Across Australian checkouts, member log-ins, public portals and newsroom homepages, bots are no longer mere digital vermin.
They are consuming cloud spend, distorting revenue, testing stolen credentials and stripping content at scale — and the evidence now suggests that the real failure is not that they exist, but that too many organisations still treat them as an occasional incident instead of a permanent condition.
Automated traffic has moved from being a background nuisance to a structural issue for Australian websites. The strongest public evidence points in the same direction:
Globally, bad bots rose from about 30.2% of internet traffic in 2022 to 32% in 2023 and 37% in 2024, while total automated traffic reached 51% in 2024.
Australia-specific public data are patchier, but the available numbers are still striking:
Imperva reported that bots accounted for 36.4% of Australia’s total internet traffic in 2023, with bad bots alone at 30.2%; its 2025 report then placed Australia third in Asia-Pacific for share of bot attacks in 2024, at 18%.
In other words, Australia is not an edge case. It is a high-value target in a market with dense digital dependence across retail, finance, government and media.
For cybersecurity teams, the shift is qualitative as well as quantitative. Modern bot activity is not confined to simple crawling.
Recent official and industry reporting shows the threat mix now includes credential stuffing, account takeover, API abuse, scraping, fraud automation, DDoS and business-logic attacks.
Imperva found 44% of advanced bot traffic in 2024 targeted APIs, while APRA’s 2025 intervention in superannuation made clear that credential stuffing had exposed persistent weaknesses in authentication controls.
ACSC, meanwhile, reported responding to more than 200 DoS or DDoS incidents in FY2024–25, up more than 280% year on year.
For businesses, the significance is commercial. Bots degrade conversion, hoard inventory, scrape pricing, distort analytics, inflate ad fraud, and trigger customer complaints when defensive controls are clumsy.
For finance and government, the immediate issues are fraud, credential abuse and service availability. For media organisations, the AI-crawler surge has sharpened a new problem: automated extraction of content without commensurate referral traffic or payment.
When looking at the crawlers Cloudflare identifies by purpose, the composition of crawler traffic tells the story clearly:
- 52% of crawler requests are now for AI training as of June 2026, up from 22% in Spring 2025.
- Mixed-use crawlers (those blending search, agent use, and training) represent over 36% of activity.
- Pure search crawling now represents a small and declining share of overall crawler activity, despite remaining critical for publisher visibility.
For cloud economics, bot traffic is effectively a tax on consumption billing. The main cost multipliers are straightforward: more requests, more edge inspection, more cache misses, more origin compute, more API invocations, more logs, and in some architectures more outbound data transfer.
AWS, Google Cloud and Azure pricing documentation all confirm that these meters scale with traffic and data movement; AWS has even introduced CloudFront flat-rate plans explicitly marketed as protection against surprise overages during attacks.
The implication is that bot management is no longer only a security control. It is also a FinOps control.
The editorial conclusion is straightforward. Australian organisations should stop treating bots as a periodic security incident and start handling them as a permanent operating condition of the modern web.
That means measuring them, pricing for them, governing them, and building policy settings that distinguish legitimate automation from extraction, fraud and disruption.
The trend picture
The best high-confidence time series in the public domain is still global rather than purely Australian.
Thales/Imperva’s published figures show bad bots growing for six straight years, reaching 37% of all internet traffic in 2024, while automated traffic overall overtook human traffic at 51%.
The same research shows a marked recent jump rather than a gentle drift, consistent with the widening availability of AI-assisted automation tools.
Imperva reported that in 2023 bots made up 36.4% of Australia’s internet traffic and that Australia’s bad bot traffic reached 30.2%, up 23.2% year on year.
Its 2025 report then described Australia as accounting for 18% of all bot attacks in APAC in 2024.
Cloudflare Radar also maintains an Australia-specific bot traffic view, which confirms persistent bot activity in the local market, even if its public text view is less useful than the interactive charts for extracting a historical series.
The Australian government’s own incident reporting reinforces that direction. ACSC says DoS and DDoS activity has climbed sharply over the past several years:
More than 20 incidents in FY2021–22, more than 50 in FY2022–23, and more than 200 in FY2024–25. By FY2024–25, public administration and safety was the top reporting sector for DoS/DDoS incidents, followed by financial and insurance services.
Those figures don’t measure all bot traffic, but they do show that bot-enabled disruption is becoming more routine in Australia’s operating environment.

The short version of the trendline is this: the public evidence does not support the comforting thesis that bad bots are stable, containable background noise. It supports the opposite thesis — that automation is becoming the default state of the web, and malicious automation is growing faster than many organisations’ defences or budgets.
