Residential vs datacenter vs mobile proxies: detection, cost, and use cases

A proxy is just a machine that forwards your request and sends back the reply. The interesting question is never whether it forwards bytes. It is whose IP address sits on the front of that request, where that address came from, and what a defender thinks when it sees the address arrive. Three answers dominate the market: a server in a rented rack, a real home connection, or a phone on a cellular network. Same forwarding job, wildly different price tags, and wildly different odds of getting through a protected endpoint.

The gap between the cheapest and the most expensive option is not a few percent. It is two orders of magnitude per gigabyte, and the reason is not bandwidth or latency. It is detectability. A datacenter address can be convicted on sight; a mobile address is shared with so many real humans that blocking it is dangerous. This post is a comparison of the three types along the axes that actually decide which one you reach for: how each is sourced, how each is detected, what a gigabyte costs, and when each one is the right tool. The deep mechanics of ASN reputation scoring live in a companion piece, how anti-bot vendors detect residential proxies and ASN reputation; here the focus is the trade-off between the three classes rather than the internals of any one check.

We start with the supply side, because sourcing explains everything downstream: the price, the trust, and the ethics. Then the detection contrast, type by type. Then the money, with real 2026 numbers. Then ISP proxies, the hybrid that muddies the clean three-way split. And finally a use-case map: given a target and a budget, which type fits.

Where the addresses come from

The three proxy types are not three flavours of the same product. They are three different supply chains, and the supply chain is the single fact that predicts cost and detectability better than any benchmark.

Datacenter addresses are the simple case. A provider rents or buys IP space, announces it from its own autonomous system or a hosting partner’s, and resells access. The whole pool is contiguous, stable, and owned outright. AWS, Google Cloud, Azure, OVH, Hetzner, Vultr and DigitalOcean each publish or leak their ranges, and a datacenter proxy provider’s blocks sit in exactly the same category of address: server space, announced by a network whose business is renting compute. That is what makes datacenter proxies cheap. The provider has full control of the hardware, near-unlimited bandwidth, and no per-request marginal cost worth speaking of. It is also what makes them easy to catch, but we will get to that.

Residential addresses cannot be bought in bulk the way server space can, because they belong to households, assigned by consumer ISPs to real subscribers. So the residential proxy industry does not own its inventory. It borrows it, one device at a time, by getting software onto consumer machines that agrees to relay traffic. The mechanism is an embedded SDK. A proxy network pays an app developer to bundle its SDK into a free app, a VPN, a browser extension, or a desktop utility, and when a user runs that app, the device quietly becomes an exit node for somebody else’s request. The going rate paid to developers is small, on the order of a few cents per monthly active user, while the bandwidth that flows through each enrolled device is worth far more to the proxy network, which is the entire business model.

The clean version of this is consent-based and compensated. Bright Data, to take the most-documented operator, runs its peer network through an SDK that it says activates only after an explicit opt-in, behind a consent screen, with a two-click opt-out and a requirement that the host app give every opted-in user a real benefit in return. That is the model the industry points to when it calls itself ethically sourced, and it is a genuine improvement over the alternative. The how-it-is-sourced question, and where the line between consent and trickery actually falls, is its own subject covered in how proxy networks source IPs.

The dirty version of the same mechanism is what gets people arrested. In January 2026 Google’s Threat Intelligence Group published its disruption of a residential proxy network it traced to a cluster of thirteen proxy and VPN brands (IPIDEA, PIA S5 Proxy, 922 Proxy and others) fed by four SDKs: PacketSDK, CastarSDK, HexSDK and EarnSDK. Those SDKs reached devices through over 600 Android apps, free VPNs that covertly enrolled their users, and Windows binaries masquerading as system updates. The control plane was two-tier: an enrolled device first phoned a Tier One domain with its hardware details and got back a list of Tier Two servers, then polled those servers for tasking, receiving target hostnames to connect to on demand. At the time of writing the report counted roughly 7,400 Tier Two servers and observed over 550 distinct threat groups using the exits in a single week. Same SDK-on-consumer-device pattern as the legitimate networks. No consent, in this case, and a device pool overlapping the BadBox 2.0 botnet.

Mobile addresses are residential’s harder, pricier cousin, sourced the same way but from phones and cellular dongles rather than home broadband. The difference that matters is on the receiving end, not the sourcing end. A mobile exit egresses through a cellular carrier, and cellular carriers do something home ISPs mostly do not: they put hundreds or thousands of subscribers behind a single public IPv4 address using Carrier-Grade NAT. That one fact is why mobile sits at the top of the price chart, and it is worth its own paragraph in the detection section.

