Automated bot traffic now accounts for 58% of all internet traffic in Singapore — with 52% of that activity classified as malicious — according to the Thales 2026 Bad Bot Report released today. The findings mark a significant divergence from the global average, where bots made up 53% of web traffic in 2025.

The report, which analyses full-year 2025 data from Thales’ threat research teams, identifies AI-driven automation as the primary force reshaping how the internet operates — and complicating how organisations defend against it.

AI agents emerge as a third category of traffic

Beyond the traditional distinction between legitimate and malicious bots, Thales researchers identify AI agents as a new and distinct category of internet traffic. These agents interact directly with applications and APIs to retrieve data and perform tasks, often using valid authentication and well-formed requests — making them difficult to distinguish from authorised activity.

In 2025, AI-driven bot attacks surged 12.5 times compared to the prior year globally. The report warns that the resulting visibility gap means organisations are making security decisions with an incomplete picture of automated activity on their systems.

The challenge is no longer identifying bots. It’s understanding what the bot, agent, or automation is doing, whether it aligns with business intent, and how it interacts with critical systems. — Tim Chang, Global VP and General Manager, Application Security, Thales

Financial services bear the brunt in Singapore

In the Singapore context, financial services accounted for 79% of all bot attacks — reflecting how automation is being directed at sectors where the monetisation of cyberattacks is most immediate. The computing and IT industry recorded the highest rate of account takeover attempts at 45% of incidents, while the gambling sector tracked 100% bad bot traffic.

Sports (55%), travel (40%) and healthcare (29%) were the top three industries targeted by advanced bots locally.

APIs have become the primary attack surface, with 27% of bot attacks now targeting API endpoints directly — bypassing user interfaces to manipulate backend business logic at scale.

The Singapore findings are a wake-up call for how AI-driven automation is reshaping our digital landscape. Without clear visibility into how automation is interacting with their systems, businesses are making security decisions in the dark. — Andy Zollo, APJ Senior VP, Application and Data Security, Thales

A shift in how security must respond

Thales argues that traditional bot-blocking approaches are no longer adequate. The report recommends organisations move toward a governance model that combines visibility, policy enforcement and behavioural analysis — including defining which AI agents are permitted to interact with systems and implementing controls at the API and identity layer.