What the bots are doing
The basic distinction between good and bad bots remains useful, but it is no longer sufficient on its own. Good bots still include search crawlers, uptime monitors, accessibility tools, performance scanners and benign integrations.
Yet the same infrastructure that serves those functions increasingly also carries AI crawlers, aggressive data harvesters, opportunistic scrapers and adversarial bots that imitate browsers and human interaction.
Cloudflare’s recent product changes — including AI crawler controls and traffic categorisation by purpose — reflect that the real issue is not merely whether traffic is automated, but what that automation is trying to achieve.
The threat mix that most clearly affects Australian websites clusters around six families. Credential stuffing and account takeover hit finance, retail, telco and member portals.
Scraping targets prices, content, listings and personal information. DDoS and low-capability swarms degrade public-facing services. Fraud automation attacks payment flows, loyalty programmes, promotions and ad-tech.
API abuse bypasses front-end controls to hit the business logic directly. SEO manipulation and fake engagement distort ranking, visibility and ad measurement. OAIC, APRA, ACSC and Imperva all document adjacent pieces of this pattern.
How automated traffic is pressuring Australian websites
Bot traffic is no longer a simple web-analytics nuisance. It now affects cyber security, fraud exposure, cloud hosting bills, publishing value, search data and customer trust across the Australian digital economy.
| Bot activity | What it typically does | Most exposed Australian sectors | Why it matters |
|---|---|---|---|
| Good crawlers and monitors Legitimate automation | Indexing, uptime checks and diagnostics. |
Media
E-commerce
Government
|
Necessary automation, but it can be confused with unwanted AI crawling if governance is weak. |
| Credential stuffing Account takeover risk | Tests reused credentials at scale to access accounts. |
Finance
Superannuation
Retail
Government portals
|
Drives account takeover, fraud, privacy breaches and support costs. |
| Scraping and data harvesting Commercial leakage | Extracts prices, listings, content or personal information. |
E-commerce
Travel
Media
Marketplaces
|
Erodes commercial advantage, privacy compliance and publisher value. |
| DDoS and disruptive swarms Availability risk | Floods services to degrade or block access. |
Government
Critical infrastructure
Finance
|
Hits availability, incident response budgets and customer trust. |
| Fraud bots Revenue loss | Abuses promotions, carts, gift cards, payment and ad systems. |
Retail
Marketing
Fintech
|
Converts traffic into direct financial loss and operational friction. |
| API abuse and business-logic attacks Harder to detect | Calls APIs directly to exploit workflows, leak data or automate fraud. |
Finance
Telecoms
Digital platforms
|
Harder to catch with legacy edge-only controls. |
| SEO and analytics manipulation Data integrity risk | Generates fake clicks, impressions, engagement or ranking signals. |
Media
Ad-tech
Publishers
Brands
|
Corrupts attribution and wastes media spend. |
Good crawlers and monitors
Legitimate automationIndexing, uptime checks and diagnostics.
Necessary automation, but it can be confused with unwanted AI crawling if governance is weak.
Credential stuffing
Account takeover riskTests reused credentials at scale to access accounts.
Drives account takeover, fraud, privacy breaches and support costs.
Scraping and data harvesting
Commercial leakageExtracts prices, listings, content or personal information.
Erodes commercial advantage, privacy compliance and publisher value.
DDoS and disruptive swarms
Availability riskFloods services to degrade or block access.
Hits availability, incident response budgets and customer trust.
Fraud bots
Revenue lossAbuses promotions, carts, gift cards, payment and ad systems.
Converts traffic into direct financial loss and operational friction.
API abuse and business-logic attacks
Harder to detectCalls APIs directly to exploit workflows, leak data or automate fraud.
Harder to catch with legacy edge-only controls.
SEO and analytics manipulation
Data integrity riskGenerates fake clicks, impressions, engagement or ranking signals.
Corrupts attribution and wastes media spend.
Two details deserve emphasis. First, bad bots are not only becoming more sophisticated; simple, high-volume attacks are also increasing because AI tools lower the entry barrier.
Second, APIs are now central terrain. Imperva found that 44% of advanced bot traffic in 2024 targeted APIs, and the sectors most exposed to account takeover were headed by financial services.
For an Australia with deep self-service digital finance and government channels, that is a strategic warning, not a niche statistic.
Recent academic work broadly supports the industry view that traditional signature-based detection is under strain.
BOTracle, a 2024 research framework evaluated on real e-commerce data, used a multi-stage detection pipeline; a 2026 lightweight passive method reported materially better performance from server-log and favicon heuristics than older baselines
The exact performance claims will vary by environment, but the academic direction matches the operational one: behaviour matters more than declared identity.
