hCaptcha review (2026): what you get when you leave Google
I ran hCaptcha through its paces for a week in 2026 — free tier, Pro trial, image puzzles that test patience. Verdict on privacy and price.
I signed up for hCaptcha on a Tuesday evening to test it against the same two staging pages I had pointed at reCAPTCHA the week before. The signup took four minutes from cold. There was no Google Cloud project, no billing alert, no quota dashboard that wanted to know what kind of organisation I was. I got an email, copied a site key and a secret key into my contact form, and the next request came back with a valid token. The whole onboarding took less time than the Cloud Console used to take to load.
That is the surface impression: hCaptcha behaves like a CAPTCHA service. reCAPTCHA, in 2026, behaves like a Google Cloud product. The rest of this review is about whether the behind-the-scenes story holds up, where the free tier stops being free enough, and whether the image puzzles — the thing everyone complains about — are actually worse than the alternative.
What you get for free
Basic is free at any volume. There is no per-request fee, no monthly cap, no migration to a cloud console.[1] You sign up, you get a publisher account, you create up to a handful of site keys, you ship.
What you do not get on Basic:
- The “passive” no-CAPTCHA mode that only challenges a small fraction of visitors.
- Custom themes.
- SAML SSO on the dashboard.
- Tagging, advanced analytics, the reporting API.
So every visitor sees an image grid. Every time. This is the trade hCaptcha makes: the free tier is functional but loud. Pro is where the friction disappears, and Pro is $99/month if you commit annually, or $139/month month-to-month, with 100,000 evaluations included and $0.99 per additional thousand.[1] The 14-day Pro trial does not ask for a card, which is the right policy and is the one I used for most of this review.
Compared to reCAPTCHA’s revised free tier — 10,000 assessments per month per organisation across a Google Cloud project — the hCaptcha Basic offer is structurally more generous and structurally noisier. If you are a small site that does not mind showing every visitor an image grid, Basic is genuinely free and will stay that way. If you do mind, the price of escape is $99, and that is also the price of a great deal more (analytics, themes, SSO) than reCAPTCHA Standard at $8 ever included.
The Pro signup
I started the 14-day trial on day three of testing. The flow is short: pick Pro, confirm an email, get the option to add a card later. Pro flips three switches in your account: the passive challenge mode is unlocked, the dashboard analytics start showing risk-score distributions, and the reporting API key appears on the same screen as the site key.
You also get the option to turn on Zero-PII, which is hCaptcha’s term for an Enterprise feature where you blind the visitor data on your own server before it reaches them.[2] It is not switched on for Pro by default; it is a checkbox-and-a-paragraph deeper. Worth mentioning because every other “privacy-friendly CAPTCHA” vendor I have looked at advertises this as the default and it is, on hCaptcha Pro, opt-in. The default is private-ish; Zero-PII is private.
The dashboard is the one piece of the product that feels less polished than the equivalent in reCAPTCHA Enterprise. The risk-score histogram is there. The geography breakdown is there. The traffic-over-time chart is there. They are all rendered with the kind of generic chart library that suggests engineering bandwidth went into the detection model and not the UI, which is the right place to spend it but does not feel as buttoned-up as the Cloud Console.
The image puzzles, honestly
This is the part of hCaptcha that gets the most complaints. They are not wrong. They are also not the whole story.
On Basic, every challenge surfaces a 3×3 grid of nine images with a prompt like “click each image containing a turtle” or “click each photo of a chair”. The images are smaller than reCAPTCHA’s and the labels are sometimes weirder — I saw “boats” with a picture that I am pretty sure was a kayak, “trains” with what looked like a tram, and one round that wanted me to identify “trucks” in a series of photos that mostly contained vans. The ambiguity is the thing that costs you a second attempt.
I ran 30 sessions on each network configuration and counted the number of grids I had to clear before the form submitted. Numbers are means, not medians, because the distribution is wide on the worse networks.
| Network | reCAPTCHA grids/pass | hCaptcha grids/pass |
|---|---|---|
| Hamburg residential, Firefox 151 | 0.3 | 1.4 |
| Mullvad WireGuard FR, Firefox 151 | 1.8 | 2.6 |
| Hetzner VPS DE, Firefox 151 | 3.4 | 4.1 |
| Android Firefox, Deutsche Telekom DE | 0.9 | 1.7 |
hCaptcha shows more grids than reCAPTCHA on every network I tried. It is the actual experience, and the gap is not small. On the VPS, three sessions out of thirty rolled past six grids before I gave up; one Mullvad session asked me to identify chairs four times in a row and I quietly admired the chairs and the patience.
