There are moments when a single statistic stops you in your tracks. Leaders across the United States woke to such a moment when automated traffic surpassed human traffic in 2024: 51% automated versus 49% human. That shift feels personal for teams who guard revenue, trust, and uptime every day.
Bad bots now make up 37% of internet traffic, and simple bots, the least sophisticated kind, climbed to 45% of bad bot traffic last year. Attackers use residential proxies, spoofed browsers, headless automation, and anti-detection tools to mimic people and slip past controls.
This report frames why organizations must treat application and API layers as control points, not afterthoughts. We outline the data, real incidents, and clear steps leaders can take to close gaps and protect customers.
Key Takeaways
- Automated activity now exceeds human web activity, forcing new priorities for cybersecurity.
- Bad bots are a systemic threat to revenue, operations, and customer trust.
- Generative tools and bots-as-a-service lowered the barrier to entry for scaled campaigns.
- APIs and applications face concentrated risk; sectors like finance and travel are heavily targeted.
- Read the full report for data and practical guidance leaders can act on this year.
Key findings shaping the threat landscape in the past year
Data-driven shifts define risk today: In 2024 automated traffic reached 51% of web activity, and bad bots rose to 37% of internet traffic. Simple bad bot traffic climbed to 45%, up from under 40% in 2023.
Advanced automation focused on APIs: 44% of advanced bot traffic targeted APIs versus 10% aimed at applications. Account takeover increased 40% year‑over‑year, with Financial Services making up 22% of all ATO incidents.
Travel emerged as the top target: 27% of bad bot attacks hit travel sites and nearly half of travel web traffic—48%—was malicious automation. Evasion methods included residential proxies, spoofed browser identities, headless automation, and anti‑detection tooling.
- Operational impact: Teams must recalibrate capacity and detection to treat automation as the norm.
- Security priority: Behavioral telemetry and API‑first defenses are now essential to protect systems and infrastructure.
For deeper context and recommendations, readers can consult this report that synthesizes these trends and steps leaders can take.
How AI is transforming bot attacks
Automation is no longer a blunt instrument; it is iterative, learning, and highly focused. Generative tools and bots-as-a-service lowered the bar to entry, driving simple bad bot traffic to 45% in 2024. Cheap, modular kits let operators launch scaled campaigns with little technical skill.
Smarter operations probe defenses and adapt. Adversaries use machine learning to test which requests get blocked, refine their attack chains, and evade detection. That means static rules fail faster; defenders must adopt behavioral scoring and real‑time policy updates.
- Democratized offense: turnkey tools accelerate campaign creation and reduce cost per attack.
- Evasion at scale: residential proxies, spoofed browser fingerprints, headless frameworks, and anti‑detection tools simulate human web journeys.
- API focus: 44% of advanced bot traffic targets APIs that expose business logic and sensitive data — far more than the 10% aimed at applications.
Access abuse rises when identity and request‑level risk controls lag behind the traffic. Security teams should map high‑value endpoints and enforce schema checks, token binding, and rate limits on them. Defensive tooling must inspect headers, tokens, and device signals and score intent across a session rather than one request at a time.
See practical controls and combine them with continuous feedback loops so defenses learn as fast as the threats. For a broader skills view, review the future of offensive tradecraft.
Real-world activity: where AI-driven bots and attackers are winning and failing
A review of recent incidents highlights both the speed of modern campaigns and the controls that blunt them. Rapid campaigns changed the threat profile for many organizations. Some operations succeeded by exploiting weak identity and vendor controls. Others failed against layered detection and practiced incident response.

Account takeover surges
Credential-based account takeover rose 40% in 2024. Financial Services absorbed 22% of ATO incidents, showing why identity is a primary target. Defenders must prioritize MFA, session telemetry, and anomaly scoring to stem these attacks.
Executive impersonation on LinkedIn
Attackers used executive profiles mimicking Okta, Cisco, and Microsoft leaders to lure users to phishing pages. Social engineering captured credentials for VPN and internal systems access. Training and rapid reporting reduced follow‑on harm.
Spear phishing blocked at OpenAI
In October 2024, employees received emails delivering SugarGh0st RAT. Behavioral email filtering and endpoint detection prevented execution. The company published IoCs, helping teams across industries improve detection and response in their systems.
Agentic espionage and high-tempo operations
A state-backed operation used Claude Code to run recon, exploit development, credential harvesting, and exfiltration. The agent handled 80–90% of tasks and generated thousands of requests, often multiple per second. High tempo exposes gaps in logging and monitoring but can be contained when controls are tuned.
Vendor exposure: hiring system risk
Paradox.ai’s weak password controls on its hiring platform exposed McDonald’s applicant data, putting millions of records at risk. Remediation and a bug bounty program followed. The case shows how an overlooked vendor system with weak authentication becomes a direct path to large‑scale data exposure.
“Layered defenses and rapid intelligence sharing turn many modern campaigns from breaches into blocked attempts.”
- Actionable point: Teams should codify detections, share IoCs, and harden third-party access.
Detection and defense: what security teams and organizations can do now
Start at the edge of business logic. Instrument APIs and applications with behavioral detection and anomaly scoring so defenses see intent, not just signatures. Combine risk-based scoring with dynamic rate limits to throttle suspicious activity tied to session and identity signals.
Harden API and application layers
Deploy behavioral telemetry on high-value endpoints. Use schema checks, token binding, and device signals to spot scripted requests that mimic real users.
Practical steps: map endpoints, apply adaptive rate limiting, and block by risk score while preserving legitimate web flows.
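As an added example, not code from the report or from any bot-management vendor, the following Python sketch scores a request on the signals named above (schema check, token binding, header consistency) and feeds the score into a per-identity rate limit that tightens as risk rises. The endpoint schema, the token-binding table, the header heuristics, the weights and the two sample requests are assumptions constructed for the example.

```python
"""Request-level risk scoring with adaptive rate limiting for a JSON API.

Added example, not code from the report or any vendor product. The endpoint
schema, token-binding table, header heuristics, weights and sample requests
are all constructed for illustration.
"""

# Constructed schema for POST /api/v1/transfers: field -> (allowed types, required?)
TRANSFER_SCHEMA = {"from_account": ((str,), True), "to_account": ((str,), True),
                   "amount": ((int, float), True), "memo": ((str,), False)}
# Constructed token-binding table: bearer token -> device thumbprint it was issued to
TOKEN_BINDINGS = {"tok_alice": "thumb_A1", "tok_bob": "thumb_B7"}
# Constructed weights; the prefix before ':' in each finding selects its weight
WEIGHTS = {"schema": 20, "header": 15, "unknown_token": 60, "binding": 60}


def schema_findings(body):
    """Missing or mistyped fields, plus fields the endpoint never defined."""
    out = []
    for name, (types, required) in TRANSFER_SCHEMA.items():
        if name not in body:
            if required:
                out.append(f"schema: missing {name}")
        elif isinstance(body[name], bool) or not isinstance(body[name], types):
            out.append(f"schema: bad type for {name}")
    out += [f"schema: unexpected field {x}" for x in sorted(body.keys() - TRANSFER_SCHEMA.keys())]
    return out


def header_findings(headers):
    """Heuristics for a script wearing a browser User-Agent (header names lower-cased)."""
    out = []
    # Chromium-based browsers send client hints by default, so a Chrome UA
    # without Sec-CH-UA usually means a script copied the UA string.
    if "Chrome/" in headers.get("user-agent", "") and "sec-ch-ua" not in headers:
        out.append("header: chrome ua without client hints")
    if "accept-language" not in headers:
        out.append("header: no accept-language")
    return out


def risk_score(req):
    """Return (score 0-100, findings) for one request dict."""
    findings = schema_findings(req["body"]) + header_findings(req["headers"])
    bound_to = TOKEN_BINDINGS.get(req["token"])
    if bound_to is None:
        findings.append("unknown_token: token was not issued by us")
    elif bound_to != req["device_thumbprint"]:
        findings.append("binding: token presented from a different device")
    return min(100, sum(WEIGHTS[f.split(":", 1)[0]] for f in findings)), findings


class AdaptiveLimiter:
    """Token bucket per identity: risky identities refill slower and pay more per call."""

    def __init__(self, capacity=20.0, refill_per_sec=10.0):
        self.capacity, self.refill, self.buckets = capacity, refill_per_sec, {}

    def allow(self, identity, score, now):
        tokens, last = self.buckets.get(identity, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill * (1 - score / 100))
        cost = 1 + score // 25  # a score of 50 makes each request cost 3 tokens
        ok = tokens >= cost
        self.buckets[identity] = (tokens - cost if ok else tokens, now)
        return ok


def decide(req, limiter, now):
    """block on high risk, throttle when the budget is spent, challenge medium risk."""
    score, _ = risk_score(req)
    if score >= 80:
        return "block"
    if not limiter.allow(req["token"], score, now):
        return "throttle"
    return "challenge" if score >= 40 else "allow"


# Constructed sample requests: one from a real Chrome session, one from a script that
# copied the Chrome UA (but not the client hints), presents Bob's token from a device
# it was never bound to, and adds a field the endpoint never defined.
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
GOOD_REQUEST = {
    "token": "tok_alice", "device_thumbprint": "thumb_A1",
    "headers": {"user-agent": CHROME_UA, "sec-ch-ua": '"Chromium";v="124", "Google Chrome";v="124"',
                "accept-language": "en-US,en;q=0.9"},
    "body": {"from_account": "A-1", "to_account": "A-2", "amount": 40.0, "memo": "rent"},
}
SCRIPTED_REQUEST = {
    "token": "tok_bob", "device_thumbprint": "thumb_Z9",
    "headers": {"user-agent": CHROME_UA, "accept-language": "en-US"},
    "body": {"from_account": "B-1", "to_account": "X-9", "amount": 900,
             "callback_url": "https://example.invalid/cb"},
}
```

The three outcomes a practitioner wants to confirm: the clean browser request is allowed, the scripted request that presents a token from an unbound device is blocked outright, and a clean identity that bursts past its bucket is throttled rather than blocked, which is what preserving legitimate flows means in practice. A real deployment would source the device thumbprint from a client certificate or a DPoP-style proof of possession rather than a header, and would tune the weights from labelled traffic.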
Strengthen identity and communications
Enforce MFA everywhere and run continuous ATO monitoring so a stolen credential cannot be converted into persistent access. Protect email by publishing SPF and DKIM and enforcing DMARC (a p=none policy only monitors), and monitor Slack and Teams for phishing and fraud cues, since those channels have no equivalent sender authentication.
Counter deepfakes and vishing
Mandate verification workflows for high-value transactions. Require multi-person approvals and confirm requests out of band, such as a callback to a number already on file; treat a familiar voice alone as insufficient, since synthetic audio can imitate it.
Vendor and tool due diligence
Treat vendors as part of production infrastructure: require strong passwords, encryption in transit and at rest, detailed logging, timely patch SLAs, isolation from crown jewels, and least-privilege access. Audit vendors regularly and insist on measurable SLAs.
Real-time threat intelligence and SOC automation
Operationalize sharing and ingestion of IoCs with peers and ISACs to shrink attacker dwell time. Automate triage and response so analysts can execute one-click blocks, identity resets, and session revocations.
“Layered defenses, rapid intelligence sharing, and automated response turn many campaigns from breaches into blocked attempts.”
- Continuously test defenses with red and purple teams focused on API abuse, credential stuffing, scraping, and evasion techniques.
- Use improved classifiers and automated triage to reduce false positives and lower mean time to detect and respond.
- For a deeper look at operational defenses and workflows, review guidance from the iSchool on integrated cyber practices: integrated cybersecurity workflows.
Industry impact: travel, financial services, telecom, and healthcare in the crosshairs
Industries from travel to healthcare now face sustained pressure from automated campaigns that skew operations and revenue.
Travel leads the pack. In 2024 travel accounted for 27% of all bad bot attacks, and nearly half of travel site web traffic, 48%, came from malicious automation. Simple automation drove 55% of those incidents, while advanced operations made up 41% and moderate methods 7%.
That mix strains inventories, pricing engines, and customer experience during peaks. Leaders should adopt dynamic scoring linked to inventory logic to reduce false blocks and preserve revenue.
Financial services pressure
Financial services absorbed 22% of account takeover incidents and saw growing API-focused bot activity. Attackers aim at account access, payments flows, and high-value data.
- Telecom and healthcare also attract API-targeted campaigns due to connected systems and sensitive payloads.
- Cross-industry lesson: map critical APIs, enforce per-function rate limits, and align detections with business KPIs.
| Sector | Share of bad bots | Percent of web traffic from bad bots | Dominant automation types |
|---|---|---|---|
| Travel | 27% | 48% | Simple 55% · Advanced 41% · Moderate 7% |
| Financial services | — | High API targeting | ATO-focused automation, credential stuffing |
| Telecom & Healthcare | — | Elevated API probes | Data harvesting, session abuse |
“Bots and automated traffic can distort forecasting and analytics; teams must segment telemetry to avoid decisions on polluted data.”
Operationally, security should partner with product and data teams so defenses suppress malicious actors while preserving real customers. For sector-specific context on healthcare and legal systems in APAC, see this sector briefing.
Conclusion
Organizations now face a new normal: scaled automation probes systems, skews data, and raises the operational threat across web platforms.
The past year is a clear signal: automated traffic hit 51%, bad bots reached 37% of all traffic, simple bots rose to 45% of bad bot traffic, and 44% of advanced bot traffic targeted APIs.
Real incidents — account takeover surges in Financial Services, LinkedIn impersonations, the SugarGh0st interception, an agentic espionage campaign automating 80–90% of tasks, and Paradox.ai’s vendor exposure — show attackers profit when access and identity lag.
Practical next steps: harden identity as a control plane, align detections to behavior, protect APIs first, test defenses against residential proxies and other detection-evasion techniques, and operationalize rapid IoC sharing so defenses keep pace with attacker tempo.
Act this year: use report-backed data to benchmark controls, cut dwell time, and keep users safe while preserving experience.
FAQ
How are generative tools changing the threat landscape?
Generative tools lower the barrier to entry for attackers by automating content and payload creation. This fuels large volumes of simple malicious scripts and services-for-hire that scale credential stuffing, scraping, and phishing. Security teams must assume higher baseline noise and prioritize behavioral detection and rate limiting on application and API layers.
What are the most effective signs that activity is evasive or advanced?
Evasive operations use residential proxies, spoofed browser identities, headless automation, and anti-detection toolkits. Look for inconsistent session signals, improbable geographic hops, unusual request timing, and API calls that mimic legitimate clients but lack expected behavioral patterns. Anomaly scoring and device fingerprinting help surface these signs.
How big is the API problem and which data is at risk?
Advanced traffic increasingly targets APIs: in this report's data, 44% of advanced bot traffic went to APIs, and much of it concentrates on endpoints that handle authentication, account data, and transaction flows. APIs expose structured access to sensitive data, so hardening endpoints with strict auth, rate controls, and request validation is critical.
Why are financial services seeing a surge in account takeovers?
Financial firms face concentrated credential stuffing and automated cracking driven by mass credential lists and credential-stuffing services. Weak password hygiene, lack of multi-factor enforcement, and exposed APIs accelerate takeovers. Strong ATO monitoring, MFA everywhere, and adaptive challenge flows reduce risk.
What new social-engineering trends should organizations watch for?
Targeted impersonation and data-scraping on professional networks are rising. Attackers craft credible messages using scraped profiles, then phish for credentials or access. Defenses include user training, verification workflows for unexpected requests, and monitoring for credential exposure tied to corporate domains.
How do agentic, autonomous campaigns operate and how can they be stopped?
Agentic campaigns run largely unsupervised, chaining reconnaissance, exploitation, and persistence. They adapt tactics based on feedback, increasing speed and scale. Defenses require real-time telemetry, automated playbooks in the SOC, shared indicators, and containment controls that cut the attack chain early.
What are practical steps to harden APIs and web applications?
Implement behavioral detection, strict rate limiting, anomaly scoring, and robust input validation. Enforce token scopes, short-lived credentials, and fine-grained authorization. Monitor for abnormal API patterns and integrate WAF and API gateways with threat intelligence and automated enforcement.
How should identity and communication channels be protected?
Enforce MFA for all users, deploy continuous ATO monitoring, and publish SPF and DKIM with an enforcing DMARC policy for email. Monitor collaboration tools like Slack and Teams for suspicious integrations and messages. Combine policy (least privilege, prompt retirement of exposed credentials) with automated alerts for anomalous access.
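The SPF, DKIM and DMARC advice in the Strengthen identity and communications section and in this answer is only as good as the published policy: a record with p=none or +all exists but enforces nothing. The following Python checker, an added example rather than anything from the report, audits SPF and DMARC TXT records for those settings. The records are constructed strings; a real run would pass in the TXT records returned by a resolver. DKIM is left out because checking it means fetching the selector's public key and verifying signatures, not inspecting a policy record.

```python
"""Audit SPF and DMARC TXT records for settings that look like protection but enforce nothing.

Added example, not from the report. The records below are constructed strings of the
kind returned by a TXT lookup of example.com and _dmarc.example.com; in practice feed
your resolver's output into audit().
"""

# Mechanisms that cost a DNS lookup and count toward RFC 7208's limit of 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def mechanism(term):
    """Strip the qualifier and any argument: '+include:x' -> 'include', 'a/24' -> 'a'."""
    t = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        t = t.split(sep, 1)[0]
    return t


def spf_findings(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf: not an SPF record"]
    out = []
    all_term = next((t for t in terms[1:] if mechanism(t) == "all"), None)
    qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
    if all_term is None:
        out.append("spf: no 'all' mechanism, so unlisted hosts get a neutral result")
    elif qualifier == "+":
        out.append("spf: '+all' lets any host on the internet send as this domain")
    elif qualifier == "?":
        out.append("spf: '?all' is neutral, equivalent to no policy")
    if any(mechanism(t) == "ptr" for t in terms):
        out.append("spf: 'ptr' is deprecated by RFC 7208 and slow to evaluate")
    lookups = sum(mechanism(t) in LOOKUP_MECHANISMS for t in terms[1:])
    if lookups > 10:  # nested includes add more; only the top level is counted offline
        out.append(f"spf: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return out


def parse_tags(record):
    """DMARC records are 'tag=value' pairs separated by ';' (RFC 7489)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_findings(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["dmarc: missing or malformed record"]
    out = []
    p = tags.get("p")
    if p == "none":
        out.append("dmarc: p=none only monitors; spoofed mail is still delivered")
    elif p not in ("quarantine", "reject"):
        out.append("dmarc: p= tag missing or invalid")
    if p in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        out.append(f"dmarc: pct={tags['pct']} applies the policy to only part of the mail")
    if tags.get("sp") == "none" and p != "none":
        out.append("dmarc: sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        out.append("dmarc: no rua= address, so you receive no aggregate reports")
    return out


def audit(spf_record, dmarc_record):
    return spf_findings(spf_record) + dmarc_findings(dmarc_record)


# Constructed records: a weak pair often mistaken for "done", and an enforcing pair
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ptr +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
```

Run audit() over the weak pair and it reports the +all, the deprecated ptr, the monitoring-only p=none and the missing rua address; the strong pair comes back clean. Moving from p=none to p=reject is safe only after the aggregate reports show every legitimate sender aligning, which is exactly why the rua check is in the list.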
What measures help counter deepfakes and vishing attacks?
Require multi-person approvals for high-risk transactions, confirm through a verified out-of-band channel rather than trusting the voice on the call, and add anomaly checks in workflows. Train staff to follow verification playbooks and use synthetic-media detection tools where available to flag manipulated content.
What should vendor and tool due diligence include?
Evaluate password policies, encryption standards, logging and SIEM integration, patch SLAs, isolation controls, and least-privilege models. Demand penetration-test results and clear incident-response commitments. Continuous vendor monitoring and contractual security requirements reduce supply-chain exposure.
How can SOC teams use automation and shared intelligence effectively?
Automate triage and common response tasks to accelerate containment. Expand classifiers with telemetry from real incidents and share IoCs across trusted channels. Use machine-assisted playbooks to prioritize high-risk alerts and reduce analyst fatigue while preserving human oversight for complex decisions.
Which industries are most targeted and why?
Travel, financial services, telecom, and healthcare face sustained pressure. Travel attracts high-volume scraping and account fraud due to ticketing and pricing arbitrage. Financial services see persistent ATO and API attacks. Telecom and healthcare are targeted for access to user records and transactional value.
Why is travel a top target for automated traffic?
Travel sites expose inventory and pricing that attackers monetize through scalping, scraping, and credential stuffing. High-volume automated requests make travel a magnet for simple malicious traffic, necessitating aggressive rate controls, bot management, and commercial fraud detection.
How should organizations prepare for evolving malicious tooling?
Adopt layered defenses—behavioral detection, strong identity controls, real-time intelligence, and proactive vendor controls. Invest in SOC automation and continuous threat hunting. Encourage cross-team collaboration so engineering, product, and security align on hardening priorities and incident playbooks.
What immediate steps reduce exposure to credential-based compromises?
Enforce MFA, implement adaptive authentication, rotate and retire exposed credentials quickly, and monitor for credential stuffing patterns. Combine password hygiene policies with rate limits, device checks, and challenge-response flows to cut down automated credential abuse.
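The signals this answer and the earlier "evasive or advanced" answer describe (unusual request timing, improbable geographic hops, credential-stuffing patterns) can be turned into detection logic over ordinary login logs. The Python below is an added example, not from the report; the log format, the thresholds, the sample lines and the country-centroid table standing in for a GeoIP lookup are all constructed. It also covers one case the per-IP view misses: attempts spread across residential proxies so that each source stays under threshold, which only shows up when failing IPs are counted per target account.

```python
"""Evasion and credential-stuffing signals from login logs.

Added example, not from the report. The log format, thresholds, sample lines and the
country-centroid table (standing in for a GeoIP database) are all constructed here.
"""
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed stand-in for a GeoIP lookup: country -> rough centroid (lat, lon)
GEO_CENTROID = {"US": (39.8, -98.6), "DE": (51.2, 10.4), "BR": (-10.3, -53.2)}

# Constructed login log: one line per attempt, key=value fields after the timestamp.
# 203.0.113.5 works through a credential list and hits carol's account; carol's real
# login arrives four minutes later from another continent; dave is attacked through
# four different proxy exits, one attempt each.
LOG = """\
2025-03-01T10:00:00Z ip=198.51.100.7 user=alice result=success geo=US
2025-03-01T10:01:00Z ip=203.0.113.5 user=u01 result=fail geo=BR
2025-03-01T10:01:02Z ip=203.0.113.5 user=u02 result=fail geo=BR
2025-03-01T10:01:04Z ip=203.0.113.5 user=u03 result=fail geo=BR
2025-03-01T10:01:06Z ip=203.0.113.5 user=u04 result=fail geo=BR
2025-03-01T10:01:08Z ip=203.0.113.5 user=carol result=success geo=BR
2025-03-01T10:01:10Z ip=203.0.113.5 user=u07 result=fail geo=BR
2025-03-01T10:05:00Z ip=198.51.100.9 user=carol result=success geo=US
2025-03-01T10:10:00Z ip=192.0.2.11 user=dave result=fail geo=US
2025-03-01T10:10:30Z ip=192.0.2.12 user=dave result=fail geo=DE
2025-03-01T10:11:00Z ip=192.0.2.13 user=dave result=fail geo=US
2025-03-01T10:11:30Z ip=192.0.2.14 user=dave result=fail geo=BR
"""


def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))


def group(events, key):
    g = defaultdict(list)
    for e in events:
        g[e[key]].append(e)
    return g


def stuffing_by_ip(events, min_users=5, min_fail_ratio=0.8):
    """One source trying many accounts with mostly failures: classic credential stuffing."""
    out = []
    for ip, evs in group(events, "ip").items():
        users = {e["user"] for e in evs}
        fails = sum(e["result"] == "fail" for e in evs)
        if len(users) >= min_users and fails / len(evs) >= min_fail_ratio:
            out.append(f"stuffing: {ip} tried {len(users)} accounts, {fails}/{len(evs)} failed")
    return out


def machine_cadence(events, min_events=5, max_cv=0.2):
    """Near-constant inter-arrival times; humans are bursty, loops are not."""
    out = []
    for ip, evs in group(events, "ip").items():
        if len(evs) < min_events:
            continue
        gaps = [b["ts"] - a["ts"] for a, b in zip(evs, evs[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        if cv <= max_cv:
            out.append(f"cadence: {ip} sent {len(evs)} requests every {mean(gaps):.1f}s")
    return out


def distributed_stuffing(events, min_ips=4):
    """Proxies spread attempts so no IP trips a threshold; count failing IPs per account."""
    fails = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            fails[e["user"]].add(e["ip"])
    return [f"distributed: {u} failed from {len(ips)} different IPs" for u, ips in fails.items() if len(ips) >= min_ips]


def impossible_travel(events, max_kmh=1000):
    """Consecutive successful logins farther apart than any flight could carry the user."""
    out = []
    for user, evs in group([e for e in events if e["result"] == "success"], "user").items():
        for a, b in zip(evs, evs[1:]):
            if a["geo"] == b["geo"]:
                continue
            km = haversine_km(GEO_CENTROID[a["geo"]], GEO_CENTROID[b["geo"]])
            hours = (b["ts"] - a["ts"]) / 3600
            if hours == 0 or km / hours > max_kmh:
                out.append(f"travel: {user} logged in from {a['geo']} then {b['geo']}, {km:.0f} km apart, {hours * 60:.0f} min later")
    return out


def analyze(log):
    events = parse(log)
    return stuffing_by_ip(events) + machine_cadence(events) + distributed_stuffing(events) + impossible_travel(events)
```

On the constructed log, analyze() returns four findings: the stuffing source, its two-second cadence, dave's distributed attack, and carol's impossible travel. The order of findings matters operationally: a successful login inside a stuffing run (carol's) is the one to revoke and step up first, because it is the credential conversion the ATO figures in this report describe.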