What it measures
Bad bots are automated agents that violate a website's terms of service or cause direct harm. Accounting for roughly 37% of all web traffic, they are the largest single category of internet traffic after legitimate human use. Key types:
- Scrapers — harvest content, prices, contact data without permission
- Credential stuffers — replay leaked passwords against login forms at scale
- Scalper bots — purchase limited inventory (sneakers, tickets, GPUs) faster than humans
- Click-fraud bots — generate fake ad clicks to drain advertiser budgets
- Vulnerability scanners — probe for exploitable endpoints automatically
Why humans should care
The cost to businesses is estimated at $100B+ annually in fraud, lost inventory, and infrastructure overhead. More critically, generative AI is dramatically lowering the sophistication barrier: attacks that once required programming expertise can now be assembled with LLM-generated scripts in minutes.
Bad bot operators are adopting LLMs to write scraping scripts, generate realistic behavioral patterns, and evade detection. The same tools that democratize AI for legitimate use also lower the barrier to sophisticated automated attacks.
What happens next
The AI arms race is escalating: LLMs make it trivially easy to generate sophisticated scraping scripts and behavioral mimicry, while defenders race to deploy AI-based detection of their own. Expect the bad-bot share of traffic to remain stubbornly high even as mitigation tools improve.
Pros — Benefits
- Detection techniques improving: behavioral biometrics, device fingerprinting
- IP reputation databases and shared threat intelligence improving shared defense
- CDNs such as Cloudflare offer bot-management tools even at the free tier
- Legal frameworks (CFAA, GDPR) creating meaningful deterrence for large operators
Cons — Risks
- AI-powered bots increasingly pass behavioral checks designed for dumb bots
- Rotating residential proxies make IP blocking largely ineffective
- Bad bot operators adapt faster than most defense playbooks update
- LLMs lower barrier to creating sophisticated polymorphic scraping scripts
What to watch for
- Imperva annual Bad Bot Report (April) — primary tracking source
- OWASP Automated Threat statistics updates
- Cloudflare WAF blocked request volumes by category
- HaveIBeenPwned credential exposure volumes — upstream indicator of stuffing attacks
- App store and marketplace AI-generated script availability for bot operators
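Credential exposure can be checked against HaveIBeenPwned's Pwned Passwords range API without ever transmitting the password itself: only the first five characters of the SHA-1 digest are sent, and the returned suffixes are matched locally (k-anonymity). A minimal sketch of the matching logic, with the network call omitted and the sample response body fabricated for illustration:

```python
import hashlib


def hibp_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix
    sent to the range API and the 35-char suffix matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """Given the body of GET api.pwnedpasswords.com/range/{prefix}
    (lines of 'SUFFIX:COUNT'), return how often the password appears.
    Zero means the suffix was not found in the breach corpus."""
    _, suffix = hibp_prefix_and_suffix(password)
    for line in range_response.splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0
```

In production you would fetch the range body over HTTPS and run this check at registration and login time, forcing a reset when the count is nonzero.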
Most critical tipping point
What you can do
- Enable bot protection on your hosting platform (Cloudflare, Vercel, Fastly)
- Check HaveIBeenPwned API to detect credential-stuffed accounts proactively
- Monitor your robots.txt compliance via server-log user-agent analysis
- Deploy a WAF with behavioral bot scoring, not just IP blocking
- Implement rate limiting on all API endpoints and login forms
- Run quarterly bot traffic audits; set baselines and alert on anomalies
- Separate bad bot traffic from analytics before reporting to stakeholders
- Expand CFAA/computer-crime coverage to AI-powered scraping explicitly
- Fund law enforcement capacity for large-scale bot operation prosecution
- Establish industry sharing networks for bad bot IP and fingerprint data
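Rate limiting on login forms and API endpoints can be sketched with a per-client token bucket: each client gets a burst allowance that refills at a steady rate. This is a minimal in-memory sketch (the per-IP keying and the limits chosen are illustrative assumptions, not a production design):

```python
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Token-bucket limiter: bursts up to `capacity` requests,
    sustained throughput of `refill_rate` requests per second."""
    capacity: float     # maximum burst size
    refill_rate: float  # tokens added per second
    tokens: float = 0.0
    last_ts: float = 0.0

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at capacity.
        elapsed = now - self.last_ts
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last_ts = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# One bucket per client IP (hypothetical key scheme; real deployments
# often key on IP + account and store buckets in Redis, not a dict).
buckets: dict[str, TokenBucket] = {}


def check(ip: str, now: float, capacity: float = 5, rate: float = 1.0) -> bool:
    bucket = buckets.setdefault(ip, TokenBucket(capacity, rate, tokens=capacity))
    return bucket.allow(now)
```

With these example limits a client may burst five requests, then proceed at one request per second; anything faster is rejected until tokens refill.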
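A robots.txt compliance audit from server logs amounts to extracting the request path and user agent from each entry and counting hits against your Disallow rules. A sketch assuming Apache/Nginx combined log format (the disallowed prefixes and agent names here are hypothetical):

```python
import re
from collections import Counter

# Combined Log Format:
# IP - - [timestamp] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def disallowed_hits(log_lines, disallowed_prefixes):
    """Count requests to robots.txt-disallowed paths, grouped by
    user agent. `disallowed_prefixes` mirrors your Disallow: rules."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed entries
        if any(m.group("path").startswith(p) for p in disallowed_prefixes):
            hits[m.group("ua")] += 1
    return hits
```

Agents that repeatedly hit disallowed paths are ignoring robots.txt by definition and are strong candidates for WAF rules or outright blocks.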
Data & methodology
- Source: Imperva 2025 Bad Bot Report
- Classification: Imperva uses ML on behavioral signals, header analysis, and threat intelligence to classify bot intent
- Update cadence: Annual; April 2025 report
- Dashboard anchor: Live stat on dashboard