What resy.com was observed using to filter automated traffic, and what IP class legitimate large-scale data collection tends to require. Reviewed July 2026.
Determined from public HTTP response signatures (cookies, headers and challenge assets), reviewed July 2026. Providers change their stack over time - verify current behavior yourself. This is read-only technical reference, not a bypass guide.
Enterprise bot management that scores IP reputation and browser signals before the page renders. Datacenter IPs are blocked wholesale and pooled residential ranges are increasingly pre-flagged.
Real mobile-carrier (4G/5G) IPs are the most durable class here, because carrier CGNAT is shared with millions of legitimate phone users and cannot be blocklisted wholesale.
Reservations & Dining: Reservation platforms defend table availability because automated hoarding and resale of bookings is a recognized abuse pattern, so they apply account gating, device checks, and sensitive rate limiting. Legitimate availability and market research needs city-accurate mobile IPs, low request rates, and strict adherence to platform terms.
Imperva (historically Incapsula) is an enterprise cloud security platform that combines a web application firewall, CDN, DDoS mitigation, and advanced bot protection, the latter built in part on technology from Imperva's acquisition of Distil Networks. It deploys as a reverse proxy in front of the origin: a site's DNS points at Imperva's edge network, so every request is inspected and classified before it can reach the protected application. It is common on enterprise, e-commerce, financial, and reservation-style properties, and appears in our registry on sites such as Resy.
Full Imperva (Incapsula) referenceGoogle reCAPTCHA is Google's widely deployed CAPTCHA and risk-scoring service, embedded by site owners as a JavaScript widget or invisible script on forms, logins, signups, and other sensitive flows. It sits at the application layer as a challenge and scoring gate: the protected site receives a token or score from Google and decides server-side whether to allow, add friction to, or reject the request. It appears across many verticals, including sites in our registry such as Funda, Resy, and LinkedIn.
Full Google reCAPTCHA referenceResponsible use. This page describes the defense that exists, not how to defeat it. Always respect Resy's robots.txt, Terms of Service and applicable law, and collect only data you are permitted to. We do not provide site-specific bypass instructions.
Data Works is our done-for-you web-data service: you send the URLs and fields, we run the collection on real 4G/5G carrier IPs and deliver clean, QA-checked CSV / JSON / API data. Prefer to run it yourself? The same carrier IPs are self-serve from $4/GB.
Yes. As of July 2026, resy.com was observed running Imperva (Incapsula), reCAPTCHA. Enterprise bot management that scores IP reputation and browser signals before the page renders. Datacenter IPs are blocked wholesale and pooled residential ranges are increasingly pre-flagged.
Real mobile-carrier (4G/5G) IPs are the most durable class here, because carrier CGNAT is shared with millions of legitimate phone users and cannot be blocklisted wholesale. Whatever you use, respect Resy's robots.txt and Terms of Service and collect only what you are permitted to.
Your browser runs from a home or mobile IP with clean reputation; a scraper on a datacenter or heavily-reused IP is scored and blocked before the page renders. Same request, different IP verdict.
Sometimes on lighter targets. Against enterprise bot management, pooled residential ranges are increasingly pre-flagged because the same IPs are resold to many users. Real mobile-carrier IPs are the more durable class because carrier CGNAT is shared with millions of legitimate phone users.