One of the perhaps more surprising findings from our Global Bot Security Report 2025 is that when it comes to bot protection, scale does not equal security. Whether a company is a startup or a global enterprise, most organizations still fail to detect even the simplest automated attacks.

For a problem that costs the global economy billions in fraud, scraping, and data theft, our data reveals a deeper issue in how businesses approach security readiness.

Larger does not mean safer

Every year, DataDome tests thousands of high-traffic websites worldwide to measure how efficiently they detect and block common automated threats. For the 2025 edition of our report, we analyzed nearly 17,000 popular domains across. 

The 2025 data shows that larger companies have only marginally stronger bot protection than smaller ones.

Among businesses with more than 10,000 employees, nearly 61% of domains allowed every test bot request through, while just 2.16% of the tested websites correctly identified all the test bots (we consider these as fully protected). At the smaller end of the spectrum, around 62% of businesses with 50 or fewer employees failed to detect any bots, with fewer than 3% fully protected. 

The gap between small and large organizations has narrowed dramatically over the past year. As the report highlights:

“While larger enterprises still maintain a slight edge, the margin is smaller. In 2024, large companies were over 10x more likely to have full protection than the smallest businesses; in 2025, that gap shrank to just a single percentage point in many cases.”

Bigger companies, bigger blind spots?

We also found that protection levels remain low across all categories of traffic volume, and that the largest, most-visited domains are actually often the least protected.

“The largest domains, those with over 30 million monthly page views, actually had the lowest full protection rate in our dataset at just 2.04%.”

In contrast, smaller domains (under 10 million monthly visits) performed marginally better, but still left over 61% of traffic fully exposed.

This particular insight is counterintuitive but telling: scale doesn’t drive security maturity. In fact, the complexity of large infrastructures often works against them, creating blind spots across multiple digital surfaces — websites, APIs, and mobile apps — that bots can easily exploit.

As the report concludes:

“Traffic volume alone is not a strong indicator of bot protection maturity in 2025. In fact, the lowest levels of protection were found among the largest, highest-traffic websites—those with over 30 million monthly visitors.”

That means the websites that attract the most attention — and the most attackers — are often the least equipped to stop them.

Weak bot hygiene invites high-ROI attacks

These findings have a direct financial implication. When a website fails to stop even basic bots, it becomes a prime target for more advanced, higher-ROI exploitation. As our threat research team warns:

“Weak bot hygiene becomes a signal to fraudsters that your stack is ripe for more aggressive, high-ROI exploitation.”

If simple traffic passes undetected, attackers know that more sophisticated automation — using residential proxies, fingerprint spoofing, or AI-based decision-making — will likely go unnoticed as well.

That’s when bad actors escalate: from scraping and inventory denial to credential stuffing, carding, and account takeover.

Or, as the report puts it: “Advanced attacks don’t always start off advanced. They escalate. And if your detection stack is failing at the basics, you’re not just missing small threats, you’re inviting bigger ones.”

The high-ROI endpoints every business must protect

The 2025 data also shows that AI-driven bots increasingly target high-value transactional endpoints.

In DataDome’s customer analysis, AI-driven bots interacted most heavily with forms (64%), login pages (23%), and checkout flows (5%). These are the same points where automation yields the highest financial returns for attackers — and the highest potential losses for businesses.

Without real-time, intent-based detection, these endpoints remain open to abuse, such as credential stuffing, fake account creation, or AI-powered scraping of product, pricing, and customer data.

Protecting these high-ROI targets requires more than perimeter defense. It demands continuous visibility into who or what is interacting with your systems — and why.

Why intent-based detection is now a business imperative

As AI and agentic commerce reshape the internet, businesses can no longer afford to ask only “Is this a bot?” The question must become: “What is the intent behind this request?”

For companies of all sizes, that means shifting from static detection to adaptive, behavior-based protection, which is capable of distinguishing legitimate automation from malicious activity in real time.

Enterprises and fast-growing platforms alike will need to adopt intent-based detection and AI-powered traffic analysis to maintain control, protect user trust, and keep fraud from eroding growth.

Because at every scale, from the smallest online shop to the most-visited global brand, the reality is the same: If you can’t detect simple bots today, you can’t defend against intelligent ones tomorrow.

Download the full Global Bot Security Report

The Global Bot Security Report 2025 discusses how company size, traffic scale, and bot hygiene relate to real-world risk, and what organizations can do to build stronger, intent-based defenses before AI-driven automation becomes the norm.

Download the full report to benchmark your organization, identify weak points, and strengthen your defenses where they matter most.