The invisible traffic problem: why AI agents are your biggest blind spot
Date:
Wed, 24 Jun 2026 08:50:54 +0000
Description:
Companies should stop assuming that because something identifies itself as a known agent, it is legitimate. The cost of blind trust is too high.
FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter Most executives have no idea
how much of their website traffic comes from AI agents.
If you were to ask which AI agents are legitimate and which are impersonating trusted names to scrape data, theyd struggle to tell them apart, a problem thats growing by the day. Benjamin Fabre Social Links Navigation
Co-Founder & CEO, DataDome. In early 2026, AI and bots generated billions of requests, outpacing internet traffic from humans. Latest Videos From Watch full video here:
This is no longer a fringe activity; AI agents are now a persistent, substantial portion of the traffic hitting websites.
Yet most organisations cant tell you what that traffic is doing, where its really coming from, and whether its helping or hurting their business. You
may like Managing the internets agentic middlemen The mobile app traffic your security team can't see and AI agents are generating it AI agents are the
new unmanaged endpoints The Volume Trap When organisations hear that AI agent traffic is creating billions of requests, the instinct is often to treat it
as a monolithic category. Its not. Lumping all AI agents together is like treating all humans as identical users; it misses the nuance that determines value.
Take two agents from the same company: one built to improve search relevance, potentially driving referral traffic back to a website, and another designed purely for large-scale data extraction to train AI models, offering zero benefit to organisations. Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features
and guidance your business needs to succeed! Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.
Both show up in traffic reports, both generate similar volumes, but only one has any upside for businesses. Without the ability to distinguish between them, companies cant make informed decisions about either. Organisations are flying blind, and the cost of that blindness is steep. The Trust Problem Here is where it gets trickier: even when an AI agent identifies itself, organisations cant trust it. Recent data shows that well-known, trusted AI agent names are being actively impersonated at scale. Meta-ExternalAgent was spoofed over 16 million times in early 2026. ChatGPT-User saw nearly 8
million fraudulent requests using its name. PerplexityBot had nearly 2.4% of all requests claiming to be legitimate turn out to be fake.
If website allowlists approved lists granted automatic access - certain AI agents by name, assuming they are legitimate crawlers, a fake agent string is essentially a skeleton key. Bad actors know this and are using trusted agent identities as cover to bypass defenses and extract whatever data they want. What to read next Shadow AI and agents like OpenClaw are hijacking corporate data too easily New report claims bot traffic is growing 6.5 times faster
than human users Why self-running agents are creating the biggest security crisis of 2026
The exposure isnt theoretical. Testing across 700k high-traffic websites revealed that the vast majority return full access to spoofed AI agent requests with no verification whatsoever. The Agentic Browser Challenge Traditional AI crawlers are only part of the story. A newer, more sophisticated vector is emerging: agentic browsers . These tools dont just request a page, they simulate full browser sessions and interact with a site like a human user.
Theyre harder to detect and harder to distinguish from legitimate traffic,
and they are showing up in force across the industries with the most valuable transactional data.
In February 2026, agentic browser traffic was concentrated in ecommerce and retail (about 20% of volume) and travel and tourism (15%). These sectors hold some of the most valuable transactional data on the internet: pricing data, inventory information, customer behavior patterns, and competitive intelligence.
For businesses in any of these sectors its time to start actively monitoring for agentic browser activity, as organisations may be leaking data without realising it. What This Means for Decision Makers The implications of this visibility gap are immediate and material. Invisible traffic is unmanaged traffic. Companies that cant identify traffic cant decide what to do with it. Should it block it? Throttle it? Allowlist it? Monetise it? Without clear visibility, decisions become guesswork.
High volume does not equal high value. Some AI agents drive search visibility and referral traffic. Others extract data and contribute nothing in return.
By treating them the same, organisations are subsidising data collection efforts with no upside for a business.
Relying on basic bot detection doesnt cut it anymore. Agentic browsers behave like real users and simple signal-based detection misses them. Organisations need behavioural analysis that accounts for session patterns, timing, interaction signatures, and other contextual indicators. Where to Start Getting control of AI agent traffic starts with visibility. Organisations
need to log and classify what is hitting sites, by agent type, behaviour, and claimed identity without relying solely on user-agent strings, as theyre easy to spoof.
Agent classification is an ongoing practice. As the AI agent ecosystem
evolves quickly, with new agents appearing regularly and existing ones changing behaviour, in-time assessments go stale fast.
Establish a tiered access framework, but make it session-specific, not agent-specific. The same AI agent can exhibit legitimate behaviour in one session and extractive behaviour in another.
Intent-based detection evaluates what an agent is doing in real time, not
just what it claims to be. Is it browsing product pages at a human pace or scraping an entire catalogue? The behaviour in each session should determine the response.
Companies should stop assuming that because something identifies itself as a known agent, it is legitimate. The cost of blind trust is too high. Verify everything.
AI agents are not going away. Their traffic will continue to grow, and their behaviour will continue to evolve. The organisations that thrive in this environment will be the ones that can see clearly what is happening on their websites and make deliberate, informed decisions about what to allow and what to block.
Right now, most organisations cant, and that needs to change. AI agents are already interacting with websites. The question is whether organisations know what theyre doing while theyre there. We feature the best website builders . This article was produced as part of TechRadar Pro Perspectives , our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
https://www.techradar.com/pro/perspectives-how-to-submit
======================================================================
Link to news story:
https://www.techradar.com/pro/the-invisible-traffic-problem-why-ai-agents-are- your-biggest-blind-spot
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)