2025 Bot Traffic & AI: Why Vulnerability Scans Are Exploding and Defenders Must Adapt

Automated bots, increasingly accelerated by AI, are now driving a majority of observed web traffic in 2025 and are being used to run tens of thousands of vulnerability scans per second against websites, APIs, identity systems, and corporate networks worldwide. The uncomfortable lesson is not that machines have suddenly become all-powerful. It is that defenders built much of the modern internet on assumptions about human speed, human intent, and human scarcity. Those assumptions are now breaking.

The Internet’s Background Noise Has Become the Main Signal

For years, bot traffic was treated as the grimy underside of the web: credential stuffing against login pages, fake account creation, content scraping, inventory hoarding, ad fraud, spam, and vulnerability probing. It was pervasive, but it still lived in the mental category of abuse around the edges of a human-centered internet.
That framing no longer holds. The latest bot reports from SonicWall and Thales describe an internet where automation is not peripheral traffic but the default condition many services must survive. Thales puts automated activity at more than half of global web traffic in 2025, while SonicWall says bad bot traffic alone has reached 37 percent of global internet traffic.
The most alarming figure is not merely the share of traffic. It is the tempo. SonicWall’s claim that automated bots are generating more than 36,000 vulnerability scans per second captures the real shift: attackers do not need to pick targets carefully when machines can enumerate the exposed web continuously.
This changes the economics of intrusion. A forgotten admin panel, an unpatched application server, a misconfigured API endpoint, or a login form without meaningful rate controls no longer waits patiently for a motivated attacker to discover it. It is fed into a machine-speed marketplace of opportunity.

AI Did Not Invent Bot Abuse, but It Removed the Friction​

There is a temptation to blame artificial intelligence for everything now wearing a black hat. That would be too neat. Botnets, web scrapers, credential stuffing tools, exploit scanners, and spam engines all predate the current AI boom by decades.
What AI changes is friction. It lowers the skill required to generate convincing phishing lures, mutate malware, write exploit scaffolding, translate attacks across languages, analyze stolen data, and adapt campaigns to defensive responses. The attacker still needs infrastructure, intent, and opportunity, but the tooling is becoming less dependent on deep expertise.
That matters because cybercrime has always scaled when specialists packaged their skills for non-specialists. Exploit kits did this in the 2000s. Ransomware-as-a-service did it in the 2010s. AI-assisted automation is now doing it for reconnaissance, social engineering, and attack orchestration.
The phrase AI agent can sound like venture-capital vapor, but in security it describes a very practical problem. An automated system that can observe, decide, and act across multiple steps is far more dangerous than a simple script that repeats one action. It can test exposed services, interpret errors, select follow-up attacks, generate plausible messages, and hand off results to humans only when profit seems likely.
That is why defenders should be wary of both extremes in the AI debate. The bots are not omnipotent. They are, however, tireless, cheap, adaptive, and increasingly good enough.

The Target Has Moved from Web Pages to Business Logic​

The old bot problem was often visible at the website edge. A retailer saw inventory scraping. A ticketing platform saw automated scalping. A publisher saw content theft. A login portal saw brute-force attempts.
The newer problem is deeper. Thales emphasizes attacks against APIs and identity systems, and that distinction matters. APIs are not brochureware; they are the connective tissue of digital business. They move orders, account data, session tokens, pricing, authentication decisions, telemetry, and customer workflows.
A bot that attacks an API is not necessarily trying to deface a website. It may be probing whether an account identifier can be incremented, whether a forgotten endpoint lacks authorization checks, whether rate limits apply inconsistently, or whether a mobile app’s backend trusts calls that look legitimate. This is where conventional perimeter thinking starts to collapse.
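One way to spot the identifier-increment probing described above in API access logs, as an added example that is not from the original article. The log format, sample lines, thresholds and function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic): time, client, method, path, status.
SAMPLE_LOG = """\
2025-06-01T12:00:01Z 198.51.100.7 GET /api/v1/accounts/1001 200
2025-06-01T12:00:01Z 198.51.100.7 GET /api/v1/accounts/1002 403
2025-06-01T12:00:02Z 198.51.100.7 GET /api/v1/accounts/1003 403
2025-06-01T12:00:02Z 203.0.113.20 GET /api/v1/accounts/2200 200
2025-06-01T12:00:02Z 198.51.100.7 GET /api/v1/accounts/1004 404
2025-06-01T12:00:03Z 198.51.100.7 GET /api/v1/accounts/1005 403
2025-06-01T12:00:03Z 203.0.113.20 GET /api/v1/accounts/2200/orders 200
2025-06-01T12:00:04Z 203.0.113.45 GET /api/v1/invoices/501 200
2025-06-01T12:00:04Z 203.0.113.45 GET /api/v1/invoices/502 200
2025-06-01T12:00:05Z 203.0.113.45 GET /api/v1/invoices/503 200
2025-06-01T12:00:05Z 203.0.113.45 GET /api/v1/invoices/504 200
2025-06-01T12:00:06Z 203.0.113.45 GET /api/v1/invoices/505 200
garbled line that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
ID_RE = re.compile(r"/(\d+)(?=/|$)")          # numeric path segment
DENIED = {401, 403, 404}

def parse(log_text):
    """Yield (client, route_template, object_id, status) for usable lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # malformed line: skip, do not crash
        _, client, _, path, status = m.groups()
        ids = ID_RE.findall(path)
        if len(ids) == 1:                     # routes with exactly one numeric id
            yield client, ID_RE.sub("/{id}", path), int(ids[0]), int(status)

def find_id_walks(log_text, min_ids=5, min_step_ratio=0.8, denied_ratio=0.5):
    """Flag clients that request consecutive object ids on one route."""
    hits = defaultdict(list)
    for client, route, oid, status in parse(log_text):
        hits[(client, route)].append((oid, status))
    findings = []
    for (client, route), rows in hits.items():
        ids = list(dict.fromkeys(oid for oid, _ in rows))   # distinct, in order
        if len(ids) < min_ids:
            continue
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        if steps / (len(ids) - 1) < min_step_ratio:
            continue
        denied = sum(1 for _, s in rows if s in DENIED) / len(rows)
        # Mostly denied: probing that authorization stopped.
        # Mostly allowed: a batch client, or an endpoint missing ownership checks.
        kind = "denied-walk" if denied >= denied_ratio else "allowed-walk"
        findings.append({"client": client, "route": route, "ids": len(ids),
                         "denied": round(denied, 2), "kind": kind})
    return findings

if __name__ == "__main__":
    for f in find_id_walks(SAMPLE_LOG):
        print(f)
```

An `allowed-walk` should be checked against the list of known integrations, since a sequential read that succeeds everywhere is also what a missing ownership check looks like.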
Identity systems are equally attractive because they are now the front door to almost everything. Cloud consoles, SaaS apps, VPNs, developer platforms, help desks, and financial systems all depend on identity being trustworthy. If bots can automate password spraying, session hijacking, MFA fatigue, phishing, fake account creation, and token abuse, then identity becomes not a control plane but a battleground.
This is why “enable MFA” is both essential and insufficient. Multi-factor authentication blocks enormous amounts of commodity abuse, but attackers increasingly route around it through social engineering, stolen tokens, adversary-in-the-middle phishing, push fatigue, help-desk manipulation, and compromised devices. MFA is a floor, not a strategy.

The Small Business Problem Is Really a Time Problem​

Small and midsize businesses are often described as easy targets because they lack budget. That is true, but incomplete. The deeper issue is that they lack time: time to patch, time to monitor, time to investigate, time to tune identity policies, time to replace legacy systems, and time to train users before the next campaign arrives.
Machine-speed reconnaissance punishes delay. A vulnerability disclosed on Monday can be scanned for globally before many smaller organizations have even read the advisory. A misconfigured remote access service can be indexed before an IT generalist finishes another urgent support ticket.
This is where the security industry’s advice often becomes unintentionally cruel. Telling a 40-person company to adopt layered defense, behavioral analytics, API discovery, zero-trust identity, endpoint detection, and continuous vulnerability management is not wrong. It is just wildly detached from the staffing reality of many businesses.
The lesson from the new bot numbers is that basic controls have become more important, not less. Asset inventory, patch prioritization, strong identity policy, backup testing, least privilege, email filtering, logging, and user training are unglamorous precisely because they are old. But old does not mean optional.
The cruel twist is that AI gives both sides leverage. A small business can use managed detection, automated patch intelligence, phishing-resistant authentication, and AI-assisted log review to punch above its weight. Attackers can use the same general class of technology to find the business that did not.

Critical Infrastructure Faces the Same Playbook with Less Margin for Error​

Defense, healthcare, energy, transport, communications, and public-sector systems are not attacked by magical methods unavailable elsewhere. The playbook is familiar: reconnaissance, credential theft, phishing, exploitation of exposed systems, abuse of third-party access, lateral movement, persistence, and extortion.
What changes is consequence. A ransomware incident at a small manufacturer can be devastating. A disruption at a hospital, water utility, telecom provider, or defense contractor can become a public safety problem. The same bot-driven discovery process that finds an exposed corporate system can also find a neglected remote access device sitting at the edge of a critical network.
The operational technology world has long relied on segmentation, obscurity, vendor-specific equipment, and long maintenance cycles. AI-driven bot activity does not magically understand every industrial control system, but it does increase the volume of probing around the systems that bridge IT and OT environments. Those bridges are where many real incidents begin.
Critical infrastructure operators also face a procurement problem. Their systems are often designed to run for decades, while attacker tooling now iterates in weeks or days. A hospital cannot casually reboot every device. A utility cannot replace every legacy controller. A government agency cannot always move at cloud-startup speed.
That makes layered defense more than a slogan. IP filtering, network segmentation, behavior monitoring, identity hardening, privileged access management, secure remote access, and incident rehearsal are not interchangeable products. They are overlapping chances to catch a machine-speed attack before it becomes a human-scale disaster.

The Human Weak Link Is Becoming a Synthetic Target​

Security people have called users the weakest link for so long that the phrase has become lazy. Users are not weak because they are foolish. They are vulnerable because modern work asks them to make high-stakes trust decisions under pressure, inside noisy inboxes and collaboration tools, while attackers optimize every cue.
AI makes that asymmetry worse. Hyper-realistic phishing, voice cloning, video impersonation, fake meeting invites, synthetic customer complaints, and tailored business email compromise campaigns are all ways to attack cognition rather than infrastructure. The target is not a firewall rule. It is a moment of belief.
This is where bot traffic and social engineering converge. Automated systems can scrape public information, map relationships, identify executives, generate convincing pretexts, and launch many variants of the same approach. A human attacker can then step in only when the machine has found a promising victim.
The result is a more industrial form of deception. Instead of one carefully crafted spear-phishing email, a company may face thousands of plausible micro-campaigns tuned to departments, languages, vendors, and current events. The attack does not need every employee to fail. It needs one workflow to bend.
Training still matters, but it cannot carry the whole load. A finance employee should be taught to distrust urgent payment changes, but the business process must also require out-of-band verification. A help-desk worker should recognize social engineering, but the identity system should not allow a persuasive caller to reset the keys to the kingdom.

Ransomware Will Feed on the Bot Economy​

Ransomware is often discussed as the final payload, but it is better understood as an ecosystem. Initial access brokers find footholds. Credential thieves harvest accounts. Botnets test exposures. Phishing crews generate leads. Ransomware operators choose victims based on access, revenue, pressure points, and likelihood of payment.
AI-driven bots strengthen the front end of that ecosystem. They can discover more weak points, qualify more victims, and accelerate the path from vulnerability to intrusion. The ransomware crew does not need to scan the internet manually if someone else’s automation can deliver a menu of possible entries.
The greatest danger is not only new vulnerabilities. It is old vulnerabilities exploited at new speed. Many organizations still carry technical debt in VPN appliances, file-transfer systems, web frameworks, content management platforms, and forgotten cloud assets. Attackers do not care whether a vulnerable system is boring. They care whether it is reachable.
Polymorphic malware adds another layer of difficulty. If malicious code can be altered for each target or delivery attempt, defenders relying on static signatures face diminishing returns. Behavioral detection, isolation, least privilege, and rapid containment become more important because the first indicator may not look like yesterday’s malware sample.
Still, there is a risk of overstating novelty. Most ransomware incidents do not require science fiction. They require a stolen credential, a missing patch, a flat network, weak backups, and a weekend. AI makes the assembly line faster, but the raw materials remain depressingly familiar.

The Defender’s AI Is Not a Silver Bullet, but It May Be the Only Way to Keep Pace​

If AI helps attackers move at machine speed, defenders will inevitably use AI to respond at machine speed. That is not marketing fantasy; it is operational necessity. Human analysts cannot manually inspect every login anomaly, API call pattern, phishing lure, endpoint alert, and vulnerability signal generated by a modern enterprise.
The useful defensive role for AI is triage, correlation, and response acceleration. It can cluster suspicious activity, summarize incidents, flag deviations from normal behavior, identify likely phishing content, prioritize exposed assets, and help teams understand whether separate alerts are part of the same campaign.
But defensive AI inherits the same governance problem as every other enterprise system. It needs access to logs, identities, endpoints, cloud telemetry, tickets, email, and sometimes sensitive business data. If deployed carelessly, it becomes another privileged system that must be secured, monitored, and constrained.
There is also the problem of false confidence. A dashboard that says an AI model is watching the environment can become an excuse not to do hard engineering work. No model compensates for internet-facing systems nobody owns, service accounts with excessive privileges, backups that cannot be restored, or executives exempted from security rules.
The better framing is not “AI versus AI.” It is automation discipline versus automation chaos. Organizations that know their assets, understand their identities, log meaningful events, and rehearse response will get more value from defensive AI. Organizations that lack those foundations may simply automate confusion.

The Bot Fight Is Becoming a Fight Over Legitimacy​

One of the hardest problems in the next phase of internet security will be deciding which automated traffic is allowed to exist. Not all bots are malicious. Search crawlers, uptime monitors, accessibility tools, enterprise integrations, AI assistants, security scanners, payment processors, and internal automation all generate non-human traffic.
The arrival of AI agents complicates this further. A human may ask an agent to book travel, compare prices, summarize documents, interact with SaaS tools, or perform administrative tasks. To a server, that may look like automation. To the user, it may be delegated human intent.
This distinction matters because crude blocking can break legitimate business, while permissive trust invites abuse. CAPTCHAs, user-agent strings, and simple rate limits are increasingly inadequate in a world where bots can use real browsers, residential proxies, stolen sessions, and human-solving services. The visible theater of “prove you are human” is giving way to the less visible work of proving that a request is authorized, expected, and behaviorally consistent.
For Windows administrators, this is not an abstract web-platform debate. Enterprise Windows environments increasingly depend on cloud identity, browser-based SaaS access, API-connected management tools, and automated device workflows. The endpoint is still important, but the decisive signals often live in identity logs, conditional access policies, network telemetry, and application behavior.
The future of bot defense will likely look less like a single blocking tool and more like a reputation and intent fabric. Devices, users, sessions, applications, and agents will need stronger ways to assert who they are and what they are permitted to do. That will be messy, political, and full of false starts.

The Real Security Gap Is Between Knowing and Doing​

The most damning part of the current bot surge is that many of the countermeasures are already known. Organizations know they should patch faster. They know they should use MFA, preferably phishing-resistant MFA for privileged and high-risk users. They know they should monitor identity events, restrict administrative access, segment networks, protect APIs, and train staff.
The gap is not awareness in the abstract. It is execution under pressure. Security teams are asked to support cloud migrations, remote work, compliance audits, AI pilots, software delivery, legacy systems, vendor access, and incident response with finite money and finite people. Attackers, meanwhile, automate the search for whoever fell behind.
That is why vendor reports can be both useful and self-serving. SonicWall, Thales, and others have every incentive to describe the threat in terms that support their markets. But the broad pattern they describe matches what administrators already feel: more noise, faster exploitation, more identity attacks, more API exposure, and more pressure on small teams.
The right response is skepticism without denial. Do not treat every headline number as a precise measurement of the entire internet. Bot traffic is observed from particular networks, customers, sensors, and definitions. But do not dismiss the trend because the measurement is imperfect.
The direction is clear enough. Automation is taking a larger share of internet activity, bad bots are a substantial portion of that activity, and AI is making automated abuse more adaptive. Waiting for perfect numbers is just another way to lose time.

The New Baseline for Surviving Machine-Speed Abuse​

The practical lesson is not that every organization must buy another miracle platform tomorrow. It is that bot defense, identity security, API governance, and user resilience can no longer be treated as separate projects. They are different views of the same attack surface.
  • Organizations should assume that any internet-facing asset will be discovered quickly after it appears or becomes vulnerable.
  • Multi-factor authentication should be treated as a minimum requirement, with phishing-resistant methods prioritized for administrators, executives, developers, and finance workflows.
  • API inventories, authorization checks, rate limits, and anomaly detection should receive the same seriousness traditionally reserved for firewalls and endpoint protection.
  • Security awareness programs should be redesigned around deepfakes, voice impersonation, MFA fatigue, and business-process manipulation rather than generic phishing screenshots.
  • Defensive automation should be used to compress detection and response time, but only after logging, asset ownership, and identity governance are made reliable.
  • Small businesses should favor managed, measurable security controls over sprawling toolsets they do not have the staff to operate.
The internet is not becoming less human because people have left it. It is becoming less human because more of what people want, steal, sell, defend, and manipulate is now mediated by machines. The winners will not be the organizations that pretend they can block all automation, nor the ones that trust AI to save them. They will be the ones that redesign security around a harsher fact: on today’s internet, the first visitor to your weakness is probably not a person, and it will not wait.

References​

  1. Primary source: Escudo Digital
    Published: 2026-06-24T05:10:46.140456
  2. Related coverage: cpl.thalesgroup.com
  3. Related coverage: lyrie.ai
  4. Related coverage: crnasia.com
  5. Related coverage: techradar.com
  6. Related coverage: europapress.es
  7. Related coverage: letsdatascience.com
  8. Related coverage: thecodingzebra.com
 
