DataDome’s Global Bot Security Report 2025 reveals a dramatic shift in how automation and the rise of AI traffic are shaping the web. For the first time, the report dedicates an entire section to AI-driven traffic and its impact on online security.

Every year, DataDome tests thousands of the world’s most visited websites to understand how well they stand up against automated attacks. This year’s analysis covered nearly 17,000 domains across industries and regions. But for 2025, our researchers also added something new.

The rapid growth of large language model (LLM) crawlers and agentic AI has introduced a new class of automated threats. To reflect this evolution, we added two additional testing methodologies to this year’s analysis:

• A review of robots.txt directives for all the tested domains, to assess how sites are managing AI traffic like GPTBot, CCBot, and ChatGPT-User agents.
• A separate analysis of anonymized traffic across DataDome’s customer base (a different sample than the 17,000 tested domains), providing insight into which AI bots are visiting customers’ websites and which endpoints receive the most AI traffic.

Businesses are moving to block AI crawlers

Our research found that 88.9% of robots.txt files in our dataset explicitly disallow GPTBot, making it the most-referenced AI crawler by far. This points to a broader trend: businesses are increasingly blocking AI traffic amid growing concerns over content theft and data misuse.

Unfortunately, robots.txt directions do not reliably protect against unwanted AI-driven traffic. While robots.txt is designed to guide compliant crawlers, it is not a security mechanism. LLMs and AI crawlers can easily ignore or bypass these directives. 

During our analysis, we found that:

• 6% of websites responded to robots.txt requests with a CAPTCHA challenge, indicating attempts to guard access to this file even though it is explicitly designed to be publicly accessible to bots. 
• A large number of sites had syntax errors or malformed robots.txt files, which can result in unintended access permissions or ineffective controls.

Taken together, these findings highlight the growing complexity of managing AI-driven traffic and the limitations of relying solely on protocol-based approaches like robots.txt.

AI traffic: From crawling to acting

Across DataDome’s global customer network, AI-driven traffic was more than quadrupled in the first eight months of 2025, rising from 2.6% of verified bot traffic in January to more than 10% by August. In that same month, DataDome detected 1.7 billion requests from OpenAI crawlers only, including GPTBot and ChatGPT-User agents.

LLM crawlers and AI agents are sweeping the web to gather training data and execute user-driven actions, from browsing and summarizing content to interacting with forms and checkout flows. AI traffic isn’t just indexing content anymore; it’s engaging with business-critical endpoints. In our dataset:

• 64% of AI bot traffic hit forms
• 23% reached login pages
• 5% interacted with checkout flows

These interactions, often carried out without the website owner’s consent or appropriate security controls, introduce new risks around data theft, fraud, and compliance.

The rise of agentic AI and what it means for fraud & online security

Agentic AI refers to autonomous systems that can reason, plan, and act online. These tools are now being weaponized by attackers to simulate human users, bypass CAPTCHAs, and adapt in real time. Even low-skill threat actors can deploy these AI-augmented bots thanks to prepackaged kits available on underground markets.

DataDome’s research shows that AI democratizes sophistication, enabling almost anyone to carry out high-efficacy fraud campaigns. As AI blurs the line between helpful automation and malicious exploitation, DataDome’s report argues for a paradigm shift in detection. The question is no longer “Is this a bot or a human?” but “What is the intent behind this action?”

Intent-based detection, powered by real-time behavioral analysis, is becoming the new standard for protecting digital ecosystems from both traditional and AI-enhanced threats.

Download the full report

The AI findings are just one part of the Global Bot Security Report 2025, which also uncovers:

• How only 2.8% of global websites are fully protected against bots (down from 8.4% last year)
• Which industries are most exposed to automated fraud
• Why bot mitigation vendors show massive gaps in real-world performance

Download the full report to explore how bot threats are evolving and how your organization can stay one step ahead in the age of AI-driven automation.