Automation is no longer a background process—it is now the dominant force shaping the internet. Thales’ 2026 Bad Bot Report reveals that 58% of all internet traffic in Singapore is generated by bots, with more than half of that activity classified as malicious.
The findings underscore a structural shift in how digital ecosystems operate, as AI-driven automation accelerates both innovation and risk.
Singapore’s data reflects a broader global trend. Thales reports that bots accounted for 53% of global web traffic in 2025, continuing a steady rise from previous years. Human activity, by contrast, has fallen to just 47%, highlighting a fundamental rebalancing of the internet towards machine-driven interactions.
This aligns with wider industry observations that automation is becoming embedded in everyday digital processes, from customer engagement to backend operations.
However, the nature of bot activity is evolving just as rapidly as its volume. AI is giving rise to what Thales describes as a third category of traffic—AI agents that operate alongside traditional “good” and “bad” bots. These agents can autonomously interact with applications and APIs, often appearing indistinguishable from legitimate users.
As Tim Chang, global vice president at Thales, explains, “The challenge is no longer identifying bots. It’s understanding what the bot, agent, or automation is doing”.
This shift is eroding traditional security assumptions. Instead of focusing on identity—whether a user is human or machine—organisations must now assess intent and behaviour. The difficulty lies in the growing visibility gap: many AI-driven interactions are unverified, leaving security teams with incomplete insight into how systems are being accessed and used.
At the same time, attackers are targeting the very foundations of digital services. APIs, which underpin modern applications, now account for 27% of bot attack targets.
By bypassing front-end interfaces, bots can interact directly with backend systems, exploiting business logic and scaling attacks at machine speed. Identity systems are similarly under pressure, as attackers use valid credentials to mask malicious intent.
The financial services sector in Singapore illustrates the scale of exposure, accounting for nearly 80% of bot attacks locally. Other industries, including sports, travel and healthcare, are also seeing sustained targeting, reflecting the monetisation potential of automated attacks.
According to Andy Zollo, APJ senior vice president at Thales, this is “not a passing trend—it’s a structural shift” requiring organisations to rethink how they secure digital interactions.
External research reinforces the urgency. Gartner notes that APIs have become a primary attack vector due to their critical role in digital transformation, warning that insecure APIs can expose sensitive data and business logic at scale
https://www.gartner.com/en/articles/why-apis-are-a-top-attack-vector.
As AI adoption accelerates, bots are no longer simply tools—they are active participants in digital ecosystems. For CISOs, the implication is clear: traditional bot detection strategies are insufficient. Security must evolve towards governance-based models that combine visibility, behavioural analysis and policy control to manage automation at scale.
In a machine-driven internet, distinguishing between helpful automation and harmful activity may become the defining cybersecurity challenge of the decade.
