means |
|---|---|---|
| 0–20 | Clean | Residential or business ISP, no signals, safe to allow |
| 20–40 | Low risk | Minor flags (e.g. a datacenter IP with no abuse history) |
| 40–65 | Elevated | Multiple weak signals or one moderate signal; worth logging |
| 65–85 | High risk | Strong evidence of VPN/proxy/datacenter use or abuse history |
| 85–100 | Critical | Known Tor exit, confirmed open proxy, or high-abuse ASN |
Real-World Score Examples
A residential DSL connection in Germany (Telekom DE): Score 4. No VPN/proxy flags. Clean ASN. Typical user traffic.
A Google Cloud Platform IP with no abuse history: Score 38. classification.is_datacenter: true. No abuse signals. Elevated because datacenters are unusual origins for human users, but the score stays low because there is no corroborating evidence of misuse.
A commercial VPN exit in the Netherlands (ASN registered to a known VPN provider): Score 71. classification.is_vpn: true, datacenter range, moderate community flagging. Not a known Tor node, so not critical, but clearly a privacy tool at minimum.
A known Tor exit node: Score 94. classification.is_tor: true, classification.is_vpn: true, high community flagging, known abuse ASN. Near-maximum risk because Tor exit nodes are used almost exclusively by people trying to evade detection.
A corporate headquarters IP (large Fortune 500 company): Score 12. Clean ASN, no abuse history. Slightly elevated from zero because large corporate IP ranges are sometimes used by employees for scraping or testing.
Choosing the Right Threshold
The right threshold is not universal — it depends on what you are protecting and what the cost of a false positive is versus a false negative.
Login / account creation: A threshold of 65–70 is appropriate for most applications. Block Tor (scores almost always above 85) outright; challenge VPN users (scores 50–80) with MFA.
Checkout / payment: A threshold of 60–65. Payment fraud is expensive, so you want to catch more — accept a slightly higher false positive rate in exchange for lower fraud rate.
API rate limiting: A threshold of 80–85. You want to limit rate-limiting false positives (a developer on a corporate VPN should not be rate-limited). Save the hard blocks for confirmed high-abuse IPs.
Content access / geo-restriction: A threshold of 50–60 for VPN detection specifically. You care about intent (bypassing geo-blocks) more than confirmed abuse.
Score vs. Individual Flags
The risk score and the individual boolean flags (classification.is_vpn, classification.is_tor, etc.) are complementary. Use the flags when you need to act on a specific signal — for example, you might block all Tor exits unconditionally regardless of risk score, because legitimate users essentially never browse through Tor.
Use the risk score when you need a holistic view — for example, when deciding whether to hold a WooCommerce order for review. A score of 78 tells you more than any single flag because it accounts for the combination of signals present.
The best implementations use both: flag checks for hard stops (Tor = always challenge), score thresholds for graduated responses (score 50–80 = MFA, score 80+ = block).
Related guides
- How to detect VPN users — the most common signal feeding into the score.
- Proxy detection API guide — proxy categories and how each weights the score differently.
- Residential vs datacenter proxies — why proxy *type* matters as much as proxy *presence*.
- ASN-based blocking explained — using ASN reputation as a higher-leverage filter than per-IP scoring.
- Bot traffic in 2026 — applying risk scoring to non-human traffic.
Ready to use it? See pricing — every plan exposes the full score plus the underlying flags.
