what does a scraping job actually cost? size the job and pick how you run it - proxy bandwidth, captcha solves, the browser runtime (self-host, cloud, anti-detect or a managed api) and the infra around it - and watch the operator cost per 1k and per 1m requests land in fractions of a cent, beside what the defender pays per request for the same traffic. that is the whole point: the operator pays almost nothing, so the defender pays instead. prices are dated 2026 estimates, not live quotes; they drift.
cost-of-attack calculator
size a scraping job and pick how you run it. it computes the operator cost per 1k and per 1m requests - the fractions-of-a-cent reality of volume scraping - beside what the defender pays per request for the same traffic, and where each fraction goes.
the operator's request lands in fractions of a cent; the defender pays 3.4x that per request. that is the thesis: at these prices the job is economical for the operator, so the cost falls on the defender - bot management on every visitor, infra to absorb the load, and the fraud loss on what gets through.
the job
volume + consumption
block assets to drop gb / 1k; a warmed residential session earns a passing score and drives the captcha rate toward zero. the managed scraping api bundles proxy + captcha, so toggle those two off when you model it.
what the defender pays · per 1k requests
the defender pays this on the whole stream, not just the bots: bot management evaluates every visitor, the waf and origin answer the junk that reaches them, and the fraud loss lands on the requests that clear. that asymmetry is the bot economy.
the cost axes of an average scraping job - proxy, captcha, the browser runtime and the infra around it - beside what the defender pays for the same traffic, with dated unit prices. these are plausible 2026 estimates from the bot-economy price corpus, not live quotes - every entry is stamped as of and marked an estimate where it is one. prices drift; treat them as order-of-magnitude. token names that are catalogued surfaces link to the knowledge base.
proxy bandwidth
real-isp exit ips billed by bandwidth; the clean-ip premium is most of the cost of a credible session, and the dominant line item in a job.
src: residential-proxy market mid-tier ($/gb), 2026 estimate
datacenter-hosted ips registered to consumer isps: residential reputation at a stickier, cheaper rate, but a finite pool that burns.
src: isp/static-residential proxy market ($/gb), 2026 estimate
cheap bandwidth on hosting-asn ips; an order of magnitude under residential, but trivially flagged by asn reputation.
src: datacenter-proxy market ($/gb), 2026 estimate
carrier-grade-nat 4g/5g exits; the most trusted ip class, the most expensive, because many users share one ip.
src: mobile-proxy market ($/gb), 2026 estimate
captcha solves
human-farm or vision-model solve, posting g-recaptcha-response back; only paid on the fraction of requests that hit a gate.
src: 2captcha / capsolver published rate (recaptcha v2/v3), 2026
image-grid solve returning h-captcha-response; priced like recaptcha on the public solver tiers.
src: 2captcha / capsolver published rate (hcaptcha), 2026
managed-challenge token harvest (cf-turnstile-response) by driving a real browser; cheaper, no grid to label.
src: solver-service rate (cloudflare turnstile), 2026 estimate
the 3d match game is the hardest to farm, so it carries the highest per-1k price; arkose rotates art to keep it that way.
src: solver-service rate (arkose funcaptcha), 2026 estimate
browser & runtime
headless chrome you run yourself on cheap compute; near-zero marginal cost per page, you eat the ops and the patching.
src: self-hosted headless chrome, amortised compute, 2026 estimate
hosted chrome rented by the browser-hour; no ops, you pay per session, normalised here over a typical pages-per-hour throughput.
src: hosted-browser per-session/hour pricing (browserless/browserbase class), 2026 estimate
a managed fingerprint profile subscription amortised over a run; the per-page cost depends entirely on how many pages each profile drives before it burns.
src: anti-detect browser subscription ($/profile/mo, multilogin/gologin/kameleo class), 2026 estimate
a single per-request price that bundles proxy, browser and captcha; switch the proxy and captcha axes off when you model this, it already includes them.
src: managed scraping api all-in rate (scraperapi/zyte/scrapingbee class), 2026 estimate
infrastructure
the orchestration around the browser: queue, compute, storage and egress. small per page, but it is the line that scales with the fleet.
src: self-host compute + egress math ($/vcpu-hr, $/gb-hr, nat egress), 2026 estimate
compute that idles at zero cost; a higher unit price per page, but nothing to pay between jobs.
src: functions/containers scale-to-zero pricing, 2026 estimate
what the defender pays
the per-request line for running enterprise bot management across all traffic, not just the bots; the defender pays it on every visitor.
src: enterprise bot-management list pricing (datadome/human/kasada class) per request, 2026 estimate
the cost of simply answering the junk requests that reach the edge: waf evaluation, origin compute, and the bandwidth out.
src: waf + origin compute + bandwidth to serve unwanted traffic, 2026 estimate
the loss on the requests that clear: scraped content, hoarded inventory, scalped stock. the biggest and least predictable defender line.
src: residual abuse loss per 1k cleared requests (content/inventory/scalping), 2026 estimate
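the arithmetic the calculator describes, written out from the defender's side as an added example (not this page's own code). every price is a constructed placeholder, picked so the sample lands on a 3.4x ratio; none is a catalogue value. `clear_rate` and `parity_gate_rate` are assumptions added here: the second goes one step past the page and asks what challenge rate would bring the operator's cost level with the defender's, holding the defender's cost fixed.

```python
from dataclasses import dataclass

# every price here is a constructed placeholder, not a catalogue value or live quote.
@dataclass
class Job:
    gb_per_1k: float            # proxy bandwidth used per 1k requests
    proxy_usd_per_gb: float
    captcha_rate: float         # fraction of requests that hit a gate
    captcha_usd_per_1k: float   # solver price per 1k solves
    runtime_usd_per_1k: float   # browser runtime, or the all-in managed api rate
    infra_usd_per_1k: float
    managed_api: bool = False   # the bundle already includes proxy + captcha

@dataclass
class Defender:
    bot_mgmt_usd_per_1k: float  # paid on every visitor
    serve_usd_per_1k: float     # waf + origin compute + bandwidth out
    fraud_usd_per_1k_cleared: float
    clear_rate: float           # assumed fraction of requests that clear

def operator_per_1k(job):
    """line items in $ per 1k requests; proxy and captcha are zero under a managed api."""
    own = not job.managed_api
    items = {
        "proxy": job.gb_per_1k * job.proxy_usd_per_gb if own else 0.0,
        "captcha": job.captcha_rate * job.captcha_usd_per_1k if own else 0.0,
        "runtime": job.runtime_usd_per_1k,
        "infra": job.infra_usd_per_1k,
    }
    items["total"] = sum(items.values())
    return items

def defender_per_1k(d):
    """line items in $ per 1k requests; fraud lands only on the cleared fraction."""
    items = {"bot_mgmt": d.bot_mgmt_usd_per_1k, "serve": d.serve_usd_per_1k,
             "fraud": d.clear_rate * d.fraud_usd_per_1k_cleared}
    items["total"] = sum(items.values())
    return items

def asymmetry(job, d):
    """how many times the operator's per-request cost the defender pays."""
    return defender_per_1k(d)["total"] / operator_per_1k(job)["total"]

def parity_gate_rate(job, d):
    """gate rate where operator cost equals defender cost; None if no rate in [0, 1] does."""
    if job.managed_api or job.captcha_usd_per_1k <= 0:
        return None
    op = operator_per_1k(job)
    rate = (defender_per_1k(d)["total"] - (op["total"] - op["captcha"])) / job.captcha_usd_per_1k
    return rate if 0.0 <= rate <= 1.0 else None

JOB = Job(0.5, 4.0, 0.05, 2.0, 0.3, 0.1)      # constructed sample job
DEFENDER = Defender(3.0, 1.5, 20.0, 0.2)      # constructed sample defender
```

with the sample inputs, `parity_gate_rate` returns `None`: even a challenge on every request would not close the gap at these solver prices, which is the asymmetry the page describes. multiply a per-1k total by 1000 for the per-1m figure.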
go deeper
- → captcha & challenge intel - the cost to solve, per vendor: which challenge the captcha $/1k actually buys.
- → network details - the proxy classes the $/gb axis prices: datacenter vs residential vs mobile.
- → browser details - the browser runtime the job pays for: what each automation tool fixes, leaks, and how it scored.
- → bot-detector intel - who runs the detection the defender pays for, refreshed daily from the live loaders.