First-party IP intelligence for fraud prevention, bot detection, and abuse defense.

ACE v2 is FraudGuard's real-time IP reputation and IP intelligence API for account takeover prevention, credential stuffing defense, payment fraud screening, bot mitigation, VPN/proxy/Tor detection, and API security. Every decision is backed by FraudGuard's own collection, AI/ML intent verification, and evidence-rich response data.

Start Free Trial Read ACE v2 Docs Try Public Lookup
ACE v2 decision summary
Recommendation Block Actionable guidance with cached TTL and evidence summary.
Risk Critical Level 5 risk with confidence factors you can explain internally.
Observed activity 2 honeypots Multi-honeypot reach, repeated activity, and service-level evidence.
Infrastructure Alibaba Cloud Hosting provider, ASN, prefix, ISP, org, and geography in the same response.

Classification

web_scanner multi_service_scanner honeypot_attacker ai_automation hosting_provider

Why teams choose ACE v2

FraudGuard tells you not just what an IP looks like, but what it has actually done across our own collection and verification pipeline. That is the difference between generic reputation and evidence-driven enforcement.

First-party IP intelligence FraudGuard sources, verifies, and maintains its own IP reputation and abuse telemetry instead of blending third-party vendor feeds.
Real attacker telemetry One of the largest privately owned honeypot networks on the internet today, built to observe scanners, bots, and hostile infrastructure directly.
Intent verification AI/ML layers validate attack intent, reduce false positives, and separate noisy scans from meaningful abuse, automation, and AI-driven traffic.
Operational output Recommendation, risk, evidence, infrastructure, geography, and customer controls arrive in one response for fraud prevention, WAF, API security, and SOC workflows.

Why teams replace generic IP reputation vendors with ACE v2

Buyers do not need another black-box score. They need an IP intelligence system that can hold up in fraud reviews, trust and safety workflows, SOC triage, API abuse investigations, WAF enforcement, and automated risk engines. ACE v2 is built for exactly that.

Fraud prevention and account defense

ACE v2 helps stop account takeover, credential stuffing, signup abuse, promo abuse, and payment fraud with recommendation logic that is usable in real-time decisioning.

Bot detection and API abuse visibility

FraudGuard uses AI/ML verification layers to confirm whether behavior looks like real malicious intent, scripted abuse, bot traffic, scraping, agentic AI activity, or lower-signal noise.

Owned collection and verification

FraudGuard collects, verifies, and enriches its own signals end to end instead of reselling commodity feeds, which keeps ACE v2 fresh, explainable, and defensible.

Built for WAF, SIEM, SOAR, and risk engines

Get structured JSON output for infrastructure classification, proxy/VPN/Tor detection, geography, repeat attacker evidence, and service-level attack history without stitching providers together.

What powers the engine

ACE stands for Attack Correlation Engine, and ACE v2 is built on FraudGuard's own collection, correlation, and verification pipeline. At the center is a proprietary honeypot network that is one of the largest privately owned honeypot networks on the internet today. That network is engineered to watch what hostile infrastructure actually does across multiple services, targets, protocols, and time windows.

FraudGuard does not stop at raw honeypot events. We correlate repeat attackers, multi-honeypot attackers, service-level signatures, attack families, burst behavior, and target spread. We also enrich and verify that activity with AI/ML layers that evaluate whether the behavior aligns with real abuse, automated scanning, AI-driven automation, or broader campaign behavior.

We also go outside of our network in controlled ways. FraudGuard monitors public exposure paths, decoy credential activity, decoy key leakage, GitHub-style exposure workflows, credential stuffing behavior, automated abuse paths, and selected off-network validation channels that help us confirm infrastructure and intent without relying on third-party feed vendors.

The result is a dataset that is sourced and verified internally from end to end. FraudGuard does not use external reputation feeds for ACE v2. That control over collection, validation, and freshness is what makes ACE v2 more useful than generic reputation vendors for high-consequence fraud and security decisions.

Privately owned honeypot infrastructure

Observed attacker behavior across multiple services, target profiles, ports, and time windows gives ACE v2 evidence that generic feeds cannot produce.