Bot traffic is becoming a measurable cost for Australian website operators
Bot traffic is becoming a measurable cost for Australian website operators, even where the activity does not result in a direct cyber breach.
The clearest public figure is in digital advertising, where Australian advertisers are estimated to be losing about $5 billion a year to online ad fraud, with 2026 audit findings showing some major campaigns losing 30% of digital ad budgets to fake clicks and bots.
For publishers, retailers and digital platforms, that cost does not stop at advertising waste. Bot traffic consumes bandwidth, triggers security inspection, fills logs, inflates analytics, causes cache misses and can push more traffic back to origin servers.
Fastly’s 2026 analysis found AI-generated traffic was growing 6.5 times faster than human traffic in early 2026, while more than half of AI requests required content to be fetched from origin servers, compared with fewer than 9% of human requests.
The larger shift is that automated traffic is now moving from a background nuisance to a structural operating cost.
Cloudflare-linked 2026 data shows bots and AI agents now account for about 57% of web HTTP requests, meaning many websites are serving machines more often than people.
For Australian website operators, the practical impact is that bot mitigation is no longer just a cyber security control; it is now part of cost management, infrastructure planning and digital revenue protection.
The difficult part is that there is no single public Australia-only figure showing how much bot traffic adds to hosting and cloud bills.
However, the available 2026 indicators point in the same direction: billions are already being lost through bot-driven advertising fraud, while rising AI and bot traffic is increasing the volume of paid infrastructure events across bandwidth, WAF inspection, serverless functions, logging,
CDN requests and origin compute. For website operators, this means “blocked” traffic can still cost money, and “non-human” traffic can still consume real cloud resources.
Australian case studies
The public-sector and critical-infrastructure picture is visible in ACSC’s annual reporting. In FY2024–25 it handled more than 200 DoS/DDoS incidents, and in FY2023–24 it published a case study in which a New South Wales energy supplier lost remote SCADA connectivity at two sites after a brute-force-driven DDoS incident flooded a SonicWall VPN boundary device.
MFA prevented login success, but the volume still disrupted remote visibility. That is an important reminder: good authentication can stop account compromise without stopping availability harm.
E-commerce has an official though anonymised illustration in OAIC’s January–June 2023 breach report. It describes a retail customer portal hit by credential stuffing, with unauthorised access to 500 customer accounts containing identity information; the business later uplifted to mandatory MFA.
OAIC also warned that large-scale breaches raise the risk of credential reuse and mosaic-style data aggregation. For retailers, the message is plain: if a log-in flow still depends mainly on email-plus-password, the wider breach ecosystem will eventually come calling.
Media is the sector where the bot story has become most visibly political as well as technical.
In 2025 the Australian Financial Review reported that AI firms were crawling major Australian news websites at high frequency, and in 2025–26 Cloudflare built a series of publisher-facing controls around blocking, pricing and classifying AI crawler access.
The issue here is not a classic breach but an asymmetry: content is scraped at scale while referrals and monetisation lag. That turns bot management into part copyright strategy, part platform negotiation and part infrastructure defence.
The broader governance lesson from these Australian examples is that bot incidents rarely stay in one lane. What begins as cybersecurity often becomes fraud prevention, privacy compliance, customer-experience management, public communications and cloud-cost containment, all at once.
Law and regulation
Australian law does not have a single dedicated “bot act”, so the regulatory picture is layered. At the federal level, the Privacy Act 1988 and the Australian Privacy Principles are central whenever bots collect, expose or misuse personal information.
OAIC states plainly that organisations must take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, including as a result of unlawful scraping, and that notifiable data breach obligations may be triggered when serious harm is likely.
Since December 2024, APP 11 explicitly clarified that “reasonable steps” include technical and organisational measures.
The criminal law also matters. The Criminal Code Act 1995 includes offences covering unauthorised access, modification and impairment of data and electronic communications.
Not every bot operation will fall neatly into those provisions, but credential stuffing, destructive automation and disruptive attack campaigns plainly sit within a criminal law frame, not just a terms-of-service dispute.
For finance, APRA’s prudential framework is now one of the most consequential regulatory levers.
CPS 234 requires information-security capability commensurate with threats and vulnerabilities, and APRA’s 2025 action on superannuation explicitly tied recent credential-stuffing attacks to inadequate authentication controls.
In practice, that means bot resilience in regulated finance is no longer discretionary hygiene; it is increasingly an issue of prudential compliance and board accountability.
