Introduction
Nearly half of all web traffic in 2026 is not human. As AI agents, crawlers, and automation tools multiply across the internet, organizations face a growing challenge that simple block-or-allow security rules cannot solve. The question is no longer just “is this a bot?” — it’s “which bot, what does it want, and should we let it in?”
Fastly’s Threat Insights Report takes a fresh approach to this challenge by pairing bot identification with intent — specifically, whether automated traffic is targeting cached content or going all the way to origin. Drawn from trillions of requests analyzed across Fastly’s Next-Gen WAF and Bot Management platforms, this report gives security and business leaders the data-backed framework they need to build a real bot strategy for the AI era.
You Will Learn
- Why bot and human traffic volumes have reached near-parity, and what that means for operations
- How bot intent — cache versus origin — creates two very different sets of business risks
- Why 99% of all bot traffic is classified as unwanted, and what that looks like across industries
- How AI bots represent only 8% of wanted bot traffic yet create outsized impact per request
- The difference between AI crawlers and AI fetchers, and why each demands a distinct strategic response
- Which AI bots dominate traffic by volume across cache and origin — and whose they are
- How bot traffic patterns vary significantly by industry, from Publishing to SaaS/PaaS to AdTech
- What bot monetization looks like in practice, and why it is becoming an emerging revenue strategy
- How Fastly’s Deception technology shifts the advantage back to defenders against account takeover attacks
- Regional bot breakdowns across North America, EMEA, JAPAC, and LATAM
Strategic Insight: Bot Intent Is the Missing Layer in Every Organization’s Security Strategy
Half Your Traffic Isn’t Human — and Most of It Is Unwanted
The data is stark: in January 2026, bots generated 49% of all web traffic analyzed across Fastly’s platform. Of that bot traffic, 99% came from unwanted sources — unverifiable automation, malicious scanners, deceitful user agents, and bots impersonating legitimate services like ChatGPT. Organizations that haven’t built granular visibility into their bot traffic are effectively making security and business decisions based on assumptions rather than reality.
Cached Content Is No Longer a Low-Stakes Target
Organizations have historically paid little attention to who accesses their cached content, viewing it as a cost-efficient layer with limited exposure. That calculus has shifted. With 47% of cached content requests now coming from bots, competitive intelligence gathering, unauthorized data scraping, and nefarious activity are happening against an organization’s most popular and visible assets — largely undetected.
AI Bots Are Small in Volume but Large in Consequence
AI-driven bots account for just 8% of all wanted bot traffic globally, yet their business impact is disproportionate. A single crawl of a publisher’s site can feed content directly into an LLM response, potentially diverting users away from the source permanently. For travel, SaaS, and EMEA-based businesses, AI bot traffic runs well above the global baseline. Knowing which AI bots are accessing which content — and at what abstraction level — is now a brand, legal, and revenue question, not just a security one.
Fetchers Are the Frontier That Demands the Most Attention
Unlike crawlers that spider indiscriminately, AI fetchers retrieve content in direct response to human queries. They hit apps and APIs in real time, meaning their access decisions immediately shape whether a business appears in an LLM’s response. The strategic question of whether to allow, rate-limit, or monetize fetcher access sits at the intersection of visibility, brand authority, and future revenue.
Governance and Challenges
Organizations face serious governance gaps when it comes to bot traffic: the lack of verified bot identification creates false assumptions at the policy level, unwanted bots operating under false identities can trigger misguided blocking decisions, and the nuance required to distinguish crawlers from fetchers from impostors is beyond what most legacy security tooling supports. IP protection of proprietary content and compliance risk from outdated or inaccurate content being ingested by AI further complicate decision-making.
Implementation and Strategy
The report outlines three strategic pillars for organizations to act on: gaining deep visibility into bot traffic at the individual bot level, moving beyond simple blocking to purpose-built capabilities like Deception technology that disrupts attacker economics, and exploring bot monetization frameworks that allow organizations to generate revenue from sanctioned AI access to their content. Each pillar builds on the others and is most effective when delivered through an integrated platform that connects bot management, CDN-level data, and broader AppSec tooling.
Who Should Read This
This report is essential for CISOs, security architects, and AppSec engineers navigating bot management strategy, as well as digital operations and platform leaders responsible for API security, egress costs, and content governance. It is equally relevant for product and revenue leaders in Publishing, E-commerce, Travel, AdTech, and SaaS who need to understand how AI traffic is reshaping their business models and competitive exposure.
Download AI, Bots, and the Agentic Future of the Web from Fastly to get the full data breakdown by bot type, industry, and region — and build a bot strategy that goes beyond blocking.
