Imperva a Thales company: Bad Bot Report 2025
News | 26.05.2025
Automated threats are rising at an unprecedented rate, with bad bots now making up 37% of all internet traffic. AI is not only being used by attackers to create more advanced, evasive bots that target APIs, exploit business logic, and fuel fraud, but it is also lowering the barrier to entry for attackers resulting in an increase in volumes of simple bot attacks. For the first time in a decade, automated traffic has surpassed human activity, accounting for 51% of all web traffic. Businesses must adapt their security strategies to keep pace with these increasingly sophisticated threats.
The 2025 Bad Bot Report offers critical insights into the latest trends in automated attacks, revealing how bad bots are infiltrating industries, bypassing security measures, and disrupting digital ecosystems. Discover key findings, industry-specific risks, and effective strategies to defend your applications, APIs, and customer data. Get the report now and stay ahead of advancing bot threats.
Artificial Intelligence fuels rise of hard-to-detect bots that now make up more than half of global internet traffic, according to the 2025 Imperva Bad Bot Report.
AI is driving the growth of more simple bot attacks by lowering the barrier to entry for prospective attackers, even those with limited technical ability. Thanks to generative AI tools and bots as a service (BaaS) platforms, even those with minimal skills can now launch an attack.
It’s also enabling more sophisticated bots that use machine learning to adapt to mitigation strategies and refine their attack techniques, returning repeatedly until they achieve their goal.
The resulting emergence of more sophisticated, evasive bad bots puts businesses at greater risk than ever before. As automated traffic volumes increase, security teams must adapt their approach to application security, facing increasing pressure to counter an evolving threat landscape.
The Bad Bot Report classifies bot attacks into three categories: advanced, moderate, and simple, according to the level of sophistication and the tactics used when attempting (or not) to evade detection. In 2024, simple bad bot traffic grew from just under 40% in 2023 to 45% in 2024, a significant increase that can be attributed to the growing adoption of AI.
In 2024, 44% of advanced bot traffic targeted APIs, compared to only 10% targeting applications. This highlights a deliberate shift by attackers toward API endpoints, which handle sensitive or high-value data and are the connective tissue of most modern businesses.
Financial services, business, telecom and healthcare are among the most targeted industries for bot attacks on APIs, accounting for over 75% of all API attacks. These sectors depend on APIs for critical operations and sensitive transactions, making them prime targets for sophisticated bot attacks.
Account takeover (ATO) attacks use malicious bots to gain unauthorized access and take over online user accounts through credential stuffing and cracking, leading to digital identity theft and financial losses for targeted organizations and consumers. In 2024 Account Takeover attacks increased by 40%, a surge likely driven by cybercriminals using AI and machine learning to enhance and optimize their techniques. Financial Services remains the top targeted industry for ATO attacks accounting for 22% of all ATO attacks in 2024.
As bots become more sophisticated and adept at mimicking human behavior, security teams face increasing challenges in differentiating between bots and real users. As the proliferation of AI tool usage grows, we see attackers’ evasion tactics constantly advance and evolve. The Bad Bot Report examines the most common evasion tactics used by attackers, such as using residential proxies, faking browser identities, AI-assisted scripting, headless browsers and anti-detection tools to evade detection.
Travel bypassed Retail in 2024 to become the most targeted industry, accounting for 27% of all bad bot attacks. The travel industry and airlines, in particular, face a real challenge from automated attacks intent on disrupting operations. In 2024, 48% of all web traffic to travel sites was made up of bad bots, with the remainder consisting of 47% human traffic and 5% good bot traffic. Simple bot attacks targeting the Travel sector account for 55% of all attacks, up from 34% in 2023, supporting the theory that AI is fueling a surge in simple bot activity. 41% of attacks were in the advanced category, and only 7% were considered moderate.
From data scraping to account hijacking, bad bots are now a persistent, costly threat to businesses. With AI accelerating their growth, organizations must act decisively adopting advanced mitigation strategies to protect against fraud, financial losses, and security risks.
Download a copy of the 2025 Imperva Bad Bot Report to learn more about the latest bot trends and how to protect your organization. The report also offers ten recommendations to mitigate bot attacks better.
Imperva is the leader in end-to-end digital security, dedicated to helping organizations protect their data and all paths to it. Customers around the world trust Imperva to protect their applications, data, and websites from cyber-attacks.
Contact Softprom experts for personalized consultation on Imperva solutions.
Softprom - Value Added Distributor of Imperva.
Share:
