Platform
Use Cases
ACCOUNT SECURITY
Account TakeoverMulti-AccountingAccount SharingIDENTITY & FRAUD
Synthetic IdentitiesIncentive AbuseTransaction FraudPricing
Docs
February 23, 2026
hCaptcha has always supported passive and invisible abuse detection, and most users evaluated via hCaptcha Enterprise and Pro experience zero friction.
However, we continue to find CAPTCHAs a very useful part of our detection and deterrence arsenal.
CAPTCHAs serve many purposes at the same time, including increasing cost for the attacker and slowing down attacks, thus reducing total attack volume.
And while AI/ML approaches to solving CAPTCHA challenges have continued to improve over the past decade, our challenges have also evolved in both obvious and invisible ways.
hCaptcha uses many different challenges at any time, and continuously adapts to ensure they remain robust to automation while staying easy for people to solve.
If a challenge starts to see higher automation solve rates, it is rapidly discarded or updated to break bots again.
Unlike legacy alternatives, hCaptcha CAPTCHAs are a continuously moving target; this improves system robustness over time.
While Vision-Language Models (VLMs) have improved in general recognition, there are still many ways in which they differ from human perception. They continue to have both subtle and obvious gaps in performance vs. humans, including with simple tasks that take people only a few seconds.
Even when they reach human-level performance on many benchmarks, we expect these points of difference will be very difficult to eradicate and remain useful in detection for years to come.
Thus, while models have improved in vision and cognitive performance over the years, our challenges have evolved in lockstep with them.
Compared to simply letting an attacker connect directly to your endpoint, or using a WAF / WAF bot manager, which is likely to miss over 90% of requests from residential proxies, a robust CAPTCHA from hCaptcha can have a dramatic impact, even in dynamic challenge modes where it minimizes friction for real people.
We regularly see 70-90% reductions in total attack volume in 2026 when comparing traffic on sites that deploy hCaptcha Enterprise vs. pre-deployment attack levels, even when they were already using a WAF or other less robust security solutions.
While you can still gain a large advantage over legacy WAF-style approaches by using the state of the art passive and invisible protections built into hCaptcha Enterprise, there is no substitute for an active challenge in high abuse scenarios.
Millions or tens of millions of IPs may make only one or a few abuse requests each day with residential proxies, rendering these threats largely invisible to most defenses.
When your goal is to increase the cost and difficulty of attacks, especially when facing highly distributed threat tools like residential proxies, an active CAPTCHA using the advanced features of hCaptcha Enterprise is the most robust solution.
We have seen this repeatedly, and the resulting trend has only accelerated in 2026.
Sites under regular attack that have tried weaker alternatives tend to eventually migrate to hCaptcha Enterprise.
The list includes everyone from the largest payment providers, e-commerce platforms, banks, and millions of websites and apps to familiar Top 10 global services like Wikipedia.
The focus on security, privacy, and compliance means that hCaptcha is much easier to deploy than less privacy-focused alternatives, and can operate with no PII and provably limited access to your app data via features like Secure Enclave.
Browser use agents are not an intrinsically new phenomenon, but they have been getting more competent at browsing tasks.
While use by real people is still minimal as of February 2026, we do expect this to increase over time, and have built many detections and countermeasures into hCaptcha Enterprise over the past few years.
However, one trend we should call out:
This is a troubling trend, and is not behavior that should be normalized. Legitimate agents should clearly identify themselves.
Failing to do so means that these companies are building tools more useful for cybercriminals than real users, and e-commerce players like Amazon have started to take action.
They recently sent cease-and-desist letters to Perplexity over its Comet browser, which attempts to disguise itself in this way.
However, a browser agent is only as good as its model, and hCaptcha's robust and state of the art CAPTCHAs are designed to adapt as frontier models improve.
It seems likely that agents will become more popular over time, although today they continue to be slow and inaccurate for many tasks.
We have focused on giving hCaptcha Enterprise users the ability to set policies and control the behavior of agents on their sites and apps.
Knowing it's an agent is the first step. Whether you decide to block, challenge, or restrict agents on some parts of your site is up to you.
hCaptcha Enterprise provides detection and policy controls for agents today, and we are committed to maintaining detection capabilities.
This includes partnerships with responsible AI companies, and other methods when less responsible companies in the space start to adopt the tactics of cybercriminal tooling vendors.
There is currently a gap in social norms and legislation around agent use, but we suspect that societies around the world will be forced to deal with this soon.
As domain experts, we are actively collaborating with AI safety and policy institutes to ensure that the laws ultimately passed are informed by our real world experience and observations.
That said, it seems likely that both legal and technical solutions will be required in the future, just as they are today.
