Bad bots continue to target organizations across every industry and geography, but the rise of Artificial Intelligence (AI) is fueling bot attacks, making them more intelligent and more evasive than ever before. For over twelve years, Imperva has been dedicated to helping organizations manage and mitigate the threat of bad bots. We’ve published the 2025 Imperva Bad Bot Report as part of our commitment to helping organizations better understand the challenges associated with automated traffic and its risks. In particular, we examine how bad bots are a growing business problem that’s becoming too costly to ignore.
The Rapid Rise of AI in Bot Attacks
In this 12th Annual Imperva Bad Bot Report, we explore the rapidly changing landscape of automated internet traffic, looking at how AI is changing the bot threat landscape and how APIs, still the backbone of modern digital infrastructure, require security measures that can keep pace with the growing challenges from increasingly evasive, AI-enhanced attacks.
This year’s report focuses on the growing role of Artificial Intelligence (AI) in bot attacks, significantly increasing their volume, accessibility, and ability to evade detection. Bad bots are increasingly targeting businesses through tactics like data scraping, account hijacking, and inventory manipulation for financial gain. As AI evolves, organizations must adopt advanced mitigation strategies to protect against fraud, financial losses, and security risks. The report also offers ten recommendations to mitigate bot attacks better.
AI is driving the growth of more simple bot attacks by lowering the barrier to entry for prospective attackers, even those with limited technical ability. Thanks to generative AI tools and bots as a service (BaaS) platforms, even those with minimal skills can now launch an attack.
It’s also enabling more sophisticated bots that use machine learning to adapt to mitigation strategies and refine their attack techniques, returning repeatedly until they achieve their goal.
The resulting emergence of more sophisticated, evasive bad bots puts businesses at greater risk than ever before. As automated traffic volumes increase, security teams must adapt their approach to application security, facing increasing pressure to counter an evolving threat landscape.
Here are some key highlights from the report:
Bots are Gaining the Upper Hand
For the first time in a decade, automated traffic surpassed human activity, accounting for 51% of all web traffic in 2024. This is thought to be largely driven by the rapid adoption of AI and large language models (LLMs), which have made bot development more accessible and achievable even for the less technically skilled.
Bad Bots Account for 37% of all internet traffic
Bad bot activity has risen for the sixth consecutive year, with malicious bots now accounting for 37% of all internet traffic, a substantial increase from 32% the year before.
AI Continues to Fuel a Rise in Simple Bad Bots
The Bad Bot Report classifies bot attacks into three categories: advanced, moderate, and simple, according to the level of sophistication and the tactics used when attempting (or not) to evade detection. In 2024, simple bad bot traffic grew from just under 40% in 2023 to 45% in 2024, a significant increase that can be attributed to the growing adoption of AI.
Bot Attacks Targeting APIs Surged to 44%
In 2024, 44% of advanced bot traffic targeted APIs, compared to only 10% targeting applications. This highlights a deliberate shift by attackers toward API endpoints, which handle sensitive or high-value data and are the connective tissue of most modern businesses.
Financial services, business, telecom and healthcare are among the most targeted industries for bot attacks on APIs, accounting for over 75% of all API attacks. These sectors depend on APIs for critical operations and sensitive transactions, making them prime targets for sophisticated bot attacks.
Account Takeover Attacks Increase by 40%
Account takeover (ATO) attacks use malicious bots to gain unauthorized access and take over online user accounts through credential stuffing and cracking, leading to digital identity theft and financial losses for targeted organizations and consumers. In 2024 Account Takeover attacks increased by 40%, a surge likely driven by cybercriminals using AI and machine learning to enhance and optimize their techniques. Financial Services remains the top targeted industry for ATO attacks accounting for 22% of all ATO attacks in 2024.
Security Evasion Tactics
As bots become more sophisticated and adept at mimicking human behavior, security teams face increasing challenges in differentiating between bots and real users. As the proliferation of AI tool usage grows, we see attackers’ evasion tactics constantly advance and evolve. The Bad Bot Report examines the most common evasion tactics used by attackers, such as using residential proxies, faking browser identities, AI-assisted scripting, headless browsers and anti-detection tools to evade detection.
Top Targeted Industry
Travel bypassed Retail in 2024 to become the most targeted industry, accounting for 27% of all bad bot attacks. The travel industry and airlines, in particular, face a real challenge from automated attacks intent on disrupting operations. In 2024, 48% of all web traffic to travel sites was made up of bad bots, with the remainder consisting of 47% human traffic and 5% good bot traffic. Simple bot attacks targeting the Travel sector account for 55% of all attacks, up from 34% in 2023, supporting the theory that AI is fueling a surge in simple bot activity. 41% of attacks were in the advanced category, and only 7% were considered moderate.
Bad Bots are a Business Risk
From data scraping to account hijacking, bad bots are now a persistent, costly threat to businesses. With AI accelerating their growth, organizations must act decisively adopting advanced mitigation strategies to protect against fraud, financial losses, and security risks.
Download a copy of the 2025 Imperva Bad Bot Report to learn more about the latest bot trends and how to protect your organization.
The post 2025 Imperva Bad Bot Report: How AI is Supercharging the Bot Threat appeared first on Blog.