Privacy Detection That Works at Decision Time, Locally.
Fraud reviews and security investigations lose critical context when anonymized traffic goes undetected at decision time. A VPN flag arrives after a payment is approved. A SOC analyst triages an alert without knowing the source IP was a Tor exit node.
Three Environments Where an API-Based Lookup Doesn’t Fit.
An API is the right tool for plenty of privacy detection work. But some environments carry constraints an outbound lookup can’t satisfy.
Latency
An API call adds round-trip time at the exact moment a fraud or security decision is being made. A delayed VPN or proxy flag during login or payment review can turn a detectable event into an approved transaction or successful account takeover.
External dependency
An outage during a fraud campaign or active security incident means anonymized traffic goes unflagged entirely. Fraud teams approve transactions without VPN or proxy context, while SOC teams investigate alerts without visibility into masked infrastructure.
Data residency and compliance
Many regulated environments require all enrichment and decisioning to happen internally. Financial services, healthcare platforms, and government security operations often cannot route transaction or authentication data through external APIs during live workflows.
When Anonymized Traffic Loses Context at Decision Time
Privacy signals shape fraud reviews, escalation workflows, and security investigations long before an incident reaches a human analyst. When VPN, proxy, Tor, or relay context arrives late, teams make decisions with incomplete visibility.
One blind decision
A payment clears, or a login is allowed, before the VPN, proxy, or Tor signal reaches the review. The decision ships on time, just without the one piece of context that would have changed it.
And nothing catches it
Because nothing flagged the anonymized source, the event is never escalated or re-reviewed. The bad call now sits inside your system looking exactly like a good one.
And it spreads
The same actor reuses the same anonymizing infrastructure across more sessions and accounts. With no signal tying them together, each one is treated as unrelated and clean.
And the trail goes cold
When the pattern finally surfaces, the proxy context is identified only in hindsight. Investigations drag, escalation quality drops, and the audit trail can't reconstruct what was actually connected.
Why Many Privacy Detection Tools Create Operational Gaps
Most privacy detection tools were built around convenience rather than operational control. That becomes a problem when fraud systems, security workflows, and compliance reviews depend on accurate anonymization signals at decision time.
Free / open-source
Free and open-source lists often provide limited coverage, infrequent updates, and little visibility into hosting or broader anonymization infrastructure.
Inference-based
Many privacy datasets rely on indirect indicators such as hosting classifications, ASN ownership, or historical reputation. Those signals can be useful, but they don't always reflect how an IP is being used today.
Black-box scoring
Black-box scoring models collapse VPN, proxy, Tor, and relay signals into a single score. IPinfo exposes the underlying signals directly so teams can apply their own fraud, security, and compliance logic.
Want to see the data in action? We’ll show you exactly what the gap looks like on your traffic.
The Privacy Detection Database: Anonymizer Detection Without External Dependencies
The database lives inside your infrastructure. VPN, proxy, Tor, and relay detection happens through local lookups, with no outbound API calls, rate limits, or external dependencies at decision time.
That means privacy signals remain available inside fraud prevention systems, security workflows, and regulated environments where decisions need to happen immediately. Every detection type is exposed as a discrete field, giving your team direct access to the underlying signals and full control over how they are used.
- Local lookups
- No HTTP
- Air-gapped friendly
- Same verdict everywhere
Pull a Sample. Run It Against Your Own Traffic.
Download a sample of the privacy detection database and compare it against recent login, transaction, or security event data. See how our signal change the outcome.
What's in the file.
Every anonymization signal ships as a discrete field you can act on, across the full IPv4 and IPv6 space.
is_vpnis_proxyis_toris_relayis_hostingserviceTransparent Signals You Can Trust
IPinfo takes a different approach to privacy detection. VPN, proxy, Tor, and hosting detections are exposed as discrete fields, giving your team direct access to the underlying signals. Fraud teams, security analysts, and compliance teams can build logic around the factors that matter in their environment instead of adapting their workflows to a vendor-defined score.
Direct Provider Verification
Active subscriptions to the VPN services we track provide firsthand visibility into provider infrastructure. That direct verification helps identify anonymization infrastructure that legacy detection methods often miss.
Active Infrastructure Detection
Internet-wide scanning, VPN handshake testing, traceroute analysis, and infrastructure measurement help uncover anonymization services operating across the internet. This approach provides visibility into infrastructure that is otherwise difficult to identify.
Daily Refreshes for Changing Infrastructure
Privacy datasets are most accurate when they reflect how anonymization infrastructure operates today. Daily refreshes help account for newly deployed exit nodes, infrastructure changes, and provider updates.
