The Comparitech VPN Data Hub is a public testing laboratory that benchmarks major consumer Virtual Private Networks (VPNs) continuously (24/7) from a colocated bare-metal test fleet, with composite scores recomputed every two hours. Everything on this page is a live snapshot of that benchmark data at the moment you load it — where the measured providers stand right now, not a fixed best-of-the-year list. ExpressVPN currently tops the composite. Our programmatic methodology grades each service across six pillars — Security, Speed, Streaming, Ease of Use, Value, and System Performance — normalising every speed sample against the same-day, same-machine direct baseline so a fast network day is never mistaken for a fast VPN. Sessions that fail our active-state trust verification — exit geolocation and tunnel-state checks read on the runner itself — are persisted as audit records but excluded from scoring rather than silently averaged in. The seven providers ranked below are those that have cleared full benchmark coverage on all six pillars; a further 67 providers in the catalogue are scored on researched data and held out of the head-to-head until they pass the measurement bar. The underlying datasets, the per-criterion evidence behind every score, and the methodology document itself are all linked from this page.
Today’s VPN lab standings
A live snapshot of our composite benchmark scores across six independently measured pillars — Security, Speed, Streaming, Ease of Use, Value, and System Performance — recomputed every two hours as new tests land.
ExpressVPN
The strongest all-round package in the current panel: the highest measured speed score, the joint-highest security score, and the widest protocol set we instrument against (four distinct protocols). Trades mid-pack system overhead for breadth and consistency.
Lightway
Audited no-logs
Coverage 6/6
Why it leads right now
Where it leads. Highest composite in the panel (8.13), the highest measured Speed score (8.21), and joint-highest Security (9.6, level with NordVPN). It is instrumented across four distinct protocols — Lightway, WireGuard, OpenVPN UDP and OpenVPN TCP — the widest set in the panel, and pairs that with an independently audited no-logs policy and an outside-14-Eyes jurisdiction.
Where it trails. System Performance (6.28) is its lowest pillar — Surfshark (8.35), Proton VPN (7.94), Total VPN (7.11) and IPVanish (6.9) all add less CPU/RAM overhead during an active session. Streaming (8.5) sits just behind NordVPN (8.7). Value (6.8) has improved to mid-panel — the $3.49 introductory monthly-equivalent is competitive, though it rises to $8.33 on renewal.
NordVPN
Best streaming
CyberGhost
Ease of use 8.0
Surfshark
Unlimited connections
Proton VPN
Outside 14 Eyes
Total VPN
Highest raw Mbps
IPVanish
Ease of use 7.8
View the full scorecard table
| Provider | Security | Speed | Streaming | Ease of use | Value | System perf | Composite ↓ | Coverage |
|---|---|---|---|---|---|---|---|---|
| ExpressVPN | 9.6 | 8.21 (4 proto) | 8.5 | 8.4 | 6.8 | 6.28 | 8.13 | 6/6 |
| NordVPN | 9.6 | 7.83 (3 proto) | 8.7 | 8.9 | 6.0 | 5.87 | 7.86 | 6/6 |
| CyberGhost | 9.0 | 7.76 (4 proto · 6/7 ctry) | 8.5 | 8.0 | 6.1 | 5.87 | 7.56 | 6/6 |
| Surfshark | 8.9 | 6.76 (4 proto) | 8.2 | 6.3 | 6.8 | 8.35 | 7.26 | 6/6 |
| Proton VPN | 8.3 | 6.12 (3 proto) | 8.2 | 4.2 | 7.3 | 7.94 | 6.52 | 6/6 |
| Total VPN | 6.3 | 6.78 (3 proto) | 8.2 | 5.5 | 5.8 | 7.11 | 6.33 | 6/6 |
| IPVanish | 7.6 | 5.25 (4 proto) | 8.0 | 7.8 | 6.0 | 6.9 | 6.17 | 6/6 |
How to read this table. Composite is the equal-weight average of a provider’s scored pillars. So that “equal weight” is genuinely equal, each category is first placed on a common 0–10 scale before averaging: the measured categories (Speed, System Performance) are normalised against a frozen quarterly reference band that widens as the field grows — Speed’s current band is 5.0–8.5 — while the absolute checklist categories (Security, Streaming, Value, Ease of Use) already span the full 0–10. There are no hidden per-pillar weights, and a category a provider isn’t scored on is left out of the average rather than counted as zero. Pillar scores are independently published so a provider’s strengths and weaknesses remain visible behind the headline number. The number in parentheses next to Speed reports how many distinct VPN protocols we currently instrument against that provider — the more protocols, the more independent paths the speed score is averaged across. Coverage 6/6 means all six pillars currently have fresh data within the publication window; every provider in this table has cleared full benchmark coverage, so no Speed cell is editorially estimated. Values mirror the downloadable scorecard exactly; the scorecard carries full-precision figures, so a measured pillar may show two decimals where a researched pillar shows one. CyberGhost’s Speed is currently measured across 6 of the 7 panel countries (Brazil pending); every other provider covers all 7. Data snapshot: exported 2026-06-03 12:20 UTC, with Speed placed on the frozen Q2-2026 reference band (5.0–8.5) when computing each provider’s overall.
Comparitech Open Data Program
To support transparent research in the cybersecurity sector, we provide raw, machine-readable exports of our scoring matrices, refreshed continuously. Academic researchers, journalists, and AI data crawlers are permitted to utilise this data under a Creative Commons CC-BY 4.0 license. Every graded value carries a provenance tag — measured on the fleet, analyst-verified, or researched from documentation — so a consuming model can weight its trust accordingly. Partner-tier access additionally exposes per-session verification records, baseline-capture metadata, and silent-failure-rate time series alongside the score series.
Lab Testing Methodology & Scoring Matrix
Comparitech’s scoring system is not based on subjective editorial reviews. Every VPN provider in the panel is evaluated against a strict algorithmic matrix in which only trusted, verified sessions count toward the published score. Sessions that fail our active-state trust verification — exit geolocation confirmed across three independent geo-IP databases, and tunnel state classified as a clean, verified session — are persisted as audit records but excluded from scoring.
Algorithmic Normalization: Rewarding Network Efficacy Over Bloat
The core question the speed score answers is not “how fast was the tunnel?” but “how much of the available pipe did the tunnel preserve?” Every measurement enters the pipeline as a ratio of tunnelled throughput to that runner’s same-day, same-machine direct baseline — a no-VPN test to a server on the same colocation network — so a provider whose tunnel sustains 90% of the available pipe scores higher than one whose tunnel hits a higher absolute Mbps on a temporarily faster day. (This is why the panel leader on raw median download, Total VPN at ~782 Mbps, does not lead the Speed score: ExpressVPN preserves more of its available pipe once each sample is normalised and family-weighted.)
The full pipeline runs in eight stages; these five do the heavy lifting between a raw sample and a published /10 score:
- Daily medians. Per-sample ratios are reduced to a per-day median for each (provider, protocol, country) cell. Reducing to a median first absorbs intra-day sample-count variance so an unusually heavy testing day cannot bias the longer-running average.
- Time-weighted recency. Daily medians are combined with a 14-day half-life exponentially-weighted moving average over a 90-day window — though with that half-life only the most recent ~30 days meaningfully contribute (the 90-day tail keeps less-frequently-tested providers from falling off a cliff). A measurement from two weeks ago contributes half the weight of yesterday’s; from four weeks ago, a quarter. Each (provider, protocol, country) cell needs at least 10 samples across 3 distinct days before it publishes. Persistent regressions surface; one-day spikes do not.
- Cell blend. Each cell’s number is a weighted blend of download (0.65), upload (0.20), and latency (0.15). The latency term is inverted — lower is better — against a 200 ms ceiling above which it contributes zero. Latency is itself adjusted: the overhead of the AAISP reference gateway (Andrews & Arnold, a residential UK ISP used as a typical-home-broadband reference) is subtracted from the raw VPN latency, so providers are scored on the latency the VPN itself adds, not the underlying round-trip.
- Country and family roll-up. Cells aggregate to (provider, protocol) by country weight — published two ways, a UK-weighted blend (the default: US 30%, UK 20%, then Germany, Japan, Australia and the rest) and a global-equal trimmed mean — then to provider-level by taking the best within each protocol family and weighting the families: Modern UDP (WireGuard, NordLynx, Lightway-UDP, IKEv2) 70%, Established (OpenVPN UDP/TCP) 15%, TCP fallback 10%, and Legacy (L2TP/PPTP) 5%. When a provider lacks a family, the remaining weights renormalise over what it offers. A provider is credited for being excellent at the family its users actually run rather than dragged down by one they do not.
- Frozen curve mapping. The blended raw number is mapped to a /10 score by its rank within a frozen quarterly field distribution. The mapping uses (rank − 0.5) / N as the percentile, interpolated into a bounded score range that widens as the field grows — currently 5.0–8.5 for a field under 20 measured providers, opening to 4.5–9.0 at 20+ and 4.0–9.5 at 50+. The current curve was frozen for Q2 2026 (a one-off mid-quarter freeze on 22 May while the Speed pipeline was rebuilt; from Q3 the freeze lands on the calendar-quarter boundary). Because the curve is frozen, intra-quarter score movements reflect measured performance change — not methodology drift.
Hard guards run at the database layer rather than in editorial post-processing. Throughput ratios are gated to (0, 2.0] — a strictly-positive floor drops handshake-aborted, zero-throughput sessions, while the 2.0 ceiling guards against sensor error — and a session is only scored once its exit geolocation and tunnel state clear the active-state trust verifier. Coverage is gated too: a Speed score publishes only when a provider has trusted measurements in at least five of the seven panel countries, including both core locations (US and UK) and at least one long-distance location — otherwise the score is withheld and the provider is left unranked rather than scored on a partial, non-representative slice. When the methodology itself revises, the curve is re-frozen only on a genuine measurement-method change, logged with a reason and an audit trail; historical scores remain comparable within their own curve, and the platform never silently re-scores history.
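The stages and the ratio guard described above, as an added Python sketch (not Comparitech's code). Function names and the sample cell are hypothetical. The sketch assumes a linear latency inversion, ascending rank (lowest raw value is rank 1), linear interpolation into the score band, and that the 10-sample minimum is counted after gating.

```python
from statistics import median

HALF_LIFE_DAYS, WINDOW_DAYS = 14, 90
FAMILY_WEIGHTS = {"modern_udp": 0.70, "established": 0.15,
                  "tcp_fallback": 0.10, "legacy": 0.05}

def gate(ratios):
    """Hard guard: keep only throughput ratios in (0, 2.0]."""
    return [r for r in ratios if 0 < r <= 2.0]

def daily_medians(samples):
    """samples maps age in days -> list of tunnel/baseline ratios for one cell."""
    out = {}
    for age, ratios in samples.items():
        kept = gate(ratios)
        if kept and age <= WINDOW_DAYS:
            out[age] = median(kept)
    return out

def publishable(samples):
    """At least 10 samples across 3 distinct days (counted after gating: assumed)."""
    kept = {age: gate(r) for age, r in samples.items() if age <= WINDOW_DAYS}
    days = [k for k in kept.values() if k]
    return sum(len(k) for k in days) >= 10 and len(days) >= 3

def ewma(medians):
    """Recency weighting: a day's weight halves for every 14 days of age."""
    weights = {age: 0.5 ** (age / HALF_LIFE_DAYS) for age in medians}
    return sum(medians[a] * w for a, w in weights.items()) / sum(weights.values())

def cell_blend(download, upload, added_latency_ms):
    """0.65/0.20/0.15 blend; the linear latency inversion is an assumption."""
    latency_term = min(1.0, max(0.0, 1.0 - added_latency_ms / 200.0))
    return 0.65 * download + 0.20 * upload + 0.15 * latency_term

def family_rollup(best_by_family):
    """Weight each family's best protocol, renormalised over families offered."""
    total = sum(FAMILY_WEIGHTS[f] for f in best_by_family)
    return sum(FAMILY_WEIGHTS[f] * v for f, v in best_by_family.items()) / total

def curve_score(raw, frozen_field, lo=5.0, hi=8.5):
    """Percentile (rank - 0.5) / N; ascending rank and linear interpolation assumed."""
    n = len(frozen_field)
    rank = min(n, max(1, sum(1 for v in frozen_field if v <= raw)))
    return lo + (rank - 0.5) / n * (hi - lo)

# Constructed sample: one cell, ages in days, including a zero-throughput abort.
CELL = {1: [0.92, 0.90, 0.0, 0.91, 0.93], 2: [0.88, 0.89, 0.90], 15: [0.70, 0.72, 0.71]}
```

With the constructed cell, the zero-throughput sample is dropped before the daily median, and the 15-day-old median pulls the recency-weighted average down less than the two recent days pull it up.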
Physical Testing Environment
Speed and latency are measured empirically around the clock (24/7) using the Ookla CLI — the same engine behind speedtest.net, so the measurement is one providers can’t dispute — from a single consistent vantage point: a colocated bare-metal fleet. Tests run against each provider’s own servers in seven panel countries: the US and UK as the two core, highest-weight locations, plus Germany and the long-distance set of Japan, Australia, Brazil, and South Africa. Every sample is divided by a same-day, same-machine direct baseline (no VPN in the path) to yield a unitless ratio, so ISP-day variation — not raw megabits — is corrected out before scoring. Two country blends are published from the same data: a UK-weighted default, skewed toward our audience, and a global-equal variant.
Privacy & Leak Vulnerability
Four leak tests — DNS, IPv4, IPv6, and WebRTC — run on every benchmark session, immediately after the tunnel comes up and before the speed test. A confirmed, still-reproducing leak is disqualifying: it caps the entire Security score in the fail band (≤ 2.0), regardless of how strong a provider’s encryption, audit, or jurisdiction posture is. Current status: the per-provider leak surface is temporarily withheld and the leak criteria sit at an editorial default while we re-validate the detector end-to-end; measured pass-rates resume feeding the score once that validation completes. Kill-switch behaviour is presently scored from declared, cross-checked capability — a verified-by-benchmark teardown test is in development. Exit IP is geolocated across three independent geo-IP databases and the tunnel state is classified per session (verified / unstable / not-established).
Verified Lab Infrastructure
Our lab tests run on dedicated, colocated bare-metal hosts rather than shared cloud instances, so CPU-bound encryption work is measured without neighbouring-tenant interference. The runner VMs are pinned to expose the host CPU’s AES-NI instructions, so AES-bound protocols are measured at native crypto throughput rather than capped by a software fallback. System-Performance and CPU/RAM differentials are captured on hardware-identical, quiesced Windows machines, and the runner refuses to start a job unless Windows Defender is confirmed off — so antivirus activity can’t pollute the measurement.
The Six Scoring Pillars
- Security: Leak resistance (DNS, IPv4, IPv6, WebRTC), no-logs audit recency, jurisdiction, modern cryptography, obfuscation, anonymous payment, and kill-switch support — sixteen criteria summing to 10, with a confirmed leak capping the score in the fail band.
- Speed: Download, upload, latency, and jitter expressed as ratios to a same-day direct baseline — never raw Mbps — blended 65/20/15, rolled up across seven countries and four protocol families, then mapped to /10 on a frozen quarterly curve.
- Streaming: A measured unblock pass-rate over a rolling 14-day window — Tier 1 (Netflix, Disney+) and Tier 2 (BBC iPlayer, ITVX) weighted heaviest — plus a capped 2.0 block for declared streaming features. The current measured ceiling is 9.0/10 until a Tier-3 service is added.
- Ease of Use: A seventeen-criterion feature matrix — app coverage across major platforms, browser extensions, router support, support channels, signup friction, and reviewer-scored UI.
- Value: Intro, renewal, and standard pricing scored separately (with a penalty when renewal exceeds 1.5× intro), plus money-back window, the connection limit (the single highest-weighted criterion), and bundled extras.
- System Performance: Only load efficiency — the marginal CPU cost per Mbps the tunnel adds while moving data, baseline-subtracted on both sides — is scored; idle-CPU and RAM deltas are measured and disclosed but do not move the score. Averaged across a provider’s protocols.
Score Versioning & Reproducibility
Each quarter the field’s distribution is frozen into an immutable score curve, so intra-quarter movements reflect measured performance change rather than methodology drift. The curve is re-frozen only when the measurement method itself changes — never to chase a score — and every re-freeze is logged in the public changelog with its reason and an audit trail. Each additive category score (Security, Value, Ease of Use) is reproducible from its per-criterion breakdown; the measured categories (Speed, System Performance) show their percentile decomposition instead. Historical scores stay comparable within their own curve, and the platform never silently re-scores history.