Controlled out-of-band validation

FraudGuard uses public exposure monitoring, decoy keys, decoy credentials, and abuse-observation workflows to validate infrastructure and attacker intent outside of direct honeypot interaction.

AI/ML verification layers

Intent scoring helps determine whether traffic reflects AI abuse, automated abuse, scanning, credential pressure, payment-fraud behavior, spam activity, or broader campaign overlap.

Enrichment without vendor dependency

Hosting provider, network, geography, anonymity, behavioral, and customer-control context are collected, maintained, and correlated by FraudGuard rather than outsourced to feed resellers.

Fraud prevention, bot detection, account takeover defense, and API security in one IP intelligence engine.

ACE v2 is designed for login protection, signup abuse prevention, credential stuffing detection, payment fraud screening, promo abuse reduction, proxy/VPN/Tor detection, WAF enrichment, SIEM/SOAR enrichment, trust and safety review, and real-time IP risk scoring across web apps, mobile apps, APIs, and cloud platforms.

What the ACE v2 response actually gives you

ACE v2 is designed for systems and analysts. The output is structured so you can automate fast paths while still preserving the context needed for debugging, fraud review, SOC escalation, policy tuning, or executive explanation.

Recommendation

Action guidance such as block, plus human-readable evidence summary and cache TTL so you can enforce quickly without losing the why.

Classification

Primary and secondary labels like web scanner, honeypot attacker, AI automation, or hosting provider so you can sort and route risk intelligently.

Risk and confidence

Criticality, confidence score, and explicit confidence factors such as recent activity, repeated activity, multi-honeypot reach, and multiple target services.

Observed activity

Attack families, trends, counts, distinct attack types, target services, destination ports, first seen, last seen, and last observed attack details.

Attributes

Flags for AI automation suspicion and other structured behavioral markers that help distinguish low-signal traffic from meaningful abuse.

Infrastructure and anonymity

Hosting provider, data center IP, VPN, Tor, public proxy, residential proxy, mobile network, shared exit, and related infrastructure characteristics.

Network and geography

ASN, ASN org, ISP, organization, prefix, connection type, country, state, city, postal code, timezone, and geolocation coordinates.

Customer and metadata

Whitelist, blacklist, and geoblock matches plus request ID, schema version, API version, engine, and generated timestamp.

