The Hazard Report is BigDataCloud’s consolidated view of IP address risk. It combines reactive signals (evidence of past malicious behaviour) with proactive indicators (likelihood of future misuse) to help you make safer, faster decisions about incoming traffic, users, and transactions.
Instead of relying solely on “who attacked before”, the Hazard Report blends that history with forward-looking assessments — such as whether an IP belongs to a likely hosting environment with no eyeball behind the device. This dual approach provides a more complete picture of threat likelihood.
Why it matters
- Reduce blind spots — Traditional methods miss new or hidden threats (e.g., unlisted VPNs/proxies). Proactive indicators close the gap.
- Accelerate decisions — Summarised, structured signals speed up automated or manual risk evaluation.
- Improve zero-day defence — Recognise likely malicious infrastructure before it’s used, not after.
How it works: Reactive + Proactive signals
The Hazard Report aggregates multiple categories of evidence:
- Reactive signals — Checks against widely used blocklist and abuse databases; indicators of previously observed malicious activity; known anonymiser detections where available.
- Proactive indicators — The Hosting Likelihood model assesses whether an IP sits in infrastructure characteristic of servers and automated systems (rather than residential “eyeball” networks). This helps identify high-risk traffic even when there’s no prior incident history.
By evaluating both dimensions, the report helps you distinguish between routine residential traffic and infrastructure more commonly associated with bots, scrapers, and attack staging.
Key fields explained
hostingLikelihood(0–10)- A score indicating the probability that the IP belongs to a hosting environment. Higher values imply greater likelihood of non-human or automated usage. See What is Hosting Likelihood? for details.
- ASN & provider context
- Signals that the Autonomous System (AS) announcing the IP space appears to be a hosting or data-centre provider rather than a residential ISP.
- Blacklist / abuse checks
- Evidence that the IP has been reported for spam, abuse, or other malicious activity in third-party datasets (where applicable).
- Anonymiser indicators
- Detection heuristics for VPNs, proxies, and related services where identifiable. Note that some services deliberately obfuscate their footprint and may evade purely reactive detection.
- Composite risk perspective
- A structured view that lets you weigh reactive evidence against proactive indicators to support allow/deny, step-up verification, or rate-limit decisions.
Common use cases
- E-commerce — Reduce card-not-present fraud by stepping up verification for high-risk sources.
- Account security — Trigger MFA or velocity limits for sign-ins from likely hosting environments.
- Content platforms — Throttle or block automated posting and scraping from non-eyeball networks.
- Ad integrity — Filter non-human traffic to protect budgets and improve campaign analytics.
Ready to integrate? See the Hazard Report API for implementation details.