Why Context Beats Fraud Scores: A Better Way to Evaluate IP Risk

When evaluating IP traffic risk, one of the most common questions asked by security and fraud researchers is: Can I get a fraud (or risk) score on this IP?
It’s a fair question. After all, scores are familiar and simple to understand, and easy to plug into systems for decision making. But that simplicity is also their biggest limitation.
Security and fraud teams should take a different approach – one that prioritizes transparency, flexibility, and control. Rather than compressing complex signals into a single rigid, out-of-the-box number, look for rich IP intelligence attributes that let you define risk multidimensionally, in context, and on your organization’s terms.
This post examines the problem with a one-size-fits-all approach to IP risk scoring and how to interpret advanced IP context to deliver risk signals that matter.
The Problem with a One-Size-Fits-All Approach
There is a place for IP risk scores, and they can be useful in certain situations. If you need a quick, generalized signal to triage traffic with limited modification required – especially in low-stakes environments – a score can provide a fast answer. It’s easy to set a threshold (for example, “block anything over ‘80’”) and move on.
Every organization has a unique risk appetite
The concern with out-of-the-box scores is that risk means different things to different organizations. Context is key in both calculating and interpreting a scoring model so that it is unique for each organization and use case. For example, some organizations prioritize growth and are willing to tolerate a higher level of fraud risk in exchange for fewer false positives. Others operate in regulated environments where even a small amount of risk is unacceptable. Many fall somewhere in between, with different thresholds depending on the use case (e.g., a login, signup, checkout, or API access).
Consider these examples:
- A residential proxy might be extremely risky for an e-commerce checkout flow but less concerning for simple content browsing.
- A hosting provider IP might be suspicious for account creation, but perfectly valid for a developer using your API.
- A VPN connection might be acceptable for privacy-conscious users in one region, but a red flag in another.
The problem is that most fraud and IP risk scoring tools lack the flexibility to adapt to these nuances without becoming overly conservative (blocking too much) or dangerously permissive (letting too much suspicious traffic through).
Risk scores are a black box
Risk and fraud scores are ultimately a black box abstraction. The score reflects a vendor’s interpretation of risk, based on their assumptions, training data, and customer base. Simple scores that consolidate a multidimensional problem into a single number strip away the nuance that actually matters.
Understanding IP Context: Moving from a Black Box Answer to a Glass Box Explanation
Instead of compressing signals into a score, a different approach examines the underlying attributes that define IP behavior. An advanced IP context object includes signals like:
- Whether the IP is associated with a proxy, VPN, or hosting provider
- ASN and organization metadata
- Connection type and infrastructure classification
- Behavioral and reputation indicators
- Geographic and network-level consistency signals
These attributes give you the raw ingredients to define risk in a way that aligns with your business.
What follows are a few example use cases of how to translate IP attributes like these to inform decisioning, using a sample IP context object.
Example IP Context Object
{
  "as": {
    "number": 49981,
    "organization": "WorldStream"
  },
  "client": {
    "behaviors": ["FILE_SHARING", "TOR_PROXY_USER"],
    "concentration": {
      "city": "Polāia Kalān",
      "country": "IN",
      "density": 0.2675,
      "geohash": "tsn",
      "skew": 6762,
      "state": "Madhya Pradesh"
    },
    "count": 4,
    "countries": 2,
    "proxies": ["ABCPROXY_PROXY", "9PROXY_PROXY", "NETNUT_PROXY", "GOPROXY_PROXY"],
    "spread": 4724209,
    "types": ["MOBILE", "DESKTOP"]
  },
  "infrastructure": "DATACENTER",
  "ip": "89.39.106.191",
  "location": {
    "city": "Amsterdam",
    "country": "NL",
    "state": "North Holland"
  },
  "organization": "WorldStream B.V.",
  "risks": ["CALLBACK_PROXY", "TUNNEL", "GEO_MISMATCH"],
  "services": ["OPENVPN"],
  "tunnels": [
    {
      "anonymous": true,
      "entries": ["89.39.106.82"],
      "operator": "PROTON_VPN",
      "type": "VPN"
    }
  ]
}
Use Case Example #1: High-Risk Automation Detection
An organization focused on preventing bot-driven activity observes the following:
- infrastructure = "DATACENTER"
- AND client.behaviors = "TOR_PROXY_USER"
- AND services = "OPENVPN"
- AND tunnels[].anonymous = true
This IP runs through datacenter infrastructure, is associated with Tor/proxy-like behavior, uses a known VPN service (ProtonVPN), and is explicitly marked as anonymous tunnel traffic. An organization concerned about bot traffic would therefore treat it as the highest risk, because this combination of attributes shows patterns typically aligned with abuse tooling.
Use Case Example #2: Moderate Risk with Contextual Allowance
A team that wants to reduce false positives might take a more nuanced approach after observing these attributes:
- services = "OPENVPN"
- AND infrastructure = "DATACENTER"
- BUT location.country = "NL"
- AND client.concentration.country = "IN"
- AND risks = "GEO_MISMATCH"
This IP shows a combination of VPN usage, cross-region inconsistency (India concentration vs. Netherlands exit), and anonymization signals. It would therefore be treated as medium-to-high risk, depending on the use case.
For example, if the team were investigating account takeovers or suspicious sessions, these insights could be used to add friction, such as triggering step-up authentication. However, if the traffic were observed during simple browsing activity, it would be treated as medium risk. In either scenario, it’s the context that defines the action.
Use Case Example #3: Strict Policy for Sensitive Actions
A financial services company defines strict rules for high-value transactions. For example, the team observes:
- infrastructure = "DATACENTER"
- OR risks = "CALLBACK_PROXY"
- OR risks = "TUNNEL"
- OR tunnels[].operator = "PROTON_VPN"
This IP appears to operate from non-residential infrastructure, is associated with tunneling and callback proxy behavior, and is using a commercial anonymization provider. The financial services company would use this intelligence to flag it as high risk and immediately block or require step-up verification for high-risk flows if they do not allow anonymized infrastructure for this action. (For additional context in a similar use case, watch this webinar that examines how a bank uses advanced IP intelligence to inform step-up authentication rules.)
If this were reduced to a single fraud score, all of this context – Tor usage, VPN tunneling, geographic mismatch, and datacenter infrastructure – would be compressed into a number like “87.” But that number doesn’t tell you why it’s risky or how to respond. By contrast, each of these three examples informs an action, and the logic behind it is transparent, adaptable, and aligned with the organization’s specific needs.
In practice, teams should start by identifying their highest-risk user flows (e.g., signup, checkout), then map relevant attributes to decision logic. Over time, this logic evolves as patterns change – something that static scores can’t accommodate.
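The three use cases above, written as explicit per-flow rules over the sample context object and returning the reasons alongside the decision. This is an added example, not Spur's code: the flow names, signal names, and the actions for use case 1 and for browsing are assumptions, and the country comparison generalizes the NL-versus-IN case.

```python
# Constructed sample: a trimmed copy of the example IP context object above.
CTX = {
    "infrastructure": "DATACENTER",
    "client": {"behaviors": ["FILE_SHARING", "TOR_PROXY_USER"],
               "concentration": {"country": "IN"}},
    "location": {"country": "NL"},
    "risks": ["CALLBACK_PROXY", "TUNNEL", "GEO_MISMATCH"],
    "services": ["OPENVPN"],
    "tunnels": [{"anonymous": True, "operator": "PROTON_VPN", "type": "VPN"}],
}

def signals(ctx):
    """Flatten a context object into named signals; absent fields add nothing."""
    client, tunnels = ctx.get("client", {}), ctx.get("tunnels", [])
    found = {r.lower() for r in ctx.get("risks", [])}
    if ctx.get("infrastructure") == "DATACENTER":
        found.add("datacenter")
    if "TOR_PROXY_USER" in client.get("behaviors", []):
        found.add("tor_proxy_user")
    if "OPENVPN" in ctx.get("services", []):
        found.add("openvpn")
    if any(t.get("anonymous") for t in tunnels):
        found.add("anonymous_tunnel")
    if any(t.get("operator") == "PROTON_VPN" for t in tunnels):
        found.add("proton_vpn")
    exit_cc = ctx.get("location", {}).get("country")
    user_cc = client.get("concentration", {}).get("country")
    if exit_cc and user_cc and exit_cc != user_cc:
        found.add("country_differs")  # generalizes the NL-vs-IN case
    return found

# Use cases 1 and 2 require ALL listed signals; use case 3 requires ANY.
AUTOMATION = {"datacenter", "tor_proxy_user", "openvpn", "anonymous_tunnel"}
GEO_VPN = {"openvpn", "datacenter", "geo_mismatch", "country_differs"}
STRICT_ANY = {"datacenter", "callback_proxy", "tunnel", "proton_vpn"}

def decide(ctx, flow):
    """Return (risk, action, reasons); flow names and some actions are assumed."""
    s = signals(ctx)
    if flow == "high_value_transaction" and s & STRICT_ANY:
        return "high", "block_or_step_up", sorted(s & STRICT_ANY)
    if flow == "signup" and AUTOMATION <= s:
        return "highest", "block", sorted(AUTOMATION)
    if GEO_VPN <= s:
        if flow == "login":
            return "medium-to-high", "step_up_auth", sorted(GEO_VPN)
        return "medium", "allow_and_monitor", sorted(GEO_VPN)
    return "low", "allow", []
```

The same IP yields a different risk level and action for each flow, and the returned reasons list records which attributes drove the decision.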
Spur’s Approach: IP Risk is More Than a Score
To be sure, there is a pathway to effective risk scoring if done appropriately and with context, but the majority of out-of-the-box models are far too reductive to be useful. When you reduce a complex signal to a single number – regardless of how it is derived – you lose the context and flexibility that drives better informed, nuanced decisions. Considering multiple attributes preserves that context. Advanced IP intelligence gives you the flexibility to interpret risk according to your organization’s risk appetite.
At Spur, we believe that risk intelligence should be transparent, explainable, and adaptable. That’s why we focus on delivering high-fidelity IP intelligence designed to plug directly into your decisioning systems. Instead of forcing you into a predefined score, we give you the tools to define risk in a way that fits your use cases, users, and risk tolerance.
Ready to experience our high-fidelity IP intelligence in action? Start with free access to Spur Community or schedule a 1:1 demo to discuss your specific requirements with a Spur representative.