Understanding the Hazard Report
The Hazard Report is BigDataCloud's consolidated view of IP address risk. It combines reactive signals (evidence of past malicious behaviour) with proactive indicators (the likelihood of future misuse) to help you make safer, faster decisions about incoming traffic, users, and transactions.
Rather than relying solely on whether an IP has been reported before, the Hazard Report blends historical evidence with forward-looking assessments — such as whether an IP belongs to a hosting environment with no real user behind it. This dual approach provides a more complete picture of threat likelihood than blocklist checks alone.
Why it matters
- Reduce blind spots — Traditional blocklist methods miss new or unlisted threats such as newly provisioned VPNs and proxies. Proactive indicators close that gap.
- Accelerate decisions — Structured, machine-readable signals speed up both automated risk evaluation and manual review.
- Improve zero-day defence — Recognise likely malicious infrastructure before it is used, not after an incident has occurred.
How it works: reactive and proactive signals
The Hazard Report aggregates multiple categories of evidence:
- Reactive signals — Checks against widely used blocklist and abuse databases; indicators of previously observed malicious activity; known anonymiser detections where available.
- Proactive indicators — The Hosting Likelihood model assesses whether an IP sits in infrastructure characteristic of servers and automated systems rather than residential networks. This helps identify high-risk traffic even when there is no prior incident history.
By evaluating both dimensions, the report helps you distinguish between routine residential traffic and infrastructure more commonly associated with bots, scrapers, and attack staging.
Key fields explained
| Field | Description |
|---|---|
hostingLikelihood (0–10) |
Probability that the IP belongs to a hosting environment. Higher values imply greater likelihood of non-human or automated usage. See What is Hosting Likelihood? |
| ASN and provider context | Signals that the Autonomous System (AS) announcing the IP space appears to be a hosting or data-centre provider rather than a residential ISP. |
| Blocklist and abuse checks | Evidence that the IP has been reported for spam, abuse, or other malicious activity in third-party datasets where applicable. |
| Anonymiser indicators | Detection signals for VPNs, proxies, and related services where identifiable. Some services deliberately obfuscate their footprint and may evade purely reactive detection. |
| Composite risk perspective | A structured view that lets you weigh reactive evidence against proactive indicators to support allow, deny, step-up verification, or rate-limit decisions. |
Common use cases
- E-commerce — Reduce card-not-present fraud by stepping up verification for high-risk sources.
- Account security — Trigger multi-factor authentication or velocity limits for sign-ins from likely hosting environments.
- Content platforms — Throttle or block automated posting and scraping from non-residential networks.
- Ad integrity — Filter non-human traffic to protect budgets and improve campaign analytics.
For implementation details, see the Hazard Report API.