For critical infrastructure, the Security of Critical Infrastructure Act 2018 creates enhanced cyber-security obligations for designated assets and systems of national significance.
Bot-enabled disruption and abuse are not named in the title, but the logic is obvious: if your web, API or remote access layer is part of a critical service, repeated automated disruption becomes a resilience and compliance issue, not merely an IT incident.
On scraping, policy is moving but not settled. Treasury’s 2023 discussion paper on screen scraping sought views on regulating credential-sharing data access and explicitly raised the possibility of banning screen scraping where Consumer Data Right is a viable alternative.
OAIC’s submission supported prohibition in that circumstance. The deeper policy point is that Australia is slowly shifting from accepting scraping as a tolerated convenience to treating some forms of automated extraction as an avoidable security design failure.
The law adds further complexity. OAIC notes that most states and territories have their own public-sector privacy legislation, and some jurisdictions layer state health-privacy regimes over the federal system. In the narrower field of ticketing,
Australia still has a patchwork of anti-scalping and anti-bot rules rather than a single federal framework; South Australia, for example, expressly bans the use of ticket bots, and earlier federal regulatory analysis noted that ticket-buying bots were illegal only in New South Wales at the time.
That patchwork is a reminder that Australian bot governance is still sectoral and uneven.
Defences, costs and cloud economics
The mitigation stack is now reasonably well understood. Basic rate limiting, IP reputation, WAF rules and CAPTCHA still matter, but they are not enough by themselves against modern browser-mimicking or API-native automation.
The stronger approaches combine edge controls, behavioural analytics, device and browser telemetry, bot scoring, step-up authentication, API-specific protections, and business-logic-aware rules.
That is also where the cost rises: the more precise the defence, the more likely it is to require specialist tooling, tuning and ongoing operations.
How website defences compare on cost, effectiveness and complexity
Bot protection is most effective when controls are layered. Basic WAF rules and rate limits provide a practical baseline, while MFA, API security, behavioural analytics and specialist bot management protect the higher-risk parts of a digital business.
Basic WAF managed rules
Good for commodity abuse, known attack patterns and baseline filtering. Weaker against human-like bots and advanced browser-mimicking automation.
Baseline protection for all public websites, especially WordPress, news sites, landing pages and common business websites.
Rate limiting
Useful against noisy bursts and repeated abuse. Less effective against distributed, low-and-slow attacks that spread requests across many IP addresses.
Login pages, search forms, checkout pages, password reset flows, comment forms and API endpoints.
CAPTCHA and JavaScript challenge
Adds useful friction for suspicious sessions, but can be bypassed and may damage user experience when used too broadly.
Step-up challenges for suspicious behaviour. Avoid blanket deployment across every visitor or every page.
Bot-management platform
Stronger against obfuscated bots, automated browsers and traffic designed to look human. Requires tuning and ongoing review.
High-value consumer sites, media publishers, finance, marketplaces, e-commerce and high-traffic public platforms.
Behavioural analytics and ML scoring
Increasingly important for modern bots, automated browsers and agentic browsing. Works best when connected to session, device and behaviour signals.
Protecting logins, APIs, payment flows, fraud-sensitive actions and high-value accounts.
MFA and step-up authentication
Extremely effective against credential stuffing when properly enforced, especially where attackers rely on reused or stolen passwords.
Finance, superannuation, member portals, administrator access, account changes, payments and other risky actions.
API-specific security and business-logic controls
Strong where bots bypass the front end and call APIs directly. Requires schema awareness, rate design and business-logic controls.
Mobile back ends, fintech, self-service platforms, telecoms, marketplaces and digital account services.
CDN plus edge shielding
Strong for DDoS absorption, origin protection, cache offload and reducing the amount of unwanted traffic that reaches the expensive part of the stack.
Public sites with global reach, frequent traffic spikes, media assets, e-commerce platforms and cloud-hosted applications.
Cost, however, is not confined to security tooling. Bot traffic also maps directly onto mainstream cloud billing models. AWS WAF bills per web ACL, rule and inspected request, with Bot Control adding its own subscription and request charges.
- AWS Lambda pricing combines request charges with compute-duration charges. API Gateway charges per API call and data transfer out.
- Google Cloud charges for outbound network traffic and Cloud Armor requests, and Cloud Armor Enterprise can add data-processing fees on top.
- Azure bills outbound bandwidth beyond the free allowance. The cloud bill can therefore rise even when the attack “fails” from a security perspective. Inspection, challenge, logging and transfer still cost money.
How bot traffic turns into real cloud bills
Bot activity does not only create a cyber security problem. It can also increase the cost of running websites, applications and APIs by pushing more traffic through bandwidth, inspection, compute, logging and protection layers.
