Why IPQS, SEON, and Sift Miss 40% of Modern Threats

Open IPQualityScore. SEON. Sift. MaxMind minFraud. Try to find the field that tells you a visitor is using Kameleo, GoLogin, Multilogin, Dolphin{anty}, AdsPower, Incogniton, Linken Sphere, Octobrowser, Hidemium, or Vmlogin. It doesn't exist. 99% of fraud APIs in production today have zero visibility into the antidetect browser layer — the exact tool fraudsters use to spin up 500 fake accounts that all look like 500 different humans. This post is about why, and what catches them.

The fraud prevention industry has a dirty secret: most of the big-name platforms were architected in the mid-2010s, when bots used AWS and DigitalOcean IPs. That world no longer exists. Today's fraud stack is residential proxy + antidetect browser. Every major fraud vendor catches half of that, at best.

IPQualityScore (IPQS)

IPQS is the most widely deployed IP reputation API in the world, and also one of the most outdated when it comes to residential proxy detection. Their core database is built on static ASN and abuse history records. The moment a fraudster rotates to a fresh residential exit node, IPQS returns a clean score.

SEON

SEON's strength is social enrichment. This works for KYC verification but is largely useless for real-time bot detection. SEON does not perform client-side hardware fingerprinting, meaning it has no visibility into whether the browser connecting to your platform is headless.

The Sentinel Difference

Sentinel operates at the protocol and hardware layer, not the reputation layer. We look at how your user's device communicates, not just where it's connecting from. That distinction is the difference between catching 60% of fraud and catching the vast majority of it.

Sift

Sift's core architecture is a behavioral risk score driven by transaction data — order amount, customer history, product category, payment method, billing/shipping match. It's effective for the use case it was built for: post-payment chargeback risk on e-commerce checkouts where Sift has weeks of transactional context per customer.

It struggles in two scenarios that dominate 2026 fraud:

• First-touch detection — Sift needs prior signals to score a session well. A brand-new account or guest checkout has thin context, so the score tends toward "low risk" by default. Modern fraud rings exploit this with one-time-use synthetic identities that never reappear.
• Bot-driven traffic — Sift was never architected as a bot detection product. It treats humans and headless Chrome the same as long as the transactional metadata looks plausible. Agentic AI bots making first-time purchases at average-order-value with shipping addresses matching billing pass through cleanly.

Sift's pricing is also a barrier — minimum commitments typically start at $30k/year, which means most teams can't deploy it as a layer alongside another vendor.

The Architectural Reason All Reputation-Layer APIs Fail

IPQS, SEON, and Sift were all built before residential proxy networks reached commodity scale. Their core decision frameworks assume that an attacker's IP, email, or transaction pattern has detectable history. That assumption is now false:

• Residential proxy IPs are clean by definition — they are real consumer connections with no abuse history
• Synthetic identities pass email reputation checks because they use real, often aged, mailboxes purchased from underground markets at $1-5 per inbox
• First-touch transactions have no transactional history to score against

The detection layer that still works is the one that doesn't depend on prior history: real-time hardware and protocol fingerprinting. The attacker can rotate cards, IPs, emails, and identities cheaply. Rotating physical hardware is expensive — usually expensive enough that 90% of fraud volume comes from a small number of underlying devices, which is detectable as a cluster the moment two "different" sessions share enough hardware entropy.

What This Means If You're Building a Fraud Stack

Use reputation-layer APIs (IPQS, SEON, Sift) as a coarse first-pass filter. They will catch the obvious 20-30%. Pair them with a hardware/protocol-fingerprint layer (the category Sentinel sits in) to catch the long tail that residential proxies and synthetic identities are designed to slip through.

Don't pick one or the other. Pick both, run them in parallel, and combine the signals. The marginal cost of a second layer is small; the marginal lift in detection rate is typically 40-60 percentage points.