Test Like an Attacker.
Real Carrier Egress.

Cloudflare, Akamai, AWS Shield, and most enterprise WAFs treat AWS/GCP/Azure egress as hostile by default. Your scanner gets blocked before the first real probe lands.

Modern threat models include attackers operating from compromised consumer devices on real carrier networks. Pentesting from a datacenter never exercises that path.

Apps that serve different code, auth flows, or payment options to mobile-carrier traffic vs. corporate IPs leave you blind to entire risk surfaces if you only test from cloud.

Clients pay for DataDome, PerimeterX, and Imperva but never see them under real adversary conditions. You need carrier-grade traffic to validate detection vs. evasion.

Egress from genuine consumer mobile ASNs (AT&T, T-Mobile, Verizon) — exactly what client SIEMs see from real users. Validates that detection rules aren't over-fitted to datacenter ranges.

Per-proxy fingerprint override: present as iOS 17 Safari, Android 14 Chrome, macOS, Windows, or passthrough Linux. Match the OS your scenario expects so MSS/window/TTL signals don't betray you.

No pooled residential IPs. One license = one modem = one customer. Your traffic never collides with other testers or with bot-net residue from a shared pool.

Hit different geographic egress points to test geo-fenced controls, regional auth flows, and city-specific fraud rules. Useful for CDN cache-poisoning and geo-bypass research.

Rotate IPs between probes to test rate-limiting, account-lockout thresholds, and detection windows. Useful for credential-stuffing simulations and brute-force readiness checks.

Works with Burp Suite, ZAP, Caido, sqlmap, ffuf, nuclei, mitmproxy, and any tooling that accepts a proxy URL. SOCKS5 lets you tunnel TCP-level scans (nmap, masscan within carrier-acceptable rates).

Sign up at relaykit.net and fund your balance.

Pick a US city + carrier matching your scenario. Multi-Location lets you switch cities mid-engagement on Verizon.

From the proxy card → Manage → Fingerprint. Pick iOS 17, Android 14, macOS 14, Windows 11, or Linux passthrough to match the threat model.

Drop credentials into Burp upstream proxy, ZAP, or pipe through SOCKS5 for CLI scanners. Rotate IPs between scan phases as your test plan dictates.

RelayKit proxies are for authorized testing only — scope must come from the asset owner (signed engagement letter, bug bounty program rules, or your own infrastructure). Same legal posture as any other commercial proxy or VPN. Our AUP prohibits unauthorized intrusion; engagements outside scope are your liability, not ours. Stay within scope and you're fine.

SOCKS5 supports TCP-level scanning, but stay within reasonable consumer-grade rates. Carrier networks throttle aggressive scans and will rotate your IP off the pool if a tower flags you. For light recon (nmap top-1000, masscan low-rate, nuclei), it's fine. For heavy port sweeps, use a VPS as the source and only proxy the targeted-protocol traffic.

It defeats the IP+TCP-stack inference layer (the one that flags "iOS user-agent on a Windows TCP stack" mismatches). It does NOT defeat TLS fingerprinting (JA3/JA4) or browser-side fingerprinting — those are client-controlled. Pair the proxy with a mobile-fingerprint browser stack (e.g., RelayKit Cloud Browser with Extra Stealth) to cover both layers.

Most programs accept "real consumer egress" — mobile carrier IPs qualify and are arguably stronger than residential since they map to real device traffic. Always check program rules; some explicitly require residential ISP IPs, in which case mobile won't satisfy that clause. When in doubt, ask the program triagers.

Your home IP exposes your real identity and ties findings to you personally — a privacy issue and an OPSEC risk. RelayKit gives you carrier egress without the attribution. Also: you can rotate per scan phase, switch cities, and run multiple parallel proxies — none of which work cleanly off a single home connection.

Get Pentest Proxies

Open an account, top up the minimum, and run your first op in minutes.