After two reviews: things I keep thinking about
Two CAPTCHA reviews in. Here's the stuff that didn't fit — pricing economics, the VPN tax, what dashboards leave out, what comes next.
I have written two reviews so far. One on Google reCAPTCHA and one on hCaptcha. Between them I spent about three weeks reading docs, kicking widgets, getting routed to image grids, and watching small charges land on a Google Cloud invoice that did not exist a month ago. This is the writeup I do not normally do — the meta one, the “what I keep thinking about” one — because the reviews are already long and there are pieces that did not fit and pieces that only show up once you have written about more than one service.
If you came here looking for a verdict on a specific product, go read the reviews. This is the bit where I yap about the shape of the market.
The pricing trap is a shape, not a number
Both services in my notebook so far have a free tier. Both free tiers have a cap. The number is different — reCAPTCHA’s is now 10,000 assessments per month per Google Cloud organisation, hCaptcha’s is unlimited on Basic but withholds the passive mode — but the shape is the same. There is a free tier that works on a hobby project, an inflection point where you tip over into paid, and a paid tier that scales pretty cleanly until the volume reaches “we should be talking to enterprise sales.”
The thing that turns the shape into a trap is what happens after the inflection point. Three patterns I keep seeing:
- The cap is per-organisation, not per-site. If you run a few small client sites under one account, you do not get one cap each. You share one. This caught me on the reCAPTCHA migration and I expect it catches a lot of small shops.
- The overage is unbounded. There is no setting in the Cloud Console that says “stop processing assessments at $25 of spend this month.” The closest you can get is a billing alert, which is information about a bill that has already happened.
- The next tier exists but is priced in the language of procurement. hCaptcha Enterprise is custom. DataDome starts at $3,830 a month. There is no $300/month with-real-support tier in this market, and the gap between Pro and Enterprise is mostly trust and SOC certifications, not features.
The implication, if you are running a site large enough to think about a paid CAPTCHA, is that the free tier is rarely where you actually end up paying. You pay either nothing or $99/month for Pro on hCaptcha; you pay either nothing or $8 for Standard then $1 per thousand on reCAPTCHA. The numbers are still small at moderate volume. But you should pick on the shape, not on the entry price, because the entry price is the part of the menu that disappears first.
The VPN tax I cannot stop seeing
I run most of my tests from a Hamburg residential connection. I run a slice through Mullvad’s WireGuard endpoint in France and another slice through a Hetzner VPS in Germany so I can see what happens to traffic the model thinks is suspicious. The Hetzner number is interesting in the same way that the colour of a thermometer is interesting — it is meant to be hot, the service is meant to flag it.
The Mullvad number is the one I keep finding myself thinking about. A consumer VPN endpoint is not a botnet. It is a paying customer who, for reasons that are probably none of my business, prefers not to broadcast their home IP to every website they visit. On reCAPTCHA, that customer pays for the choice with on average about 1.8 image grids per submission instead of 0.3. On hCaptcha Basic they pay with about 2.6. On Pro, the cost drops back into the single digits per ten attempts.
That is real friction. It is also, mostly, invisible to the site operator. None of the dashboards I looked at this month broke out “challenge rate by IP type” in a way you could act on. You see the aggregate. You do not see the part where a chunk of your privacy-conscious users got asked four times in a row to click on chairs and gave up.
The most useful thing I could do for any future review is start measuring this systematically — not just “did the challenge appear” but “how many seconds did a legitimate VPN user lose on the way through your form.” I do not have a clean way to do that yet. The closest I have is a Playwright script that records the time-to-first-token and the number of challenge transitions, and it is too noisy on small samples to publish. Maybe by review number five.
Dashboards lie about how good detection is
Both reCAPTCHA Enterprise and hCaptcha Pro give you a score distribution chart. Both charts look reasonable. Both charts are, in the specific sense that matters, useless on their own.
The shape of a healthy score distribution is a tall hump near “definitely human” with a smaller tail near “definitely bot.” That is the shape both products show me. It is also what I would show you if I were a CAPTCHA vendor and you asked me whether my detection was working — because the shape is mostly a function of how the model is calibrated, not whether the model is right.
The thing that would actually tell me the model is working is a measurement neither vendor surfaces and I cannot easily run on my own: ground-truth false-positive and false-negative rates against known-good and known-bad traffic. I do not have that data. Roundtable’s published numbers — 87% for reCAPTCHA, 69% for hCaptcha, 33% for Turnstile on sophisticated bots — are the closest public proxy, and they come from a vendor, so I quote them with the same caveat in every post.
What I can say with confidence is this: the difference between a good CAPTCHA dashboard and a useful one is whether it tells you how often legitimate visitors gave up. None of the dashboards I have seen this month do that. The hCaptcha Pro one comes closest because it shows me submission completion rate next to the score distribution, but it is still a derived number and it still assumes the score is meaningful, which is the thing we wanted to check.
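An added example, not from the post or either vendor: constructed labelled traffic that shows why the histogram on its own proves nothing. The second data set keeps exactly the same scores but shuffles the human/bot labels, so the dashboard chart is identical while the ground-truth false-positive and false-negative rates (the measurement the post says neither vendor surfaces) collapse to chance. Score scale, sample sizes and the 0.5 blocking threshold are assumptions.

```python
import random

# Constructed sample traffic, not vendor data: each row is (score, is_human),
# with score 0.0 = "definitely bot" and 1.0 = "definitely human".
def make_traffic(n_human=900, n_bot=100, seed=7):
    """Labelled traffic from a model that separates well: humans high, bots low."""
    rng = random.Random(seed)

    def clip(x):
        return max(0.0, min(1.0, x))

    rows = [(clip(rng.gauss(0.85, 0.10)), True) for _ in range(n_human)]
    rows += [(clip(rng.gauss(0.20, 0.10)), False) for _ in range(n_bot)]
    return rows

def shuffle_labels(rows, seed=7):
    """Same scores, labels reassigned at random: the chart is unchanged,
    but the scores now carry no information about who is a bot."""
    rng = random.Random(seed)
    labels = [is_human for _, is_human in rows]
    rng.shuffle(labels)
    return [(score, label) for (score, _), label in zip(rows, labels)]

def histogram(rows, bins=10):
    """Counts per score bin: what a vendor score-distribution chart shows."""
    counts = [0] * bins
    for score, _ in rows:
        counts[min(bins - 1, int(score * bins))] += 1
    return counts

def error_rates(rows, threshold=0.5):
    """Ground-truth rates at a blocking threshold (block when score < threshold).
    FPR: share of humans blocked. FNR: share of bots let through."""
    humans = [s for s, h in rows if h]
    bots = [s for s, h in rows if not h]
    fpr = sum(s < threshold for s in humans) / len(humans)
    fnr = sum(s >= threshold for s in bots) / len(bots)
    return fpr, fnr

if __name__ == "__main__":
    good = make_traffic()
    useless = shuffle_labels(good)
    print("histogram, working model:  ", histogram(good))
    print("histogram, shuffled labels:", histogram(useless))  # same chart
    print("FPR/FNR, working model:   %.3f / %.3f" % error_rates(good))
    print("FPR/FNR, shuffled labels: %.3f / %.3f" % error_rates(useless))
```

The only way to get the second pair of numbers for a real deployment is to label a sample of your own traffic (known-good accounts, known-bad source ranges) and score it, which is exactly the work the dashboard cannot do for you.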
The things I cannot see from one chair
I am writing this from one apartment in Hamburg, on a hand-rolled set of devices, with one mobile carrier, one VPN account, one VPS provider. That covers most of what a normal European visitor experiences and most of what a small attacker experiences. It misses several worlds.
A short list of things I know I cannot see:
- How any of these services behave for users in mainland China. GeeTest dominates that market and I have not touched it yet.
- What CAPTCHA fatigue looks like for a screen-reader user on a service whose accessibility cookie does not work. I have read the standards; I have not lived the experience.
- The shape of an actual coordinated attack on one of these widgets. I can run a Playwright probe; I cannot summon a credential-stuffing campaign against my own staging site without crossing lines I do not want to cross.
- The view from inside an enterprise customer of any of these vendors. Procurement, custom risk models, the support relationship — all of that is invisible to me.
I am not pretending those gaps do not exist. The reviews I have published name the things I could measure and the things I could not. The point of this post is to say it out loud: the picture is partial and getting less partial with each review, but it will never be complete from one person’s setup.
The migrations are the signal
If you want a single sentence about where this market is in mid-2026, here it is: the migrations are running one way. Shopify left reCAPTCHA for hCaptcha. Multiple large e-commerce platforms have followed. I have not yet found a public migration in the other direction.
The CNIL question — the French regulator’s view that reCAPTCHA processes too much personal data for purposes that are not really about security — has been quietly setting the procurement terms. Once a buyer’s legal counsel has read the summary, the conversation about reCAPTCHA stops being about quality of detection and starts being about whether anyone will sign off on Google Analytics’ close cousin for bot blocking. That is the kind of slow-moving force that does not show up in benchmark posts but determines which vendors are still on the shortlist two years from now.
The other thing the migrations are doing is funnelling demand into a small group of alternatives. Cloudflare Turnstile picks up the lowest-friction free traffic. hCaptcha picks up the paid mid-market. DataDome / Kasada / HUMAN pick up the enterprise. And a much smaller GDPR-native pack — Friendly Captcha, MTCaptcha, CaptchaFox, a few others — picks up the EU-jurisdiction buyer for whom the US-headquartered alternatives are also a non-starter.
Two reviews in, I cannot tell you who wins. I can tell you that the incumbent is no longer the default.
What I want to write next
The reviews I have queued in my notebook, roughly in the order I plan to write them:
- Cloudflare Turnstile. I keep recommending it in every other post; I owe it an actual review.
- A side-by-side comparison of reCAPTCHA Enterprise and hCaptcha Pro, on the same staging pages, on the same dates. The two reviews so far were sequential; a parallel test will be more honest.
- Friendly Captcha. The EU-jurisdiction question deserves a real test, not just a footnote.
- One of the open-source self-hosted options (mCaptcha or Altcha) so the “what if you ran this yourself” wedge has a proper writeup.
- A short post on what a CAPTCHA-solving service looks like from the buyer’s side. I will not name names; I will publish methodology and what the rate cards say.
If you want to push something to the top of that list, tell me. I am not promising to listen, but I read everything.
A small thank-you
The two reviews so far have had more readers than I expected for a site this young, and the few replies I have received have, without exception, been people pointing out something I missed or something I got slightly wrong. That is the kind of feedback that makes the next review better. Keep it coming.