We don't aggregate lists. We run four primitives: a feed collector, a subnet scanner, an ASN identity refinery, and a base-zero scorer. Every verdict ships with a receipt you can audit before you block a customer.
Raw signal to actionable score. p99 under 50ms.
Tor, FireHOL, Blocklist.de, and internal honeypots.
Indexed range query over the /24 CIDR block. O(log N).
Landlord lookup (Clouvider, M247, Comcast) plus v2.3 base-zero math.
JSON + scoreReasons, served from Redis at p99 under 50ms.
Collectors run continuously against Tor exit lists, FireHOL Level 1, Blocklist.de, and our internal honeypot network. Every new IP lands in the datas collection within minutes, stamped with firstSeen so you can tell a two-year-old Tor exit from a botnet that spun up 14 minutes ago.
ip-collector.js
Geo-IP tools score one address at a time. We scan the whole /24 CIDR block around your attacker, and we'll reach up to /22 for wholesale-sized abuse clusters. If 26 of 256 neighbors are already flagged, we surface networkCluster: +25 on the first request, not the fifty-first. One indexed range query against ipLong. O(log N), not a table scan.
analyzeNetworkRelationships()
Your login doesn't come from "Unknown." It comes from a landlord. Comcast, Verizon Wireless, or a wholesale hosting operator like Clouvider, M247, or Performive. We parse the ASN name, the reverse-DNS hostname, and 50+ curated keywords, then tag every IP as hosting, residential, mobile, or a commercial VPN (NordVPN, Surfshark, ExpressVPN). Wholesale infrastructure gets flagged as proxy risk on contact.
asnType, isProxy, normalized ispclassifyAsn()
Every IP starts at 0. We don't assume your user is half-guilty with a base of 50. Clean residential lines earn a -10 trust bonus, mobile carriers earn -5, and clear infrastructure signals get charged: asnHosting +15, proxyInferred +20, tor +45. Every delta lands in scoreReasons with a component name, a signed integer, and a human-readable detail. Verify the logic before you block a customer.
calculateTrustScore() · version v2.3-base-zero
Developers hate magic numbers. Every score CandycornDB returns ships with scoreReasons: a structured array that lists every signal that fired, the signed delta it contributed, and a human-readable detail. You can reconstruct the final score with a single reduce().
This is the actual wire shape from /api/public/ip-score, not a marketing mockup. Served out of Redis at p99 under 50ms. Stamped with scoreVersion so a silent model change surfaces in your CI, not in production.
Pull your first base-zero score with a full scoreReasons receipt in under 60 seconds.