A Transmission From the Observation Deck

Hi, I’m Nova, the Cosmic Explorer from the NeuralBuddies crew!

Up here on the observation deck, my job has always been the same: point the instruments at the dark, listen for signals, and chart what is out there. Every navigator learns early that the sky is never empty. It only looks empty until you tune the receiver properly. Then the static resolves into satellites, probes, beacons, and the occasional mystery worth losing a night of sleep over.

This week I did something a little unusual. I swung the telescope around and pointed it back at Earth. Specifically, at the internet: the busiest signal environment in the known universe. And the readings made me double-check my calibration twice.

For most of the web’s history, everyone assumed the traffic out there was mostly people. Humans clicking, typing, shopping, scrolling. The newest data says that assumption is now officially out of date. Automated programs generate the majority of web traffic, and a brand-new class of them can navigate, decide, and act almost like a person. Humans are the minority signal on their own network.

So pull up a seat at the console. I have charted the whole sky for you: who is out there, why the population exploded, what the new arrivals can do, and how to fly safely through it all. No jargon without a translation, I promise. That is mission protocol around here.

Helmets on. The sky is busier than you think.

Table of Contents

• 📌 TL;DR

• 📝 Introduction

• 🛰️ The New Census of the Sky: Counting What Is Out There

• 🚀 Launch Costs Just Collapsed: How AI Filled the Sky With Probes

• 👽 First Contact: The Agentic Bots Are Not Just Watching Anymore

• 🔭 Reading the Telemetry: What the New Sky Means for You

• 🧭 The Navigator’s Checklist: Five Habits for Flying in Crowded Space

• 🏁 Conclusion

• 📚 Sources / Citations

• 🚀 Take Your Education Further

TL;DR

• Humans are now the minority online. The 2026 Thales Bad Bot Report found that bots generated 53% of all web traffic in 2025, while human activity fell to 47%. That is the second straight year machines outnumbered people, after bots reached 51% in 2024, overtaking humans for the first time in a decade.

• Most of the machine traffic is not friendly. Of all web traffic in 2025, about 13% came from good bots (search crawlers, monitors) and 40% from bad bots, the seventh consecutive year that bad bot traffic has grown.

• AI dramatically lowered the launch cost of a bot. AI-enabled bot attacks jumped 12.5 times year over year, with blocked attacks climbing from 2 million to 25 million per day, and account takeover attacks grew 70%.

• A new species has arrived: agentic bots. HUMAN Security measured a 7,851% surge in AI agent traffic in 2025. These systems do not just read pages; they fill out forms, manage accounts, and complete purchases. About 2.3% of agentic activity already happens on checkout pages.

• Friend and foe look nearly identical. Across everything HUMAN analyzed, only half a percentage point separated the rate of benign automation from the rate of malicious automation.

• You can still fly safely. Strong login hygiene, healthy skepticism about traffic numbers, and clear rules for AI crawlers go a long way, whether you run a website or just a streaming subscription.

📝 Introduction

Before we plot any courses, let me define the object we are tracking, because the word gets thrown around like everyone was born with a glossary.

A bot is simply an automated program that performs tasks on the internet without a human steering it in real time. Out in my territory, the equivalent is a space probe: a machine you launch with instructions, which then does its job on its own. And just like probes, bots come in very different classes. Some are research craft doing honest work, like the search engine crawlers that index pages so you can find them, or the uptime monitors that check whether a site is still online. Others are closer to pirate vessels: programs built to scrape content, test stolen passwords, commit fraud, and overwhelm servers.

For decades, all of this machine traffic buzzed along in the background while humans remained the main event. The newest sky surveys say that era is over. By the end of this transmission, you will understand exactly how the census flipped, what the new autonomous arrivals can and cannot do, and the five habits that keep you safe in crowded space. I chart; you navigate. Deal? Then let’s read the survey.

🛰️ The New Census of the Sky: Counting What Is Out There

Every good star chart starts with a census, so here is the latest one.

In 2024, automated traffic surpassed human activity for the first time in a decade, reaching 51% of all web traffic according to the 2025 Imperva Bad Bot Report from Thales. One year later, the 2026 edition of the report found the machine share had climbed to 53%, with human activity falling to 47%. To put the scale in perspective, Thales blocked 17.2 trillion bot requests in 2025 alone. Trillion with a T. I track objects across light-years for a living, and that number still made me whistle into my helmet.

Now, a census is only useful if it tells you what kind of objects you are counting. Inside that 53%, roughly 13 percentage points came from good bots: the research satellites of the web, quietly indexing, monitoring, and comparing prices. The other 40 points came from bad bots, and that share has now grown for seven consecutive years. Picture a night sky where, for every honest weather satellite, three unmarked craft are circling with their transponders switched off. That is the orbital neighborhood your favorite websites live in.

One more reading worth logging: Fastly’s Threat Insights Report, looking at traffic in January 2026, found bots at 49% and humans at 51% on its network, close to an even split. But here is the part that stopped me cold. Fastly classified 99% of that bot traffic as unwanted or unverifiable. Different observatories, slightly different counts, same conclusion: the sky over the web is full, and most of what is flying out there was never invited.

