Do you actually need a VPN? A threat-model guide
By Nadia Rahman · · 7 min read
The honest answer is: it depends on what you are trying to protect and from whom. Some people get real value from a VPN; others would be better off spending that money and attention on passwords and account security. The fastest way to know which group you are in is to think through your own threat model — and it takes about ten minutes.
Start with a threat model, not a product
"Threat model" sounds technical, but it is really just three plain questions:
- What am I protecting? Your browsing history, your location, your accounts, your messages, your identity?
- Who might want it, and what could they do? Your ISP profiling you, someone on the same Wi-Fi, advertisers, a stalker, a scammer?
- What can I realistically do about it? Which tools and habits actually address that specific risk?
Answer those honestly and the right tools fall out naturally. Crucially, this stops you buying something that does not match your actual problem — which is how a lot of people end up with a VPN they barely need while their real weak spot is a reused password.
When a VPN genuinely helps
You use public or untrusted Wi-Fi often
If you regularly work from cafés, airports, hotels or shared spaces, a VPN encrypts your traffic on networks you do not control. This is the strongest everyday case for a VPN, and a sensible reason to keep one installed.
You do not want your ISP profiling your browsing
Depending on where you live, your internet provider may log and even monetise the sites you visit. A reputable VPN takes that visibility away from your ISP. Remember the trade-off, though: you are handing that visibility to the VPN provider instead, so it has to be one you trust.
You travel and need services from home
If you travel and want your usual region's services, or simply want to avoid revealing your location to every site you visit, changing your apparent location with a VPN is useful. Always stay within the terms of the services you use.
When a VPN is the wrong tool
If your real worries are any of the following, a VPN will not fix them:
- Phishing and scams. A VPN cannot tell that a login page is fake. Caution and a password manager help far more.
- Malware. Encryption does not scan downloads. Keep software updated and be careful what you install.
- Tracking by accounts you log into. Signed-in platforms know who you are regardless of your IP. See how websites track you for what actually reduces this.
- Your data already published by brokers. A VPN does nothing about listings that already exist. Our guide on removing your data from data brokers covers that.
Match common situations to the right move
| Your situation | Does a VPN help? | Better first step |
|---|---|---|
| Frequent café / airport Wi-Fi | Yes, clearly | Install a trustworthy VPN |
| Worried about ISP profiling | Yes | Choose an audited no-logs VPN |
| Keep getting phishing emails | No | 2FA + a password manager |
| Targeted ads follow you around | Mostly no | Browser settings + tracker blocker |
| Your details are on broker sites | No | Opt out of data brokers |
Build the foundation first
Whatever your threat model, a few basics protect you against the most common threats, and they cost little or nothing. Use strong, unique passwords for every account — a dedicated password generator makes that painless. Turn on two-factor authentication wherever it is offered. Keep your devices and browsers updated. Treat unexpected links and attachments with suspicion. These habits stop more real-world harm than any single product.
If you decide a VPN is worth it
If your threat model points to a VPN, the next question is which one — and that is where many people get steered wrong by paid "top 10" lists. Judge providers on independent audits, a genuine no-logs policy, transparent jurisdiction and ownership, and a working kill switch. Our how-to-choose-a-VPN guide turns that into a short checklist you can run on any provider. And before you trust a free one, read the hidden risks of free VPNs.
Frequently asked questions
What is a threat model in simple terms?
A threat model is just a clear answer to three questions: what are you protecting, who might want it, and what can you realistically do about it. It keeps you from buying tools you do not need and from ignoring risks you do face.
Do I need a VPN if I only browse at home?
Not necessarily. At home, a VPN mainly stops your internet provider profiling your browsing. If that matters to you, a VPN helps. If your bigger worries are accounts, passwords or tracking, your effort is better spent there first.
Is a VPN enough on its own?
No. A VPN is one layer. Strong, unique passwords, two-factor authentication, software updates and scepticism about links protect you against far more common threats. Treat a VPN as a useful add-on, not the whole plan.
When does a VPN not help at all?
A VPN does not stop phishing, malware, or tracking by accounts you are logged into. It also does not make you anonymous. If those are your concerns, a VPN is the wrong tool and you should focus on habits, settings and account hygiene instead.
This article is general online-safety education, not professional security advice.