CYBERSECURITY | Edge security firm expands in Asia as bot traffic surges, report finds
A key focus of the report is headless bots, a class of automated browsers capable of simulating human behavior at scale.
Automated bot traffic now accounts for nearly a third of global internet activity, with financial institutions, e-commerce platforms, and media publishers in Asia-Pacific facing increasing pressure from both malicious automation and AI-driven crawlers, according to the latest Fastly Threat Insights Report.
Drawing from trillions of application and API requests analyzed between July 1 and September 30, 2025, the report found that bots made up 29% of all traffic in the third quarter, with unwanted bots accounting for 25%. “Examining Q3 traffic across human, unwanted bots, and wanted bots activity, humans comprise the most significant portion of traffic at 71%. Bots made up 29% of all traffic, with unwanted bots accounting for 25%,” the report states.
The data underscore a structural shift in how the web operates. Automated systems — whether malicious scrapers, credential-stuffing bots, or legitimate AI crawlers — are no longer marginal traffic sources. They are embedded in the architecture of modern digital services, affecting security, infrastructure costs, and revenue models.
A key focus of the report is headless bots, a class of automated browsers capable of simulating human behavior at scale. “Headless bots are fully functional automated browsers used to mimic real user behavior on websites, but at machine speed and scale,” the report explains. In Q3 alone, “we saw billions of requests from headless bots,” with “‘Common Headless Automation’ accounted for 94% of total headless bot traffic.”
The regional implications are significant. “Headless bots are targeting transaction-heavy industries. 89% of headless bot traffic targeted Financial Services and Commerce industries,” the report notes. In Southeast Asia, where digital wallets, super apps, and online marketplaces have become central to economic activity, the concentration of bot activity on financial and commerce platforms presents direct operational risk.
These bots are not simple scripts. “These bots can execute JavaScript and mimic human activities, allowing them to bypass more simplistic anti-bot solutions,” the report states. For banks, fintech firms, and large retailers in markets like Indonesia, Malaysia, and the Philippines, this means perimeter-based defenses are increasingly insufficient.
Beyond malicious bots, AI crawlers and fetchers are reshaping traffic flows. The report found that “Meta and ChatGPT account for the highest proportion of AI crawler and fetcher traffic. 60% of all AI crawler traffic is attributable to Meta, and 68% of all AI fetcher traffic is attributable to OpenAI’s ChatGPT.”
This shift has economic consequences, particularly for publishers. “AI serving content from within its own environment means users are getting the information without visiting the source site,” the report states. It adds that “only 8% of users, when presented with an AI overview for their query, actually clicked through to the source website.” For media companies across Asia-Pacific — including regional newsrooms competing for digital advertising revenue — declining click-through rates threaten already thin margins.
The report also found that organizations are beginning to respond. “We also found that 4% of all wanted bot requests are blocked, indicating that organizations are questioning whether these bots are truly wanted.” While still a small percentage, it signals a growing willingness to assert control over which AI systems can access proprietary content.
Overall, bot traffic continues to rise. Comparing Q2 and Q3, the report recorded an approximate 2% increase in combined wanted and unwanted bot traffic. “Regardless of how this distribution evolves, we can say with certainty that bot traffic isn’t going anywhere,” the report concludes. It warns that managing automation “is no longer optional,” noting that even relatively small shares of traffic “can still put undue strain on infrastructure, demanding a modern bot management solution.”
For Asia-Pacific, these findings intersect with rapid digital expansion. The region has seen accelerated adoption of cloud services, mobile payments, and cross-border e-commerce. Countries such as Japan and Singapore have mature cybersecurity frameworks, but emerging digital economies in Southeast Asia are still scaling both infrastructure and regulatory oversight.
In the Philippines, digital transformation has accelerated since the pandemic, driven by e-wallet adoption, online retail growth, and government digitalization initiatives. The Bangko Sentral ng Pilipinas has pushed financial institutions toward stronger cybersecurity controls, while the Department of Information and Communications Technology has emphasized zero-trust architectures and threat intelligence sharing. Yet many small and medium enterprises — which form the backbone of the Philippine economy — lack the resources to deploy advanced bot mitigation or API security tools.
The Philippines also faces elevated exposure to credential-based attacks and phishing campaigns, reflecting both high social media usage and expanding online banking penetration. As APIs proliferate across fintech apps, logistics platforms, and government portals, the attack surface expands accordingly. Headless bots capable of account takeover attempts or scraping dynamic pricing data pose particular risks to online marketplaces and digital lending platforms operating locally.
At the same time, Philippine publishers confront the same AI crawler dilemma described in the report. As generative AI tools increasingly summarize news content within their own interfaces, traffic diversion could further erode advertising revenues. Decisions about whether to allow, block, or monetize AI crawler access will carry direct financial implications.
The broader lesson from the report is that automation has become structurally embedded in digital ecosystems. AI-driven content consumption, headless browser abuse, and large-scale scraping are not temporary anomalies. They represent a persistent layer of activity riding atop every major web platform.
The company behind the report operates more than 100 global points of presence, including 36 across Japan and Asia-Pacific, and has identified the region as a priority growth engine through 2026. With $613 million in revenue as of Q3 and an estimated $33.2 billion total addressable market, it is expanding partnerships with managed service providers in markets such as the Philippines to deliver localized infrastructure and security services.
For enterprises across Asia-Pacific, the implications are clear: bot traffic now represents both a security challenge and a business variable. The question is no longer whether automated systems will interact with their platforms, but how much visibility and control they retain when they do.
————————————————————————-
WE ARE 10 YEARS OLD! TEN YEARS OF TECHSABADO, IMAGINE THAT.
WATCH TECHSABADO ON OUR YOUTUBE CHANNEL:
WATCH OUR OTHER YOUTUBE CHANNELS:
PLEASE LIKE our FACEBOOK PAGE and SUBSCRIBE to OUR YOUTUBE CHANNEL.
PLEASE LIKE our FACEBOOK PAGE and SUBSCRIBE to OUR YOUTUBE CHANNEL.
