The poison pill that malicious bots can't digest


How much online traffic is real? The age of automation and AI has given added importance to this question. As much as 51% of all Web traffic in 2024 was automated, according to the 2025 Thales Bad Bot Report, while malicious bots specifically made up 37% of all Internet traffic.

Quietly distorting the Internet, bots are a growing cybersecurity challenge, whether they’re scraping pricing data and hoarding inventory, spreading misinformation, or launching large-scale attacks that knock websites and IT resources offline.

Tim Ayling

VP for EMEA Cybersecurity Specialists at Thales.

This automation undermines trust in digital experiences as well as causing significant financial losses. According to the ‘Economic Impact of API and Bot Attacks’ report from Imperva, bot attacks and API security flaws result in up to $186 billion in losses for businesses globally.


Thanks to the power of automation, bots are also evolving and learning from defenses as operators adapt their behavior to better blend in with legitimate traffic.

AI tools can help bots mimic our clicks, pauses, and even typing rhythms – with large language models helping to generate convincing natural text or responses that make them sound human in chat or API interactions.

Turning an adversary against themselves

Blocking or rate-limiting can only do so much and rarely stops bots for good. A large part of why bot attacks can be so effective is that, individually, the cost of launching and running a bot is very small.

At first, it seems an impossible task to combat – but by turning automation’s power to operate at scale against itself, we can start to make it too costly for bots to keep hunting.

Focusing on the economics – wearing out an adversary until continuing is no longer worth the effort – has parallels in the wider corporate world. During hostile mergers or acquisitions, a target company may employ a defensive strategy to make a takeover more expensive.

By giving all shareholders except the acquirer the right to purchase shares of the target company at a discount, they can dilute the acquirer’s ownership position. The cost of gaining control is made significantly more expensive, making the acquisition less attractive.

“Compared to many of today’s online strategy games, success isn’t just about spotting an opponent’s move, but about making every step costly for them.

Often, victory means letting your adversary exhaust their resources and energy by forcing them to constantly react to your plays. The attacker bears the burden, while the defender conserves strength.

In the fight against bots, we need a similar approach: our systems should implement defenses that require bots to expend so much computing power and time that continuing the attack no longer makes sense. The point isn’t just to detect every bot, but to make attacking uneconomical and inefficient.”

A scalable defense

Looking at an attacker’s economics, and targeting that, is also much more scalable and long-term as a strategy. Working purely from a detection-based strategy is signing up to endless cat and mouse dynamics, where your defenses will always be one step behind the innovation and evolution that advanced bots are capable of.

They can evolve on the fly, analyzing failed attempts instantly and adjusting their behavior in real time from every block, challenge or rate limit.

The digital poison pill – or Proof of Work (PoW) – involves specialist software issuing a small computational puzzle every time a request is made to view a webpage, access data, or carry out another task.

Unlike more intrusive solutions such as CAPTCHA challenges, real users don’t encounter unnecessary friction, as it all happens in the background.

A real user’s browser can solve these invisibly in the background because it only needs to do so once, but a bot that has to repeat the work thousands of times finds it gets very expensive, very quickly. This small hurdle eliminates both the speed and scale at which bots can operate.
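To make the asymmetry concrete, here is an added example (not code from the article or from any Thales product) of a hash-based Proof of Work challenge: the server issues an authenticated puzzle, the client must brute-force a counter, and the server checks the answer with a single hash. It also includes the ratcheting idea from later in the piece, where difficulty climbs with a client's request rate; the client identifier, difficulty values and time window are illustrative assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Server-side secret that authenticates issued challenges (constructed for this example).
SERVER_KEY = os.urandom(32)

def issue_challenge(client_id: str, difficulty_bits: int, ttl_s: int = 60) -> dict:
    """Issue a puzzle: find `counter` so that sha256(nonce:counter) starts with
    `difficulty_bits` zero bits. The HMAC stops a client from forging an easier
    challenge or reusing one issued to somebody else."""
    nonce = secrets.token_hex(16)
    expires = int(time.time()) + ttl_s
    msg = f"{client_id}:{nonce}:{difficulty_bits}:{expires}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "bits": difficulty_bits, "expires": expires, "tag": tag}

def _leading_zero_bits(digest: bytes) -> int:
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()

def solve_challenge(ch: dict) -> int:
    """Client side: brute-force the counter. Expected work is about 2**bits hashes,
    so each extra bit of difficulty doubles the attacker's cost."""
    counter = 0
    while True:
        d = hashlib.sha256(f"{ch['nonce']}:{counter}".encode()).digest()
        if _leading_zero_bits(d) >= ch["bits"]:
            return counter
        counter += 1

def verify_solution(client_id: str, ch: dict, counter: int, now=None) -> bool:
    """Server side: one MAC comparison plus one hash, whatever the difficulty."""
    now = int(time.time()) if now is None else now
    msg = f"{client_id}:{ch['nonce']}:{ch['bits']}:{ch['expires']}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ch["tag"]) or now > ch["expires"]:
        return False
    d = hashlib.sha256(f"{ch['nonce']}:{counter}".encode()).digest()
    return _leading_zero_bits(d) >= ch["bits"]

def difficulty_for(requests_in_window: int, base_bits: int = 12,
                   step: int = 50, max_bits: int = 24) -> int:
    """Ratchet: every `step` requests from one client in the window adds a bit,
    doubling expected work, while a human's handful of requests stays cheap."""
    return min(max_bits, base_bits + requests_in_window // step)
```

A production deployment would additionally record each nonce once it is redeemed so a solved puzzle cannot be replayed within its validity window.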

A real-world example

The impact of bots is keenly felt by industries that operate with inventory systems, such as airlines. Here, sophisticated bots masquerade as humans to hoard flight inventory – reserving tickets without completing the purchase.

Done at scale, they distort fare availability and pricing, negatively impacting real customers and sales, alongside potential operational impacts if those seats are released at the very last minute.

In these environments – and in any bot detection challenge – you need precision. If you miss a bot, you risk fraud; if you block a real user, you risk losing a customer.

By blending advanced fingerprinting and behavior analysis, with a Proof of Work ‘poison pill’ that ratchets up the cost of every bot interaction, the incentive structure is flipped without increasing friction for real customers. The frantic bot activity on an airline’s website becomes much more difficult to sustain.

Fighting back against the next generation of intelligent bots will take an application of classic business logic to cybersecurity. By taking principles from both economics – and my passion, the sport of fencing – security leaders can make automated attacks too costly to sustain.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
