
Why NordVPN Still Leads in 2026: Trust Over Features


The VPN market has matured — and most reviews haven’t caught up

The consumer VPN market in 2026 looks nothing like it did five years ago. The field has consolidated around a handful of serious players — NordVPN, ExpressVPN, Surfshark, and Mullvad among them — and the technical gap between them has effectively closed. Every major provider now runs thousands of servers across 60-plus countries, supports WireGuard, and posts speeds fast enough that most users will never feel the difference in daily use.

That convergence exposes a problem with how most reviews still work. Benchmarks built around server counts and peak download speeds made sense when those numbers actually varied in meaningful ways. They don’t anymore. A review that ranks NordVPN against a competitor based on which one hit 800 Mbps versus 750 Mbps is measuring noise, not signal.

What actually separates providers now is harder to quantify but easier to live with or regret. It comes down to how a company behaves over time: whether it publishes third-party audits and makes the findings public, how it responds when something goes wrong, and whether its privacy claims hold up under scrutiny rather than just marketing pressure.

NordVPN’s 2018 server breach is the clearest example of why this track record matters. The company didn’t handle the initial disclosure well — the breach became public through outside reporting, not a proactive announcement. But what followed matters more than the breach itself: infrastructure overhaul, the rollout of RAM-only servers, and a consistent audit program through firms like VerSprite and Deloitte that has continued since. That’s a documented response arc, not a press release.

Most 2026 VPN coverage hasn’t adjusted its framework to reflect this shift. Readers comparing providers still get tables of server locations and speed test results rather than an honest assessment of audit frequency, ownership transparency, or what a company’s incident history actually reveals about its priorities. For anyone making a real privacy decision — not a spec-sheet comparison — that gap between how reviews are written and what actually matters is the thing worth closing.

What ‘recommended by reviewers’ actually means — and why methodology matters

When ZDNET labels something a recommended product, that label carries a specific operational definition. The editorial team spends hours in comparative testing, pulls data from vendor listings, retailer catalogs, and independent review sites, then cross-references all of it against real customer feedback. The goal is to surface what actually matters to people who own and use the product — not what a marketing team wants emphasized.

The affiliate disclosure matters here too, and understanding it is a form of consumer literacy most VPN buyers skip. ZDNET earns commissions when readers click through to retailers. That revenue model is transparent and standard across tech journalism. What it does not do, by the publication’s stated editorial policy, is influence which products get covered, how they get evaluated, or what conclusions reviewers reach. Neither the publication nor the individual author receives direct compensation tied to a specific review outcome.

This distinction separates genuine endorsement from what the industry calls affiliate-driven placement — a practice where rankings and “best of” lists are ordered primarily by commission rate rather than product merit. In 2026, that problem is widespread enough that readers who cannot tell the difference are effectively making purchasing decisions based on disguised advertising.

The baseline standard for a credible VPN recommendation now requires triangulation: vendor claims checked against independent lab testing, retailer pricing data verified against actual subscription terms, and user reviews screened for patterns that reflect real-world performance rather than review-bombing or incentivized feedback. NordVPN consistently clears that bar across multiple outlets using that framework — which is precisely why its dominance in reviewer rankings reflects market reality rather than marketing spend.

The trust problem: Why NordVPN’s past controversies are actually a selling point now

In 2018, a threat actor gained access to a rented server in Finland that NordVPN used through a third-party data center. The attacker exploited an insecure remote management system the data center had enabled without NordVPN’s knowledge. No user credentials were exposed, but the breach was real, and NordVPN sat on the information for over a year before disclosing it publicly — a decision that drew sharp criticism.

That criticism mattered. The fallout forced NordVPN to do something most VPN providers have never been compelled to do: rebuild its infrastructure under public scrutiny. The company moved to diskless RAM-only servers, which retain no data between reboots. It commissioned independent security audits and made the results public. It established a formal bug bounty program. These weren’t marketing gestures — they were responses to a documented failure with a documented paper trail.

This is where the counterintuitive logic kicks in. A VPN provider with a clean security record might simply be a provider that hasn’t been targeted yet, or one that lacks the scale to attract serious adversaries. NordVPN operates over 6,000 servers across 111 countries. It has a target on its back. The 2018 breach happened, the company responded, and the response is verifiable.

The no-logs audit history makes the same point. NordVPN has undergone multiple independent no-logs audits conducted by firms including PricewaterhouseCoopers and Deloitte. Each audit is a discrete, dateable event — not a standing claim. That accumulated audit trail spans years and multiple third parties, which is a higher evidentiary standard than a privacy policy that simply states logs aren’t kept.

For a non-expert user choosing between providers, the relevant question isn’t which company has the cleanest history. It’s which company’s claims have been tested against reality. NordVPN’s trust case rests on demonstrated recovery rather than an absence of incident — and in security, that distinction is the only one that actually means anything.