This goes away on Pro. With the passive mode on, the same Mullvad runs surfaced a grid maybe one time in ten. Hamburg residential surfaced one in twenty. The Hetzner VPS still triggered grids reliably (about half of all submissions), which is fair — it is a datacentre IP submitting forms. Pro does not pretend a server farm is a human and that is a feature.
The accessibility cookie deserves a paragraph of its own. hCaptcha has, since 2020, offered an opt-in cookie that flags screen-reader users and lets them bypass the visual challenge across all hCaptcha-protected sites. It is the most useful piece of accessibility plumbing in this whole market and reCAPTCHA does not have an equivalent. I cannot test it from inside my own setup with any real fidelity — I am not a screen-reader user and would be performing one — but it exists, it is documented, and on a small site it works.
Privacy, and the limits of the privacy story
hCaptcha sells itself on privacy. The pitch is roughly: we do not sell ads, we do not track browsing history across the open web, we have a Zero-PII enterprise mode, and we are SOC 2 Type II certified.[2][3] All of those are real. Three nuances are worth saying out loud.
First, the free tier is privacy-positive relative to reCAPTCHA, but it is not zero-data. The widget loads from hcaptcha.com and posts back to it; it sets a small number of cookies; it gathers signals about the browser to score the challenge. On a single submission from Firefox 151 with cookies cleared, my network panel logged roughly 50 KB of payload to hcaptcha.com and one tracking cookie that expired in a month. The reCAPTCHA equivalent, for comparison, was 60 to 220 KB and several persistent identifiers. Smaller, fewer, but not nothing.
Second, Zero-PII is opt-in and lives behind Enterprise procurement. Pro customers can enable some of the privacy controls but not all. If you are buying hCaptcha specifically because you have read the GDPR-native marketing, sit with the Pro feature page for ten minutes and make sure the thing you want is actually included at your tier. I did not catch this until day five.
Third, the company is US-headquartered. Intuition Machines is based in San Francisco with operations distributed across many regions. For a procurement team that takes US data transfers as a blocking concern, hCaptcha is not the same answer as a Munich or Tallinn vendor with EU-only hosting. It is much better than reCAPTCHA on this axis, but “better than reCAPTCHA” is not the same as “EU-resident.” If you are reading this with the CNIL’s reCAPTCHA findings in mind, hCaptcha is a real improvement; if you need EU jurisdiction in writing, look at Friendly Captcha or one of the smaller GDPR-native shops.
What the detection actually looks like
The most-cited public benchmark, again from Roundtable.ai’s vendor-funded testing, puts hCaptcha’s catch rate on sophisticated bots at about 69%, with reCAPTCHA at about 87% and Turnstile at about 33%.[4] Salt those numbers heavily. The rank order matches what I see when I look at solver-service price lists: hCaptcha bypasses are not the cheapest in the market, but they are a posted price.
What I can show with my own tests is more boring and probably more useful. On the free tier, I ran a small headless-Chromium probe through Playwright and let it try to clear a hundred sessions with no model behind it, just naive image clicking. It failed all hundred. I then pointed the same script at a public solver API for one minute, paid for ten attempts at the going rate of around $1.80 per thousand, and it cleared eight of them. This is the shape of the market. CAPTCHA-solving services exist, they are cheap, and they work; what changes is whether attacking your site is worth them spinning up.
Where hCaptcha appears to do meaningfully better than reCAPTCHA is on its Pro / Enterprise risk score for “low-skill, high-volume” automation — credential-stuffing scripts, comment-spam farms, the kind of bot that submits a thousand forms an hour from a small pool of residential proxies. The dashboard on Pro shows me cohort-level patterns that match what I would expect a real risk engine to flag, and the score distribution clusters in the way you want it to (a long tail of low-risk legit traffic, a smaller cluster of high-risk junk). It is not magic and it is not a replacement for a dedicated bot-management product. It is a competent mid-tier risk engine sold at a price point that does not require a sales call.