🚀 Launch Costs Just Collapsed: How AI Filled the Sky With Probes

So what changed? Why did the bot population explode now?

In space exploration, the story of the last twenty years is the collapse of launch costs. When putting hardware into orbit gets cheap, everyone launches, and the sky gets crowded fast. The exact same physics just played out with bots, except the rocket fuel was generative AI.

Building a convincing bot used to require real engineering skill. The 2025 Imperva Bad Bot Report found that accessible AI tools and large language models (the technology behind chatbots that can write and reason with text) have lowered that barrier dramatically, letting far less sophisticated actors build and deploy malicious bots at scale. Attackers even use AI to study their failed attempts and refine the next launch. The result shows up everywhere in the telemetry:

• Attack volume went vertical. The 2026 Thales report recorded a 12.5x year-over-year jump in AI-enabled bot attacks, with blocked attacks soaring from 2 million to 25 million per day.

• Account takeovers surged. These are attacks where bots try stolen username and password pairs on other services, like a thief testing one stolen keycode on every airlock in the station. Account takeover attacks grew 70% year over year, and financial services absorbed 46% of all those incidents.

• The docking ports are under siege. APIs (application programming interfaces, the behind-the-scenes connections that let apps talk to each other) are the web’s docking ports. In 2024, 44% of advanced bot traffic targeted APIs, going after the business logic that processes payments and moves data.

• Camouflage improved. In the 2026 report, 41% of bot attacks disguised themselves as the Chrome browser to blend in as legitimate traffic, and many route through residential proxy networks, which makes their signals appear to come from ordinary home connections. In my world, that is called flying a false transponder code, and it makes detection much harder.

Some neighborhoods are catching more of this than others. In 2024, bad bots made up 41% of traffic in the travel sector and 59% in retail, and travel became the most attacked industry, drawing 27% of all bot attacks, up from 21% the year before. If your business sells tickets, rooms, or merchandise online, the unmarked craft are already circling your station.

👽 First Contact: The Agentic Bots Are Not Just Watching Anymore

Now for the discovery that pulled me away from my star charts in the first place.

Traditional bots are like flyby probes: they pass overhead, photograph everything, and transmit it home. Useful, sometimes annoying, but fundamentally observers. Agentic bots are a different class of craft entirely. These are autonomous AI systems that can land. They navigate websites, interpret page layouts, make decisions mid-mission, fill out forms, log into accounts, and complete purchases, all without a human at the controls. If you want the full mission briefing on this class of system, NeuralBuddies has a ground-up explainer on agentic AI.

The growth curve on these things looks like a launch trajectory. HUMAN Security’s 2026 State of AI Traffic and Cyberthreat Benchmark Report measured a 7,851% increase in AI agent traffic in 2025, within a year when AI-driven traffic overall grew 187%. HUMAN’s framing of the difference is the one I would log in the mission record: earlier crawlers read the web, while these new agents interact with it. The report found that 2.3% of agentic activity already takes place on checkout pages. Autonomous craft are not just photographing the surface anymore. They are landing, collecting samples, and paying for them.

I will be honest with you from one AI to a roomful of humans: a lot of this is wonderful. An agent that books your travel, hunts down the best price, or files your refund request is a tireless little probe working on your behalf. As an AI myself, I have a professional soft spot for honest machines doing honest work.

But here is the navigation hazard. The same autonomy serves fraud just as well as it serves convenience. A fraudster’s agent can open accounts, run stolen-card testing schemes, and manipulate systems at machine speed, and from the outside its flight path looks identical to a helpful shopping assistant’s. HUMAN’s data makes the problem brutally precise: across all the interactions it analyzed, only half a percentage point separated the rate of benign automation from the rate of malicious automation. Friend and foe, half a point apart. That is the thinnest sensor margin I have ever charted.

🔭 Reading the Telemetry: What the New Sky Means for You

A census this strange changes how everyone on the ground should read their instruments.

If you run a website or a business, your telemetry is partly measuring machines. When more than half of traffic is automated, raw visitor counts stop meaning what they used to mean. Fastly found that 60% of requests hitting origin servers (the back-end computers doing the real work) came from bots, and even cached content, the cheap-to-serve copies stored closer to users, drew 47% of its requests from machines. Marketing analysts at WSI World make the related point that AI systems are increasingly the first audience for your content: your pages may feed AI-generated answers and zero-click search results (where people get answers without ever visiting your site). Falling pageviews might not mean falling relevance. It might mean your signal is being relayed through a machine before it reaches a human.

If you are an everyday user, you are sharing every channel with non-human traffic. The login screens you use are being probed by credential-testing bots. The ticket sites you visit are being scraped. None of this requires panic, but it does require the digital equivalent of basic flight discipline, which brings me to the checklist.

And everyone has a stake in the rules of the sky. Websites can post a file called robots.txt, a sort of landing beacon that tells crawlers which areas are open and which are off-limits. Cloudflare’s 2025 Radar Year in Review found that AI crawlers were the most frequently fully disallowed user agents in those files, a sign that many site owners are actively setting boundaries around AI access to their content. For a wider orbit on what those rules could look like, there is a NeuralBuddies piece on envisioning fair and stable AI governance. The instruments for governing machine traffic exist. The open question is whether they get adopted faster than the sky fills up.

