TL;DR:
Bots now make up 49% of all traffic, nearly equal to humans (51%)
99% of bot traffic is unwanted, including scrapers, impersonators, automated attackers, and generic automation
Only 1% of bots are verified/wanted, with AI representing a small but high-impact subset
Bot traffic is unique to every business, industry, and region, JAPAC saw the least humans, the most unwanted bots, and the least wanted bots, while LATAM saw the opposite
Bottom line: Bots aren’t just part of your traffic; they’re shaping how your content is accessed, consumed, and exposed, and their presence comes with different impacts for every business.
----
AI isn’t just changing how people use the internet – it’s changing how the internet uses you.
Behind the scenes, bots are now responsible for nearly half of all traffic across applications and APIs. But the real story isn’t just volume; it’s where bots are going, what they’re accessing, and how little visibility most organizations have into it.
In our latest Threats Insights Report, we analyzed trillions of requests across Fastly’s network to understand how bots interact with cached and origin content. What we found challenges some long-held assumptions about performance, cost, and control, and highlights why your bot strategy may need a serious reconsideration.
Nearly Half of Your Traffic Isn’t Human, and Most of it Isn’t Verifiable
In January 2026, bots accounted for 49% of all requests, nearly matching human traffic at 51%. That alone isn’t surprising, but this was: 99% of that bot traffic is unwanted or unverifiable.
These aren’t harmless crawlers, they’re:
Impersonating legitimate services
Scraping competitive intelligence
Probing for vulnerabilities
Automating attacks like account takeovers (ATO)
And because many of them attempt to disguise themselves as verified bots, organizations are often making policy decisions based on bad data. If you think you’re allowing “ChatGPT,” by looking at just their declared User Agent, for example, there’s a real chance you’re actually allowing bots pretending to be it too.
This is where most bot strategies break down. They stop at “is this a bot?” when the real question is: what is this bot doing – and should it be allowed to do it?
Your Most Valuable Content is More Exposed Than You Think
Cached content has typically been seen as low-risk. It’s faster, cheaper to deliver, and often overlooked from a security perspective. But nearly half of requests to cached content (47%) come from bots. That raises an important question: who is accessing your most visible and valuable content – and why.
For many organizations, that answer isn’t clear. Some of this activity may be expected. Some of it may be strategic. But without deeper visibility, it’s difficult to determine:
Which bots are creating value
Which are creating risk
And which should be allowed at all
Bots are Quietly Driving Up Infrastructure Costs
When bots move beyond cache, the impact shifts from visibility to cost. These requests hit your infrastructure directly, bypassing cache, increasing egress costs, and adding load where it matters most.
Not all of this traffic is malicious, but much of it is: low-value, redundant, and (potentially!) entirely unnecessary.
Without understanding the intent behind these requests, organizations are left absorbing the cost without understanding the tradeoff. The report found that 60% of all origin traffic is from bots, forcing organizations to understand what’s being accessed and the value derived from allowing it.
AI Bots: Small Slice, Outsized Impact
Everywhere you look, it’s there, AI. So we’d be remiss to not give it the attention it deserves. But our data has unearthed a bit of nuance to the (all-consuming) AI conversation.
Only 1% of bots are verified or “wanted”, and AI represents a subset of that traffic. Yet their influence is disproportionate.
AI bots don’t just access content – they reshape how it's surfaced, summarized, and consumed. In some cases, they can decouple content from its original source entirely. One trend we highlight in the report: 57% of AI fetcher requests target non-cached content, often tied to real-time or highly specific queries.
What this Means: Bot Strategy is Now Business Strategy
Previously, bot management lived in the background, a security or infrastructure concern. That model doesn’t hold anymore.
When bots account for half your traffic, drive the majority of origin load, and determine how your content is surfaced in AI systems, they stop being a technical edge case and start becoming a business variable. What our data makes clear is that the real shift isn’t just volume. It’s decision-making.
Every request now carries implicit questions:
Should this bot be allowed to access this content, and under what context?
What is the business impact if it does?
Most organizations can’t answer that question today. Not because they lack data, but because they lack the ability to connect bot identity with intent in a meaningful way.
That’s the gap. And it’s where strategy needs to evolve.
Because in an AI-driven ecosystem, access is leverage. The bots you allow shape how your brand appears, how your data is used, and how your infrastructure is consumed – often long after the original request is made.
The organizations that adapt won’t be the ones that simply block more or allow more. They’ll be the ones that make deliberate, granular decisions about who gets access to what, and why.
Read the full Threat Insights Report to see how bot identity, intent, and access are redefining performance, cost, and control across the web and learn how you can respond.