The Signals Matter More Than the Score
Most privacy detection tools give you a score. Those abstract away the signal.
What constitutes a high-risk IP depends on your environment, your users, and your risk tolerance. IPinfo exposes VPN, proxy, Tor, and relay detections as discrete fields, giving your team the inputs to build scoring, decisioning, and investigation workflows that fit your use case.
risk_score: 87 — opaque, vendor-defined, hard to defend in an audit.vpn: true, proxy: false, tor: false, hosting: true, service: "NordVPN" — your rule, your call.Switching Privacy Detection Databases Without Rebuilding Your Stack
One catalog. Four formats. Daily refresh. Pick the one your stack already speaks.
If you're already running a local privacy detection database, switching to IPinfo is a file swap: same place in your stack, richer signals underneath. The database ships as MMDB for fast binary lookups and CSV for database imports, with Parquet and JSON for data lake and warehouse pipelines like Snowflake, Databricks, and BigQuery. Daily updates drop straight into the tools you already run, from Splunk and Microsoft Security Copilot to your own fraud, SIEM or SOAR, and enrichment workflows.
MMDB
~140 MBMemory-mapped binary. Sub-millisecond reads for authentication, fraud prevention, and security workflows.
CSV
~420 MBRange-per-row. Easy imports into warehouses, enrichment pipelines, and internal tools.
JSON
~580 MBOne record per IP block. Built for APIs, automation, and systems that already speak JSON.
Parquet
~110 MBColumnar and compressed. Optimized for Snowflake, Databricks, BigQuery, and large-scale analytics.
Cloud storage push
AWS S3, Google Cloud Storage, or Azure Blob Storage. Pulled into your account via presigned URL. IAM-scoped, versioned, region-pinned.
Direct download
Signed HTTPS URL with a rotating token. Drop into a cron, ship to your CDN, mirror to your registry.
Webhook
POST to your endpoint the moment a new snapshot is signed and ready. Useful for time-sensitive fraud rules.
Cloud marketplace
Subscribe through Snowflake Marketplace or Google Cloud Marketplace. Procure on existing cloud commit, data flows into your account.
The file lands in your environment. From there, it's a connector or a one-line load into whatever your team already runs.
See What Anonymized Traffic Looks Like in Your Environment
Run IPinfo's privacy detection data against your own traffic. Evaluate VPN, proxy, Tor, hosting, and relay signals against real activity and see how additional context improves your day-to-day work.
Not Sure You Need the Database?
If your volumes are modest or your lookups are occasional, the API or a standard subscription may serve you better: the same IP privacy data, delivered differently. We’d rather route you to the right fit than sell you more than you need.
Put the lookup next to your code.
Pull a sample dataset and run it against your traffic. Talk to sales when you're ready to size a license to the volume you're actually pushing.
Frequently Asked Questions
For the majority of teams, the transition is straightforward. IPinfo's privacy detection database is available in familiar formats and can be integrated into the same fraud, security, and enrichment workflows.
IPinfo combines direct observation, infrastructure verification, and continuous validation to classify VPN, proxy, Tor, relay, and hosting infrastructure. The dataset is refreshed daily and regularly verified against active anonymization services and observed network behavior.
Daily. VPN providers add exit nodes, hosting providers change ownership, and proxy infrastructure shifts constantly. Daily updates help keep classifications aligned with active infrastructure.
Yes. The database is designed for local deployment and can be used in environments where outbound API calls are restricted or unavailable.
MMDB, CSV, JSON, and Parquet. Teams use MMDB for high-performance local lookups, while CSV, JSON, and Parquet support enrichment pipelines, analytics environments, and data warehouse workflows.
Deploy the database locally and perform lookups directly inside your application, fraud platform, SIEM, SOAR, or enrichment workflow. All classifications are available without contacting an external service at decision time.
MMDB is a compact binary database format optimized for extremely fast IP lookups. It is widely used in production environments because it supports local lookups with minimal latency and resource overhead.
Yes. IPinfo supports OEM and redistribution use cases for organizations building commercial products and customer-facing platforms.
Synthetic identity operations often rely on VPNs and other anonymization services to create and manage accounts at scale. Privacy detection adds infrastructure context that helps fraud teams evaluate whether activity originates from environments commonly associated with account abuse.
Fraud velocity refers to the speed and frequency of suspicious activity. Privacy detection signals can provide additional context when identifying coordinated activity originating from anonymized infrastructure.
Yes. Privacy detection coverage includes both IPv4 and IPv6 address space, helping teams maintain visibility as IPv6 adoption continues to grow.