ACE v2 example response Illustrative payload 
{
  "ip": "8.216.12.173",
  "recommendation": {
    "action": "block",
    "evidence_summary": "This IP was observed performing 3 total attack events across 2 FraudGuard honeypots in the last 7 days, including 2 Jenkins probing events and 1 HTTP/WAF probing event, most recently on May 26, 2026 at 19:31 UTC.",
    "cache_ttl_seconds": 14400
  },
  "classification": {
    "primary": "web_scanner",
    "secondary": [
      "multi_service_scanner",
      "honeypot_attacker",
      "ai_automation",
      "hosting_provider"
    ]
  },
  "risk": {
    "level": 5,
    "label": "critical",
    "confidence": 85,
    "confidence_factors": [
      "recent_activity",
      "repeated_activity",
      "multi_honeypot_reach",
      "specific_attack_signature",
      "multiple_attack_types",
      "multiple_target_services"
    ]
  },
  "observed_activity": {
    "observed": true,
    "attack_families": [
      "web_probe"
    ],
    "activity": {
      "pattern": "burst",
      "trend": "burst",
      "attack_events_24h": 3,
      "attack_events_7d": 3,
      "attack_events_30d": 3,
      "distinct_attack_types_30d": 2,
      "distinct_target_services_30d": 2,
      "distinct_target_ports_30d": 2,
      "first_seen": "2026-05-26T15:45:54+00:00",
      "last_seen": "2026-05-26T19:31:59+00:00"
    },
    "attacks": [
      {
        "type": "jenkins_login_page_probe",
        "service": "jenkins",
        "protocol": "http",
        "destination_port": 8080,
        "attack_events_24h": 2,
        "attack_events_7d": 2,
        "attack_events_30d": 2,
        "honeypots_reached_24h": 1,
        "honeypots_reached_7d": 1,
        "honeypots_reached_30d": 1,
        "first_seen": "2026-05-26T15:45:54+00:00",
        "last_seen": "2026-05-26T15:45:57+00:00"
      },
      {
        "type": "waf_attack",
        "service": "http",
        "protocol": "http",
        "destination_port": 80,
        "attack_events_24h": 1,
        "attack_events_7d": 1,
        "attack_events_30d": 1,
        "honeypots_reached_24h": 1,
        "honeypots_reached_7d": 1,
        "honeypots_reached_30d": 1,
        "first_seen": "2026-05-26T19:31:59+00:00",
        "last_seen": "2026-05-26T19:31:59+00:00"
      }
    ],
    "last_observed_attack": {
      "event_type": "waf_attack",
      "service": "http",
      "protocol": "http",
      "destination_port": 80,
      "observed_at": "2026-05-26T19:31:59+00:00"
    }
  },
  "attributes": {
    "ai_automation_suspected": {
      "detected": true
    }
  },
  "reasons": [
    {
      "code": "abusive_activity_observed",
      "message": "Abusive activity observed by FraudGuard ACE",
      "severity": "high"
    },
    {
      "code": "scanner_activity_observed",
      "message": "Scanner or probing activity observed",
      "severity": "medium"
    },
    {
      "code": "honeypot_interaction_observed",
      "message": "Interaction observed across FraudGuard honeypot infrastructure",
      "severity": "high"
    },
    {
      "code": "waf_attack_activity_observed",
      "message": "HTTP/WAF attack activity observed",
      "severity": "high"
    },
    {
      "code": "activity_within_7_days",
      "message": "Activity observed within the last 7 days",
      "severity": "high"
    }
  ],
  "customer": {
    "ip_in_whitelist": false,
    "ip_in_blacklist": false,
    "ip_in_geoblock": false
  },
  "infrastructure": {
    "type": "hosting_provider",
    "provider": "Alibaba Cloud",
    "is_tor_exit": false,
    "is_public_proxy": false,
    "is_vpn": false,
    "is_hosting_provider": true,
    "is_residential_proxy": false,
    "is_mobile_network": false,
    "is_satellite_network": false,
    "is_shared_exit": false,
    "is_ai_agent": false,
    "first_seen": "2026-05-18T02:44:12+00:00",
    "last_seen": "2026-05-18T15:07:09+00:00",
    "updated_at": "2026-05-18T15:07:09+00:00"
  },
  "network": {
    "asn": 45102,
    "asn_org": "Alibaba US Technology Co., Ltd.",
    "isp": "Alibaba",
    "organization": "Alibaba",
    "prefix": "8.216.12.0/24",
    "connection_type": "Corporate"
  },
  "geography": {
    "country": "Japan",
    "isocode": "JP",
    "state": "Tokyo",
    "city": "Tokyo",
    "postal_code": "102-0082",
    "timezone": "Asia/Tokyo",
    "latitude": 35.6893,
    "longitude": 139.6899
  },
  "metadata": {
    "request_id": "acev2_example_single_lookup",
    "generated_at": "2026-05-27T00:47:35+00:00",
    "schema_version": "2.0.0",
    "api_version": "2.0.0",
    "engine": "ace_v2"
  }
}

Deep enrichment and abuse markers in the same decision engine

ACE v2 is not limited to a single reputation dimension. It combines infrastructure intelligence, proxy/VPN/Tor detection, abuse telemetry, fraud signals, and behavioral analytics so teams can evaluate risk from multiple angles without stitching tools together.

Hosting provider and data center detection

Recognize hosting infrastructure, cloud providers, data center IPs, shared exits, and enterprise-style network footprints before they become false trust signals.

Geolocation and network identity

Country, state, city, ASN, ISP, org, prefix, and connection profile help support regional policy, fraud review, and risk segmentation.

Repeat attacker tracking

ACE v2 tracks repeated activity patterns over 24-hour, 7-day, and 30-day windows so you can separate one-off noise from durable hostile infrastructure.

