Bots vs. Humans: How AI Tools Are Rewriting Who Uses the Internet
In June 2026, bot traffic vs human traffic flipped for the first time. Cloudflare Radar measured 57.4% of web requests as automated and 42.6% as human. AI tools drove the change. This article breaks down where bots dominate, which countries skew human, and what businesses building or buying AI tools should do about it.
Benediktas Kazlauskas
Last updated: Jul 08, 2026
5 min read

TL;DR
- Bots passed humans in June 2026 at 57.4% of web requests, per Cloudflare Radar.
- Six of the top 60 source countries already send more bot traffic than human traffic, led by Iran at 81.4%.
- AI-driven traffic grew about eight times faster than human traffic in 2025, per HUMAN Security.
- Blocking every bot blocks the AI tools your future customers use to find you, so classification beats a blanket wall.
How much of the internet is actually bots?
Bot traffic is any web request made by software rather than a person, including search crawlers, AI agents, scrapers, and malicious scripts. The share just crossed half. Here’s what the latest numbers show and where the split is most extreme.
On June 3, 2026, Cloudflare CEO Matthew Prince posted that automated systems generate 57.4% of HTTP requests to web content, against 42.6% from people, according to Cloudflare Radar. He had told an SXSW audience in March that the crossover wouldn’t arrive until 2027. It came more than a year early.
Decodo's analysis of Cloudflare Radar data shows the split varies sharply across countries. 6 of the top 60 traffic-source countries already run a majority of bots. Iran tops the list at 81.4% bot traffic, followed by Singapore at 73.7% and Ireland at 71.1%. Small, data center-dense markets sit at the extreme.
Country
Bot traffic
Human traffic
Iran
81.4%
18.6%
Singapore
73.7%
26.3%
Ireland
71.1%
28.9%
Netherlands
61.3%
38.7%
Finland
56.8%
43.2%
Hong Kong
55.6%
44.4%
Germany
45.0%
55.0%
United States
43.6%
56.4%
Why AI tools changed everything
The jump traces back to AI tools that read the web at machine speed. The numbers below show how fast that traffic grew and what it’s made of.
AI-driven traffic grew about 187% across 2025, roughly eight times faster than human traffic over the same months, per HUMAN Security's 2026 State of AI Traffic report. Agentic AI traffic, where software acts on a person's behalf, grew about 7,851% year over year in the same report.
The scale gap explains the rest. A person shopping for a camera might open a couple of websites. An AI agent doing the same task can query thousands. One agent requests fans out into thousands of page fetches.
Automated traffic splits into 3 groups:
- Training crawlers, which collect data to build and update AI models, still make up the largest slice of AI traffic.
- AI agents and fetchers, which pull live pages to answer a user's prompt or complete a task.
- Malicious bots, which run scraping, credential stuffing, and fraud.
Roughly a third of bot traffic is classified as malicious in public reporting, which leaves about two-thirds doing legitimate work.
A few operators dominate the legitimate side. OpenAI's bots account for about 69% of observed AI-driven traffic by volume, Meta about 16%, and Anthropic about 11%, per HUMAN Security. That concentration means an access decision about three companies shapes most of your AI traffic.
The traffic also clusters by sector. 3 verticals absorbed more than 95% of AI-driven traffic in 2025: retail and eCommerce, streaming and media, and travel and hospitality. Retail and eCommerce alone made up 62.5% of training-crawler traffic, the categories where structured, frequently updated data has the most commercial value.
Vaidotas Juknys, CEO at Decodo, noted, “We spent thirty years building the web for people who click. Now, most of the traffic doesn’t click, it queries. That’s the internet doing exactly what we asked AI to do.”
Where the bots come from: a geographic breakdown
Bot origin tracks data center capacity, not population. The table below ranks the countries that send the most automated traffic worldwide.
Country
Share of global bot traffic
Own bot %
United States
53.5%
43.6%
Germany
8.2%
45.0%
Netherlands
5.6%
61.3%
Singapore
5.4%
73.7%
France
3.9%
33.1%
China
3.9%
38.4%
India
3.5%
14.9%
The United States originates 53.5% of worldwide bot traffic, while running 43.6% of bot traffic at home. Germany, the second-largest source, runs 45% of bots. The Netherlands and Singapore sit higher on their own share, at 61.3% and 73.7%. Both host dense cloud infrastructure relative to their size.
Some markets stay overwhelmingly human. India runs 14.9% bot, Mexico 9.2%, and the Philippines 10.7%. Readers in those regions see a different web than readers routed through Frankfurt or Ashburn.
The cause is physical. Cloud regions and hosting providers cluster in a few places, and crawlers, agents, and proxies run from those machines. Traffic carries the flag of the data center, not the user. Ashburn and Frankfurt read as bot-heavy even when the people behind the requests sit elsewhere.
Sub-national data sharpens the pattern. In the United States, Virginia accounts for 27% of national bot traffic, California 9.9%, and Oregon 7.7%, the corridors where data centers cluster. England carries 96.3% of UK bot traffic, Hesse leads Germany at 46.1%, and North Holland leads the Netherlands at 55.9%.
Most popular target categories
Internal network data backs up the pattern – retail is where bots concentrate. Decodo's own anonymized user data over the past six months show that search engines and AI answer engines generate the largest share of all traffic, at roughly 72%. That volume is the infrastructure layer that feeds AI shopping results directly, which is precisely the channel a retailer risks losing by blocking bots wholesale.
