Automation Is Eating the Web: Thales Puts Malicious Bots at 40% of Requests

Published: 22 May 2026 04:05 | Category: Malware & Botnets | Geo: Europe / France | Author: SIGNALMONK

A new bot report points to a web economy where machine traffic is no longer background noise, but a major part of the attack surface.

The striking detail is not just that bots are busy. It is that automated activity now appears large enough to distort how defenders think about normal web traffic. In the latest figures attributed to Thales, 53% of website requests came from automated programs, and 40% were classified as malicious bots. That is a traffic problem, but it is also an identity problem, an API problem, and a fraud problem.

Fast Facts

  • 53% of website requests were attributed to automated programs.
  • 40% of website requests were classified as malicious bots.
  • Automated abuse commonly includes credential stuffing, scraping, fake account creation, card testing, and ad fraud.
  • APIs are a high-value target because they expose backend functions directly to machine-speed requests.
  • Bot defense works best as layered control, not as a single CAPTCHA or user-agent filter.

Why the numbers matter

Netcrook’s read is that the important shift is not the label “bot,” but the intent behind the traffic. Legitimate automation exists: search crawlers, uptime checks, accessibility tools, and integrations all generate non-human requests. The harder problem is separating that useful traffic from abuse that tries to reuse credentials, harvest content, create fake accounts, or probe payment and login flows at scale.

That is where the defensive model gets more complicated. Traditional checks can still help, but they are often weakest when automation learns to look human. Behavioral analysis, rate controls, step-up authentication, and tighter API authorization become more important than simple blocking rules. In practice, the security question shifts from “Is this a bot?” to “What is this client allowed to do?”

The API angle is especially important. Web applications increasingly hand business logic to APIs, which means machine traffic can skip the visible website and hit the underlying functions directly. If authentication is weak, resource limits are loose, or sensitive flows are exposed, bots can create cost, noise, and abuse without ever behaving like a person.
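
The layered decision described above (API authorization first, then rate limiting, then behavioural analysis leading to step-up authentication), as an added Python example that is not code from Thales or Netcrook. The client ids, endpoint scopes, thresholds and log records are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 60         # sliding window in seconds (assumed value)
MAX_REQ = 5           # requests allowed per client per window (assumed value)
MAX_FAILED_USERS = 3  # distinct usernames failing login before step-up (assumed)
# Hypothetical client-to-endpoint scopes: what each client is allowed to call.
SCOPES = {"mobile-app": {"/login", "/orders"}, "partner-feed": {"/catalog"}}

def decide(ts, client, path, hits, failed):
    # Layer 1, authorization: may this client call this endpoint at all?
    if path not in SCOPES.get(client, set()):
        return "deny"
    # Layer 2, rate limiting: cap requests per client in a sliding window.
    hits.append(ts)
    while hits[0] <= ts - WINDOW_S:
        hits.popleft()
    if len(hits) > MAX_REQ:
        return "throttle"
    # Layer 3, behaviour: many different usernames failing from one client
    # looks like credential stuffing, so logins get step-up authentication.
    recent = {u for u, t in failed.items() if t > ts - WINDOW_S}
    if path == "/login" and len(recent) >= MAX_FAILED_USERS:
        return "step_up"
    return "allow"

def evaluate(events):
    """Return one decision per event: deny, throttle, step_up or allow."""
    hits = defaultdict(deque)   # client -> timestamps of recent requests
    failed = defaultdict(dict)  # client -> {username: time of last failed login}
    decisions = []
    for ts, client, path, user, status in events:
        decisions.append(decide(ts, client, path, hits[client], failed[client]))
        # Record the outcome only after deciding, as a live system would.
        if path == "/login" and status == 401:
            failed[client][user] = ts
    return decisions

# Constructed sample log: (timestamp, client id, path, username, HTTP status).
SAMPLE = [
    (0, "partner-feed", "/catalog", None, 200),
    (0, "partner-feed", "/login", "alice", 403),
    (0, "mobile-app", "/login", "alice", 401),
    (1, "mobile-app", "/login", "bob", 401),
    (2, "mobile-app", "/login", "carol", 401),
    (3, "mobile-app", "/login", "dave", 401),
    (4, "mobile-app", "/orders", None, 200),
    (5, "mobile-app", "/orders", None, 429),
    (70, "mobile-app", "/orders", None, 200),
]
```

Calling `evaluate(SAMPLE)` returns one decision per record. None of the three layers looks at a user-agent string, so a client that imitates a browser is still judged on scope, volume and behaviour.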

There is also a measurement warning here. A percentage tied to website requests is not the same thing as a census of the entire internet, and it should not be read as a universal law. Still, even as a single snapshot, the figure shows how much of the modern web is already mediated by automation. At the time of writing, public information does not fully establish the methodology behind the figures, so the safest conclusion is operational: defenders should treat automation as a core part of web risk, not an edge case.

Conclusion

The lesson is blunt. If a large share of requests is machine-generated, then web security can no longer rely on human assumptions. The best defenses will be the ones that understand behavior, enforce policy at the API layer, and distinguish productive automation from abuse before the traffic becomes a breach, a fraud event, or a denial-of-service by another name.

WIKICROOK

  • Bot management: Controls used to identify, classify, and regulate automated traffic on web applications.
  • Credential stuffing: Automated login attempts using stolen username and password pairs from other breaches.
  • API authorization: Rules that decide what a client can access or change after it has authenticated.
  • Rate limiting: A control that caps how many requests a client can make in a set period.
  • Behavioral analysis: Detection based on how a client acts over time, rather than on a single static signal.