*The supply chain predicts both the price and the detectability. Owned server space is cheap and convictable; borrowed consumer devices are expensive and trusted.*

How each type gets detected

Detection is where the three types separate hardest, because the defender’s first move on every connection is to look up the source IP and ask what kind of network it is. That single classification, before a header is parsed or a byte of JavaScript runs, sets the starting trust score. The three types start that race in very different positions.

Datacenter is the convictable class. The hosting ASNs are enumerable, maintained as lists, and a residential-grade browser user-agent arriving from AWS or Hetzner is a contradiction the IP alone exposes: browsers do not normally run in a rented rack. So datacenter traffic gets the server-origin label and a low default trust, and a large share of crude automation is filtered right there. DataDome’s 2025 Global Bot Security Report, drawn from more than 16,900 protected sites, found that only 2.8 percent of websites were fully protected against bots, down from 8.4 percent the year before, even as LLM crawler traffic quadrupled to over ten percent of verified bot requests by August. The crude bots driving a lot of that volume run on datacenter IPs precisely because they are cheap, and they get caught precisely because the IP is cheap to convict. The two facts are the same fact.

Residential starts much higher because the address belongs to a real consumer ISP, on an ASN that has never knowingly hosted a server. The IP layer has little to say about a clean residential exit. What catches it is everything correlated with the address rather than the address itself. The most reliable network-layer leak is latency geometry: a residential exit relaying for a scraper whose real machine sits in a distant datacenter inherits the round trips of both hops, so the TLS handshake takes longer than any honest user at either location would experience. Cloudflare built a production detector directly on this. Its mid-2024 machine-learning model combined multi-hop latency features with behavioural traffic-spike patterns and, by the team’s account, classified on the order of 17 million unique IPs per hour as showing residential-proxy activity at roughly 95 percent accuracy on the worst distributed attacks. The honest caveat the same team raised is the one that explains the whole pricing structure: about four out of five requests from residential-proxy IPs are ordinary humans, because the device is somebody’s actual phone or TV when it is not relaying. Block the IP and you hit a real person four times out of five. That is why residential detection moved off the IP and onto behaviour, and why a clean residential exit is worth paying for.

*Detection resistance is collateral-damage resistance. The more real users share an address, the more a defender must hesitate before blocking it, and the more a proxy operator can hide inside the crowd.*

Mobile is the class that breaks the blunt instruments outright, and the reason is Carrier-Grade NAT. A cellular carrier cannot give every subscriber a public IPv4 address; there are not enough addresses, so it maps hundreds or thousands of real subscribers onto each public IP. The shared-address machinery has its own reserved block, the 100.64.0.0/10 range set aside by RFC 6598 in 2012 for exactly this use, sitting between subscriber equipment and the carrier’s NAT. The outside world sees one address doing the work of a small town. Block it for one abuser and you block everyone behind it. Cloudflare’s October 2025 analysis of CGNAT put a number on the squeeze: CGNAT addresses carried essentially the same median bot score as non-CGNAT addresses, yet got rate-limited about three times as often, purely because so many legitimate users pile onto each one that aggregate volume trips the thresholds. A proxy operator who routes a scraper through a 4G or 5G exit gets to hide inside that exact crowd, and the detector cannot lean on the IP, because the IP is shared with people it must not block.

None of this makes mobile un-catchable. CGNAT reduces IP-only friction; it does not erase the rest of the fingerprint. A mobile exit fronting a Python or Go HTTP client still emits a TLS ClientHello and HTTP/2 settings that no real phone browser would send, and that JA3 or JA4 mismatch convicts the session regardless of how trusted the IP is. The IP and the transport layer get scored together, and a perfect IP cannot rescue a handshake that announces an automation toolkit. The transport-layer half of that story is in TLS fingerprinting from ClientHello bytes to JA4. The point for this comparison is the ordering: datacenter loses on the IP alone, residential loses on latency and behaviour, mobile rarely loses on the IP at all and so the fight moves entirely up the stack.

What a gigabyte actually costs

The pricing follows the supply chain exactly, and once you have the supply chain in mind the numbers stop looking arbitrary.

Datacenter is the cheap tier because the provider owns the hardware and the bandwidth is effectively free at the margin. The common billing model is per-IP rather than per-gigabyte: you rent an address or a small block for a flat monthly fee and push as much traffic through it as you like. Where datacenter is sold by traffic, a gigabyte runs roughly fifty cents to two dollars in 2026, and per-IP pricing can drop below a dollar per address per month at volume. The catch is that the cheapness and the detectability are the same property. You are paying little because the address is worth little against a protected target.

