Detection Signals

Each signal is evaluated independently. When a signal fires, its point value is added to the Trust Score. The Details array in the webhook lists every signal for that session.

Device Signals (OS Fingerprinting)

ShieldLabs compares User-Agent OS against the TCP stack fingerprint from Shield.Tcp (passive capture — TTL, MSS, window size). Anti-detect browsers change the User-Agent but cannot fake the OS kernel TCP stack.

Signal	Points	When it fires
`UA OS is not detected`	+30	Cannot determine OS from User-Agent
`Network OS is not detected`	+30	TCP fingerprint did not match any known OS
`Fail by windows os detect`	+60	UA says Windows, TCP says not Windows
`Fail by linux os detect`	+60	UA says Linux, TCP says not Linux
`Fail by android os detect`	+60	UA says Android, TCP says not Android
`Fail by IOS detect`	+60	UA says iOS, TCP says not iOS/macOS
`Fail by Mac OS detect`	+60	UA says macOS, TCP says not macOS/iOS
`Antidetect browser (...)`	+60	Localhost antidetect/automation ports detected

OS mismatch scenarios

Scenario	User-Agent	TCP	Signal
Clean Windows user	Windows	Windows	No signal
ADS with Mac UA on Windows	macOS	Windows	`Fail by Mac OS detect` +60
Headless	Unknown	Unknown	`UA OS not detected` +30, `Network OS not detected` +30

Network Signals (IP Intelligence)

Sourced from ipapi.is plus Shield.Tcp VPN hints (direct, vpn, tor_double_vpn, datacenter).

Signal	Points	Description
`Is tor`	+99	Tor exit node (exclusive)
`Is privacy relay`	+15	iCloud Private Relay (exclusive)
`Is VPN`	+15	VPN via 2-of-3 rule — see Scoring Rules
`Browser VPN/Proxy`	+30	Extension VPN/proxy collapse
`Is proxy`	+10	Proxy server IP
`Is datacenter`	+10	Cloud/datacenter ASN
`Is abuser`	+10	Abuse blacklist IP

Connectivity Signals (STUN/ICE)

WebRTC STUN confirms UDP connectivity and contributes to VPN detection.

Signal	Points	Description
`Stun is not checked`	+30	No STUN binding within scoring window
`Browser timezone ≠ IP-timezone`	+10	Browser timezone ≠ IP geolocation timezone

STUN failure also counts as one of three VPN detection signals.

How signals combine

Example: Anti-detect on VPN (UA=macOS, TCP=Windows, STUN failed)

  Is VPN:                  +15  (2-of-3: IP + STUN)
  Fail by Mac OS detect:   +60  (blocked by VPN exclusive rule)
  ──────────────────────────────
  Score: 15  (VPN exclusive — OS mismatch not added)

Without VPN exclusive rule:

  Is datacenter:           +10
  Fail by Mac OS detect:   +60
  Stun is not checked:     +30
  ──────────────────────────────
  Score: 100

Reading the Details array

"Details": [
  { "Value": 10, "Description": "Is datacenter" },
  { "Value": 30, "Description": "Stun is not checked" },
  { "Value": 10, "Description": "Browser timezone ≠ IP-timezone" }
]

The sum of scored Value fields equals Score. Debug entries with Value: 0 are informational only.

​Detection Signals

​Device Signals (OS Fingerprinting)

​OS mismatch scenarios

​Network Signals (IP Intelligence)

​Connectivity Signals (STUN/ICE)

​How signals combine

​Reading the Details array