What "VPN detection" actually means in 2026
Not all anonymized traffic looks the same. The tools you evaluate need to handle at least five distinct categories:
Commercial VPNs. NordVPN, ExpressVPN, Surfshark, and a few dozen others publish IP ranges, and those ranges are well-known. Catching these is table stakes. Every serious tool does it.
Datacenter and hosting IPs. AWS, GCP, DigitalOcean. Not technically VPNs, but flagged for the same reason: regular users don't browse from a hosting provider's IP. Detection here relies on ASN data, which is well-maintained and reliable across vendors.
Tor exit nodes. The Tor Project publishes a list of exit nodes. This is the easiest category to detect consistently because the list is public and actively maintained. Any vendor that misses Tor exits is not paying attention.
Residential proxies. This is where detection quality diverges most sharply between vendors. Residential proxy networks rent out real consumer IP addresses, often through SDK-laden apps that users install without understanding they're donating bandwidth. These IPs look identical to regular users in static IP databases. Catching them requires behavioral signals, honeypot networks, and continuous enumeration. Vendors that don't invest here miss a growing share of the threat, and that share has grown significantly over the past two years as fraud toolkits have shifted away from datacenter infrastructure.
SDK-based and "free VPN" proxies. A newer and expanding category: apps that convert user phones into proxy exits, sometimes without clear consent. The detection challenge is the same as residential proxies. Static lists don't help. Supply is growing faster than most detection databases update.
How to test a VPN detection tool
A vendor comparison based on marketing copy is useless. The only evaluation that tells you anything is one you run on your own traffic. Here's how to structure it.
Build a benchmark IP set. You need diversity across categories: 50 known commercial VPN IPs (pull from published provider ranges), 50 datacenter IPs (AWS, GCP, DigitalOcean), 50 Tor exit nodes (from the Tor Project's published list), 50 residential proxy IPs (rented from a provider for testing purposes), 100 clean consumer IPs, and 50 corporate VPN IPs. That last group matters because false positives on corporate VPNs are one of the most common production complaints. A tool that blocks your enterprise customers trying to reach your app through a company VPN is worse than useless.
Score each tool on four metrics:
- Catch rate: what percentage of known bad IPs are correctly flagged
- False positive rate: what percentage of clean and corporate VPN IPs are incorrectly flagged
- Latency: average response time in milliseconds per request
- Cost: price per million requests at your actual production volume, not the entry plan
Re-run your test after 30 days. Residential proxy networks add new exit nodes constantly. A vendor whose catch rate drops sharply on a fresh IP set is not keeping pace with new infrastructure. Update cadence is as important as snapshot coverage.
Here's a benchmark script you can adapt:
import requests
import time
# Replace with your actual API keys and test IPs
TEST_IPS = [
"185.220.101.34", # Known Tor exit
"104.21.0.1", # Datacenter (Cloudflare)
"45.142.212.100", # Known commercial VPN (NordVPN range)
"71.123.45.67", # Clean residential (replace with a verified clean IP)
]
TOOLS = {
"abstract": {
"url": "https://ipintelligence.abstractapi.com/v1/",
"params": lambda ip, key: {"api_key": key, "ip_address": ip},
"api_key": "YOUR_ABSTRACT_KEY",
},
"ipqualityscore": {
"url": "https://ipqualityscore.com/api/json/ip/{key}/{ip}",
"api_key": "YOUR_IPQS_KEY",
},
}
results = []
for ip in TEST_IPS:
row = {"ip": ip}
for tool_name, config in TOOLS.items():
start = time.time()
try:
if tool_name == "abstract":
r = requests.get(
config["url"],
params=config["params"](ip, config["api_key"]),
timeout=5,
)
data = r.json()
verdict = (
data.get("security", {}).get("is_vpn") or
data.get("security", {}).get("is_proxy") or
data.get("security", {}).get("is_tor")
)
elif tool_name == "ipqualityscore":
url = config["url"].format(key=config["api_key"], ip=ip)
data = requests.get(url, timeout=5).json()
verdict = data.get("proxy") or data.get("vpn") or data.get("tor")
except Exception as e:
verdict = f"error: {e}"
latency_ms = round((time.time() - start) * 1000, 1)
row[tool_name] = {"flagged": verdict, "latency_ms": latency_ms}
results.append(row)
print(row)
Add each vendor to the TOOLS dict, run it against your benchmark set, and track results in a spreadsheet. The numbers matter more than the marketing.
