# IP Risk Scoring for Developers: How to Assess IP Reputation in Real Time

> IP risk scoring helps you catch fraud at signup and checkout by analyzing VPN usage, proxy detection, Tor connections, data centre IPs, and geolocation anomalies. Learn how to integrate IP reputation checks and set scoring thresholds.

**Author:** Matt King | **Published:** June 17, 2026 | **Category:** IP Intelligence

---

Every request to your application carries an IP address. That IP contains a surprising amount of intelligence about who is on the other end: whether they are connecting through a VPN, routing through a proxy, hiding behind a Tor exit node, or operating from a data centre.

**IP risk scoring** turns that raw intelligence into a single actionable number. Low score, let them through. High score, block or review.

## Why IP Risk Scoring Matters

**At signup:** Fake account creation, free tier abuse, and bot registrations almost always originate from high-risk IPs. A data centre IP combined with a disposable email is a near-certain indicator of abuse.

**At checkout:** Stolen credit cards are typically used from IPs that don't match the cardholder's billing country. Scoring the IP before processing payment saves you chargebacks.

For more on how risk scores work, see [what a risk score is and how it works](/blog/what-is-a-risk-score-and-how-does-it-work).

## The Signals Behind an IP Risk Score

### VPN Detection
VPN usage alone is not proof of fraud, but combined with other signals it increases confidence significantly.

### Proxy Detection
Open proxies are particularly dangerous because anyone can route traffic through them.

### Tor Exit Nodes
Tor exit nodes are publicly listed, making detection straightforward. Their presence in a transaction flow is a strong risk signal.

### Data Centre and Hosting IPs
Legitimate users browse from residential ISPs, not from AWS or DigitalOcean instances.

### Abuse History
IPs that appear in spam blocklists or honeypot traps carry additional weight.

### Geolocation Anomalies
If a user claims to be in the US but their IP geolocates to Nigeria, that is a risk signal. See [geolocation fraud detection](/blog/geolocation-fraud-detection-how-location-data-catches-bad-transactions).

## Checking IP Reputation at Signup

```php
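<?php
// app/Services/FraudScreening.php
namespace App\Services;

use Illuminate\Http\Client\ConnectionException;
use Illuminate\Support\Facades\Http;

class FraudScreening
{
    public function checkSignup(string $email, string $ip): array
    {
        try {
            $response = Http::timeout(3)
                ->withHeaders([
                    'Authorization' => 'Bearer ' . config('services.fidro.api_key'),
                ])
                ->post('https://api.fidro.io/v1/validate', [
                    'email' => $email,
                    'ip' => $ip,
                ]);
        } catch (ConnectionException $e) {
            // A timeout or network failure throws instead of returning a response.
            // Fail open here, the same as for a non-2xx response below.
            return ['action' => 'allow', 'score' => 0];
        }

        // Fail open on API errors so an outage does not stop signups.
        if (! $response->successful()) {
            return ['action' => 'allow', 'score' => 0];
        }

        $result = $response->json();
        // A missing or malformed body is treated as score 0 rather than raising an error.
        $score = $result['risk_score'] ?? 0;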

        if ($score > 70) {
            return ['action' => 'block', 'score' => $score, 'data' => $result];
        }
        if ($score >= 30) { // a score of exactly 30 falls in the review tier
            return ['action' => 'review', 'score' => $score, 'data' => $result];
        }
        return ['action' => 'allow', 'score' => $score, 'data' => $result];
    }
}
```

Try the [free IP checker tool](/tools/ip-checker) or the [VPN detector](/tools/vpn-detector) to see the full analysis for any IP address.

## Checking IP Reputation at Checkout

At checkout, also pass the billing country for geolocation matching:

```php
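// $request->ip() only returns the real client address when trusted proxies are
// configured; behind a load balancer it otherwise returns the balancer's IP.
try {
    $check = Http::timeout(3)
        ->withHeaders([
            'Authorization' => 'Bearer ' . config('services.fidro.api_key'),
        ])
        ->post('https://api.fidro.io/v1/validate', [
            'email' => $request->email,
            'ip' => $request->ip(),
            'country_code' => $request->billing_country,
        ]);

    $result = $check->successful() ? $check->json() : null;
} catch (\Illuminate\Http\Client\ConnectionException $e) {
    // Timeout or network failure: no score available.
    $result = null;
}

// No usable answer is treated as score 0 (fail open, as in the signup check).
$score = $result['risk_score'] ?? 0;

if ($score > 70) {
    return response()->json(['error' => 'Payment could not be processed.'], 422);
}

if ($score >= 30) {
    // Require 3D Secure for medium-risk transactions
}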
```

## Setting Thresholds: The Three-Tier Framework

### Tier 1: Allow (Score < 30)
Residential IP, well-known ISP, no VPN or proxy, geolocation matches. Process normally.

### Tier 2: Review (Score 30 to 70)
Some risk signals but not clearly fraudulent. Require email verification or flag for monitoring.

### Tier 3: Block (Score > 70)
Multiple strong risk signals. Block the action and log for analysis.

### Tuning Your Thresholds

Start with 30/70 and monitor:

- **False positive rate:** Too many real users blocked? Raise the block threshold to 80.
- **False negative rate:** Still seeing chargebacks from low-score users? Lower the allow threshold to 20.

For a full guide, see [tuning fraud thresholds](/blog/tuning-fraud-thresholds).
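
One way to monitor those two rates, as an added example that is not part of the Fidro API or documentation: replay past decisions against candidate threshold pairs and compare outcomes. The function name `evaluateThresholds` and the sample events are constructed for illustration; it assumes you log the score at decision time and later label each event with its outcome (chargeback or abuse report).

```php
<?php
// Added example: hypothetical helper and constructed data, not Fidro code.

/**
 * @param array<int, array{score:int, fraud:bool}> $events labelled past decisions
 * @return array{blocked_legit_rate: float, allowed_fraud_rate: float, review_rate: float}
 */
function evaluateThresholds(array $events, int $allowBelow, int $blockAbove): array
{
    $legit = $fraud = $blockedLegit = $allowedFraud = $review = 0;

    foreach ($events as $e) {
        // Same tiers as the article: below allow, allow..block (review), above block.
        $action = $e['score'] > $blockAbove ? 'block'
            : ($e['score'] >= $allowBelow ? 'review' : 'allow');

        if ($e['fraud']) { $fraud++; } else { $legit++; }
        if ($action === 'block' && ! $e['fraud']) { $blockedLegit++; } // false positive
        if ($action === 'allow' && $e['fraud']) { $allowedFraud++; }   // false negative
        if ($action === 'review') { $review++; }
    }

    return [
        'blocked_legit_rate' => $legit ? $blockedLegit / $legit : 0.0,
        'allowed_fraud_rate' => $fraud ? $allowedFraud / $fraud : 0.0,
        'review_rate' => $events ? $review / count($events) : 0.0,
    ];
}

// Constructed sample: score at decision time plus the outcome learned later.
$events = [
    ['score' => 8, 'fraud' => false], ['score' => 12, 'fraud' => false],
    ['score' => 25, 'fraud' => true], ['score' => 28, 'fraud' => false],
    ['score' => 42, 'fraud' => false], ['score' => 55, 'fraud' => true],
    ['score' => 68, 'fraud' => false], ['score' => 74, 'fraud' => false],
    ['score' => 78, 'fraud' => true], ['score' => 91, 'fraud' => true],
];

// Compare the 30/70 starting point with the adjustments suggested above.
foreach ([[30, 70], [30, 80], [20, 70], [20, 80]] as [$allow, $block]) {
    $r = evaluateThresholds($events, $allow, $block);
    printf("allow<%d block>%d  blocked-legit=%.0f%%  allowed-fraud=%.0f%%  review=%.0f%%\n",
        $allow, $block, 100 * $r['blocked_legit_rate'],
        100 * $r['allowed_fraud_rate'], 100 * $r['review_rate']);
}
```

The review rate is reported alongside the two error rates because moving either threshold shifts traffic into the review tier, which has its own cost.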

## What High-Risk IPs Look Like

### Residential User, Low Risk (Score: 8)
```json
{
  "risk_score": 8,
  "checks": { "vpn": false, "proxy": false, "tor": false, "datacenter": false },
  "location": { "country_code": "US", "isp": "Comcast Cable Communications" }
}
```

### VPN User, Medium Risk (Score: 42)
```json
{
  "risk_score": 42,
  "checks": { "vpn": true, "proxy": false, "tor": false, "datacenter": false },
  "location": { "country_code": "US", "isp": "NordVPN" }
}
```

### Tor on Data Centre, High Risk (Score: 91)
```json
{
  "risk_score": 91,
  "checks": { "vpn": false, "proxy": false, "tor": true, "datacenter": true, "bad_ip": true },
  "location": { "country_code": "DE", "isp": "Hetzner Online GmbH" }
}
```

## Combining IP Scores with Email Validation

IP risk scoring is most powerful when combined with email intelligence:

```php
$result = $fidro->validate($request->email, $request->ip());

$isDisposable = $result['checks']['disposable_email'] ?? false;
$isVpn = $result['checks']['vpn'] ?? false;

// Custom rule: disposable email + VPN is always blocked
if ($isDisposable && $isVpn) {
    return response()->json(['error' => 'Registration blocked.'], 403);
}
```

Try the [email checker](/tools/email-checker) alongside the [IP checker](/tools/ip-checker) to see how these signals complement each other.

## Getting Started

1. Sign up at [fidro.io/pricing](/pricing). Free plan includes 200 requests per month.
2. Test with the [IP checker tool](/tools/ip-checker).
3. Integrate at signup first, then extend to checkout.
4. Monitor and tune thresholds based on your data.

For API reference, see the [documentation](/docs). For more on IP intelligence, read [IP intelligence for detecting VPNs, proxies, and Tor](/blog/ip-intelligence-detect-vpns-proxies-tor).

---

## Frequently Asked Questions

### What is IP risk scoring?

IP risk scoring assigns a numerical score to an IP address based on fraud signals like VPN usage, proxy detection, Tor connections, data centre hosting, abuse history, and geolocation anomalies. A higher score indicates a higher likelihood of fraudulent activity.

### Should I block all VPN users based on their IP risk score?

No. VPN detection should be one factor in a composite risk score, not a standalone block rule. Combine it with email validation, geolocation matching, and behavioural signals to make nuanced decisions.

### What IP risk score thresholds should I start with?

A good starting point: allow scores below 30, review scores between 30 and 70, block scores above 70. Monitor your false positive rate and adjust based on your traffic patterns.

### How fast is real-time IP risk scoring?

Fidro returns IP risk scores in under 200ms, fast enough to run inline during signup or checkout flows without noticeable latency.

### Can I use IP risk scoring at both signup and checkout?

Yes, and you should. Checking at signup catches fake accounts. Checking at checkout catches stolen cards and account takeover. Scoring at multiple touchpoints gives you better coverage.