Residential flips the model to per-gigabyte, because the provider does not own the bandwidth and has to pay, directly or indirectly, for every byte that crosses a borrowed consumer device. The market has split into tiers. Enterprise providers (Bright Data, Oxylabs) sit around eight to twelve dollars per gigabyte. A mid-market band (Decodo, SOAX, NetNut and similar) runs roughly three to six dollars. Budget operators reach down to under two dollars per gigabyte, with the usual trade-offs in pool freshness and sourcing transparency. The spread of one to twelve dollars for nominally the same product is mostly a spread in pool quality, geographic coverage, and how clean the sourcing is.

Mobile is the premium tier, commonly quoted in the rough range of four dollars per gigabyte at the low end up to thirty or forty at the high end, depending on whether you are buying shared bandwidth or a dedicated cellular exit. The premium is not for speed; mobile is often slower than residential. It is for the CGNAT collateral-damage shield that makes the address so hard to block. You are paying for the crowd of real humans you get to hide behind.

*Two orders of magnitude separate the cheapest datacenter byte from the priciest mobile byte. You are not paying for bandwidth. You are paying for how hard the address is to block.*

The economics on the supply side are worth one honest line, because they explain why residential and mobile bandwidth can be priced the way it is. A proxy network pays an app developer roughly a nickel per monthly active user to host its SDK, then routes far more value than that through each enrolled device. The markup between what the device owner’s host app earns and what the bandwidth resells for is enormous, which is the engine that funds the whole residential and mobile market, and the same engine that makes the ethics genuinely contested. The broader vendor-side economics, including how the defenders monetise the other side of this arms race, are in the economics of anti-bot vendors.

ISP proxies: the hybrid that blurs the line

The clean three-way split has a fourth member that does not fit any of the boxes, and any honest comparison has to name it. ISP proxies, also sold as static residential, are datacenter-hosted addresses that have been registered under a consumer ISP’s autonomous system. The IP lives on a fast server in a rack, with all the speed and stability that implies, but it announces from the ASN of AT&T, Comcast, BT, Lumen or a similar consumer carrier rather than from a hosting ASN. To an anti-bot system doing the first-pass ASN lookup, it reads as residential.

The appeal is obvious. You get datacenter performance, gigabit links, no flaky home Wi-Fi, no device that vanishes when its owner closes the app, paired with the residential ASN trust that gets you past the cheap first-pass filter. The address is static, so it holds a session and a reputation over time instead of rotating away. Pricing sits between datacenter and rotating residential, commonly a couple of dollars per IP per month, or a per-gigabyte rate a little above plain residential.

The weakness is in the word static. Because these are server-hosted addresses sitting in contiguous blocks under a residential ASN, they cluster, and clusters are exactly what the IP-reputation feeds are built to find. Once one address in a static-residential block burns, its neighbours are guessable. Some ISP-proxy ranges get reclassified as commercial by the better feeds; one industry account puts the share of a given provider’s IPs that end up flagged as commercial as high as the mid-thirties percent. They also do not get the CGNAT shield, because each address belongs to one server, not to a crowd of real subscribers. So ISP proxies are excellent against targets that key on the ASN first-pass and weaker against targets that maintain their own behavioural and clustering reputation. They are a precision tool, not a default. The reasons a clean residential-looking IP still leaks, ISP proxies included, are laid out in the ASN-detection companion post.

Matching the type to the job

Put the three together and the decision is mostly a function of what the target keys on and how much you are willing to spend per request.

For targets with no meaningful bot defence (open APIs, public datasets, internal tools, anything that checks at most an API key) datacenter wins on every axis. It is the cheapest, the fastest, and the only signal the target reads is whether your request is well-formed. Spending residential money here is lighting cash on fire. The same applies to high-volume crawling of cooperative sites where you are honouring robots.txt and rate limits; the politeness and frontier design carry far more weight than the exit IP, and those are the real engineering problems, covered in designing a distributed crawler and crawl politeness and robots.txt. Use datacenter, behave well, and the IP class never becomes the bottleneck.

For targets behind a real anti-bot vendor that does ASN classification (most retail, travel, sneaker and ticketing sites, anything with a login or a checkout) datacenter is dead on arrival and residential is the working floor. The clean residential exit gets you past the first-pass ASN filter; whether you survive the behavioural layer above it depends on the rest of your stack, not the proxy. This is the band where most scraping budgets actually go, and where pool quality, session stickiness and geographic match against the claimed locale matter more than headline price. Managing a residential pool well, rotating on the right signal and retiring burned addresses, is a discipline of its own, covered in proxy pool management.

