IP threat intelligence

Detect VPNs, proxies, Tor exit nodes & datacenter IPs.

Risk score, TLS fingerprints, anonymizer flags — straight from the same edge that processes Nevision's session traffic.

Free — no signup required

Built for fraud, abuse & bot teams

Three signals, one score. Drop into your decision pipeline as a single API call.

Anonymizer detection

VPN, proxy, Tor exit, and datacenter flags merged from MaxMind, AWS WAF managed rules, and the daily Tor exit list. Surfaced as a 0–100 risk score per IP.

JA3 / JA4 fingerprinting

Captured at the TLS handshake at our CloudFront edge. Identifies the client software regardless of User-Agent — bots and headless browsers leak distinct fingerprints.

Real-time risk score

Combines all signals into a single 0–100 score. Tune your thresholds: 70+ block, 40–69 step-up auth, <40 allow. No black-box ML — every signal is documented and adjustable.

Get the API on every plan

Same enrichment, your account API key, no per-visitor cap. From 1,000/month free to 2.5M/month on Business.

Free

1,000/mo

$0/mo

Lite

25,000/mo

$12/mo

Pro

250,000/mo

$39/mo

Business

2.5M/mo

$99/mo

Frequently asked

How does VPN/proxy detection work?+

We combine three signals: (1) the daily Tor exit-node list, refreshed at 04:00 UTC; (2) AWS WAF Managed Rules' AnonymousIpList annotation, which flags known commercial VPNs and anonymizing proxies at the edge; (3) ASN-level classification of datacenter ranges (DigitalOcean, OVH, Hetzner, etc.). The combined signal is a 0–100 risk score.

What's the difference between VPN, proxy, Tor, and datacenter flags?+

VPN = commercial VPN providers (NordVPN, ExpressVPN, etc.). Proxy = open or anonymizing HTTP proxies. Tor = current Tor exit nodes. Datacenter = IP belongs to a hosting provider's range (often the source of bots and scrapers). An IP can carry multiple flags — a Tor exit hosted on DigitalOcean would flag both Tor and datacenter.

What are JA3 and JA4 fingerprints?+

JA3 and JA4 are hashes of the TLS Client Hello — they identify the client software at the protocol level. Useful for fraud detection because a headless browser or curl-with-spoofed-User-Agent leaks a different fingerprint than a real Chrome. We capture them at the TLS handshake at our CloudFront edge, so they're only available when looking up your own IP (not when looking up arbitrary IPs).

How accurate is the threat detection?+

Tor detection: ~99% (we sync the official exit list daily). Commercial VPN detection: ~85–95% via AWS WAF (lags new IPs by 12–24h). Datacenter detection: 95%+ at ASN level — the trade-off is that legitimate cloud-hosted servers also flag as datacenter.

Should I block all anonymous IPs?+

Almost never. ~5–15% of legit traffic comes through VPNs (corporate, privacy-conscious users, travelers). Use the risk score as one input — combine with behavioral signals (rate, page sequence, form patterns) and block-lists curated for your specific abuse vectors.

Can I use this in production?+

Yes — this exact backend is the API every Nevision plan ships with. Free plan: 1,000 lookups/month. Pro: 250,000/month. Business: 2.5M/month. Authenticated GET /v1/lookup endpoint, sub-100ms latency from the edge.

What's the rate limit on this free tool?+

5 lookups per visitor IP per day. Resets at UTC midnight. For higher volumes, sign up — Free plan starts at 1,000 lookups/month with no per-visitor cap.

Related

Free IP Address Lookup →

Same backend, broader view: geolocation, ASN, ISP, network details — plus the same threat data.