The tools
These are the most commonly evaluated options in 2026. Alphabetical order: position on this list says nothing about quality.
Abstract IP Intelligence
Abstract's IP Intelligence product covers every core detection category in a single request: commercial VPNs, datacenter proxies, Tor nodes, hosting providers, relays, and mobile IPs. The response returns boolean flags per category alongside geolocation, ASN, and company data. There's no separate product to add for location data and no second API call to make.
For teams building fraud screening, signup validation, or geo-enforcement into their stack, that matters. Most production detection workflows need both the security signal and the location context. Getting both from one request simplifies your integration, reduces latency in your critical path, and means you're not stitching together data from two separate vendors with different update cadences.
Where Abstract fits best: engineering teams that want to move fast, clean documentation, a free tier that covers real production traffic for most early-stage workloads, and a pricing model that scales predictably as volume grows. Most teams are live in under 5 minutes.
Where it fits less well: teams whose primary threat is high-volume residential proxy abuse at enterprise scale, where Spur's specialized residential proxy infrastructure gives it a coverage edge.
Free tier: 1,000 requests / month. No credit card required to start benchmarking.
Fingerprint
Fingerprint differs fundamentally from the others on this list. It's a device intelligence platform, not an IP reputation API. It identifies users by browser and device fingerprint, which means its VPN and proxy detection is a byproduct of device-level signals rather than IP-level data.
That distinction matters for how you'd deploy it. Fingerprint works client-side, in the JavaScript environment of your web app or mobile app. It can't be dropped into a backend service that receives an IP address and needs a verdict in 50ms. For login fraud and account takeover detection, where the device matters as much as the connection, it's worth evaluating. For backend IP classification, it's the wrong tool.
If you're evaluating Fingerprint, use it alongside an IP API, not instead of one.
Free tier: 500K requests / month on Android. Usage-based pricing from there.
IPInfo
IPInfo's residential proxy database is updated daily and covers both ISP-assigned and peer-to-peer proxy IPs. The data is available as an API or as a downloadable database, which is a meaningful differentiator if your architecture requires running detection inside a VPC without external API calls, or if you need to bulk-classify large historical IP sets without per-request costs.
The privacy detection product (covering proxies, VPNs, Tor, and hosting) is a separate add-on from their core geolocation product. If you're already using IPInfo for geolocation, adding privacy detection is a low-friction upgrade. If you're starting fresh, evaluate the combined cost against a single-product alternative.
Integration footprint is broad: official libraries cover Python, Node, Go, PHP, Ruby, and more, plus direct database download formats for teams that prefer offline lookups.
Pricing for plans including privacy detection starts around $99 / month. Confirm current tier details on their pricing page before committing, as these have changed over the past year.
IPQualityScore (IPQS)
IPQS is a full fraud prevention platform. Their proxy and VPN detection returns 20+ data points per lookup: VPN flag, proxy flag, Tor flag, fraud score (0–100), abuse velocity, recent abuse, ISP, connection type, and more. The fraud score is tunable: most teams find that blocking at 90+ catches malicious traffic while keeping false positives low, though the right threshold depends on your traffic mix and risk tolerance.
Residential proxy detection is among the stronger options available, backed by honeypot networks and real-time behavioral analysis rather than static IP lists. Enhanced residential proxy detection, including coverage of private VPN networks, is gated behind Premium and Enterprise tiers. If residential proxies are your primary threat, confirm which tier gives you that coverage before signing up.
The trade-off is scope. IPQS is built for fraud teams that want a full scoring engine with email validation, phone reputation, and device risk layered on top of IP intelligence. If your use case is narrower (VPN flag only, no additional fraud signals needed), you're paying for features you won't use. For teams that want the broader platform, the consolidation has real value.
Free tier: 1,000 requests / month. Startup plan at $99 / month.
