The shift toward automation: the role of AI bots in internet security

bunny.net’s inaugural 2026 Edge Security Report reveals a rise in automated web traffic, highlighting how AI-driven activity is challenging traditional security models and reshaping the internet.

  • Wednesday, 1st July 2026, by Katy Hill

One out of every five requests reaching websites today is automated. AI-powered bots, AI crawlers, and API-driven traffic are changing how organisations interact with the internet and secure their online applications. According to bunny.net's 2026 Edge Security Report, which analysed 42.5 billion requests between January and May 2026, automated traffic now represents a share of internet activity.

The increasing use of AI in internet activity presents a security challenge: distinguishing legitimate automation from malicious traffic. During the report's five-month analysis, total traffic grew by 53%, while automated requests accounted for approximately 20% of all traffic. HTTP libraries such as curl, Python requests, and Go HTTP Client represented 19% of requests, exceeding the combined total of all declared bot categories. According to the report, this shift increases the need for security systems that can distinguish between legitimate automation and malicious activity in real time.

The report also found that AI crawlers now generate more traffic than traditional search engine bots, accounting for 0.54% of all requests compared with 0.50% for search bots. 

As automated traffic becomes a larger proportion of internet activity, the report notes that attackers can more easily identify vulnerabilities and target applications at scale. It argues that these threats affect organisations of all sizes that operate online services. According to the report, security measures need to adapt to increasing levels of automated traffic and respond to threats in real time.

The increase in automated traffic has coincided with increasingly aggressive cyberattacks. During the reporting period, bunny.net recorded its largest Layer 7 DDoS attack, peaking at 16.5 million requests per second from more than 392,000 distributed IP addresses, which the company states it mitigated without service degradation. Traditional web application attacks also remained common. Injection attacks, including SQL injection, cross-site scripting (XSS), and remote code execution, accounted for 45.5% of all categorised web application firewall (WAF) blocks. 

The report concludes that isolated, per-server security models are less effective against current traffic patterns. It states that with a substantial proportion of internet traffic now automated and attacks increasingly distributed and machine-driven, security controls should be deployed closer to where traffic originates to help prevent resource exhaustion, credential abuse, and application-layer exploits before malicious payloads reach backend infrastructure.