Thales report reveals bots now account for 51% of all web traffic, surpassing human activity
# Industry News: AI-Driven Bots Dominate Web Traffic, Raising Security Alarms
## Summary
Automated bot traffic has surpassed human activity on the web for the first time in a decade, driven significantly by the increased use of AI and Large Language Models (LLMs) by threat actors. Bad bot traffic surged to 37% of total traffic, with sectors like retail and travel experiencing disproportionately high rates of malicious automated attacks.
## Key Details
- Date: Announced April 15, 2025 (Based on 2024 data)
- Companies Involved: Thales, Imperva (via the 2025 Imperva Bad Bot Report)
- Category: Market Analysis/Threat Report Release
## The Story
The 12th annual Imperva Bad Bot Report, powered by Thales, indicates a major shift in internet dynamics: 51% of all web traffic in 2024 was automated, marking the first time in ten years that bot activity outpaced human interaction. This rise is largely attributed to threat actors leveraging new AI and LLM technologies to create sophisticated and scalable malicious bots. The report tracked 13 trillion bad bot requests blocked across various industries. Malicious bot activity specifically accounted for 37% of total automated traffic. Notable bots making the list include ByteSpider (54% of AI-enabled attacks), Applebot (26%), ClaudeBot (13%), and ChatGPT User Bot (6%). Travel (41% of traffic attacked) and Retail (59% of traffic attacked) were identified as the most targeted industries by bad bots in 2024.
## Business Impact
### For the Companies Involved
- **Thales/Imperva:** This report reinforces their position as key authorities in bot mitigation and web security, providing valuable data that drives sales for their security solutions.
### For Competitors
- Competitors in the bot management and WAF space will need to swiftly benchmark their detection capabilities against the AI-driven bots highlighted (e.g., ByteSpider) to remain relevant.
### For Customers
- Businesses, especially in e-commerce and travel, face heightened risk from credential stuffing, inventory hoarding, and scraping activities, necessitating immediate reassessment and upgrading of bot defense mechanisms.
### For the Market
- The market trajectory for advanced behavioral analytics and AI-native defense solutions is accelerating rapidly, as traditional signature-based defenses are proving inadequate against LLM-powered automation.
## Technical Implications
The report highlights the operationalization of generative AI in offense, specifically naming sophisticated crawlers like ByteSpider and those related to major LLMs (ClaudeBot) as significant vectors for malicious automation. This signifies a shift from simple script-based bots to more adaptive, context-aware automated threats.
## Strategic Analysis
- **Market Positioning:** The finding solidifies the narrative that web application security is rapidly evolving into an arms race dominated by automation. Companies must pivot from treating bots as a nuisance to recognizing them as a primary threat vector alongside traditional malware.
- **Competitive Advantage:** Vendors who can effectively neutralize LLM-generated behavioral patterns will gain significant market traction.
- **Challenges:** Organizations face increased complexity in distinguishing legitimate automated tasks (like Google/Bing crawlers) from malicious bot activity, demanding greater investment in specialized, AI-powered detection tools.
## Industry Reactions
- **Analyst Opinions:** Industry analysts are likely emphasizing the need for organizations to move beyond legacy CAPTCHA and IP-based blocking, focusing instead on behavioral biometrics and anomaly detection calibrated against the new wave of GenAI-assisted threats.
- **Market Response:** Expect increased enterprise spending forecasts for advanced application security platforms capable of handling high-volume, sophisticated bot attacks.
## Future Outlook
- **Predictions and Expectations:** The trend suggests that malicious bot traffic will continue to grow as access to powerful LLMs democratizes offensive capabilities. Expect further blurring between seemingly legitimate crawler traffic and sophisticated attacks.
- **What to watch for:** Focus will shift to regulation, if any, around the malicious deployment of LLMs for cybersecurity disruption, and the corresponding development of defensive AI counterparts.
## For Security Professionals
Cybersecurity teams must immediately audit their current WAF/bot management solutions to ensure they can effectively analyze and mitigate traffic exhibiting patterns associated with ByteSpider, ClaudeBot, and other emerging AI-backed agents. Prioritize investment in runtime application self-protection (RASP) and advanced behavioral analytics that can spot subtle deviations from legitimate user interaction.