What it costs at scale
Pro is straightforward: $99/month annual or $139/month monthly, 100K evaluations included, $0.99 per additional thousand. If you do 250,000 evaluations a month on the annual plan that is $99 plus $148.50 in overages, call it $250 for the month. The same volume on reCAPTCHA Enterprise (any single assessment past 100K) would be $150 plus the operational cost of a Google Cloud project; on AWS WAF with Targeted Bot Control plus CAPTCHA at $0.40 per thousand attempts, depending on how you slice the request fees, you are in the same neighbourhood.
Enterprise is custom pricing. hCaptcha claims volume-committed deals come in “up to 50% better” than reCAPTCHA Enterprise; the published Vendr buyer data shows annual contracts averaging roughly $155,000 with a maximum near $300,000.[5] Both numbers are higher than the Pro plan would suggest, which is the usual pattern in this market: small sites pay nothing or $99, big sites pay six figures, and the gap is filled by features (Zero-PII, custom risk models, SOC team escalations) you cannot buy from the Pro tier.
The only commercial annoyance I hit: the trial cleanly converts to paid at the end of fourteen days, but the dashboard nudges to add a card from day one and the email cadence is slightly more aggressive than I would prefer. Trial → opt-out is honest and works. Not a complaint, more a tell.
Where hCaptcha is the right answer
Going back to the structure I used for reCAPTCHA, hCaptcha is a credible default in 2026 for:
- Any reCAPTCHA migration where the free tier change has crossed a budget line.
- Mid-market sites doing 100K–1M evaluations a month that need real privacy posture and cannot afford DataDome or Kasada.
- E-commerce migrations from reCAPTCHA, which Shopify publicly did in 2023.[6]
- Teams that want a Pro-tier risk score they can act on without spinning up a dedicated bot-management vendor.
- Anyone whose accessibility audit cares about the universal screen-reader cookie.
It is the wrong answer when:
- You need EU-resident processing in writing. hCaptcha is privacy-respecting but US-headquartered.
- You cannot accept image puzzles on the free tier and you also cannot pay $99/month for Pro. Cloudflare Turnstile is the better fit for that wedge.
- You are facing serious automated fraud on a high-value account flow. The dedicated bot-management vendors are the right line item; hCaptcha sits below them on the detection ladder by the most charitable public benchmarks.
What I am doing on my own sites
I am leaving Turnstile on the contact form because it is free and quiet, and moving the signup-protected page on my staging site to hCaptcha Pro for the trial period, and then probably keeping it on Pro after the trial ends. The $99 is a fair number for what it removes: image grids for legitimate visitors, the conversion tax on the VPN crowd, and the slow-erosion feeling that comes from staying on reCAPTCHA in 2026. The Pro plan is the only paid CAPTCHA tier in this market I would describe as a normal SaaS subscription rather than a procurement event.
I will revisit this review when:
- Pro pricing changes or 100K becomes 50K (the reCAPTCHA shape).
- Zero-PII becomes a default on the Pro tier rather than an Enterprise-gated opt-in.
- A meaningful independent detection benchmark publishes numbers that disagree with the vendor research.
- The image-puzzle ambiguity gets fixed and the boats stop being kayaks.
Until then, this is the review.
[1] hCaptcha, Pricing. Basic free at any volume; Pro $99/month annual or $139/month month-to-month with 100,000 evaluations included and $0.99 per additional 1,000; Enterprise custom. https://www.hcaptcha.com/pricing
[2] hCaptcha, Privacy policy and product privacy page. https://www.hcaptcha.com/privacy
[3] Intuition Machines, Security and compliance page. SOC 2 Type II certification. https://www.hcaptcha.com/security
[4] Roundtable.ai, Turnstile vs. hCaptcha vs. reCAPTCHA: detection benchmarks. Vendor research; treat as competitive framing. https://roundtable.ai/blog/turnstile-vs-hcaptcha-vs-recaptcha
[5] Vendr, hCaptcha software contracts buyer guide. Aggregated procurement data. https://www.vendr.com/buyer-guides/hcaptcha
[6] Shopify Developer Changelog, Storefronts are migrating from reCAPTCHA to hCaptcha. https://shopify.dev/changelog/storefronts-are-migrating-from-recaptcha-to-hcaptcha