Outbound data transfer / egress
Bandwidth costScrapers and content bots force the platform to send bytes, sometimes repeatedly.
Google and Azure price outbound bandwidth. Google notes ingress is free, while data transfer out is charged per GiB.
Scraping-heavy sites can pay materially more even without origin compromise.
Request-based security inspection
WAF and bot filteringWAF, bot-control and challenge services inspect every candidate request.
AWS WAF and Google Cloud Armor both meter inspected requests.
Blocked traffic can still generate billable security line items.
Origin compute
VMs, containers and app serversCache misses and dynamic requests hit VMs, containers or application servers.
Standard usage-based compute models apply across clouds. AWS and Google both emphasise origin-load reduction through CDN and caching.
Security teams that reduce bot-origin traffic are saving compute, not just reducing risk.
Serverless invocations
Functions and API callsBots trigger per-request functions and duration billing.
AWS Lambda and API Gateway are explicitly usage-based.
Small per-request costs become meaningful when abuse scales into large automated request volumes.
Logging and observability
Telemetry costSuspicious traffic generates access logs, WAF logs and telemetry.
AWS CloudWatch bills log ingestion. CloudFront flat-rate plans now bundle logs partly to reduce unpredictability.
During spikes, observability can become its own cost centre.
Premium protection tiers
Enterprise security add-onsBetter bot defences often sit in enterprise plans or paid add-ons.
Cloudflare Bot Management is enterprise-oriented, while Cloud Armor Enterprise and AWS Bot Control add paid protection layers.
The cost of protection itself must be budgeted as part of digital operations.

That schematic shows the usual order of pain rather than a measured invoice. For content-heavy or scraping-heavy properties, egress is often the silent killer. For API-heavy digital products, it is more often the stack of per-request charges — WAF, gateway, function execution, logs — that compounds.
In both cases the strategic response is the same: block or throttle malicious traffic as far to the edge as possible, before it reaches the expensive part of the architecture.
AWS’s new flat-rate CloudFront plans are notable here because they explicitly market “no overage charges” during spikes or attacks, effectively turning security architecture into cost-shaping architecture.
The business impacts are wider than infrastructure. ACSC reports average self-reported cybercrime cost per business report rose to $80,850 in FY2024–25, with large businesses averaging $202,700.
OAIC says compromised credentials caused a quarter of all data breaches in the July–December 2023 period.
If one adds distorted analytics, abandoned carts, fraud losses, call-centre load, brand erosion and defensive friction imposed on real users, the full cost of bots is substantially larger than the security budget line suggests.
What Australia should do next
For businesses, the practical playbook is not mysterious, but it must be treated as a board-level operating issue. Start with measurement: separate human, good-bot and suspicious-bot traffic in analytics and reporting.
Protect the money paths first — log-ins, password reset, account change, checkout, gift cards, loyalty, search and API endpoints. Enforce MFA or strong step-up controls for risky actions, not just administrator access.
Move inspection to the edge, tune cache strategy to collapse duplicate requests, and integrate FinOps with security so that bot spikes are visible both as threat signals and as cost anomalies. These are not “nice to haves” in regulated finance or high-volume retail; they are baseline controls.
For regulators, three priorities stand out. The first is clarity: Australia would benefit from more explicit guidance on organisation responsibilities for protecting against automated scraping and credential abuse, especially outside heavily regulated sectors.
The second is interoperability: Treasury’s screen-scraping work should continue so that safer, consented data-sharing mechanisms displace insecure credential-sharing models.
The third is evidence: agencies should publish more structured, Australia-specific data on bot-related incidents, sectors and costs, so that public debate is not forced to rely primarily on vendor telemetry.
For media and publishers, the future looks increasingly like controlled access rather than open extraction. The combination of AI crawlers, falling referral value and rising infrastructure cost means publisher bot policy is becoming a commercial strategy.
Blocking, licensing, metering and purpose-based access controls will likely become standard features of digital publishing in Australia, particularly after Cloudflare’s 2025–26 moves and new local licensing deals such as Nine’s Microsoft arrangement.
The future outlook is less about a neat victory over bots than about a tougher sorting problem. Some automation is essential. Some is economically tolerable.
Some is malicious and should be blocked. And some sits in a grey zone — especially AI agents and crawlers that are technically legitimate in form but extract more value than they return.
The organisations that handle this best will not be the ones with the loudest anti-bot slogans. They will be the ones that can tell, in near real time, which automation is worth serving, which should be challenged, and which should never be allowed past the edge.
