Legacy defenses collapsing as AI-driven traffic reshapes the web; only 2.8% of 16,900+ domains fully protected
NEW YORK – September 30, 2025 – DataDome, the leader in cyberfraud protection, today released its 2025 Global Bot Security Report, an in-depth analysis of over 16,900 websites across 22 industries that examines businesses’ resilience against automated threats.
The findings reveal a stark truth: AI is now the dominant force shaping online traffic, yet most businesses remain dangerously unprepared to manage it.
AI-generated traffic, ranging from large language model (LLM) crawlers to AI-powered agents, has surged to unprecedented levels. In 2025, AI bot and crawler traffic quadrupled across DataDome’s customer base, now making up more than 1 in 10 verified bot requests. This seismic shift means that organizations must confront a new reality where AI-driven traffic is no longer the exception but the norm.
“AI agents are rewriting the rules of online engagement,” said Jérôme Segura, VP of Threat Research at DataDome. “They mimic human behavior, spawn synthetic browsers, bypass CAPTCHAs, and adapt in real time. Traditional defenses, built to spot static automation, are collapsing under this complexity. Businesses can’t tell if the AI traffic they’re seeing is good or bad, which leaves them both exposed to fraud and blind to opportunity. What’s needed is adaptive, intent-based protection that can make sense of this AI-driven chaos in real time.”
Key Findings:
- AI traffic has exploded: LLM crawler traffic quadrupled across DataDome’s customer base in 2025, rising from 2.6% of verified bot traffic in January to over 10.1% by August. DataDome alone detected nearly 1.7 billion requests from OpenAI crawlers in a single month. These crawlers scrape massive amounts of web content, usually without consent or oversight, draining server resources and exposing proprietary data.
- Businesses are pushing back, but ineffectively: 88.9% of domains disallow GPTBot in their robots.txt files, yet this measure offers little real protection. AI-powered crawlers and browsers ignore these directives, rendering static blocking strategies obsolete. Without active enforcement beyond robots.txt, organizations risk exposing their content, data, and infrastructure to the next generation of automated threats.
- Legacy defenses are failing fast: Only 2.8% of websites were fully protected in 2025, down from 8.4% in 2024. Most businesses still cannot stop even basic bots, let alone AI-driven ones that dynamically adapt their identity and behavior.
- AI bots target high-value endpoints: Unlike older automation, AI-driven traffic doesn’t stop at scraping. In 2025, 64% of AI bot traffic reached forms, 23% login pages, and 5% checkout flows, creating new vectors for fraud, account takeover, and compliance risk.
- AI traffic is a double-edged sword: While much of it is malicious, AI-driven requests also represent legitimate new use cases. Without the ability to classify intent, businesses risk either blocking innovation or opening the door to abuse.
- High-risk industries remain underprotected: Government, Non-Profit, and Telecoms sectors had the weakest protection. Meanwhile, Travel & Hospitality, Gambling, and Real Estate led the way with the highest combined rates of full and partial protection. Even among the top-performing industries, full protection remains rare, and partial protection alone isn’t enough to stop sophisticated bots.
- Scale doesn’t equal better security: Only 2% of domains with over 30M monthly visits were fully protected. Even among enterprises with 10,001+ employees, just 2.2% had full protection, and 61% were completely unprotected.
- Advanced bots evade most defenses: Anti-fingerprinting bots were only blocked by ~7% of websites, leaving most businesses highly vulnerable to account takeover, carding, and advanced scraping attacks. Fake Chrome and curl bots were detected just 21% of the time.
- Weak bot defenses are a global constant: Latin America had the highest share of protected websites, yet only 3.5% were fully protected and 38.5% partially protected—leaving nearly 6 in 10 domains completely exposed. North America and Europe showed similar patterns, with over 60% of websites lacking any bot protection. Asia Pacific lagged further, with just 1.6% fully protected. This lack of regional variation enables attackers to reuse the same tools across markets, reducing costs and increasing the scalability of global cyberfraud campaigns.
The report underscores that AI has permanently changed the fabric of the internet. Websites are no longer just contending with humans versus bots; they face a spectrum of AI activity blending automation and human input in ways legacy tools cannot parse.
“This isn’t just about stopping fraud anymore,” added Segura. “It’s about making sure businesses don’t miss opportunities hidden in AI traffic while still defending against sophisticated threats. Security must now operate at AI speed.”
Article source: https://securityboulevard.com/2025/09/datadomes-2025-global-bot-security-report-exposes-the-ai-traffic-crisis/