Thales Reports AI-Driven Bot Attacks Surge 12.5x

Thales released the 2026 Bad Bot Report: Bad Bots in the Agentic Age, distributed via Business Wire, reporting that automated activity now dominates internet traffic. The report states that bots account for over 50% of traffic and that 40% of bot traffic is classified as malicious, per the Thales release. According to the report, AI-driven bot attacks surged 12.5x in 2025 compared with 2024. The release highlights three structural shifts: the emergence of AI agents as a distinct traffic category, the dominance of automated activity over human interaction, and a rapid expansion of attacks targeting APIs and identity systems. The report includes a direct quote from Tim Chang, Global Vice President and General Manager, Application Security at Thales: "The challenge is no longer identifying bots. It's understanding what the bot, agent, or automation is doing, whether it aligns with business intent, and how it interacts with critical systems."

The Thales release describes AI agents as interacting directly with applications and APIs to retrieve data and perform tasks, which the report frames as blurring the line between legitimate and malicious automation. The report also identifies APIs and identity layers as primary targets where attackers bypass front-end defenses to exploit core business logic at scale, according to the Business Wire distribution.

Editorial analysis - technical context: Companies observing similar shifts have seen automated, programmatic access move from low-volume scraping to high-volume, stateful interactions with backend services; this pattern increases the value of telemetry that captures intent and multi-step workflows rather than single-request signatures. Defensive tooling that relies on simple rate limits or static fingerprinting is less effective when agents mimic legitimate multi-step sessions and use valid credentials or API keys.

The Thales report adds to a growing body of vendor and research publications documenting an acceleration in automated, AI-enabled abuse across web and API surfaces. For security teams and platform engineers, the combination of higher-volume AI-driven agents and targeted attacks on identity and API layers increases both attack surface and the difficulty of distinguishing benign automation from malicious activity. This trend also elevates the importance of telemetry that links authentication, session state, and business logic access patterns.

• •Indicators of compromise at the API and identity layer, such as credential stuffing against token endpoints or unusual token scopes being requested.
• •Adoption of behavioral and intent-based detection signals that correlate multi-step actions across sessions.
• •Any follow-up reporting from independent researchers that quantify attack effectiveness or reveal new agent tooling families.

Editorial analysis: Observers should treat the reported 12.5x increase as a signal that automated attacks are both growing in volume and evolving in sophistication; defenders will need to balance blocking known bad actors with capabilities to verify intent and context for high-value requests. The Thales release is a vendor report; independent validation and telemetry sharing will help practitioners gauge how representative the findings are across industries.