Fastly Research: Commerce Industry Attacks Double as Bots Represent More Than One-Third of All Traffic

SAN FRANCISCO--(BUSINESS WIRE)--Fastly, Inc. (NYSE: FSLY), a leader in global edge cloud platforms, today released its Q1 2025 Threat Insights Report, providing an overview of security trends, attack vectors and threat activity across the application security landscape. The report reveals that the commerce industry’s attack volume doubled from 15% in Q1 2024 to 31% in Q1 2025, signaling a shift in attacker focus. Additionally, the report found that 37% of all observed internet traffic is from automated traffic or bots, with 89% of that bot traffic classified as unwanted, further illustrating the challenges faced by online businesses.

Identifying wanted and unwanted bot traffic is crucial for businesses. Unwanted bot traffic, including malicious bot traffic, can conduct account takeovers, ad fraud or data theft. Conversely, search engine crawlers, which accounted for 66% of wanted bot traffic, can drive visibility and traffic to websites. Recognizing and managing this distinction empowers businesses to block harmful activity without impeding essential services.

“As bots make up a growing portion of internet traffic, the ability to tell the difference between useful and unwanted automation is becoming more important,” said Simran Khalsa, Staff Security Researcher at Fastly. “If you’re not actively managing bot traffic you could be spending on infrastructure, bandwidth, or performance that is effectively being wasted on serving malicious or non-productive traffic.”

Fastly’s quarterly threat insights report draws from 6.5 trillion monthly requests¹ across Fastly’s Next-Gen WAF, Bot Management, and DDoS Protection solutions, which collectively help secure over 130,000 apps and APIs² across a wide range of industries, including leading e-commerce, streaming, media and entertainment, financial services, and technology companies.

Key Q1 2025 findings include:

• Attacks on the commerce industry doubled, rising to 31% of all observed attacks in Q1 2025 from 15% of all observed attacks in Q1 2024
• 37% of all observed traffic originated from bots, with 89% of bot traffic classified as unwanted
• Commerce websites attracted the largest proportion of unwanted bot traffic at 39%
• High technology organizations were the most targeted industry overall, representing 35% of observed attacks
• Attempted logins using compromised passwords averaged over 1.3 million per day in March 2025, driven in part by the use of proxy services to automate activities

Security teams can reference the insights in this report to help harden their defenses, prioritize resources, and respond more effectively to common threats. From bot management to application-layer DDoS to compromised credentials, the Q1 report provides actionable guidance grounded in real-world telemetry.

To access the Fastly Q1 2025 Threat Insights Report, visit https://learn.fastly.com/security-threat-insights-report.

About Fastly, Inc.

Fastly’s powerful and programmable edge cloud platform helps the world’s top brands deliver online experiences that are fast, safe, and engaging through edge compute, delivery, security, and observability offerings that improve site performance, enhance security, and empower innovation at global scale. Compared to other providers, Fastly’s powerful, high-performance, and modern platform architecture empowers developers to deliver secure websites and apps with rapid time-to-market and demonstrated, industry-leading cost savings. Organizations around the world trust Fastly to help them upgrade the internet experience, including Reddit, Neiman Marcus, Universal Music Group, and SeatGeek.

Learn more about Fastly at https://www.fastly.com, and follow us @fastly.

¹ Trailing six-month average as of April 22, 2025.
² As of April 22, 2025.

Source: Fastly, Inc.