Why checkbox bot management fails: outsmarted by automation
The F5 Labs 2025 Advanced Persistent Bot Report, which analyzes 200 billion real web and API transactions, demonstrates how automation today can confound traditional security measures, target specific industries and transactions, and exploit vulnerabilities with repeated attacks. Consider these key insights and steps to take next to protect your organization’s most valuable assets:
-
Bots easily outsmart basic defenses
-
Customer experience pays the price
-
Trust is easily exploited
Advanced bots double down after basic mitigation
- Even after mitigation, 10.2% of all traffic was automated, on average across industries, and 4.8% came from unwanted bots. They didn’t reach protected resources but persisted in trying.
- Malicious login attempts after mitigation still accounted for 10.6% of web login traffic. Credential stuffers were especially persistent against websites and the mobile APIs used in e-commerce and entertainment.
- Automation increased after mitigation on 57% of web traffic flows.
- More than 9 in 10 automated rating attempts were by advanced bots designed to bypass fraud detection.
Scrapers and reseller bots can’t be ignored
- 50% of all web content page requests and 22.3% of web searches came from unauthorized scrapers that degrade performance and the customer experience.
- Web content scraping increased 47.7% in 2024 vs. 2023. This increase aligns with the rise in AI.
- Reseller bots performed more than 1 in 5 add-to-cart transactions. This competitive scourge was the second most common attack in our study, particularly on the web.
Residential proxies slip past traditional defenses
- More than 20 families of proxyware are in use worldwide.
- Tens of millions of high-reputation IP addresses can be harnessed over time, rendering reputation-based security obsolete. So defeating bots hiding in residential proxies requires enriched threat intelligence and behavioral anomaly detection.
To fight back: Security solutions must adapt over time
To defeat today’s sophisticated automation, effective bot mitigation requires 3 key capabilities:
- Deep visibility
- Precision efficacy that minimizes false positives and customer friction
- Sophisticated adaptability to remain ahead of attackers
F5 Distributed Cloud Bot Defense meets the challenge
- Unparalleled observability to unmask the sneakiest bots
- High detection accuracy for minimal false positives
- Security designed for mobile APIs and modern traffic, including SDK-based detection
- Expert support that evolves faster than the attacks
Learn more about building a mitigation strategy for today’s persistent, intelligent threats in Outsmarting Automation: A Strategic Guide for Security and Fraud Prevention Leaders from F5.