For the hardest targets (the ones that maintain their own IP-reputation data, score behaviour aggressively, and lean on mobile-app traffic where a cellular exit is the expected norm) mobile is what is left. The CGNAT crowd is the only thing that reliably defuses IP-layer reputation at that level, and for a mobile-app API that genuinely expects cellular traffic, a mobile exit is not an upgrade, it is the correct fingerprint. You pay for it. The premium is the point. And even then the IP only buys you a seat at the table; the transport and runtime fingerprints still have to hold, which is why nobody serious treats the proxy as the whole solution.

ISP proxies slot in as the specialist choice for one specific shape of job: long-lived sessions against a target that keys hard on the ASN first-pass but does not maintain aggressive per-prefix behavioural reputation. Account management, a logged-in session you need to keep warm for hours, a target where session stability matters more than rotation. When that profile fits, a static residential IP outperforms a rotating residential pool. When it does not, it is the worst of both: datacenter clustering wearing a residential label that the better feeds eventually see through.

What the comparison comes down to

The three proxy types are priced and detected along a single axis, and once you see the axis the whole market snaps into focus: how many real humans does the defender hit if it blocks your address? For a datacenter IP the answer is roughly none, so it blocks freely and the address is cheap and weak. For a residential IP the answer is four real people in five, so it hesitates, and the hesitation is what you are renting. For a mobile IP behind CGNAT the answer is a whole town, so it barely blocks at all on the IP, and that immunity is the most expensive thing in the catalogue. Detection resistance is collateral-damage resistance, and collateral-damage resistance is what the price chart measures.

The part that does not show up on a comparison table is that the IP class has quietly stopped being the decision it used to be. A decade ago the IP was the gate: bad IP, blocked. Now it is a prior, a starting score that the layers above either confirm or contradict. The latency that betrays a double hop, the JA4 that announces a scripting library, the timezone that does not match the exit country, the impossible trajectory across a rotating pool: these carry the verdict when the IP itself comes up clean, and they do so regardless of which of the three types you bought. Which means the honest answer to “residential, datacenter, or mobile?” is usually a question back. What does the target actually check, and is the IP even the thing that is failing? More often than the proxy vendors would like to admit, it is not, and the gigabyte you overpaid for buys nothing that a correct TLS fingerprint would not have bought for a fiftieth of the price.

---

Sources & further reading

• AminAzad, Vargas, Martinetti / Cloudflare (2024), Using machine learning to detect bot attacks that leverage residential proxies — the latency-plus-behaviour ML detector, the 17M-IP/hour and ~95% figures, and the four-in-five legitimate-traffic caveat that explains the pricing.
• Giotsas, Fayed / Cloudflare (2025), One IP address, many users: detecting CGNAT to reduce collateral effects — how CGNAT works, the RFC 6598 shared range, and the equal-bot-score-but-3x-rate-limited finding for mobile-style addresses.
• Google Threat Intelligence Group (2026), Disrupting the world’s largest residential proxy network — the IPIDEA takedown: 13 proxy brands, the PacketSDK/CastarSDK/HexSDK/EarnSDK supply chain, 600+ apps, ~7,400 Tier Two servers, two-tier control plane.
• DataDome (2025), 2025 Global Bot Security Report — 16,900+ sites analysed, only 2.8% fully protected (down from 8.4%), and LLM crawler traffic quadrupling past 10% of verified bot requests.
• Weaver, Kreibich, Nechaev, Paxson et al. / IETF (2012), RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space — the standard reserving 100.64.0.0/10 for Carrier-Grade NAT, the address machinery underneath every mobile proxy.
• ScrapeOps, The crazy economics of residential & mobile proxies — the per-MAU developer payout, per-GB resale model, and why mobile bandwidth carries the steepest markup.
• Bright Data, Ethically sourcing residential proxies — the vendor’s consent-screen, two-click-opt-out, opt-in SDK model and the conditions it places on host apps.
• Proxyway, What are ISP proxies (static residential proxies)? — the hybrid explained: datacenter hosting under a consumer-ISP ASN, per-IP pricing, and the commercial-reclassification weakness.
• IPQualityScore, Detecting residential proxies: unmasking fraudulent IP addresses — a defender’s account of ASN cross-referencing, honeypots, and the consistency checks that catch a clean residential exit.
• Mi, Feng, Liao, Liu, Wang et al. (2019), Resident Evil: Understanding Residential IP Proxy as a Dark Service — the IEEE S&P measurement study that mapped the residential-proxy supply chain and its overlap with compromised devices.