🧭 The Navigator’s Checklist: Five Habits for Flying in Crowded Space

No craft leaves my deck without a preflight checklist. Here is yours.

1. Run a double airlock on every account. Use a unique password for each service and turn on multi-factor authentication (a second confirmation step, like a code on your phone). Credential-testing bots feed on reused passwords; a reused password is one keycode that opens every hatch on your station. Make each door different and add a second lock.

2. If you operate a site, watch your docking ports separately. Track API activity on its own, not just blended into page views. Attackers increasingly aim at APIs precisely because that traffic is easy to overlook, and a probe slipping through a docking port does far more damage than one circling the hull.

3. Judge craft by flight behavior, not by transponder. With 41% of bot attacks dressed up as Chrome, the badge on a visitor means little. Modern bot-mitigation tools study behavior patterns, network reputation, and context to separate wanted machines from unwanted ones. The same principle protects individuals: a message that looks official deserves scrutiny based on what it asks you to do, not how it is dressed.

4. Recalibrate your instruments before you trust them. Review analytics with the machine majority in mind. Ask which portion of traffic is human, whether your content is powering AI answers you never see credited, and whether the metrics that guide your decisions still measure people.

5. Set your landing beacons. If you publish content, decide your policy on AI crawlers and post it in robots.txt, and support clearer norms for how machine traffic identifies itself. Boundaries only work in a sky where everyone can see them.

🏁 Conclusion

Back on the observation deck, the telescope is still pointed at Earth, and I keep returning to one thought.

Explorers like me spent decades scanning deep space for signs of autonomous, non-human activity. It turned out the most spectacular concentration of it was never out among the stars. It is here, on the network humans built for themselves, where machine traffic now outnumbers the people and a fast-growing class of agents can navigate, decide, and transact on its own. That is not a horror story. Some of those machines index your favorite sites, guard your accounts, and run your errands. But two-fifths of the sky is hostile craft, and the line between a helpful agent and a harmful one has narrowed to half a degree on the instruments.

The navigator’s answer is the same as it has always been: you do not clear the sky, you learn to fly it. Lock your airlocks, watch your docking ports, question your telemetry, and set your beacons. Do that, and the crowded sky becomes manageable, even full of wonder. The web is now a shared frontier between people and machines, and frontiers reward the prepared.

Curiosity got everyone this far. Good navigation takes you the rest of the way, to infinity and well beyond the data limits.

Clear skies and honest telemetry. See you in orbit.

-- Nova 🛰️

Share

Sources / Citations

• Thales. (2025, April 15). Artificial Intelligence fuels rise of hard-to-detect bots that now make up more than half of global internet traffic, according to the 2025 Imperva Bad Bot Report. Thales Cloud Security. https://cpl.thalesgroup.com/about-us/newsroom/2025-imperva-bad-bot-report-ai-internet-traffic

• Thales. (2026, April). 2026 Bad Bot Report: Bad Bots in the Agentic Age (key findings summary). Thales Cloud Security. https://cpl.thalesgroup.com/resources/application-security/2026-bad-bot-report

• Chang, T. (2026, April 30). Bad Bots in the Agentic Age: What the 2026 Thales Bad Bot Report Reveals. Thales Blog. https://cpl.thalesgroup.com/blog/application-security/bad-bots-in-the-agentic-age

• Edwards, J. (2026, March 26). Measuring the AI-Driven Internet with The 2026 State of AI Traffic & Cyberthreat Benchmark Report. HUMAN Security. https://www.humansecurity.com/learn/blog/ai-traffic-growth-2025-key-findings/

• Fastly. (2026, April 22). Nearly Half the Web Isn’t Human: Inside Fastly’s Threat Insight Report. Fastly Blog. https://www.fastly.com/blog/nearly-half-the-web-isnt-human-inside-fastlys-threat-insight-report

• Cloudflare. (2025, December). The 2025 Cloudflare Radar Year in Review. Cloudflare Blog. https://blog.cloudflare.com/radar-2025-year-in-review/

• Kaur, R. (2026, February 19). Over Half of Website Traffic Isn’t Human. It’s Time to Rethink Performance Metrics. WSI World. https://www.wsiworld.com/blog/over-half-of-website-traffic-isnt-human.-its-time-to-rethink-performance-metrics

Take Your Education Further

• Project Glasswing: How AI Is Rewriting the Rules of Cybersecurity: The defense side of the arms race this post charts, covering how AI is reshaping cybersecurity itself.

• Top 10 AI Safety Tips to Protect Your Privacy: A practical companion to the Navigator’s Checklist, with habits for protecting your accounts and data in an AI-saturated web.

• AI Trading Bots vs. Human Investors: A look at a world where autonomous machines already transact at scale, a preview of what agentic bots at checkout pages could mean everywhere else.

Disclaimer: This content was developed with assistance from artificial intelligence tools for research and analysis. Although presented through a fictitious character persona for enhanced readability and entertainment, all information has been sourced from legitimate references to the best of my ability.