Cymatic's IP Reputation Scoring

Analyzing Results

Cymatic determines if the IP address is high risk based on the following data points:

Fraud Scores - Overall score from 0 to 100 that indicates how likely it is that the IP address belongs to an abusive user or is associated with malicious behavior. Fraud Scores for proxy & VPN connections with average risk are in the 70-75 range. Some clients may find that IP addresses with scores in this range are not problematic. However, Fraud Scores >= 80 indicate abusive and malicious behavior, so we strongly recommend blocking requests associated with these scores. Filtering traffic, users, and transactions by the Fraud Score is the easiest way to quickly analyze results.
Abuse Velocity - Indicates frequent abusive behavior over the past 24-48 hours. Values can be "high", "medium", "low", or "none". "High" and "medium" levels are usually associated with poor reputation IP addresses.
Recent Abuse - This data point will be true for all users with recent abusive behavior detected among our honeypots, traps, and live sites across the Cymatic network that report real-time data back to our scoring engines.
Bot Status - This data point will be true when this IP address has recently been involved in a botnet or made automated, non-human requests.

Cymatic will return the following threat vectors:

recent_abuse - This value will indicate if there has been any recently verified abuse across our network for this IP address. Abuse could be a confirmed chargeback, compromised device, fake app install, or similar malicious behavior within the past few days.
abuse_velocity - How frequently the IP address is engaging in abuse across the Cymatic threat network. Values can be "high", "medium", "low", or "none". Can be used in combination with the Fraud Score to identify bad behavior.
bot_status - Indicates if bots or non-human traffic has recently used this IP address to engage in automated fraudulent behavior. Provides stronger confidence that the IP address is suspicious.
vpn - Is this IP suspected of being a VPN connection? This can include data center ranges which can become active VPNs at any time. The "proxy" status will always be true when this value is true.
tor - Is this IP suspected of being a TOR connection? This can include previously active TOR nodes and exits which can become active TOR exits at any time. The "proxy" status will always be true when this value is true.
active_vpn - Identifies active VPN connections used by popular VPN services and private VPN servers.
active_tor - Identifies active TOR exits on the TOR network.
mobile - Is this user agent a mobile browser?
fraud_score - The overall fraud score of the user based on the IP, user agent, language, and any other optionally passed variables. Fraud Scores >= 75 are suspicious, but not necessarily fraudulent.
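
The sketch below is an added example, not Cymatic's code: it shows one way to turn the threat vectors above into a block / review / allow decision using the thresholds this page gives (>= 80 block, >= 75 suspicious). It assumes the vectors arrive as a flat dictionary keyed by the field names listed here; the triage function, the "review" tier, and the sample records are hypothetical.

```python
BLOCK_SCORE = 80       # page: Fraud Scores >= 80 should be blocked
SUSPICIOUS_SCORE = 75  # page: Fraud Scores >= 75 are suspicious, not necessarily fraudulent
ELEVATED_VELOCITY = {"high", "medium"}  # page: usually poor-reputation IP addresses


def triage(rec):
    """Map one IP reputation record to ("block" | "review" | "allow", reasons)."""
    score = rec.get("fraud_score")
    valid = isinstance(score, (int, float)) and not isinstance(score, bool)
    if not valid or not 0 <= score <= 100:
        # Assumption: a missing or malformed score goes to review, never to allow.
        return "review", ["fraud_score missing or outside 0-100"]

    reasons = []
    for limit in (BLOCK_SCORE, SUSPICIOUS_SCORE):
        if score >= limit:
            reasons.append(f"fraud_score {score} >= {limit}")
            break
    if rec.get("recent_abuse") is True:
        reasons.append("recent_abuse")
    if rec.get("bot_status") is True:
        reasons.append("bot_status")
    velocity = str(rec.get("abuse_velocity", "none")).lower()
    if velocity in ELEVATED_VELOCITY:
        reasons.append(f"abuse_velocity={velocity}")
    # The page states "proxy" is always true when vpn or tor is true, so a
    # record that violates this is treated as untrustworthy input.
    if (rec.get("vpn") or rec.get("tor")) and rec.get("proxy") is not True:
        reasons.append("vpn/tor set without proxy")

    if score >= BLOCK_SCORE:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


# Constructed sample records, not real Cymatic output.
SAMPLES = {
    "commodity_vpn": {"fraud_score": 72, "vpn": True, "proxy": True,
                      "abuse_velocity": "none", "recent_abuse": False},
    "vpn_with_abuse": {"fraud_score": 72, "vpn": True, "proxy": True, "abuse_velocity": "Medium"},
    "high_risk_bot": {"fraud_score": 92, "bot_status": True},
    "inconsistent": {"fraud_score": 40, "tor": True, "proxy": False},
    "malformed": {"fraud_score": "85"},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, *triage(rec))
```

An average-risk VPN record with a score of 72 and no other signals is allowed, while the same score with a "medium" abuse_velocity is sent to review, which reflects the page's advice to combine abuse_velocity with the Fraud Score.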

How to interpret the data within the Cymatic UI

User Intel > IP Risk Widget - The data shown here is filtered by IP Risk that is >=80 / High Risk. The results are per user profile, not per login. In other words, if user A logged in 3 times in that time period, this number will reflect only 1. To see all events, please refer to the widget under Analytics > IP Analysis.

Analytics > IP Analysis - The data shown here is filtered by IP Risk and is broken into 2 parts: (1) Risky and (2) Safe. Cymatic displays Risky IPs as IPs that have a fraud score >=80. All IPs under 80 are shown as safe. The results are per attempt, not per profile. In other words, if user A logged in 3 times with a Risky IP in that time period, this number will reflect 3 even if the same risky IP was used all 3 times. You can download the report via the download button in the upper right corner of the widget to get details on which users are included in this analytic and why.

Users > Risks > IPs - The data shown here is filtered by IP Risk that is >=80 / High Risk. This view is different from the other two views discussed above as it is sorted by IP address, not by user. Therefore, you can get a list of all risky IPs that attempted to access your application. You can then slice this data further by clicking the magnifying glass in the first column to display the users who came from that address. This will help identify potential risk from a shared location, like public WiFi.

Activity Logs > Pre Verifications/Verifications - When an IP risk >=80 / High Risk is seen on a login attempt or during a session, a 'Threat Flag' will be displayed under the 'Threat Flag' column. You can click on this flag to display more information about the IP risk on the attempt/login.

Users > Profiles > IPs - This will list all IPs seen from that user. This list is the only place where Cymatic will display all IP risk levels and does not filter this data by risk level.