Thales (Imperva) Bad Bot Report 2026

News | 05.06.2026

Global internet traffic has officially ceased to be a space dominated by humans. According to data from the thirteenth annual study published in the Imperva - Bad Bot Report April 2026, automated programs generated a record 53% of all search and network requests over the past 12 months. The share of human activity dropped to 47%, marking a fundamental structural shift in how digital services consume infrastructure resources.

The primary driver of this rapid transformation has been the widespread adoption of artificial intelligence. AI is no longer just a supporting tool for cybercriminals—it is now deeply integrated into the very infrastructure of the internet, giving rise to advanced AI agents. These agents are capable of learning, mimicking legitimate users, and bypassing traditional IT security systems within a matter of hours.

The distinction between legitimate and malicious automation is becoming increasingly blurred. Next-generation bots utilize valid browser environments, closely replicate human behavior logic, and interact through the exact same API endpoints that power core business applications.

Global statistics: digital threats in numbers

The sheer scale of robotic activity exerts continuous background pressure on corporate networks and enterprise IT infrastructure. The Imperva - Bad Bot Report April 2026 highlights the following critical indicators of automated presence:

  • 17.2 trillion — the total number of malicious bot requests blocked by Thales global security systems throughout the year.
  • 40% of all internet traffic is generated by bad bots alone, a 3-percentage-point increase over the previous year's figure.
  • A 12.5-fold increase in the number of detected and mitigated AI-driven attacks, bringing the daily average of blocked AI incidents from 2 million to 25 million.
  • 21% of all mitigated cyberattacks map directly to OWASP automated threat categories.

The anatomy of AI traffic: crawlers vs. fetchers

With the rise of generative AI and large language models (LLMs), automated traffic has diverged into three categories: traditional good bots (such as search indexers), bad bots, and autonomous AI agents that perform tasks directly through applications on behalf of users. Today, detectable and declared AI traffic is divided into two key groups:

  • AI Crawlers (85% of AI traffic): Systematically scan web resources to gather data for model training. The largest sources include Meta-External Agent (44%), Apple Bot (23%), and Bytespider Bot (13%).
  • AI Fetchers (15% of AI traffic): Retrieve specific content in real time in response to direct user prompts. This category is dominated by ChatGPT-User with an 88% share, followed by PerplexityBot AI (7%) and Google-CloudVertexBot (4%).

The danger lies in the fact that their operational patterns frequently intersect with hacking techniques. The report's statistics reveal that 10.8% of AI fetcher sessions and 8.8% of AI crawler sessions triggered bad bot detection rules, while 4% of crawler requests triggered DDoS defense mechanisms.

API vulnerability and application business logic attacks

Attackers are increasingly moving away from compromising user interfaces and designing campaigns that target APIs from the outset. Last year, 27% of all bot attacks were directed straight at API endpoints. Such bots bypass the frontend entirely, presenting valid authentication and well-formed requests, so the anomalies are virtually invisible to traditional web filters. Among the most common threats targeting APIs are data leakage (26%), business logic abuse (13%), and remote code execution / remote file inclusion (RCE/RFI, 13%).

Industry-specific automated attacks

Striking the financial sector

  • Total attack volume: Financial Services was the primary target for overall bot attack volume, accounting for 24% of all malicious bot incidents.
  • Account Takeover (ATO): Financial institutions accumulated 46% of all global account takeover incidents. Cybercriminals heavily exploit credential reuse (credential stuffing) against authentication APIs, despite the widespread adoption of MFA.
  • Threat specificity: Bots have embedded themselves deeply within financial infrastructure, interacting directly with core APIs and identity services that power digital banking and transactional operations.

Pressure on retail and travel

  • Business logic abuse: The Retail and Travel sectors lead in targeted business logic attacks, accounting for 24% and 17% of such incidents respectively.
  • Artificial scarcity: In airlines and retail, bots deploy seat spinning and denial-of-inventory tactics—hoarding items or booking tickets in carts without completing the purchase. This distorts demand signals and prevents legitimate customers from completing transactions.
  • Price scraping: High-frequency fetch-style bots continuously scrape product pages for pricing and promotions, undermining marketing strategies and dynamic capacity planning.

Key technological differences in defense approaches

Traditional security tools (WAF and Rate Limiting)

  • Operational principle: Rely on analyzing surface-level signals, such as User-Agent strings, basic IP reputation, and static rate limiting thresholds.
  • Effectiveness against AI bots: Extremely low. Static thresholds fail because advanced bots constantly mutate their behaviors and iterate faster than defenders can manually reconfigure rules.
  • Business risks: High rates of false positives (blocking real humans) or missing low-noise, persistent automated attacks targeting sensitive application workflows.

Imperva Advanced Bot Protection platform

  • Operational principle: Utilizes advanced browser and device fingerprinting alongside behavior-based monitoring and session consistency analysis across entire multi-step user journeys.
  • Effectiveness against AI bots: High. The platform maintains persistent identification to track bot activity across multiple sessions, even if attackers rotate devices, fingerprints, or residential proxy IPs.
  • Business advantages: Minimizes friction for real customers, provides granular visibility into AI tools, crawlers, and fetch agents, and protects critical API endpoints without compromising performance.

Thales technological response: capabilities of Imperva Advanced Bot Protection

To counteract next-generation automated threats, Thales offers a comprehensive solution—Imperva Advanced Bot Protection (ABP), which seamlessly integrates into a unified application security framework. The platform enables a paradigm shift from pure defensive blocking to proactive traffic governance:

  • Multi-layered detection and fingerprinting: Deep client-side analysis validates hundreds of attributes to uncover sophisticated bot frameworks mimicking standard browser identities like Google Chrome (41%) or Android Browser (17%).
  • Residential proxy identification: The system evaluates propagation patterns and timing inconsistencies to successfully isolate bots routing their traffic through legitimate mobile and residential ISP networks.
  • API and business logic security: Imperva ABP inspects payload data and transaction-level behaviors in real time, stopping unauthorized scraping, parameter manipulation, and business workflow abuse.
  • Adaptive challenge mechanisms: In place of traditional CAPTCHAs easily cracked by AI tools, the platform uses adaptive challenge mechanics like computational Proof-of-Work to drastically increase attack costs while maintaining a smooth user experience.
  • Synergy with Account Takeover Protection (ATO): Together, ABP and ATO provide a dual layer of protection: ABP mitigates automated bulk traffic, while ATO utilizes deep behavioral analysis to flag subtle deviations in individual user sessions that signal fraudulent account takeover.

Real-world mitigation use cases: the financial cost to businesses

Case 1. Health insurance provider hit by an SMS pumping attack

A global health insurance provider fell victim to a sustained automated attack hitting its SMS-based two-factor authentication. Bots triggered continuous one-time password (OTP) API requests using automated accounts created with disposable or temporary email addresses. The bot activity caused a massive surge in outbound SMS messages sent to invalid regions completely outside the vendor's customer base. While no user data was breached, the attack hit the business financially: over a 20-day period, the company racked up approximately $300,000 in telecom SMS charges. Implementing automated bot detection models and rate limiting at the API layer allowed the firm to close the vulnerability.
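As an added illustration of the API-layer mitigation described in Case 1 (example code written for this summary, not code from the report or from Imperva): a guard for an OTP-send endpoint that rejects destinations outside the customer base and accounts registered with disposable email domains, and applies a per-IP sliding-window rate limit, replayed over constructed sample log events. The allowed-region set, the disposable-domain list and the rate thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample OTP-request events, not taken from the report:
# (timestamp in seconds, source IP, account email, destination country code)
SAMPLE_OTP_EVENTS = [
    (0, "198.51.100.7", "alice@example.com", "US"),
    (1, "203.0.113.9", "u1@example.net", "US"),
    (2, "203.0.113.9", "u2@example.net", "US"),
    (3, "203.0.113.9", "u3@example.net", "US"),
    (4, "203.0.113.9", "u4@example.net", "US"),
    (5, "203.0.113.9", "u5@tempmail.example", "US"),
    (6, "203.0.113.9", "u6@example.net", "ZZ"),
    (30, "198.51.100.7", "alice@example.com", "US"),
    (70, "203.0.113.9", "u7@example.net", "US"),
]

# Placeholder policy data (assumptions): a real deployment would load the
# insurer's actual customer-base regions and a maintained disposable-domain feed.
ALLOWED_REGIONS = {"US", "GB", "DE"}
DISPOSABLE_DOMAINS = {"tempmail.example"}

class OtpGuard:
    """Region and email checks plus a per-IP sliding-window send limit."""

    def __init__(self, window_s=60, max_per_window=3):
        self.window_s = window_s
        self.max_per_window = max_per_window
        self._sent = defaultdict(deque)  # source IP -> timestamps of allowed sends

    def decide(self, ts, ip, email, country):
        """Return (allowed, reason) for one OTP request, checks in this order."""
        if country not in ALLOWED_REGIONS:
            return False, "destination outside customer base"
        if email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
            return False, "disposable email domain"
        recent = self._sent[ip]
        while recent and ts - recent[0] >= self.window_s:  # expire sends outside the window
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return False, "per-IP OTP rate limit exceeded"
        recent.append(ts)  # only messages that actually go out count toward the limit
        return True, "ok"

def evaluate(events, window_s=60, max_per_window=3):
    """Replay a log through the guard; returns [(ip, allowed, reason), ...]."""
    guard = OtpGuard(window_s, max_per_window)
    return [(ip,) + guard.decide(ts, ip, email, cc) for ts, ip, email, cc in events]
```

Blocked requests should also be logged with their reason, since a sudden rise in "destination outside customer base" rejections is itself the detection signal for this kind of campaign.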

Case 2. Securing banking credentials from ATO attacks

A financial institution detected a sudden, abnormal surge in automated login requests aimed at its customer authentication APIs. Because baseline bot mitigations were not configured at the time, the brute-force traffic initially penetrated standard system defenses. Collaborating with Security Analyst Services, the bank quickly deployed Imperva Account Takeover Protection alongside custom Advanced Bot Protection rules. These controls evaluated session behaviors, isolated automated anomalies from expected customer login patterns, and halted the fraud campaign—ultimately shielding the bank from long-term financial losses and severe regulatory enforcement actions under GDPR, DORA, and PSD2.