By Lyrie Threat Intelligence·5/2/2026

The Internet Is No Longer Human: Why Imperva's 2026 Bad Bot Report Means CAPTCHAs Are Theatre

TL;DR

Imperva (a Thales company) published the 2026 Bad Bot Report last week. The headline numbers are extraordinary even by 2026 standards:

  • AI-driven bot attacks: 2 million per day → 25 million per day in a single year. 12.5x YoY.
  • Bots are now 53.1% of all web traffic, up from 51% in 2024 — the majority of internet activity is no longer human.
  • ~40% of all web traffic is malicious bot activity (credential stuffing, scraping, API abuse, account takeover, content theft, ad fraud).
  • United States is the most attacked country, followed by Australia, UK, France.
  • The report's framing has shifted: bots are no longer something you block, they are something you must manage. Imperva calls it "the agentic age."

The strategic takeaway is the part most security teams are still missing: the bot vs. human binary is dead. The new reality has three tiers — humans, legitimate AI agents acting on humans' behalf, and malicious AI agents impersonating humans or other agents. Every defensive control built on the old binary (CAPTCHA, IP rate limits, user-agent filtering) is now structural debt.

This is the signal Lyrie has been building against for three years. The defensive paradigm of 2026 is intent verification, behavior fingerprinting, and agent-aware authorization — not "are you a robot?".

What Happened

April 30, 2026 — Imperva published the 2026 Bad Bot Report, subtitled "Bots in the Agentic Age." It's the eleventh edition of an annual research artifact tracking automated traffic across Imperva's protected customer base — a corpus large enough that the trends are statistically meaningful, not anecdotal.

Coverage has been heavy across UK and EU press (Independent, Security Boulevard, Global Security Mag), with the Lefaroll Hebrew cyber Telegram channel surfacing it in the Israeli infosec community at the same time.

Key findings:

1. AI-driven attacks went vertical

"Daily AI-enabled bot attacks rose from 2 million to 25 million in a single year." — Imperva 2026 Bad Bot Report

That's a 12.5x year-over-year increase. Not 25%. Not 250%. 1,250%. The single biggest YoY change in the report's eleven-year history.

The drivers, per Imperva's own analysis:

  • LLM-powered scraping that defeats traditional rate-limit detection by mimicking human pacing and browsing patterns
  • Agent frameworks (LangChain, AutoGen, CrewAI, browser-use, Playwright + LLM) commoditizing tooling that was previously a custom build
  • OpenAI/Anthropic/Google Computer Use APIs giving low-skill operators bot-building primitives that are nearly indistinguishable from real users at the click/scroll/type level
  • Cheap residential proxy availability ($30/month for 1M rotating residential IPs) eliminating the IP-reputation defensive layer

2. Bots are now the majority of the web

53.1% of all web traffic in 2025. Most of the internet is not humans. This crossed 50% in 2024 — but the 2026 report is the first time it's a stable, consolidated trend rather than a noisy crossover.

Of that 53%:

  • ~13% is legitimate bots (Googlebot, Bingbot, monitoring tools, RSS readers, accessibility crawlers, AI training crawlers with proper UA strings)
  • ~40% is malicious bots — credential stuffing, scraping, API abuse, ATO, content/price scraping, ad fraud, vulnerability scanning, inventory hoarding (sneakers, concert tickets, GPUs)

One in three requests to your application is malicious automation. That's the operating environment for every public-facing service in 2026.

3. Industries: nobody is safe

Imperva tracked AI bot attacks across retail, finance, healthcare, government, education, business services, gaming, media, telecom. Every vertical hit. The report explicitly notes that vertical-specific defenses don't transfer — a healthcare API faces different attack patterns than a retail checkout, but both face the same fundamental problem: traffic that looks human but isn't.

4. The framing has shifted at the vendor level

Tim Chang, GM of Applications & Security at Thales (Imperva's parent), in the report's executive summary:

"AI is transforming automation from something organisations try to block into something they must also manage. The challenge is no longer identifying bots. It's understanding what the bot, agent, or automation is doing — whether it aligns with business intent, and how it interacts with critical systems."

That sentence is the entire 2026 security industry pivot in one paragraph. Detection is solved. Intent verification is the new problem.

Why Traditional Anti-Bot Defenses Are Now Theatre

CAPTCHA

CAPTCHA's threat model assumes the attacker is constrained by cognitive cost. In 2026:

  • GPT-5, Claude Sonnet 4-6, and Gemini 3 Pro all solve reCAPTCHA v2 image puzzles with >95% accuracy
  • OpenAI's Computer Use mode drives reCAPTCHA v3 to invisible-pass with a session that scores higher than most human users (because the model doesn't make the kind of inattention errors humans make)
  • CAPTCHA-solving services (2captcha, anti-captcha) cost $0.0007 per CAPTCHA. At scale that's cheaper than the API call making the rate-limited request.

CAPTCHA in 2026 is friction for legitimate users and a $0.001 toll for attackers. It is structurally more harmful than helpful.

IP-based rate limiting

Residential proxy networks (Bright Data, Oxylabs, Smartproxy, IPRoyal) provide:

  • 70M+ rotating residential IPs across 195 countries
  • Per-request IP rotation
  • Real ISP backing (Comcast, Spectrum, BT, Deutsche Telekom)
  • Sub-second IP rotation latency

Your "100 requests per IP per minute" rate limit is defeated by an attacker who simply spreads 100 requests across 100 different residential IPs. Per-IP rate limiting is now equivalent to no rate limit at all.

User-Agent filtering

Modern bot frameworks set realistic, rotating User-Agent headers, populate every browser fingerprint header (Sec-CH-UA, Accept-Language, sec-fetch-*), even spoof TLS fingerprints (JA3, JA4) to match real browsers. You cannot tell a 2026 LLM-driven bot from a Chrome user via headers. Period.

Browser fingerprinting

The headline shift in 2025-2026: browser-use libraries built on Playwright, Puppeteer, and the Chrome DevTools Protocol now produce browser fingerprints indistinguishable from real Chrome. The libraries that were detectable a year ago (because they triggered subtle automation flags such as window.navigator.webdriver) have all been patched.

Tools like puppeteer-extra-stealth, playwright-stealth, and the newer browserforge reproduce real-browser fingerprints with statistical accuracy that defeats commercial fingerprinting services.

The Real 2026 Defensive Stack

If the bot/human binary is dead, what works?

1. **Behavioral biometrics with continuous scoring**

Not "is this a bot?" but "does this user's mouse-movement-velocity, keystroke-timing, and scroll-acceleration profile match the same user from 30 days ago?" Identity continuity, not identity verification.

Vendors here: HUMAN Security, Castle, BehavioSec. Lyrie's LyrieBehaviorEngine ships in the same category.

2. **API intent verification**

For machine-to-machine traffic, the question shifts from "is this a bot?" (yes, by definition) to "is this bot authorized to do this specific thing with this specific intent?"

Implementations:

  • OAuth scope enforcement at fine-grained resource level — not "read user data" but "read user's last 30 days of order history for personalization"
  • Per-agent rate budgets tied to declared use case — an agent declaring "I'm fetching pricing for a comparison shopping site" gets a different budget than one declaring "I'm accessing user account data"
  • Proof-of-work or attestation tokens for high-value endpoints (sign-up, password reset, checkout)
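As an added illustration (not code from the report or from Lyrie), a minimal declared-purpose gate in Python: a token carries the agent's identity, its declared use case and its granted scopes, and a request is allowed only if the scope is granted, fits the declared purpose, and the agent's own per-minute budget is not exhausted. The policy table, purpose names and scope names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy table (an assumption for this example): each declared
# purpose maps to the scopes it may use and a per-minute request budget.
PURPOSE_POLICY = {
    "price-comparison": {"scopes": {"catalog:read"}, "budget_per_min": 600},
    "personalization": {"scopes": {"orders:read:last30d"}, "budget_per_min": 60},
}


@dataclass(frozen=True)
class AgentToken:
    agent_id: str            # stable identity of the calling agent, not its IP
    declared_purpose: str    # use case the agent declared when the token was issued
    scopes: frozenset        # fine-grained scopes actually granted to this token


class IntentGate:
    """Authorize a request by declared purpose, granted scope and per-agent budget."""

    def __init__(self, policy, clock):
        self.policy = policy
        self.clock = clock            # callable returning seconds; injectable for tests
        self._windows = {}            # agent_id -> (window_start, requests_in_window)

    def check(self, token, required_scope):
        """Return (allowed, reason). Budgets are keyed by agent identity, so
        rotating source IPs does not buy the caller a fresh window."""
        policy = self.policy.get(token.declared_purpose)
        if policy is None:
            return False, "undeclared-purpose"
        if required_scope not in token.scopes:
            return False, "scope-not-granted"
        # A granted scope is still refused when it does not fit the declared purpose.
        if required_scope not in policy["scopes"]:
            return False, "scope-outside-declared-purpose"
        now = self.clock()
        start, count = self._windows.get(token.agent_id, (now, 0))
        if now - start >= 60:
            start, count = now, 0     # new one-minute window
        if count >= policy["budget_per_min"]:
            self._windows[token.agent_id] = (start, count)
            return False, "budget-exhausted"
        self._windows[token.agent_id] = (start, count + 1)
        return True, "ok"
```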

3. **Agent-aware authorization (the new frontier)**

When OpenAI Atlas, Anthropic's Claude, and Google's Gemini are legitimately operating users' accounts on their behalf, the question becomes: *how do you let the user's agent through while blocking attackers' agents?*

Emerging standards:

  • Web Bot Auth (IETF draft) — cryptographic agent identity
  • HTTP Message Signatures (RFC 9421) — provable authentication of programmatic requests
  • Cloudflare's Verified Bots program — vendor-attested agent identity
  • OAuth Agent Delegation (work-in-progress at IETF) — letting users explicitly authorize a specific agent for specific scopes

None of these are universally deployed yet. The next 18 months will determine whether the web becomes more permission-aware or sinks deeper into an anti-bot arms race.
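Added example, not code from the original post: an RFC 9421 signer and verifier in Python covering the @method, @authority, @path and Signature-Agent components, with a freshness check on the created parameter. It uses the RFC's hmac-sha256 algorithm with a shared key so that it runs on the standard library alone; Web Bot Auth itself profiles RFC 9421 with Ed25519 keys published by the agent operator, and the key, key id and header values below are constructed.

```python
import base64
import hashlib
import hmac
import re


def build_signature_base(method, authority, path, headers, components, params):
    """Assemble the RFC 9421 signature base over the covered components.
    `params` is the parameter string after the component list, e.g.
    ';created=1700000000;keyid="bot-key-1"'; headers are lowercase-keyed."""
    derived = {"@method": method.upper(), "@authority": authority.lower(), "@path": path}
    lines = []
    for name in components:
        # Derived components come from the request line; anything else is a header.
        # A missing covered header raises KeyError, which correctly fails verification.
        value = derived[name] if name.startswith("@") else headers[name.lower()].strip()
        lines.append(f'"{name}": {value}')
    inner_list = "(" + " ".join(f'"{c}"' for c in components) + ")" + params
    lines.append(f'"@signature-params": {inner_list}')
    return "\n".join(lines)


def parse_signature_input(header, label="sig1"):
    """Return (covered components, parameter string) for one label in Signature-Input."""
    m = re.search(rf'(?:^|,\s*){re.escape(label)}=\(([^)]*)\)((?:;[^,]*)?)', header)
    if not m:
        raise ValueError(f"no {label} in Signature-Input")
    return re.findall(r'"([^"]+)"', m.group(1)), m.group(2)


def sign_request(method, authority, path, headers, key, components, created, keyid, label="sig1"):
    """Produce Signature-Input and Signature headers for an outgoing agent request."""
    params = f';created={created};keyid="{keyid}";alg="hmac-sha256"'
    base = build_signature_base(method, authority, path, headers, components, params)
    mac = hmac.new(key, base.encode(), hashlib.sha256).digest()
    inner_list = "(" + " ".join(f'"{c}"' for c in components) + ")" + params
    return {"signature-input": f"{label}={inner_list}",
            "signature": f"{label}=:{base64.b64encode(mac).decode()}:"}


def verify_request(method, authority, path, headers, key, now, label="sig1", max_age=300):
    """Verify an incoming request; signatures older than max_age seconds are rejected."""
    components, params = parse_signature_input(headers["signature-input"], label)
    created = re.search(r";created=(\d+)", params)
    sig = re.search(rf'(?:^|,\s*){re.escape(label)}=:([A-Za-z0-9+/=]+):', headers["signature"])
    if sig is None or created is None or now - int(created.group(1)) > max_age:
        return False
    base = build_signature_base(method, authority, path, headers, components, params)
    expected = hmac.new(key, base.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(sig.group(1)))
```

Covering Signature-Agent binds the request to the operator the agent claims to act for, so a replayed or re-pathed request fails as shown in the checks that follow.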

4. **Anomaly detection on the application layer, not the network layer**

Where 2018 bot defense ran on the L4/L7 boundary (WAF, rate limit, IP rep), 2026 bot defense runs inside the application:

  • "This user's purchase pattern doesn't match their previous behavior."
  • "This API client is making request sequences that don't match any documented client SDK."
  • "This session is interacting with form fields in an order no human user has ever produced."

This requires application telemetry that most teams don't yet collect.

Lyrie Assessment

The Bad Bot Report's framing change — from "blocking bots" to "managing automation" — is the single most important strategic signal in 2026 application security.

The vendor ecosystem is bifurcating:

  • Old guard (Cloudflare bot management, Akamai Bot Manager, Imperva itself, PerimeterX) — built on signature/IP/header detection, retrofitting AI-bot detection on top of legacy architectures. Still effective for low-sophistication attacks. Increasingly ineffective against LLM-driven traffic.
  • New paradigm (HUMAN Security's BotGuard, Castle, Stytch on the auth side, Lyrie on the agentic-defense side) — built on continuous behavioral identity, intent declaration, and agent-aware authorization. Fundamentally different threat model.

Lyrie's position: the 25-million-attacks-per-day number is the floor, not the ceiling. The trajectory points to a 2027 web where bot traffic is 60-65% of total, AI-driven attacks are 100M+ daily, and the cost-per-attack continues falling because LLM inference gets cheaper while attack tooling gets better.

The defenders who survive that environment are the ones who:

1. Stop trying to identify bots — that battle is structurally lost

2. Identify legitimate user-agent pairs via continuous behavioral identity

3. Identify legitimate agent intent via declared-purpose authorization

4. Use autonomous defense that adapts to novel attack patterns in seconds — because by the time a CISO writes a static rule, attackers have shipped a new variant

This is exactly what Lyrie's architecture is built for. Our LyrieIntentEngine (Q3 2026 ship) classifies traffic into [human, declared-agent, undeclared-agent, malicious-agent] tiers and applies graduated response: human gets normal flow, declared-agent gets scoped access, undeclared-agent gets challenge, malicious-agent gets blocked + telemetry.

CAPTCHA was a 2010 defense for a 2010 internet. We're in 2026. Time to retire the friction and ship the new defensive primitives.

Recommended Actions

Strategic (this quarter)

1. Audit your anti-bot stack. If your defenses still revolve around CAPTCHA, IP rate limits, and User-Agent filtering — you are defending against 2018 attackers. Plan migration.

2. Inventory your high-value endpoints. Login, signup, password reset, checkout, API key issuance, account modifications. These are where bot economics make abuse profitable. Apply behavioral defenses here first.

3. Adopt one behavioral signal even imperfectly. Mouse-movement entropy, typing cadence, scroll patterns. Even a basic implementation is more useful than CAPTCHA in 2026.

Tactical (this month)

4. Implement OAuth scope tightening. If your API tokens currently grant broad access, refactor to per-resource per-action scopes. Reduces blast radius when (not if) tokens leak.

5. Add Web Bot Auth or HTTP Message Signatures support for any API consumed by legitimate agents (search engines, AI assistants integrating with your service). Be ready to permission them in.

6. Deploy WAF rules that flag known LLM/agent framework user-agents and known stealth library fingerprints. Labelling them, even without blocking, helps your team understand the traffic mix.

Long-term (this year)

7. Plan for an "agent permission" UX. When users start asking your service "let my Anthropic Claude agent access my account on my behalf" — be ready with a real authorization model, not a generic "API access" toggle.

8. Subscribe to the data sources. Imperva's annual report, HUMAN's Quadrillion report, Cloudflare Radar, academic research from Princeton/Stanford on agent benchmarks. The threat model is moving fast.

For Lyrie users

Our LyrieIntentEngine rule pack ships in Q3 2026. It implements the human-vs-declared-agent-vs-malicious-agent tiering described above, with continuous behavioral identity scoring backed by our autonomous-defense baseline. Customers running our agent on web-application infrastructure will see the [human / declared-agent / undeclared-agent / malicious-agent] traffic breakdown live in their dashboard, and can apply differentiated policies per tier with one click.

Sources

1. Imperva. "Bad Bot Report 2026: Bots in the Agentic Age." https://www.imperva.com/blog/bad-bot-report-2026-bots-agentic-age/

2. Security Boulevard. "Bad Bot Report 2026: The Internet Is No Longer Human and It's Changing How Business Works." https://securityboulevard.com/2026/04/bad-bot-report-2026-the-internet-is-no-longer-human-and-its-changing-how-business-works/

3. The Independent. "AI bot attacks increase 10-fold, report reveals." https://www.independent.co.uk/tech/security/ai-bots-bad-bot-report-thales-b2966754.html

4. Global Security Mag. "Thales 2026 Bad Bot Report: KI-gesteuerte Bot-Angriffe nehmen um das 12,5-Fache zu." https://www.globalsecuritymag.de/thales-2026-bad-bot-report-ki-gesteuerte-bot-angriffe-nehmen-um-das-12-5-fache.html

5. Lefaroll Telegram channel coverage (Hebrew). https://t.me/Lefaroll

6. IETF — Web Bot Auth draft. https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth/

7. RFC 9421 — HTTP Message Signatures. https://www.rfc-editor.org/rfc/rfc9421.html


Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.