For the first time in the history of the internet, a monumental shift has occurred: automated systems, web crawlers, and artificial intelligence (AI) agents—collectively known as bots—now generate more traffic than real human beings. Recent global traffic reports reveal that automated activity has eclipsed human navigation. This paradigm shift is not merely a statistical curiosity; it is forcing a comprehensive redesign of cybersecurity systems, digital advertising metrics, and our very understanding of what it means to be "online."

The Tipping Point: 51% and Beyond

According to the 2025 Imperva Bad Bot Report, automated traffic accounted for 51% of all web traffic in 2024, marking the first time in a decade that bots have surpassed human activity [1]. This milestone was not reached overnight but is the result of a steady, multi-year climb. The growth rate is staggering: the 2026 State of AI Traffic & Cyberthreat Benchmark Report by HUMAN Security found that automated traffic across the internet grew roughly eight times faster than human traffic year-over-year [2].

The composition of this non-human traffic is complex. It includes "good bots," such as search engine crawlers (like Googlebot) and copyright monitors, which are essential for the internet's infrastructure. However, it also includes a rapidly growing segment of "bad bots"—malicious automated scripts designed for web scraping, credential stuffing, distributed denial-of-service (DDoS) attacks, and inventory hoarding.

The primary driver behind this unprecedented surge in bot traffic is the proliferation of Artificial Intelligence, specifically Large Language Models (LLMs) and "Agentic AI."

The Data Hunger of LLMs

The development of advanced AI models requires massive datasets. To feed these models, AI companies deploy aggressive web crawlers to scrape text, images, and data from across the internet. In 2025, AI-driven traffic accelerated sharply, with monthly volumes growing by 187% from January to December [3]. Notably, traffic spikes often correlate with the pre-release data collection cycles of major frontier models from companies like OpenAI, Google, and Anthropic [3].

The Rise of Agentic AI

Beyond mere data collection, the nature of bots is evolving. We are entering the era of "Agentic AI"—autonomous systems capable of navigating the web and executing complex tasks on behalf of users. These agents can research products, manage accounts, and even complete online shopping checkouts without direct human intervention.

According to HUMAN Security, traffic generated by these autonomous AI agents grew an astonishing 7,851% year-over-year in 2025 [3]. This means bots are no longer just reading the web; they are actively transacting on it.

The Impact on Cybersecurity

The dominance of bot traffic presents a severe challenge to traditional cybersecurity paradigms. Historically, security systems were designed to differentiate between a human user and a rudimentary automated script. Today, that line is increasingly blurred.

Lowering the Barrier to Entry for Cybercriminals

The accessibility of generative AI tools has democratized the creation of sophisticated bots. Less skilled threat actors can now leverage AI to write complex scripts, analyze failed attack attempts, and refine their techniques to evade detection [1]. This has led to a surge in "Bots-As-A-Service" (BaaS) platforms, commercializing malicious automation.

The API Vulnerability

Modern web architecture relies heavily on Application Programming Interfaces (APIs). Bots increasingly target these APIs because they often provide direct pathways to sensitive data and core business logic. In 2024, API-directed attacks surged to 44% of all advanced bot traffic [1].

The Blurring Line Between Benign and Malicious

The behavior of a legitimate AI shopping assistant and a malicious scalper bot can look virtually identical. Both navigate product pages, add items to a cart, and attempt to check out rapidly. Across billions of interactions, the behavioral difference between benign and malicious automation is sometimes as narrow as half of one percent [3]. This requires security systems to move beyond simple rate-limiting and CAPTCHAs, employing behavioral analysis and intent verification to determine why a bot is accessing a site.

Redefining Digital Advertising and Metrics

The advertising industry, which underpins much of the internet's economy, is facing an existential crisis due to the bot takeover. Digital advertising relies on metrics like impressions, clicks, and conversions—metrics traditionally assumed to represent human engagement.

When bots constitute the majority of traffic, the integrity of these metrics collapses.

Advertisers are increasingly demanding "bot-free" guarantees, forcing publishers and ad networks to invest heavily in advanced bot mitigation tools to prove the validity of their traffic. If an advertiser pays for 100,000 impressions, but 51,000 of those were served to automated scripts, the Return on Investment (ROI) is severely compromised.

Industry-Specific Impacts

The burden of bot traffic is not distributed evenly across the internet. Certain sectors are disproportionately targeted due to the value of the data or inventory they hold.

1. Travel and Hospitality: In 2024, the travel industry became the most attacked sector, accounting for 27% of all bot attacks [1]. Bad bots make up 41% of traffic in this sector, primarily driven by competitors scraping pricing data and malicious actors hoarding airline tickets or hotel rooms to resell at a premium.

2. Retail and E-commerce: Retail faces a massive 59% bad bot traffic share [1]. This is driven by inventory scalping (especially for high-demand items like electronics or sneakers), price scraping, and automated checkout agents.

3. Streaming and Media: These platforms are heavily targeted by credential stuffing attacks, where bots use stolen username/password combinations to take over premium accounts and resell them

   on the dark web.

The Future: Navigating the Agentic Web

The internet has fundamentally changed. The assumption that a web request originates from a human sitting at a keyboard is no longer valid. As we move deeper into the era of Agentic AI, the volume of automated traffic will only continue to grow.

This is not necessarily a dystopian future. "Good bots" and AI agents have the potential to automate tedious tasks, find the best deals, and streamline our digital lives. However, realizing this potential requires a robust framework for digital trust.

Organizations must adapt by:

• Upgrading Security Postures: Moving away from static defenses (like IP blocking) toward dynamic, AI-driven behavioral analysis capable of discerning intent.

• Protecting APIs: Implementing strict authentication, rate limiting, and anomaly detection specifically tailored for API endpoints.

• Rethinking Metrics: Developing new KPIs that focus on verified human engagement and authenticated transactions rather than raw traffic volume.

The internet is now a machine-to-machine ecosystem where humans are the minority. Adapting to this reality is the defining challenge for the next decade of digital innovation.

References

[1] Thales Group. (2025). Artificial Intelligence fuels rise of hard-to-detect bots that now make up more than half of global internet traffic, according to the 2025 Imperva Bad Bot Report. Retrieved from https://cpl.thalesgroup.com/about-us/newsroom/2025-imperva-bad-bot-report-ai-internet-traffic

[2] CNBC. (2026). AI and bots have officially taken over the internet, report finds. Retrieved from https://www.cnbc.com/2026/03/26/ai-bots-humans-internet.html

[3] HUMAN Security. (2026). Measuring the AI-Driven Internet with The 2026 State of AI Traffic & Cyberthreat Benchmark Report. Retrieved from https://www.humansecurity.com/learn/blog/ai-traffic-growth-2025-key-findings/