How much online traffic is real? The era of automation and AI has given increased importance to this issue. According to the 2025 Thales Bad Bot Report, up to 51% of all web traffic in 2024 was automated, while malicious bots specifically accounted for 37% of all internet traffic.
Quietly distorting the Internet, bots pose a growing cybersecurity challenge, whether they scrape pricing data and hoard inventory, spread misinformation, or launch large-scale attacks that take websites and IT resources offline.
Vice President of EMEA Cybersecurity Specialists at Thales.
This automation undermines trust in digital experiences and leads to significant financial losses. According to Imperva’s “Economic Impact of API and Bot Attacks” report, bot attacks and API security breaches cause up to $186 billion in losses for businesses worldwide.
Thanks to automation, bots also evolve and learn to evade defenses as operators adapt their behavior to blend in with legitimate traffic.
AI tools can help bots mimic our clicks, pauses, and even typing rhythms – with large language models helping to generate compelling natural text or responses that make them appear human in chat or API interactions.
Turn an opponent against himself
Blocking or throttling can only do so much and rarely stops them for good. A large part of the reason bot attacks can be so effective is that, individually, the cost of launching and running a bot is very low.
On the surface, this seems impossible to combat, but by turning automation's ability to work at scale against itself, we can begin to make it too costly for bots to keep attacking.
Focusing on economics by wearing down an opponent until continuing is no longer worth it has parallels in the broader business world. In hostile mergers or acquisitions, a target company may use a defensive strategy to make an acquisition more costly.
By giving all shareholders except the acquirer the right to purchase shares of the target company at a discounted price, they can dilute the acquirer’s shareholder position. The cost of taking control becomes considerably higher, making the acquisition less attractive.
As in most online strategy games today, success is not just about spotting an opponent’s move, but also about making each step costly for them.
Often, winning means letting your opponent exhaust their resources and energy by forcing them to constantly react to your plays. The attacker carries the burden while the defender maintains his strength.
In the fight against bots, we need a similar approach: our systems must implement defenses that force bots to spend so much computing power and time that continuing the attack no longer makes sense. It’s not just about detecting all bots, but also about making attacks unprofitable and ineffective.
An evolving defense
Targeting an attacker's economics is also a much more scalable and long-term strategy. Working solely from a detection-based strategy means entering into an endless cat-and-mouse dynamic, where your defenses will always lag behind the innovation and evolution that advanced bots are capable of.
They can evolve on the fly, instantly analyzing failed attempts and adjusting their behavior in real time from each block, challenge, or rate limit.
The digital poison pill, or proof of work (PoW), involves specialized software that issues a small computational puzzle every time a request is made to view a web page, access data or perform another task.
Unlike other, more intrusive solutions such as CAPTCHA challenges, real users don’t experience unnecessary friction since everything happens in the background.
A real user’s browser can solve these puzzles invisibly in the background because it only needs to do so once, but having bots repeat it thousands of times gets very expensive, very quickly. This small obstacle takes away both the speed and the scale at which bots can operate.
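The puzzle exchange described above, as an added sketch that is not from the article or from any vendor's product: it assumes a hashcash-style puzzle (SHA-256 with a required number of leading zero bits), and the function names, `SERVER_KEY`, `MAX_AGE` and the session identifier are hypothetical. It also assumes the client identifier contains no `:` character.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # constructed per-process secret (assumption)
MAX_AGE = 120                # seconds a challenge stays valid (assumption)

def issue_challenge(client_id, bits=16, now=None):
    """Server: stateless puzzle bound to a client, a difficulty and a time."""
    ts = int(time.time() if now is None else now)
    body = f"{client_id}:{bits}:{ts}:{os.urandom(8).hex()}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client: try counters until the hash has enough leading zero bits."""
    bits, counter = int(challenge.split(":")[1]), 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter, counter + 1  # (solution, hashes computed)
        counter += 1

def verify(challenge, counter, client_id, seen, now=None):
    """Server: one HMAC and one hash, however long the client worked."""
    parts = challenge.split(":")
    if len(parts) != 5:
        return False
    cid, bits, ts, _salt, tag = parts
    body = ":".join(parts[:4])
    good = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return False  # forged or altered, e.g. difficulty lowered by the client
    now = time.time() if now is None else now
    if cid != client_id or now - int(ts) > MAX_AGE or challenge in seen:
        return False  # other client's puzzle, expired, or already redeemed
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < int(bits):
        return False  # the work was not actually done
    seen.add(challenge)  # single use: a solved puzzle cannot be replayed
    return True

if __name__ == "__main__":
    seen = set()
    ch = issue_challenge("session-abc")  # constructed session identifier
    counter, tried = solve(ch)
    print(f"client computed {tried} hashes; accepted:",
          verify(ch, counter, "session-abc", seen))
    print("replay accepted:", verify(ch, counter, "session-abc", seen))
```

Each extra bit of difficulty doubles the expected number of hashes the client must compute, while the server's verification cost stays at one HMAC and one hash per request.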
A concrete example
The impact of bots is particularly felt by industries that operate with inventory systems, such as airlines. Here, sophisticated bots pretend to be humans to hold flight inventory and book tickets without completing the purchase.
Done at scale, this distorts fare availability and pricing, hurting real customers and sales, and can have operational consequences if those seats are released at the very last minute.
In these environments, and in any bot detection challenge, you need precision. If you miss a bot, you risk fraud; if you block a real user, you risk losing a customer.
By combining advanced fingerprinting and behavioral analysis with a proof-of-work “poison pill” that increases the cost of each interaction for a bot, the incentive structure is reversed without increasing friction for real customers. Rampant bot activity on an airline website becomes much more difficult to sustain.
Combating the next generation of intelligent bots will require applying classic business logic to cybersecurity. By drawing on principles from both economics and my passion, fencing, security managers can make automated attacks too costly to maintain.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you would like to contribute, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro





























