Why Proxy Pool Size Stopped Mattering in 2026 — FourA Blog
ESC
↑ ↓ navigate<br>Enter open<br>ESC close
The number every proxy vendor sells
400 million IPs. 155 million. 100 million. Pick a residential proxy provider and the first thing you'll see is the size of its pool. Bigger pool, better product. That's been the pitch for a decade.
Two things broke that pitch in early 2026. One was a takedown. The other was a benchmark nobody selling proxies wanted to publish.
In January, Google's Threat Intelligence Group disrupted IPIDEA, a residential proxy network running 9 to 11 million daily active IPs across more than 550 distinct threat actors (GreyNoise, April 2026). The takedown cut the network's pool by roughly 40% overnight. If pool size were the thing that mattered, that should have rattled the market. It didn't. Within days the slack shifted to datacenter traffic and other networks soaked up the demand (BleepingComputer, April 2026). Lost capacity rebuilt fast.
And that's the tell. When you can pull 40% of a major network's supply and nothing downstream changes, supply was never the scarce thing.
IP reputation was the real product. It's failing.
Pool size was always a stand-in for something else: trust. A residential IP belongs to a real household, so anti-bot systems treated it as a real user. A big pool meant lots of fresh, trusted IPs to rotate through before any single one got flagged. You weren't buying IPs. You were buying reputation, sold by the million.
That trust is collapsing. Researchers who analyzed 4 billion sessions found residential proxies slipped past IP reputation checks 78% of the time (BleepingComputer, April 2026). Read that backwards: if malicious traffic looks identical to legitimate traffic at the IP level, the defender can't use the IP to tell them apart. So they stop trying.
The defenders have already started. IPinfo and AbuseIPDB presented research at RSA 2026 showing 53% of actively abusive IPs traced back to VPNs or residential proxies, and 45% to residential proxies specifically (Brander Group, May 2026). When half of your "abusive" list is indistinguishable from ordinary home users, IP reputation isn't a filter anymore. It's noise.
So here's the uncomfortable part. The signal you've been paying a premium for (a clean, trusted IP) is the same signal defenders are quietly decommissioning. You're buying access to a wall that's being torn down.
Pool size was never an honest number anyway
Even before the trust problem, the headline counts were soft. Proxyway's 2026 testing caught one provider advertising 155 million residential proxies while running a pool that was "average in size and nowhere near this number in daily use" (Proxyway, 2026). Bright Data advertises 400 million-plus. The figure on the pricing page is the total ever seen, not what's live and reachable the second you fire a request.
Pool size stuck around as the headline metric for the same reason megapixels did on phone cameras: it's one big number that's easy to print and almost impossible for a buyer to verify. And it tells you nothing about whether your specific request to your specific target actually gets through.
What actually predicts success
Proxy type still matters, just not the way the banner suggests. Datacenter IPs get blocked 30 to 60% of the time on aggressively protected targets, while residential lands at 85 to 99% (SparkProxy, 2026). Residential wins where the target fights back. But the pool-size pitch skips the other half: on sites without aggressive bot detection, datacenter proxies clear 85 to 90%-plus (Torch Proxies, February 2026), at a fraction of the cost.
Most targets aren't hostile. We've watched teams burn an entire month's budget on residential IPs for sites a datacenter pool would have handled fine. The proxy type should match the target's defenses, not the vendor's marketing copy.
And the proxy is only one layer. The same researchers who flagged the IP reputation collapse point defenders toward behavioral signals instead: sequential probing from rotating IPs, device fingerprints that survive an IP change, request timing that doesn't move like a person (SC Media, April 2026). We dug into that shift in Bot Detection Went Behavioral. A pristine residential IP wrapped around a request that behaves like a script gets caught anyway.
What this means for data teams
Stop shopping for pool size. It tells you nothing you can act on.
Measure success rate on your own targets instead. Run the same job through datacenter and residential IPs, on the sites you actually scrape, and compare first-request success and cost per successful response. For a lot of teams the result stings a little: the cheap option handles most of the list, and the expensive pool only earns its keep on a handful of hostile domains. (That's also where a chunk of the hidden cost of running your own scrapers hides, by the way.)
Then put the saved budget where it moves the number: making requests look...