Every VPN review site claims to be independent. Most aren’t. Sponsored placements, affiliate-first rankings, and cherry-picked benchmarks are routine in this space. So here is exactly how we score the 49 VPNs on this site, what each criterion means, and why we weighted them the way we did.
No black boxes.
The short version
We evaluate each VPN across 19 criteria grouped into five categories: Performance, Security, Trust, Pricing, and Features. Each criterion contributes to an overall score out of 5. The rankings on the Compare page reflect those scores directly, no manual adjustments, no paying for position.
Category 1: Performance
Speed
Speed matters, but not in the way most review sites present it. A VPN that loses 10% of your base connection speed is fine. One that loses 70% makes basic browsing frustrating.
We test speeds across multiple servers (local, regional, and long-distance) using standardized conditions. The score reflects how much of your baseline connection a VPN actually preserves on average, not peak numbers from the best-case server.
Protocols
Modern VPNs support several tunneling protocols. WireGuard is the current standard for speed and simplicity. OpenVPN remains the most battle-tested option for security. IKEv2 works well on mobile. Proprietary protocols like NordVPN’s NordLynx or ExpressVPN’s Lightway are evaluated on the merits of their public documentation and audits.
We give higher scores to VPNs that offer WireGuard and give users explicit protocol control.
Category 2: Security
Encryption
A VPN’s encryption is only as strong as its default configuration. We check both the default cipher (what you get out of the box) and the strongest available option. AES-256-GCM and ChaCha20-Poly1305 are the current acceptable standards. Anything weaker affects the score.
Jurisdiction
Where a VPN is incorporated determines what laws apply to it. This criterion scores the country of registration and whether the VPN falls inside the Five Eyes, Nine Eyes, or 14 Eyes intelligence alliances.
VPNs incorporated in Panama, Switzerland, Iceland, or the British Virgin Islands score highest. These jurisdictions have no mandatory data retention laws and sit outside major surveillance alliances. VPNs headquartered in the US or UK score lower due to the legal tools available to those governments. For a detailed breakdown of what these alliances mean, see our Five Eyes, Nine Eyes, 14 Eyes guide.
No-Logs Audit
A no-logs policy printed on a website is worth nothing by itself. Every VPN claims one. What separates credible claims from marketing is independent verification.
We score this criterion based on whether a recognized third-party auditor (Deloitte, PwC, KPMG, Cure53, or equivalent) has examined the VPN’s server infrastructure and confirmed the no-logs claim holds up. Court-tested track records(where police seized servers and found nothing). That carries additional weight. A single audit from a firm the VPN itself selected scores lower than multiple audits over several years.
Category 3: Trust
This category covers broader transparency signals: ownership structure, parent company history, bug bounty programs, open-source components, and warrant canary maintenance. It answers a simple question: does this company behave like an organization that has something to hide, or one that actively invites scrutiny?
Ownership matters more than most reviews acknowledge. Several popular “independent” VPNs are owned by the same holding companies. We document parent company ownership for every provider on the Compare page and factor it into the Trust score.
Category 4: Pricing
We score price-to-value rather than raw price. A cheap VPN that fails on security criteria is not good value. A well-priced VPN with a strong security track record scores well here.
The pricing score accounts for the monthly price, the best available long-term plan price, the number of simultaneous connections, and whether a money-back guarantee is actually honored (not just advertised). We also note whether annual price hikes have occurred after the introductory period(a common practice that affects real-world cost).
Category 5: Features
This category scores the practical feature set: kill switch availability and reliability, split tunneling, multi-hop routing, ad and tracker blocking, number of server locations, and device compatibility. We weight reliability over quantity. A kill switch that actually stops traffic on disconnection scores better than five security features that half-work.
What we don’t do
We don’t accept payment for placement or higher scores. We don’t run “VPN of the month” promotions. We don’t create fake urgency with countdown timers. Affiliate commissions (which fund this site) are earned when readers choose a VPN after reading our content, not before we write it.
If we find a VPN has degraded since we last scored it, we update the score downward. The methodology page itself will be updated whenever the criteria or weights change, with dates noted.
A note on scores
All scores are out of 5. We deliberately avoided a 10-point scale because the extra granularity implied precision we don’t have. A 7.3 vs. a 7.6 communicates false confidence. The 5-point scale is honest about what the data actually supports.
The overall score is a weighted average. Security and Trust carry more weight than Features and Pricing, on the principle that a fast, cheap VPN that leaks your data is not actually a good VPN.
Methodology summary
19 criteria. 5 categories. 49 VPNs tested. Scores out of 5. No paid placements.
Security and Trust are weighted highest. Speed, Pricing, and Features matter, but a VPN that fails on logs or jurisdiction cannot score well overall, regardless of how fast it is.
What we deliberately don’t score
Methodology is also about exclusions, and ours are deliberate. Raw server counts don’t enter the scoring: ten thousand thin VPS instances tell you less than one well-placed, well-provisioned location, so the table tracks countries and capacity signals instead. Marketing features without verifiable behavior (proprietary “double-speed” protocols, vague threat-AI claims) wait outside until they can be tested. And short-lived promotional pricing doesn’t move the pricing score; the table records the standard intro terms a reader can actually obtain, with renewal behavior noted where it bites.
The same discipline applies to incidents: a breach or subpoena story changes scores only through what it demonstrates about architecture and honesty, which is why NordVPN’s 2018 datacenter episode reads differently in our table than a logging scandal would.
How to use the table like we do
The intended reading order: start from your primary use (the streaming column for catalog chasers, the trust columns for privacy buyers, pricing for budget hunts), shortlist two or three names, then read the relevant head-to-head reviews for texture the numbers compress away. Treat overall scores as tiebreakers rather than verdicts: a 4.1 that matches your exact needs beats a 4.6 that doesn’t. And finish every shopping journey the same way our testing finishes: a real trial on your own connection inside the refund window, because the last benchmark that matters is the one no methodology can run for you.
Corrections policy, since methodology pages should practice what they score: when retests contradict a published number, the table changes first and the affected articles follow, with lastmod dates carrying the audit trail. Readers who catch a stale figure are doing the site a favor, and the contact page exists for exactly that.
Keep reading: How to Choose a VPN in 2026: The 7 Criteria That Actually Matter.