Retail and eCommerce sites are the largest commercial category behind that, making up about 13% of all successful requests. Everything else trails far behind – travel and cargo carriers sit at 0.4%, and real estate, news, jobs, and finance platforms each account for a fraction of a percent. That drop-off shows bots return most often to sites with fast-changing prices, inventory, and listings.
Industry
Share of total requests
Search engines & AI assistants
~72%
Retail & eCommerce
~13%
Travel, airlines & cargo
~0.4%
News & media
~0.2%
Real estate
~0.2%
Jobs & professional data
~0.2%
Finance
~0.1%
Good bots vs. bad bots: what it means for business
Blocking every bot blocks the AI tools your future customers use to find you. The task is sorting legitimate automation from abuse, which the following points lay out.
- AI assistants fetch your pages to answer buyer questions, so a blanket block removes you from those answers.
- Training crawlers shape how models describe your brand and products, which affects what AI tools tell users about you.
- Malicious bots still need stopping, so the goal is a policy that separates the two by behavior, identity, and rate.
Agentic traffic now lands where buyers decide. In 2025, 77% of agentic AI activity hit product and search pages, 8.8% account pages, 5% authentication flows, and 2.3% checkout. A store that blocks those agents drops out of AI shopping results, while competitors stay in.
Cloudflare has moved toward a pay-to-crawl model, returning a 402 response with a crawler price and settling payment before serving the page. A companion standard, Web Bot Auth, uses cryptographic signatures so crawlers cannot spoof a friendly identity.
Identity is the sticking point. In August 2025, Cloudflare accused the AI search startup Perplexity of stealth crawling, fetching pages while disguising its bot. A bot that hides its name cannot be allowed or charged, which is why verification now matters as much as detection.
The math behind pay-to-crawl is a crawl-to-refer ratio: pages a bot takes versus visits it sends back. Cloudflare Radar tracks it, and the spread is wide. Google crawls about five pages per referral, while some AI crawlers pull thousands of pages for each visit they make. That gap is why publishers now price access instead of giving it away.
Vaidotas Juknys, CEO at Decodo, noted, “The instinct to block every bot is understandable, but it’s like locking your storefront because some visitors don’t buy. The agents crawling your site today might be how your customers will discover you tomorrow.”
What does this mean if you build or buy AI tools?
The crossover changes daily work for 3 groups. Each has a clear move to make.
For teams building AI tools and agents
Reliable, structured, geo-distributed access to public web data becomes core infrastructure. An agent that can’t reach a site, or that reads a blocked or geo-shifted version of it, returns a worse answer. Proxies and data collection solutions, like Decodo’s Web Scraping API, give agents, LLMs, and tools the ability to fetch real-time results across 195+ countries.
Geography decides what an agent sees. A price, a product list, or a search result in Madrid differs from the same page in Chicago. An agent that always exits through one region reads one version of the web and misses the rest. Routing requests through residential IPs in the target market returns the page a local user would see, which keeps the answer accurate.
For teams selling to humans
Agentic traffic is a new audience for your analytics and content. A session count that mixes 5K agent fetches with five human visits misreads demand. Tag automated traffic, then read human and machine engagement separately, so pricing and content decisions rest on clean inputs.
For security and data teams
The job shifts from blocking to distinguishing. Set rules based on behavior and verified identity. Allow the crawlers that drive discovery, rate-limit the unknown, and stop the patterns tied to credential stuffing and scraping fraud.
“Reliable access to public web data has become as fundamental as cloud computing. If you’re building an AI tool, the quality of what your agents can see and fetch is now a competitive advantage,” CEO at Decodo, Vaidotas Juknys, added.
What comes next: the agentic web
Three shifts are already in motion. They point to a web that serves machines as first-class visitors.
- Pay-to-crawl pricing, where sites charge per request and settle through a merchant of record, with Cloudflare customers already sending more than one billion 402 responses a day.
- Agent identity and verification, where cryptographic signatures replace user-agent strings that bots can fake.
- Machine-readable site design, where pages expose structured data so agents fetch facts without scraping rendered HTML.
The split between training and search crawlers is also widening. Anthropic now runs ClaudeBot for training and Claude-SearchBot for live answers, mirroring OpenAI's GPTBot and OAI-SearchBot. That separation lets a site allow the crawler that drives discovery and block the one that only extracts.
Bottom line
Bots send 57.4% of web requests, and 6 major economies already run a majority of bots. AI tools caused the shift, and they keep growing at about 8 times the rate of human traffic. Sort legitimate automation from abuse, feed your agents clean data access, and read machine and human traffic as totally separate audiences.
Collect public data faster
Power up your business with real-time data from any website online with our Web Scraping API.
About the author

Benediktas Kazlauskas
Content & PR Team Lead
Benediktas is a content professional with over 8 years of experience in B2C, B2B, and SaaS industries. He has worked with startups, marketing agencies, and fast-growing companies, helping brands turn complex topics into clear, useful content.
Connect with Benediktas via LinkedIn.
All information on Decodo Blog is provided on an as is basis and for informational purposes only. We make no representation and disclaim all liability with respect to your use of any information contained on Decodo Blog or any third-party websites that may belinked therein.