MaxMind GeoIP Anonymous IP
MaxMind is the most established vendor on this list, with an IP intelligence product that has been in production at scale for over two decades. Their Anonymous IP database categorizes IPs as registered VPNs, residential proxies, hosting providers, and public proxies. Geolocation accuracy is consistently strong, and their web service uptime track record (99.99% over 11 years) is the best on this list.
The limitation worth understanding: the database updates weekly. For commercial VPN ranges and datacenter IPs, that cadence is fine. For residential proxy networks that spin up new exit nodes daily, a week is a long gap. A new residential proxy service that launches mid-week routes undetected traffic through your systems until MaxMind's next update cycle. If your threat model includes active residential proxy infrastructure, that cadence matters.
For risk scoring beyond binary flags, you'd need minFraud, which is a different product with a heavier integration: it requires sending full transaction data (billing address, email, device info) to return a risk score. That's appropriate for e-commerce fraud workflows, but more than most teams want for standalone IP classification.
Where MaxMind remains the right choice: compliance teams that need proven uptime and geolocation accuracy, teams already running MaxMind for geolocation that want anonymous IP detection as a low-friction add-on, and any workflow where weekly update cadence is acceptable.
GeoLite2 (geolocation only) is free. GeoIP Anonymous IP starts around $50 / month.
Spur
Spur is the most specialized tool on this list. The entire platform is built around one problem: identifying anonymized and proxy traffic, with particular depth on residential proxy infrastructure. Where most IP APIs treat proxy detection as one feature among many, Spur treats it as the core product.
Each IP lookup returns 20+ attributes: provider ownership, ASN, connection type, tunnel entry and exit context, and behavioral signals through Spur's session enrichment layer. That last piece is the differentiator. Session enrichment correlates IP data with live session behavior, surfacing signals that pure IP reputation can't catch, including high-frequency access patterns and account farming behavior that only become visible at the session level.
The coverage advantage on residential proxies comes at a real cost. API access starts at $200 / month for 50,000 requests on the Teams plan, and enterprise contracts start at $40,000 / year. For teams whose primary threat is residential proxy abuse at scale, that cost is justified. For teams that primarily need commercial VPN and datacenter detection, it isn't.
Community tier: 250 manual lookups with no API access, which is enough to run spot checks but not a production benchmark.
How to decide
The right tool depends on your use case, your threat model, and your volume.
Compliance and content licensing. Your primary concern is users bypassing geographic restrictions. Commercial VPN and datacenter detection is sufficient for most of this traffic. Abstract, MaxMind, and IPInfo all handle this category well. Residential proxy detection matters less here because proxy-assisted geo-bypass represents a smaller share of that traffic, and the cost of a specialized tool rarely justifies the incremental catch rate gain.
Fraud prevention and signup abuse. Residential proxy detection is the critical variable. Start with IPQS if you want a full fraud scoring engine with email and phone signals alongside IP data. Start with Spur if your threat is specifically residential proxy infrastructure and you need the highest available coverage. Run the benchmark above on your own traffic before committing to either.
Bot management. Update cadence matters more here than snapshot coverage. Evaluate vendors on how quickly their data incorporates newly active proxy infrastructure, not just their current database size. The 30-day re-test in the methodology section above is not optional for this use case.
Volume thresholds. Under 100K requests / month, free tiers from Abstract, IPQS, and IPInfo cover real production traffic. You can benchmark all three against live data before spending anything. Above 1M requests / month, pricing model differences compound fast. Compare the per-request cost at your actual volume, not just the entry plan headline.
Pick one, then test it
VPN detection quality varies enough across vendors that no published benchmark fully substitutes for testing on your own traffic. The benchmark script above gives you a starting point. Run it, re-run it in 30 days on fresh IPs, and let the numbers drive the decision.
Abstract IP Intelligence includes VPN, proxy, Tor, hosting, and relay detection alongside geolocation and ASN data in a single request. The free tier covers benchmarking and most early production workloads, and there's no credit card required to start.
Run a benchmark with Abstract's free tier →
See also: How to detect if an IP address is using a VPN | IP Intelligence product page | What is geofencing
