40% Bad. 17.5% Good. 42.5% Human.
Imperva's 2026 Bad Bot Report documents that malicious automated traffic now accounts for 40% of all internet traffic, up from 37% in 2024. Good bot traffic (search crawlers, monitoring tools, legitimate AI agents) accounts for 17.5%. Human traffic has fallen to 42.5% — less than half of all web requests come from actual people. This is the seventh consecutive year of growth in bad bot traffic share.
The composition of bad bot traffic has shifted dramatically. AI-enabled bot attacks — using large language models to generate realistic form submissions, bypass CAPTCHAs, craft credential stuffing payloads, and mimic human browsing patterns — increased 12.5x year-over-year. Daily blocked AI-powered attacks rose from 2 million to 25 million across Imperva's customer base.
The Framework Exposure Gradient
Bad bots exploit different attack surfaces depending on the target's web framework. WordPress sites face credential stuffing against wp-login.php, XML-RPC abuse, REST API enumeration, and plugin vulnerability scanning. Imperva's data shows WordPress sites receive 3-5x more bad bot traffic per page than static sites, because bots target the dynamic endpoints that WordPress exposes by default.
Static site generators — Hugo, Astro, Eleventy — present a fundamentally smaller attack surface. There is no login page to brute-force, no database to inject, no API endpoint to enumerate. Bad bots still crawl static sites (for content scraping and competitive intelligence), but the high-impact attack vectors — credential stuffing, vulnerability exploitation, data exfiltration — do not apply. The framework choice is a bot exposure decision.
AI Crawlers: The Good Bot Surge
Within the 17.5% good bot segment, AI crawlers have emerged as the dominant category. Cloudflare's data shows AI crawler traffic now represents 26.7% of all verified bot traffic and is growing at approximately 1% per month. GPTBot, ClaudeBot, PerplexityBot, Google-Extended, and dozens of smaller AI training crawlers are requesting pages at unprecedented scale.
For site owners, AI crawlers present a strategic choice. Blocking them preserves bandwidth but forfeits visibility in AI-generated responses. Allowing them provides training data that may surface the site's content in AI answers — the emerging equivalent of search engine indexing. WebPulse's AI-Readiness scores measure how well a site serves this new class of consumer. Sites that serve clean, structured, semantic content are better positioned regardless of whether they allow or block AI crawlers.
The Account Takeover Economy
Account takeover (ATO) attacks — where bots use stolen credentials to access user accounts — grew 54% year-over-year according to Imperva's data. The financial services sector absorbs the highest volume, followed by ecommerce and travel. ATO attacks are the monetization layer of the bad bot ecosystem: credential stuffing bots test stolen passwords, successful logins are sold or exploited, and the account owner discovers the breach days or weeks later.
The ATO attack chain depends on the target having user accounts with password-based authentication. WordPress sites with WooCommerce, membership plugins, or user registration are direct targets. Static sites without user accounts are immune to ATO entirely — another dimension where architectural choices determine security exposure.
The 57.5% Reality
Combined, good and bad bots account for 57.5% of all web traffic — confirming Cloudflare CEO Matthew Prince's widely cited figure from early 2026. The web is no longer primarily a human medium. It is a machine medium that humans also use. This inversion has implications for every aspect of web infrastructure: performance optimization must account for bot traffic patterns, security must defend against automated attacks at scale, and content strategy must serve both human readers and machine consumers.
WebPulse's framework intelligence surfaces this reality for individual sites. The 'Check Your Site' scan reports framework detection, security posture, and AI-Readiness — the three dimensions that determine how a site performs in a 57.5% automated web. The sites that thrive in this environment are the ones built for it: clean architecture, minimal attack surface, structured content, and framework-level security rather than plugin-layer patches.


