Skip to main content
Anonymity Signals tell you how masked a visit is: VPN, proxy, Tor, Privacy Relay, datacenter, abuse reputation, anti-detect browsers, and consistency mismatches. Each signal is a plain-language entry in the Details array when it fires, with the points it added. ShieldLabs surfaces these signals. Your own code owns the decision: allow, challenge, review, or block. See Risk Scoring.

The signals, by outcome

Each signal answers one question about the visit. The groups below describe what each one tells you, not how it is found.

Network and anonymity

These signals tell you the connection is relayed, tunneled, or coming from infrastructure rather than an ordinary network.
  • Tor - the connection exits through the Tor network.
  • VPN - the connection runs through a VPN.
  • Privacy Relay - the connection uses iCloud Private Relay or a similar relay.
  • Proxy - the connection is routed through a proxy.
  • Browser VPN/Proxy - an in-browser VPN or proxy extension is in use.
  • Datacenter IP - the IP belongs to a datacenter or hosting network.
  • Abuser Flag - the IP or device appears on an abuse reputation list.

Consistency and mismatch

These signals tell you the browser’s story and the network’s story disagree, which is what spoofed or relayed visits leave behind.
  • OS Mismatch - the operating system the browser reports does not match other evidence.
  • IP Mismatch - the visitor’s reported and observed IP addresses disagree.
  • Timezone Mismatch - the device timezone does not match the IP location.

Environment

These signals tell you the runtime is spoofed, stripped, or could not be fully verified.
  • Anti-detect Browser - the browser shows anti-detect or fingerprint-spoofing indicators.
  • JavaScript Disabled - the page ran without the script environment a real browser provides.
  • OS not Detected - the operating system could not be determined.
  • Network check incomplete - a network verification step could not be completed.

Signal weights

Each signal carries a fixed weight. A higher weight is stronger evidence that the visit is masked, spoofed, or abusive.
SignalWeightWhat it means
Tor99Connection exits through the Tor network
JavaScript Disabled90The page ran without the script environment a real browser provides
OS Mismatch60The operating system the browser reports does not match other evidence
Anti-detect Browser60The browser shows anti-detect or fingerprint-spoofing indicators
Browser VPN/Proxy30An in-browser VPN or proxy extension is in use
OS not Detected30The operating system could not be determined
Network check incomplete30A network verification step could not be completed
IP Mismatch30The visitor’s reported and observed IP addresses disagree
VPN15The connection runs through a VPN
Privacy Relay15The connection uses iCloud Private Relay or a similar relay
Proxy10The connection is routed through a proxy
Datacenter IP10The IP belongs to a datacenter or hosting network
Abuser Flag10The IP or device appears on an abuse reputation list
Timezone Mismatch10The device timezone does not match the IP location
Signals sum into the Risk Score and the total is capped at 100. The strongest anonymity signal (Tor, then Privacy Relay, then VPN) takes priority over the others.

Why the VPN signal catches more

ShieldLabs corroborates VPN across multiple signals, so it catches masking that a simple IP blocklist misses. A blocklist is always behind: commercial VPNs rotate through large IP pools daily, and residential proxies hide on ordinary consumer ISPs. Because the VPN signal does not depend on a list alone, a fresh exit node that no blocklist has yet seen can still surface.

Connection type

Every visit also resolves to a single connection type, the headline label for how the visit reaches you. It is stored on the snapshot and shown in the dashboard.
Connection typeWhat it means
DirectAn ordinary connection with no masking signal
MobileA mobile carrier network
VPNThe connection runs through a VPN
ProxyThe connection is routed through a proxy
TorThe connection exits through the Tor network
Privacy RelayiCloud Private Relay or a similar relay
UnknownThe connection type could not be determined
The connection type is a summary. The Details array on the Risk Score is the full breakdown: one visit can carry a proxy connection type along with a datacenter and abuser flag underneath it.

A masked visit is not always abuse

A legitimate visitor can carry these signals. A corporate VPN, iCloud Private Relay, or a privacy-focused browser all raise the score without any wrongdoing.
Decide on the Score, the Details, and the sensitivity of the action together, never on the connection type alone. A payment screen is not a blog read. See Acting on the Risk Score.
Because every signal is explainable, your code can treat Privacy Relay differently from a datacenter VPN. Both are masking, but they carry different intent, and you decide which action each one warrants.

Example

A visit on a proxy with a timezone mismatch returns both reasons in Details: 
{
  "RequestID": "13f84f05-3b2a-4f1e-9c7d-2a4b6e8f0a11",
  "DeviceID": "5eb7fd5c-8c2e-4a91-b0f3-1d7c9e2a4b55",
  "VisitorID": "161dfbad-2f4a-4c81-9e0b-7a3c5d8f1e22",
  "IP": "203.0.113.42",
  "OS": "Windows",
  "Country": "Germany",
  "UserHID": "u_7f3c9a2b",
  "Score": 20,
  "Details": [
    { "Value": 10, "Description": "Proxy" },
    { "Value": 10, "Description": "Timezone Mismatch" }
  ],
  "LastRequestTime": "2026-06-16T18:00:21.685Z",
  "Phase": "initial"
}
Because both reasons are visible, your code can hold this visit for a step-up challenge on a withdrawal while letting the same visit read a blog post with no friction.

Next steps

Risk Scoring

How signal weights roll up into the 0-100 score and the Clean, Low, Medium, and High bands.

Patterns

The dashboard patterns that grade an identity over time, distinct from these per-request signals.