Bad Bots in the Agentic Age: What the 2026 Thales Bad Bot Report Reveals
The post Bad Bots in the Agentic Age: What the 2026 Thales Bad Bot Report Reveals appeared first on Thales CPL Blog Feed.
josh.pearson@t… Thu, 04/30/2026 – 07:31
The modern internet is becoming less human by the day. Bot traffic is increasing, and human traffic is shrinking. Malicious automated traffic is getting harder to spot.
The Thales 2026 Bad Bot Report, now in its 13th consecutive edition, is the most significant yet, as AI agents accelerate a permanent shift toward machine-driven internet activity. It breaks down how AI – and specifically AI agents – have transformed the internet, accelerating bot activity, complicating detection and monitoring to unprecedented levels, and putting businesses in jeopardy.
Here are some of the key insights from this year’s report.
Automation Is Now the Default State of the Internet
It’s a strange and dangerous time to be online.
Bots now account for 53% of all internet traffic. Bad bots alone account for 40%, rising 3% from last year. That means two-fifths of all internet traffic is actively malicious, enabling automated cyber crime, fraud, and business logic abuse. In 2025, Thales blocked 17.2 trillion bad bot requests. What’s to blame for this rise? You guessed it – AI.
From 2024 to 2025, Thales observed a more than tenfold increase in daily AI-driven bot attacks, rising from just 2 million to 25 million. And yet, remarkably, that growth wasn’t even the most significant change 2025 brought. The more fundamental shift is the normalization of AI-driven automation within internet infrastructure, which changes how businesses must manage risk, performance, and trust.
AI Agents: The Third Category Changing Everything
In previous years, Thales split bots into two categories: good bots and bad bots. However, over the past year, the landscape has changed so significantly that we’ve had to introduce a third category of automated traffic: AI agents.
These agents browse websites, gather data, and complete tasks for users. Agents are built into browsers, search platforms, and enterprise tools, and they interact directly with applications and APIs. As a result, automated activity that once raised red flags now blends in with legitimate use, making detection and monitoring much harder.
To complicate matters further, detectable AI traffic represents just a fraction of total AI-enabled activity. Attackers can deploy self-hosted LLMs that don’t identify themselves, which creates a visibility gap between what organizations can detect and the true scale of AI-enabled activity.
In short, what’s observable today represents only a fraction of the total attack surface.
APIs Are the New Front Line
APIs are the backbone of the modern internet and are growing more important by the day. That importance makes them a critical exposure point for automated threats.
Our threat intelligence reveals that cybercriminals are increasingly designing API-first campaigns. Bots bypass user interfaces (UI) and interact directly with backend services using well-formed, authenticated requests. Most web layer controls fail to spot them, and attackers operate at a scale and speed far beyond human capability.
As a result, attackers are exploiting API-specific vulnerabilities more often. The most common threats to APIs include:
Data Leakage (26%)
Remote Code Execution/Remote File Inclusion (13%)
Business Logic (13%)
Automated Attack (8%)
Path Traversal/Local File Inclusion (7%)
At the same time, a new class of AI-driven fetcher bots – designed to take actions rather than simply crawl – is actively interacting with APIs to execute workflows and probe backend logic.
These findings signal a shift toward automated, API-level exploitation rather than surface-level scanning.
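The API-first pattern described above, where requests go straight to backend endpoints without the page loads a UI-driven session would produce, can be surfaced from access logs. The following Python is an added example, not taken from the Thales report; the log format, the `/api/` prefix, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO timestamp, session id, method, path.
SAMPLE_LOG = """\
2026-04-30T10:00:00 sess-a GET /products/42
2026-04-30T10:00:01 sess-a GET /static/app.js
2026-04-30T10:00:02 sess-a GET /api/v1/price?sku=42
2026-04-30T10:00:40 sess-a POST /api/v1/cart
2026-04-30T10:00:00 sess-b GET /api/v1/price?sku=1
2026-04-30T10:00:01 sess-b GET /api/v1/price?sku=2
2026-04-30T10:00:02 sess-b GET /api/v1/price?sku=3
2026-04-30T10:00:03 sess-b GET /api/v1/inventory?sku=3
2026-04-30T10:00:04 sess-b GET /api/v1/price?sku=4
2026-04-30T10:00:00 sess-c GET /api/v1/price?sku=9
"""

API_PREFIX = "/api/"  # assumption: backend endpoints live under /api/


def api_only_sessions(log_text, min_api_calls=5, max_seconds_per_call=2.0):
    """Return {session: stats} for sessions that hit the API repeatedly
    and quickly without ever loading a UI page or asset."""
    sessions = defaultdict(lambda: {"ui": 0, "api_times": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        ts, sid, _method, path = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # unparseable timestamp
        if path.startswith(API_PREFIX):
            sessions[sid]["api_times"].append(when)
        else:
            sessions[sid]["ui"] += 1

    flagged = {}
    for sid, s in sessions.items():
        times = sorted(s["api_times"])
        if s["ui"] > 0 or len(times) < min_api_calls:
            continue  # session loaded the UI, or too few calls to judge
        span = (times[-1] - times[0]).total_seconds()
        pace = span / max(len(times) - 1, 1)  # mean gap between API calls
        if pace <= max_seconds_per_call:
            flagged[sid] = {"api_calls": len(times), "seconds_per_call": pace}
    return flagged
```

This check only catches sessions that skip the UI entirely; automation driving a real browser loads pages as well and will pass it, so it is one behavioural signal among several rather than a complete control.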
Industries Hit Hardest by Bot Attacks
Not all industries suffer bot attacks at the same scale or frequency.
The Sports industry, for example, accounted for a tiny 0.1% of all bot attacks in 2025. At the other end of the scale, the Financial Services and Business sectors accounted for 24% and 19% of bot attacks, respectively.
Financial Services’ position should come as little surprise. It consistently appears among the most targeted sectors over the years. For attackers, the potential rewards are lucrative, and the APIs that underpin online banking make it an attractive target.
What has changed, however, is how automated traffic is now embedded within financial infrastructure. Bots used to merely test the edges of financial systems. Today, they interact directly with the same APIs, identity services, and workflows that power core customer transactions and digital banking operations.
Notably, Financial Services didn’t top the list for sectors most targeted by AI-driven bots. That spot is reserved for the Retail sector – particularly retailers with dynamic pricing, limited inventory, or high-demand promotions. AI-driven bots interact directly with APIs, continuously monitoring availability, pricing, and promotions at scale.
By bypassing the user interface and querying backend services directly, bots can operate at high frequency with minimal friction. This allows attackers to rapidly identify pricing discrepancies, inventory gaps, or promotional logic weaknesses, turning what appears to be normal API traffic into a scalable exploitation tool for retail platforms.
A New Defensive Challenge Emerges
For organizations, the problem is no longer simply identifying bots; it’s distinguishing between automation that drives the business and automation that exploits it.
Traditional, surface-level signals like IP reputation, user-agent strings, and rate limiting aren’t enough to stay safe in today’s world. Bad bots now operate through legitimate browsers, valid fingerprints, residential proxies, and human-like interaction patterns. As a result, bad bots blend seamlessly into normal traffic.
Organizations have a clear path forward. By treating APIs as critical infrastructure, adopting adaptive defenses that learn alongside evolving bot behavior, and combining AI-driven detection with human expertise, they can strengthen resilience and unlock more secure, seamless digital experiences.
Download the 2026 Thales Bad Bot Report for unparalleled insight into the bad bot landscape, and more recommendations on how to lock your digital doors against them.
April 30, 2026
*** This is a Security Bloggers Network syndicated blog from Thales CPL Blog Feed authored by [email protected]. Read the original post at: https://cpl.thalesgroup.com/blog/application-security/bad-bots-in-the-agentic-age
