June 6 2024

Bots make up approximately 50% of global web traffic.

Half of Internet traffic is generated by bots, representing a growing threat to the security of online resources.


Imperva, a leader in cybersecurity that protects critical applications, APIs and data at scale, announced the release of the Bad Bots Report 2024, a global analysis of automated bot traffic on the Internet. Nearly half (49.6%) of Internet traffic in 2023 was generated by bots, a 2% increase from the previous year and the highest level recorded by Imperva since 2013, the year it began tracking automated traffic.

For the fifth consecutive year, the proportion of web traffic associated with bad bots grew, reaching 32% in 2023, compared to 30.2% in 2022, while human user traffic decreased to 50.4%. Automated traffic is costing organizations billions of dollars every year due to attacks on websites, APIs and applications.

“Bots are one of the most pervasive and growing threats facing every industry,” says Nanhi Singh, General Manager of Application Security at Imperva. “From simple web scraping to account takeovers, to spam and denial-of-service attacks, bots negatively impact an organization's online services, requiring greater investments in infrastructure and customer support. Organizations must proactively address the bad bot threat as attackers sharpen their focus on API-related abuse that can lead to account compromise or data exfiltration.”

Key trends identified in the 2024 Bad Bots Report:

  1. The global average of bad bot traffic has reached 32%:
    Ireland (71%), Germany (67.5%) and Mexico (42.8%) saw the highest levels of bad bot traffic in 2023. The US also saw a slight increase in bad bot traffic, going from 32.1% in 2022 to 35.4% in 2023.
  2. Growing use of generative AI linked to the rise of simple bots:
    Rapid adoption of generative AI and large language models (LLMs) has led to simple bot volume increasing to 39.6% in 2023, up from 33.4% in 2022. This technology uses web scraping bots and automated crawlers to feed training models, while also allowing non-technical users to write automated scripts for personal use.
  3. Account takeover is a persistent business risk:
    Account Takeover (ATO) attacks increased 10% in 2023 compared to the same period last year. Remarkably, 44% of all ATO attacks targeted API endpoints, up from 35% in 2022. Of all internet login attempts, 11% were associated with account takeover. The industries that experienced the highest volume of ATO attacks in 2023 were Financial Services (36.8%), Travel (11.5%), and Business Services (8%).
  4. APIs are a popular attack vector:
    Automated threats caused 30% of API attacks in 2023. Of these, 17% were bad bots that exploited business logic vulnerabilities, flaws in API design and implementation that allow attackers to manipulate legitimate functionality and gain access to sensitive data or user accounts. Cybercriminals use automated bots to find and exploit APIs, which serve as a direct route to sensitive data, making them a prime target for business logic abuse.
  5. Every industry has a bot problem:
    For the second year in a row, the Gaming sector (57.2%) saw the highest proportion of bad bot traffic. Meanwhile, the Retail (24.4%), Travel (20.7%) and Financial Services (15.7%) sectors experienced the highest volume of bot attacks. The proportion of advanced bad bots, those that closely mimic human behavior and evade defenses, was highest on Law & Government (75.8%), Entertainment (70.8%), and Financial Services (67.1%) websites.
  6. Bad bot traffic originating from residential ISPs grows to 25.8%:
    Bad bots' initial evasion techniques relied on masquerading as the user agent (browser) commonly used by legitimate human users. Bad bots masquerading as mobile user agents accounted for 44.8% of all bad bot traffic in the past year, up from 28.1% just five years ago. Sophisticated actors combine mobile user agents with the use of residential or mobile ISPs. Residential proxies allow bot operators to escape detection by making the traffic source appear to be a legitimate residential IP address assigned by an ISP.

“Automated traffic will soon surpass the proportion of Internet traffic that comes from humans, changing the way organizations approach building and securing their websites and applications,” continues Singh. “As more and more AI-enabled tools are introduced, bots will become ubiquitous. Organizations must invest in bot management and API security tools to manage the threat of automated and malicious traffic.”

Insight into Bad Bot Analysis

Imperva, a leading cybersecurity company focused on protecting web applications and data, is known for its application and data protection services similar to those offered by Cloudflare. Every year, Imperva publishes a detailed report on bad bots, providing in-depth analysis of automated traffic on the Internet. This report has become a key resource for companies seeking to understand and mitigate the threats posed by malicious bots.

The Impact of Bots on Businesses

Bad bots are automated programs designed to perform tasks on the Internet without human intervention. While there are “good” bots used for legitimate purposes such as search engine indexing, bad bots are created for malicious purposes, such as web scraping, data theft, vulnerability detection, and performing DDoS attacks. The increase in traffic generated by bad bots has serious consequences for businesses, including:

  1. Increase in Operating Costs:
    Malicious bots can consume a significant amount of network and server resources, forcing companies to invest in additional infrastructure to handle the additional traffic load. This can result in an increase in operating costs and a reduction in the performance of online services.
  2. Security Compromise:
    Bad bots can identify and exploit vulnerabilities in web applications and APIs, allowing attackers to access sensitive data and compromise user accounts. This type of activity can lead to data breaches and significant financial losses for businesses.
  3. Reputation Damage:
    Bot attacks can negatively impact user experiences, causing downtime, slowdowns, and other performance issues on websites. This can damage a company's reputation and lead to a loss of customer trust.
  4. Increased Customer Support Workload:
    Problems caused by bad bots often require customer support intervention to resolve. This increases the workload of support staff and can lengthen response times for legitimate customer requests.

The Need for Bot Management Tools and API Security

To effectively address the threat posed by bad bots, companies must invest in advanced bot management and API security solutions. These tools can help detect and block malicious bot traffic, while protecting company resources and improving the performance of online services. Among the most effective solutions are:

  1. Bot Management:
    Bot management tools that use machine learning and behavioral analytics to identify and block malicious bots in real time. These tools can distinguish between legitimate traffic and traffic generated by bots, ensuring that company resources are used efficiently.
  2. API Security:
    API security solutions that protect application programming interfaces from abuse and malicious attacks. These tools can monitor API traffic, detect anomalies, and enforce security policies to prevent unauthorized access to sensitive data.
  3. DDoS Attack Mitigation:
    DDoS mitigation services that can identify and block malicious traffic generated by bots before it reaches corporate infrastructure. These services can protect websites and applications from disruptions caused by DDoS attacks.


Imperva's 2024 Bad Bots Report highlights the importance of addressing the growing threat of malicious bots on the Internet. With nearly half of global traffic generated by bots, businesses must take proactive measures to protect their assets and ensure data and application security. This includes implementing advanced bot management and API security solutions, crucial to mitigating the risks associated with malicious bots. Websites, APIs, and major web servers like Apache and NGINX are particularly vulnerable to automated attacks. Protecting these critical components not only safeguards business operations, but also ensures a safe and reliable user experience, preserving the reputation and operational continuity of online businesses.
