Bots Surpass Humans in Web Traffic as AI Agents Drive Record Cyber Attacks

Thales has released its 2026 Bad Bot Report, revealing a historic shift in internet composition where automated traffic now accounts for 53% of all web activity. This marks the first time that bots have surpassed human users, who now represent only 47% of global traffic. Central to this surge is the rapid proliferation of AI agents, which are increasingly being utilized to conduct sophisticated and high-volume automated operations.

The report identifies a massive 12.5x increase in AI-driven bot attacks compared to the previous year. These malicious "bad bots" now constitute 40% of total global web traffic, presenting a significant challenge for cybersecurity teams. The emergence of autonomous AI agents has further complicated the landscape by blurring the traditional lines used for bot detection, making it harder for standard security protocols to distinguish between legitimate automated services and malicious actors.

Strategic Impact on Financial Services and Retail

Security vulnerabilities are increasingly concentrated in specific sectors and technical interfaces. According to the data, 27% of all bot attacks are now directed specifically at APIs. This shift suggests that attackers are moving away from traditional front-end exploitation in favor of direct backend access. The AI-driven bot attacks are particularly prevalent in the retail sector, which currently attracts 20% of all AI-based automated threats.

The financial services industry remains the primary target for credential-based threats. Thales found that 46% of all account takeover attempts are focused on financial institutions. This high concentration of activity highlights the ongoing risk to digital banking infrastructure as AI agents become more adept at bypassing legacy security measures. Geographically, the United States continues to be the most targeted region for these automated threats.

For technology leaders and strategists, these findings necessitate a transition toward more adaptive security frameworks. As AI-driven bot attacks continue to scale, the reliance on static detection methods is becoming less effective. Organizations must prioritize API security and implement advanced behavioral analysis to counter the rising tide of agentic bot traffic that now dominates the modern web.

While we strive for accuracy, bytevyte can make mistakes. Users are advised to verify all information independently. We accept no liability for errors or omissions.

Photo by Mohamed Nohassi on Unsplash

Related Articles

• Stanford 2026 AI Index: Adoption Surges, Transparency Falls
• AWS Agent Registry Launches to Centralize AI Governance
• Lenovo Study Finds Unregulated Enterprise Shadow AI Risks Corporate Security and ROI

✔Human Verified