The Risk Score is a single number from 0 to 100 that tells you how anonymous or abusive a visit looks, with the signals behind it. Higher means more anonymous: more likely masked, spoofed, or abusive. ShieldLabs surfaces the score and the reasons; your own code decides allow, challenge, review, or block. The score is hard-capped at 100. Individual signals can sum past 100 internally, but the score you receive is always clamped to 100. There is no value above 100 and no negative score.

Explainable by design

Every score ships with the reasoning attached, so you never act on a black box. The score travels with a Details array: one entry per signal that fired, each { "Value": <int>, "Description": "<signal>" }. Value is the points that signal added; Description names it in plain language. A realistic webhook body for a visit on a proxy with a timezone mismatch:
{
  "RequestID": "13f84f05-3b2a-4f1e-9c7d-2a4b6e8f0a11",
  "DeviceID": "5eb7fd5c-8c2e-4a91-b0f3-1d7c9e2a4b55",
  "VisitorID": "161dfbad-2f4a-4c81-9e0b-7a3c5d8f1e22",
  "IP": "203.0.113.42",
  "OS": "Windows",
  "Country": "Germany",
  "UserHID": "u_7f3c9a2b",
  "Score": 20,
  "Details": [
    { "Value": 10, "Description": "Is proxy" },
    { "Value": 10, "Description": "Browser timezone ≠ IP-timezone" }
  ],
  "LastRequestTime": "2026-06-16T18:00:21.685Z",
  "Phase": "initial"
}
The score is 20 because the two signals add 10 points each. Because both reasons are visible, your code can treat that 20 on a payment screen differently from a 20 on a blog read.
The Risk Score is delivered by webhook and readable from the History API. The browser does not compute it. See Webhooks and the Management API.
The score maps to four bands, and these labels are the only ones ShieldLabs uses. The recommended action is a guide, not a rule: you set the action per band that fits your own risk tolerance.
| Band | Range | Meaning | Recommended action (a guide, not a rule) |
|---|---|---|---|
| Clean | 0–9 | No meaningful signals | Pass through, no friction |
| Low | 10–29 | One minor signal | Allow, worth logging |
| Medium | 30–59 | Several overlapping signals, or one moderate signal | Step-up challenge, second look, or review |
| High | 60–100 | Strong anonymity or abuse signals | Block, review, or require verification |

How signals combine

The score is additive: each signal in Details contributes its points, the total is summed, then capped at 100. A few rules shape which signals are added.
  • The strongest anonymity signal takes priority. Tor, Privacy Relay, and VPN are evaluated in that order; if one fires, the weaker anonymity signals are not added on top of it.
  • Proxy-family signals stack. Proxy, Datacenter, and Abuser reputation signals add up with each other.
  • Everything is summed, then capped at 100. A very high total is clamped down to the 100 ceiling.
For the complete list of signals and their per-signal weights, see Anonymity Signals.
A legitimate user can score high. A corporate proxy, a VPN, or a privacy browser all raise the score without any wrongdoing. Decide on Score plus Details plus context (signup, login, payment, withdrawal), never on the number alone. Tune your thresholds gradually as you observe real traffic.
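One way to apply the bands and the additive rule on the receiving side, as an added example that is not ShieldLabs code: it parses a webhook body, rejects any Score outside 0 to 100, checks the Score against the capped sum of Details, and picks an action by band and context. The `POLICY` table, the context names, and the function names are assumptions made for illustration.

```python
import json

# Band boundaries from the table on this page.
BANDS = [(0, 9, "Clean"), (10, 29, "Low"), (30, 59, "Medium"), (60, 100, "High")]

# Hypothetical per-context policy (an assumption, not ShieldLabs guidance).
POLICY = {
    "blog":    {"Clean": "allow", "Low": "allow", "Medium": "allow", "High": "challenge"},
    "payment": {"Clean": "allow", "Low": "challenge", "Medium": "review", "High": "block"},
}

# Constructed sample, trimmed from the webhook body shown on this page.
SAMPLE = """{
  "Score": 20,
  "Details": [
    {"Value": 10, "Description": "Is proxy"},
    {"Value": 10, "Description": "Browser timezone ≠ IP-timezone"}
  ],
  "Phase": "initial"
}"""


def band_for(score):
    """Map a 0-100 score to its band name."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"Score outside the 0-100 scale: {score!r}")


def evaluate(body, context):
    """Parse a webhook body and pick an action for the given context."""
    event = json.loads(body)
    score = event.get("Score")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(score, bool) or not isinstance(score, int):
        raise ValueError(f"Score is not an integer: {score!r}")
    band = band_for(score)  # raises for 999, negatives, anything over 100
    details = event.get("Details", [])
    # Additive rule from this page: sum of Details values, capped at 100.
    # A mismatch is only flagged for logging (assumption: it is not fatal).
    consistent = score == min(sum(d["Value"] for d in details), 100)
    return {
        "band": band,
        "action": POLICY[context][band],
        "reasons": [d["Description"] for d in details],
        "consistent": consistent,
    }
```

With the sample body, the same Score of 20 yields `allow` for the `blog` context and `challenge` for `payment`, and the `reasons` list carries the Details descriptions for logging.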

999 is not a score

The customer-facing scale is 0 to 100 only. You may see the value 999 referenced internally: it is a rate-limit ban marker, never a customer score and never a band. A rate-limit ban surfaces as a separate gateway behavior, HTTP 429, not as a value in the payload. See Rate limits.

Next steps

Acting on the Risk Score

Turn Score plus Details into allow, challenge, review, or block in your own code.

Patterns

Ready-made abuse patterns that link activity across accounts, devices, and IPs.

Anonymity Signals

Every signal that can fire, its weight, and what it means.