For the first time in a decade, bot traffic has officially surpassed human activity on the internet, according to the recently published 2025 Imperva Bad Bot Report by Thales. This milestone marks a significant shift in the digital landscape, with automated traffic now accounting for 51% of all web activity. Even more concerning is that malicious bot traffic has surged from 32% to 37% over the past year alone.

Why This Matters

This shift represents more than just an interesting statistical milestone. It fundamentally changes how we must think about web security, application design, and digital infrastructure. The internet was originally built for human-to-human interaction, but we're now operating in an environment where machine-to-machine communication dominates.

The surge in malicious bot activity is closely tied to the proliferation of artificial intelligence and large language models (LLMs). These technologies have dramatically lowered the barrier to entry for creating sophisticated bots, allowing less technically skilled threat actors to launch increasingly complex attacks at scale.

Industry Impact

The travel sector has become the primary target, accounting for 27% of all bot attacks, while retail continues to see high volumes of malicious bot traffic (59%) (Bad Bot Report, 2025). Probably most concerning is the targeting of APIs, with 44% of advanced bot traffic specifically exploiting API vulnerabilities to carry out payment fraud, account takeovers, and data exfiltration. They do not get tired like us humans do, they can go 24/7, which makes this more of a threat.

Financial services, healthcare, and e-commerce providers face the highest risk due to the sensitive nature of the data they manage. As organizations increasingly adopt cloud-based services and microservices architectures, the very features that make APIs essential also create unique vulnerabilities.

What This Means for IT and Cyber Professionals

For cybersecurity and IT professionals, this shift demands a fundamental reevaluation of security strategies. For one, bot detection must evolve. Traditional bot detection methods based on behavioral analysis need to be augmented with AI-powered solutions that can identify increasingly sophisticated automated threats. Moreover, API security can no longer be an afterthought. Organizations need comprehensive API security programs that include proper authentication, authorization, encryption, and monitoring. It is also crucial to distinguish between legitimate automation (like search engine crawlers) and malicious bots becomes increasingly complex and critical. However, this does not come without challenges. Infrastructure planning must account for the resource consumption of both legitimate and malicious bot traffic, which impacts everything from bandwidth to processing capacity.

As we continue to integrate AI and automation into our digital ecosystem, the line between helpful and harmful bots will become increasingly blurred. For IT programs and professionals, understanding and managing this new reality will be essential to building secure, resilient digital environments in a world where machines talk to machines more often than humans do.

References:

2025 Bad Bot Report. 2025. Imperva. https://www.imperva.com/resources/resource-library/reports/2025-bad-bot-report/

Muncaster, P. 2025, April 15. Bot Traffic Overtakes Human Activity as Threat Actors Turn to AI. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/bot-traffic-human-activity-threat/

Dr. Shaila Rana

Professor | Graduate IT Department

School of Business and Information Technology 

E: shaila.rana@purdueglobal.edu