Agents Surf the AI-Written Web: Internet traffic driven by AI rripled last year, study shows

AI-driven activity on the internet rose sharply last year, a study shows.

What happened: AI-driven traffic, or internet interactions that were generated by or on behalf of AI systems, nearly tripled in 2025, according to a report by the cybersecurity firm Human Security. The volume of activity by crawlers that collected data en masse to train AI systems and bots that scraped data points such as prices for immediate use multiplied by single digits. Traffic by AI agents and agentic browsers ballooned (although it remained a tiny percentage of the total). More than 95 percent of AI-driven traffic involved activities the authors designated retailing and ecommerce, streaming and media, or travel and hospitality.

How it works: The 2026 State of AI Traffic and Cyberthreat Benchmark Report is based on an analysis of over 1 quadrillion internet interactions observed in 2025 by Human Security, which serves around 1,200 customers in more than 200 countries and territories.

• AI-driven traffic nearly tripled, while automated traffic, which includes both AI-driven and conventional bot traffic, grew more than 23 percent. Human traffic grew by around 3 percent.
• The rise in AI-driven traffic includes crawlers that collect training data (68 percent of AI-driven traffic for the year, more than 2x the previous year’s volume), scrapers that collect data for immediate use (32 percent for the year, a 7x increase in volume), and agents that execute browser-style tasks (1.7 percent in December, nearly 80x growth year over year).
• Of the agentic interactions, 77 percent took place on product and search pages. The rest involved account pages, authentication, and completing transactions, in that order.
• OpenAI was responsible for around 69 percent of automated traffic, including ChatGPT users and crawlers that collect training data (OAI-SearchBot) and timely information (GPTBot). Meta accounted for 16 percent, and Anthropic initiated around 11 percent.

Security implications: The researchers deemed a significant amount of the automated traffic malicious.

• Scraping activity that the authors deemed malicious, aiming to extract data for purposes such as competitive intelligence or systematic underpricing rather than aiding AI-driven interactions, rose nearly 47 percent from the prior year. (The authors labeled traffic malicious if the scraper spoofed its identity, followed a recognized attack pattern, or otherwise behaved in a suspicious manner.) Of the 750,000 threat profiles identified by the researchers, more than 60 percent were involved in malicious scraping.
• Attacks in which a bot attempted to take over a user account fell by more than 30 percent over the year. However, the remaining attempts showed a 4x increase in attacks that occurred after an account was logged in. Although such attacks often took advantage of existing accounts via stolen credentials or hijacked sessions in progress, the number in which an agent created the account rose by 89 percent from the prior year.
• The percentage of transaction traffic that involved a compromised payment card was “low and stable,” but the volume that was blocked by the card issuer rose by 20 percent. This may reflect a rising number of transactions executed on the Internet, an increased ability of agents to cycle through card numbers, or both.

Yes, but: The report analyzes only activity on Human Security’s platform, not the internet as a whole. Moreover, malicious traffic often misrepresents its origin, so the researchers’ evaluation of any given data point may be mistaken.

Why it matters: Autonomous systems are flooding the internet with a rising tide of additional traffic, and its likely this trend will continue in the foreseeable future. Infrastructure must be built or upgraded with this in mind. The rise in automated activity also poses challenges for cybersecurity because legitimate AI agents perform many of the same activities — browsing products, creating accounts, and checking out of transactions — that previously signaled malicious bots.

We’re thinking: Agentic traffic on the internet is just getting started. The 80x rise last year is bound to multiply further in coming years as agents become more capable, robust, and trustworthy.