Fastly

Organizations classified as 'Exceptional' in AppSec maturity are 3.7 times more likely than 'Emerging' programs to reduce negative user experiences by more than 20%.

The High Technology industry has 35.5% and the Travel and Hospitality industry has 18.3% of organizations classified as 'Exceptional' in AppSec maturity.

In December 2025, Japan had 18%, the UK had 16%, and the US had 12% of organizations classified as 'Exceptional' in AppSec maturity.

Organizations classified as 'Exceptional' in AppSec maturity are 1.9 times less likely to experience a data breach than Emerging programs.

Organizations classified as 'Exceptional' in AppSec maturity are 3.6 times more likely to report a 20% or greater improvement in application availability compared to the average.

Organizations classified as 'Exceptional' in AppSec maturity are 3.6 times more likely to achieve a 20% or greater improvement in developer productivity compared to those in the 'Evolving' category.

Bot requests increased by 2% in Q3 2025 compared to the prior quarter, representing billions of requests.

Bots account for 29% of all web traffic, with approximately 25% of this traffic classified as unwanted.

4% of wanted bot requests were blocked, reflecting concerns about data usage and revenue impact.

Only 1% of users click through to source websites that have an AI summary, indicating diminished referral traffic for Media and Entertainment publishers.

Meta’s AI crawler and OpenAI’s ChatGPT fetcher accounted for 60% and 68% of their respective traffic categories in Q3 2025.

In Q3 2025, commerce received 88% of crawler traffic, while the Public Sector received 96%, and Education had the highest fetcher volume at 77%

89% of headless bot traffic (which mimic human behavior at machine speed) in Q3 targeted transaction-heavy industries like Financial Services and Commerce.

North America accounts for nearly 90% of observed AI crawler traffic, receiving a heavy skew compared to other regions like Europe, Asia, and Latin America.

Analysis of traffic from mid-April to mid-July 2025 revealed that AI crawlers made up almost 80% of all AI bot traffic observed.

Fetcher bots, including those from ChatGPT and Perplexity, are driving massive real-time request volumes, with some cases exceeding 39,000 requests per minute.

ChatGPT generates the most real-time traffic to websites, with 98% of fetcher bot requests attributable to OpenAI’s bots

Meta’s AI bots generated 52% of AI crawler traffic, which is more than double that of Google (23%) or OpenAI (20%).

High technology organizations were the most targeted industry by bots overall, representing 35% of observed attacks.

Search engine crawlers accounted for 66% of wanted bot traffic.

37% of all observed internet traffic originated from bots.

Attacks on the commerce industry doubled, rising from 15% of all observed attacks in Q1 2024 to 31% of all observed attacks in Q1 2025.

Of the observed bot traffic, 89% was classified as unwanted.

Commerce websites attracted the largest proportion of unwanted bot traffic at 39%.

Attacks on the commerce industry doubled, rising from 15% of all observed attacks in Q1 2024 to 31% of all observed attacks in Q1 2025.

Attempted logins using compromised passwords averaged over 1.3 million per day in March 2025

Nearly half (46%) of organisations are unclear about who holds ultimate responsibility for cybersecurity incidents.

38% of IT decision makers have promised “increased scrutiny of security disclosure documentation from supervisory agencies”.

38% of IT decision makers say they improved legal support for cybersecurity staff, including liability insurance, and corporations have allocated more resources to security in the past year.

41% of organisations have increased CISO participation in strategic decisions at the board level.

Only 36% of IT decision makers have clearly delineated roles and responsibilities within their teams.

93% of organisations made policy changes over the preceding 12 months to address concerns about increased personal liability for CISOs.

92% of organisations implement at least one web application firewall (WAF), while 67% rely on multiple WAFs from different vendors.

Experts project a 39% increase in the number of web applications and websites within the next two years, rising from an average of 145 to 201 per organisation.

59% of IT professionals believe that cyber adversaries have the upper hand in leveraging AI for attacks.

The percentage of cybersecurity and IT professionals anticipating that more than half of their applications will use APIs is expected to increase from 32% to 80% in the next two years.

57% of midmarket and enterprise organisations have experienced web application and/or API attacks exploiting lesser-known vulnerabilities in the last 24 months.

32% of urveyed professionals noted that agile development processes make it difficult to maintain security.

Currently, 32% of applications use APIs, but this is expected to rise to 80% in the next 24 months.

59% of IT professionals and 55% of cybersecurity professionals believe that AI-powered automation gives adversaries an advantage.

67% indicated that their organisation uses multiple WAFs from a variety of vendors.

92% of respondents reported that their organisation has at least one Web Application Firewall (WAF).

56% with developer roles believed cyber-defenders hold the advantage when it comes to AI-powered automation.

41% of surveyed professionals indicated that the increasing use of cloud infrastructure is their biggest challenge.

70% of the time, a DDoS diversion in a broader attack was successful, impacting operations and causing data loss.

Organisations protect an average of 145 web applications and websites, and this number is expected to grow to 201 in the next 24 months, marking a 39% increase.

45% of those who experienced a DDoS attack noted it was a diversion in a broader attack.