Multi-honeypot attacker reach

Seeing an IP reach multiple FraudGuard honeypots is a materially stronger signal than a single isolated event, and ACE v2 surfaces that directly.

Payment fraud detection

FraudGuard uses attack and abuse telemetry to help identify infrastructure that aligns with carding, checkout abuse, transaction probing, and payment-related automation.

Automated abuse tracking

Watch for scripted abuse paths such as signup pressure, credential stuffing, probing, scraping, automation frameworks, and repeat abusive workflows.

AI abuse tracking

ACE v2 includes markers for AI automation suspicion and verification layers built to detect emerging agentic abuse patterns.

Threat behavior analytics

Trend, burst pattern, distinct target services, distinct attack types, and destination-port spread help explain how the infrastructure behaves, not just who owns it.

Spam detection and tracking

FraudGuard tracks spam-oriented abuse and related infrastructure behaviors as part of the broader reputation and verification pipeline.

Open proxy, Tor, VPN, and anonymous network detection

Public proxies, Tor exits, VPN infrastructure, residential proxy traits, and other shared or anonymized exits are surfaced inside the same response.

VPN identification

ACE v2 helps identify traffic coming from VPN-backed infrastructure so teams can tune controls for signup abuse, account protection, regional restrictions, or abuse review.

Botnet monitoring

Botnet-adjacent infrastructure, repeated scanners, and multi-service probing activity can be correlated and surfaced before they become production incidents.

Built for single lookups, bulk scoring, and production automation

Whether you need an immediate fraud decision for one IP or large-scale enrichment across a queue, log set, or abuse review backlog, ACE v2 keeps the same evidence model and operational logic for web, mobile, API, and cloud workflows.

ACE v2 single IP intelligence

Use the single endpoint when you need an immediate decision in a login flow, signup flow, payment workflow, WAF action, API request path, support tool, or analyst console.

  • Evidence-rich recommendation and risk output
  • Behavioral context, infrastructure, and geography in one call
  • Built for challenge, review, allow, or block decisions
  • Ideal for inline policy and transaction scoring
Single endpoint docs Try public lookup

ACE v2 bulk IP intelligence

Use the bulk endpoint when you need to enrich a backlog, API event queue, access log, fraud case set, SIEM dataset, or large operational workflow efficiently.

  • Same ACE v2 logic and response model at larger scale
  • Practical for risk backfills, threat hunts, and enrichment jobs
  • Designed for pipelines, exports, and scheduled scoring runs
  • Ideal for Business and higher-volume operational teams
Bulk endpoint docs Compare plans

Common production use cases

ACE v2 is flexible enough for direct enforcement and detailed enough for analysts. That combination is why teams use it across security, fraud, abuse, support, and platform operations.

Identity + trust

Account protection

Score login, signup, password reset, and account recovery traffic before it turns into credential stuffing, account takeover, fake-account pressure, or support escalations.

Payments

Payment and checkout defense

Use infrastructure, anonymity, and behavior signals to challenge or stop carding, transaction testing, promo abuse, checkout abuse, and automated payment workflows.

Edge controls

WAF and edge enforcement

Feed ACE v2 decisions into upstream controls so hostile infrastructure is challenged or blocked before it reaches expensive application layers, API gateways, and origin services.

Detection ops

SIEM and SOAR enrichment

Bring high-confidence IP context into detections, case management, enrichment steps, and analyst queues without juggling multiple vendors or fragmented threat feeds.

Abuse defense

Platform abuse and AI abuse review

Detect and explain automation, scripted behavior, agentic AI traffic, proxy-backed abuse, and coordinated hostile workflows faster.

Internal teams

Support and trust operations

Give internal teams a fast answer on whether an IP belongs to risky infrastructure, recent observed abuse, or a broader campaign before approving access, reviewing abuse, or escalating an incident.

Evaluate ACE v2 with real evidence, not generic reputation labels

Read the docs, run the public lookup, or start a trial and put ACE v2 behind your signup, login, payment, API, WAF, SIEM, or SOC workflows. FraudGuard gives you first-party IP intelligence that is built to be explained, tuned, and trusted in production.

Start Free Trial Read ACE v2 Docs Try Public Lookup