Research conducted by F5 reveals that the proliferation of generative AI has significantly transformed the dynamics of bot traffic, indicating that automated users now surpass human users in accessing informational web content. The findings are part of the 2025 Advanced Persistent Bots Report, which analyzed over 207 billion web and API transactions spanning from November 2023 to September 2024, specifically focusing on organizations with established bot defenses.
The report highlights that automated sources accounted for 50.04% of web content page requests. In contrast, search requests and ‘add to cart’ transactions from automated sources were significantly lower at 22.3% and 21.5%, respectively. This trend underscores the increasing utilization of web scraping technology by leading providers of generative AI, including OpenAI and Anthropic, alongside the resilience of these bots in attempting to bypass countermeasures.
Out of the total monitored transactions, 21.22 billion—approximately 10.2%—originated from various automated sources, with 10 billion (or 4.8%) identified as malicious bot traffic. David Warburton, Director of the Threat Research Team at F5 Labs, noted that automated traffic is now predominantly targeting content rather than traditional areas like search functions or user journey processes. This shift indicates a marked increase in content scraping activities, likely fueled by the rapid expansion of AI technologies.
Industry-specific data reveal that bot traffic patterns vary significantly, with the hospitality sector receiving the highest amount of automated traffic at 44.6%, followed by healthcare at 32.6% and eCommerce at 22.7%. On mobile platforms, the entertainment sector led with 23% of traffic from bots, well ahead of eCommerce’s 4.5%. Despite these findings, many industries are witnessing a decline in automated activity compared to the previous year, suggesting successful implementation of bot mitigation strategies.
However, some industries remain under constant threat from credential stuffing attacks, which target user account control. Particularly in the technology sector, over a third (33.5%) of login attempts were classified as attempted account takeovers, with similar figures observed in retail and gaming. This trend was similarly present in the mobile realm, particularly toward entertainment and eCommerce sectors.
The sophistication of attacks varied across industries; most automated traffic aimed at healthcare was classified as basic, while sectors like general retail and financial services encountered more advanced threat vectors. Despite the overall lull in bot activity, hospitality and quick-service restaurants (QSRs) reported increases of 18.3% and 11.2% in web traffic, respectively, indicating a persistent challenge for these industries.
Regarding the effectiveness of deterrence, the report juxtaposed the experiences of organizations actively mitigating automated traffic against those that only monitored it. While the trend indicated that mitigation efforts led to lower automated activity in mobile environments, a contrary pattern emerged on the web. Here, companies actively targeting bot mitigation recorded higher levels of automated traffic across various workflows, including search and checkout processes.
The findings suggest a complex relationship between mitigation strategies and bot activity. Although it might seem counterintuitive, some bot operators increase their efforts to exploit vulnerabilities when met with challenges, implying that while deterrence is essential, it simultaneously motivates adversaries to refine their strategies. Ultimately, the report emphasizes that mitigation remains effective, demonstrating the importance of continuous monitoring and adaptation to evolving threats in the cybersecurity landscape.
