SAN FRANCISCO – The checkout page where you entered your credit card last week was almost certainly being tested by a bot at the same time. So was the airline booking form you used, the account login you completed, and the news article you opened. In 2025, for the second consecutive year, automated software generated more internet traffic than human beings – and the gap is no longer narrow.
The 2026 Imperva Bad Bot Report, compiled by Thales and based on traffic data collected throughout 2025, puts bots at 53% of all global web traffic. Humans account for the remaining 47%, a proportion that has been shrinking each year. In 2024 the split was 51-49. The trajectory is unambiguous.
What that number actually represents matters more than the headline figure itself. The 53% divides into two very different populations. Thirteen percent is what the industry classifies as “good bots”: search engine crawlers, uptime monitoring tools, and the AI scrapers that feed large language models their training data. The remaining 40% – up from 37% in 2024 and the seventh consecutive annual increase – is bad-bot traffic: software built to steal account credentials, scalp concert tickets, scrape pricing data for competitors, overwhelm servers, or commit payment fraud at industrial scale.
Stu Solomon, chief executive of HUMAN Security, a cybersecurity firm whose platform processed more than a quadrillion interactions last year, put it directly. “The internet as a whole was created with this very basic notion that there’s a human being on the other side of the computer screen,” Solomon told CNBC. “And that notion is very rapidly being replaced.” His company’s own State of AI Traffic report, released in March, found that automated traffic grew nearly eight times faster than human activity in 2025.
The structural problem this creates is one the internet was not designed to solve. When a clothing retailer sees a surge in sessions on a product page, the standard assumption is that customers are interested. But if those sessions are bots stress-testing the page, or competitors scraping the price, the data reads the same way to any analytics platform not specifically equipped to distinguish them. Businesses make restocking decisions, ad spend adjustments, and fraud-threshold calibrations based on traffic signals that are, by majority, not generated by the people they think they are serving.
The AI industry, which has positioned itself as the answer to most problems of digital efficiency, is also the primary engine of the bot surge. According to HUMAN Security’s benchmark data, OpenAI generated approximately 69% of all observed AI bot traffic in 2025. Meta accounted for roughly 16%, and Anthropic roughly 11%. The companies building the tools that companies use to automate their work are themselves responsible for the largest share of automated traffic flowing across the open web – often without the explicit knowledge of the site operators whose bandwidth and infrastructure absorb it.
Three industries absorbed more than 95% of AI-driven traffic last year: retail and e-commerce, streaming and media, and travel and hospitality. These are the sectors where structured, frequently updated data – product prices, flight availability, show listings – has the highest commercial value to AI systems that need current information to answer user queries. The cost of that data collection is borne almost entirely by the sites being crawled, not by the companies doing the crawling.
Cloudflare, which sits between vast portions of the web and the open internet, provided its own measurement in June. According to NBC News, Cloudflare found that 57.4% of requests to a selection of websites it hosts are now automated, with human-generated requests at 42.6%. The Cloudflare figure is higher than Imperva’s because the two measure different populations of traffic, but both point in the same direction. The internet is no longer predominantly a human medium.
What distinguishes the 2025 data from prior years is not the volume but the sophistication. Thales, in its Bad Bot Report, notes that AI-driven bot attacks surged 12.5 times year-over-year, with the daily average of blocked attack attempts rising from two million to 25 million. The techniques have evolved accordingly. Bad bots now commonly declare themselves to be Google Chrome – 41% of malicious bot traffic in 2025 claimed to be Chrome, up from 39% the year before – because that is the browser profile least likely to trigger a block. Older defenses built on checking which browser a visitor claims to be have become almost entirely useless against this approach.
The emergence of agentic AI is making the detection problem structurally harder. A traditional scraping bot repeated a fixed sequence of actions. An AI agent navigating a website plans its route, adapts when it encounters a login wall or a CAPTCHA, and mimics the hesitation patterns and cursor irregularities that once served as reliable markers of human presence. Filippo Menczer, a professor of informatics and computer science at Indiana University, noted that measuring bot traffic involves significant uncertainty because “these are very noisy estimates” – a point that applies equally to the threat and to any defense against it.
What Thales blocked is known: 17.2 trillion bot requests in 2025. What passed through undetected is, by definition, not in the data. The modified or self-hosted AI models that can be configured to avoid announcing themselves as automated agents are not captured in any of the major reports. The measurable AI traffic may be a fraction of the real exposure.
The question underneath all of it – whether the internet can function as a commercial, social, and informational infrastructure when the majority of its participants are not people – does not yet have an answer. What does have an answer, provisionally, is the direction of travel. Bad bot traffic has grown every year for seven consecutive years. AI agent traffic grew nearly 7,851% year-over-year, according to HUMAN Security. The Cloudflare CEO has said he expects bot traffic to exceed human traffic across the entire web by 2027.
For anyone building a website, running an online store, or simply trying to understand whether the traffic to their platform reflects real human interest, the honest answer is: probably not entirely. The tools for finding out how much of it is real are less reliable than anyone would like to admit. That gap – between what traffic signals appear to say and what they actually measure – is where fraud scales, where AI training data gets extracted, and where the basic economic logic of the open web is quietly being renegotiated.