Features non-experts actually need versus features that make headlines

Kill switches, split tunneling, and DNS leak protection don’t generate press releases. They don’t get their own product launch events. But these are the features that determine whether a VPN actually protects you during the moments that count — a dropped connection mid-session, an app accidentally bypassing the tunnel, a DNS query leaking your real location to your ISP. NordVPN’s implementation of all three works consistently across Windows, macOS, iOS, and Android, with the kill switch functioning at both the application and system level depending on what you need.

That consistency across platforms is where most VPN comparisons go wrong. A product can perform beautifully in a controlled Windows desktop test and behave erratically on an iPhone or a household router. For a family running four different device types — which describes most NordVPN subscribers — cross-platform reliability is the actual product. Friction at the router level alone causes most people to abandon VPN coverage entirely on smart TVs and gaming consoles.

Meanwhile, VPN marketing has pivoted hard toward AI-adjacent features: threat intelligence dashboards, dark web monitoring, real-time malware scanning. NordVPN bundles several of these under its Threat Protection Pro feature. These additions aren’t worthless, but they create a noise problem. A subscriber evaluating whether NordVPN’s core tunneling protocol holds up under real network conditions gets distracted by features that duplicate what a good antivirus or password manager already provides. The headline features are easy to demo; the unglamorous ones are harder to fake over time.

The users who benefit most from NordVPN are not the ones optimizing for the longest feature checklist. They’re the ones who want a kill switch that fires reliably when their Wi-Fi drops at an airport, split tunneling that keeps their banking app on the local network without manual configuration every session, and DNS leak protection that doesn’t require them to run a diagnostic tool to verify it’s working. NordVPN delivers all three without requiring technical fluency to configure. That’s the actual value proposition, and it’s harder to build than any dark web monitoring dashboard.

The pricing reality: What you’re actually paying for in 2026

NordVPN’s introductory pricing is genuinely competitive — a two-year Standard plan routinely runs under $4 per month during promotional periods. The catch arrives at renewal, when that rate can jump to $8–$13 per month depending on the plan tier. Most VPN review sites flag this in a footnote. Few treat it as the central financial fact it actually is, because over a four-year ownership cycle, the effective average cost is nearly double what the headline price suggests.

The tiered structure — Standard, Plus, and Ultimate — reflects a deliberate bundling play rather than a simple feature ladder. Standard covers the core VPN with malware protection and ad blocking. Plus adds NordPass, Nord’s password manager, and dark web monitoring. Ultimate layers in identity theft insurance and cyber insurance coverage. Each step up costs roughly $2–4 more per month, which sounds modest until you calculate it across a two-year billing cycle.

The bundling logic makes sense on paper. Password managers and identity monitoring are genuinely useful tools, and packaging them together creates a single-vendor privacy suite. The problem is that most users already have a password manager — either a dedicated app like 1Password or Bitwarden, or a browser-native solution — which makes the Plus upgrade redundant for a significant portion of NordVPN’s existing customer base.

For the majority of people whose actual threat model involves avoiding tracking on public Wi-Fi, accessing geo-restricted content, and basic data security, the Standard plan covers every real need. The upsells are not padding, but they solve problems that most users either don’t have or have already solved elsewhere.

The practical advice is straightforward: buy the two-year Standard plan, set a calendar reminder 60 days before renewal, and shop the promotional rate again at that point. NordVPN, like most subscription software companies, offers returning customers comparable introductory rates rather than lose them entirely. Treating the renewal as a new purchase decision — rather than a passive auto-charge — cuts the long-term cost significantly.

Who NordVPN is NOT right for — and why that honesty matters

NordVPN is built for the broad middle of the market — and that’s precisely where it stops being the right answer.

Journalists working under hostile governments, activists operating in countries like Iran or China, and security researchers handling sensitive sources need tools designed around operational security from the ground up. Tor routes traffic through multiple volunteer-run nodes specifically to frustrate traffic analysis. Mullvad accepts cash and Monero payments, requires no email address to sign up, and has a documented history of handing police investigators empty hands because there is genuinely nothing to hand over. NordVPN’s no-logs policy has passed independent audits, but it still requires an account, still processes payment data, and still operates within a commercial framework that serves 14 million users. That scale is a strength for most people and a liability for the few who need true anonymity.

The streaming use case deserves similar honesty. NordVPN unblocks Netflix US, BBC iPlayer, and several other major platforms reliably for most users most of the time — but “most” is doing real work in that sentence. Geo-detection technology from platforms like Disney+ and Amazon Prime Video evolves constantly, and performance varies by server, region, and week. Users in Southeast Asia or Latin America trying to access specific regional libraries report inconsistent results that rarely make it into the headline scores of positive reviews. If streaming access is your primary reason for buying a VPN, testing the specific platform and region you care about before committing to an annual plan is not optional advice.

The framing “recommend to most people” is not a hedge — it’s the most precise claim a reviewer can honestly make. It acknowledges that privacy needs are contextual, that no single product is universally optimal, and that the reviewer has drawn a real line between the majority case and the exceptions. When that qualifier disappears from a review, the review has stopped being useful and started being marketing.

AI-Assisted Content — This article was produced with AI assistance. Sources are cited below. Factual claims are verified automatically; uncertain claims are flagged for human review.
