Thales Reports Bad Bots Comprise 40% of Internet Traffic

According to the Thales 2026 Bad Bot Report, automated activity made up 53% of observed internet traffic in 2025, with 40% of all traffic classified as malicious bot activity, per the Business Wire distribution of the report. The release also finds AI-driven bot attacks surged 12.5x year over year, and daily blocked requests rose from 2 million to 25 million, per Thales. The report highlights that attackers are increasingly targeting APIs and identity systems and that "AI agents" have emerged as a third category of traffic alongside benign and malicious automation. "AI is transforming automation from something organizations try to block into something they must also manage," said Tim Chang, Global Vice President and General Manager, Application Security at Thales, in the report.
What happened
According to the Thales 2026 Bad Bot Report, distributed by Business Wire, automated activity represented 53% of observed internet traffic in 2025, while human interaction accounted for the remaining 47%. The report states that 40% of total internet traffic was classified as malicious bot activity in 2025, and that AI-driven bot attacks surged 12.5x year over year. Per the report, daily blocked requests rose from 2 million to 25 million in a single year. The research calls out increased attacker focus on APIs and identity layers and reports the United States accounted for 59% of bot attack volume.
Technical details
The Thales report describes emergent AI agents that interact directly with applications and APIs to retrieve data and perform tasks, blurring distinctions between legitimate automation and abuse. The report documents behaviours such as mutating browser and network fingerprints, adjusting interaction timing, and adapting to mitigation controls, which enable persistent probing and tailored attacks on business logic. These technical observations are reported by Thales in the release and echoed across coverage by Help Net Security, TechRadar, and Resultsense.
Editorial analysis - technical context: AI-driven automation that mutates identifying signals and varies timing reduces the reliability of static fingerprinting and rate-based heuristics. Companies and security teams historically reliant on signature or threshold-based controls will find those signals increasingly noisy. Industry observers note that detection is shifting toward richer, multi-signal approaches that combine behavioural baselining, stronger API authorization checks, and contextual identity telemetry.
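Added example (not from the Thales report or the coverage cited above): a small Python sketch of the contrast drawn in this analysis, run over constructed request events. It compares a static per-fingerprint rate limit with a per-identity check that combines several behavioural signals. The event fields, key names, signal names and thresholds are illustrative assumptions.

```python
from collections import defaultdict

def build_events():
    """Constructed sample: (epoch_s, api_key, fingerprint, path, status)."""
    # Batch integration: one stable fingerprint, 40 authorized calls in 40 s.
    events = [(1000 + i, "key-batch", "fp-batch", "/api/report", 200) for i in range(40)]
    # Interactive user: one fingerprint, a few authorized calls.
    events += [(1000 + 90 * i, "key-user", "fp-user", "/api/orders/7", 200) for i in range(6)]
    # Adaptive automation: new fingerprint per request, irregular gaps,
    # walking object ids that mostly fail the authorization check (403).
    gaps = [0, 47, 131, 160, 244, 301, 388, 420, 515, 590, 640, 733]
    events += [(1000 + g, "key-x", f"fp-{i}", f"/api/orders/{100 + i}",
                200 if i % 4 == 0 else 403) for i, g in enumerate(gaps)]
    return sorted(events)

def rate_flagged(events, limit=30, window=60):
    """Static control: fingerprints with more than `limit` requests in `window` s."""
    times = defaultdict(list)
    for ts, _key, fp, _path, _status in events:
        times[fp].append(ts)
    flagged = set()
    for fp, ts_list in times.items():
        start = 0
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] >= window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(fp)
    return flagged

def multi_signal_flagged(events, min_signals=2):
    """Group by identity (API key); flag when several behavioural signals agree."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev[1]].append(ev)
    flagged = {}
    for key, evs in by_key.items():
        n = len(evs)
        fps, paths = {e[2] for e in evs}, {e[3] for e in evs}
        denied = sum(1 for e in evs if e[4] == 403)
        signals = {
            "fingerprint_churn": len(fps) >= 3 and len(fps) / n > 0.5,
            "authz_denial_rate": denied / n >= 0.3,
            "object_enumeration": len(paths) >= 5 and len(paths) / n > 0.8,
        }
        hits = sorted(name for name, hit in signals.items() if hit)
        if len(hits) >= min_signals:
            flagged[key] = hits
    return flagged
```

On this sample the rate limit flags only the benign batch integration, while the per-identity check flags only the key whose fingerprint changes on every request.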
Context and significance
Industry context
The scale reported by Thales - majority-automated traffic and nearly two fifths attributed to malicious bots - amplifies existing trends in API-focused intrusion methods. Coverage in TechRadar and Resultsense highlights that verticals such as financial services face disproportionate impact, including a high share of account-takeover activity as reported in media summaries of the Thales data. Reported growth in agentic automation changes the defender problem from discriminating "bot vs human" to inferring the intent and permissions associated with each automated actor.
What to watch
For practitioners: monitor three indicators reported by Thales and repeated in coverage. These are the share of automated versus human traffic, the rate of AI-driven blocked requests (the jump Thales reports from 2 million to 25 million daily), and the proportion of incidents that exploit APIs or identity systems. Observe whether detection pipelines incorporate behavioural and intent signals rather than only identity or signature checks. Also watch vendor disclosures and incident reports for demonstrations of agentic behaviours that evade conventional mitigation.
Editorial analysis: While Thales provides the measurements and examples, public reporting frames this as a structural shift in attacker tooling rather than a transient spike. Observers and security teams will likely reassess how telemetry, API governance, and identity assurance are combined to separate benign automation from abuse at scale. The absence of detailed mitigation performance metrics in the release means benchmarked industry validation will be important as defenders adapt.
Scoring Rationale
The report documents a large, measurable shift in malicious automation that directly affects detection and incident response practices. The story is significant for security and platform engineers but is not a frontier-model or infrastructure breakthrough.


