Every year, DataDome tests thousands of high-traffic websites worldwide to measure how efficiently they detect and block common automated threats. For the 2025 edition of our Global Bot Security Report, we analyzed nearly 17,000 popular domains spanning 22 industries. 

Like previous years, the results confirm that most websites are still unable to detect even the simplest automated attacks. However, the data also reveals significant variation across different industries. While bot protection capabilities have improved among websites in certain sectors, others are lagging behind.

Three out of five websites remain unprotected

Across the full sample, the majority of websites still fail to detect a single test bot. Only 2.8% of the domains we tested correctly identified all our bots (we classify these as being fully protected), while 36% identified at least some bots (partial protection). A concerning 61.2% were completely unprotected, meaning they let every single test bot through.

These results indicate that weak or incomplete bot protection remains the norm, exposing online businesses to scraping, credential stuffing, carding, fake account creation, and other automated threats.

Government, non-profit, & telecom websites show the weakest bot protection efficiency

Our 2025 test results reveal particularly low protection rates in the following industries:

• Government: 77.5% of tested domains were unprotected. Many government websites handle sensitive citizen data and deliver critical digital services, making the lack of protection especially concerning.
• Non-profit: 76.9% unprotected. Budget and staffing constraints likely contribute to limited adoption of bot mitigation tools, leaving donation and membership systems exposed.
• Telecoms: 73% unprotected. Telecom providers are frequent targets for automated account fraud, and weak verification flows can be exploited for SIM-swap fraud, yet most sites still lack basic safeguards.
• Technology & software: 69.9% unprotected. Even companies operating digital infrastructure often fail to block simple bots probing APIs and developer tools.
• Gaming: 69.8% unprotected. Automated abuse continues to threaten player accounts, in-game economies, and platform trust.

Travel, gambling, & real estate websites rank best

In the following sectors, we observed above-average protection rates:

• Travel & hospitality: 56.2% of websites showed at least partial protection, with 7.1% fully protected. This is a welcome improvement in an industry long affected by scalping and loyalty fraud.
• Gambling: 50.6% of these websites detected at least some of our test bots, reflecting ongoing investment in fraud prevention for real-money platforms.
• Real estate: 46.3% of the websites we tested had full or partial protection, as digital listings and lead generation continue to attract large volumes of automated scraping.
• Construction and Retail & e-commerce followed closely, each with roughly 45% of domains showing at least some bot protection capability.

The wide variation in bot protection levels underscores where digital risk is most concentrated. But even in the best-performing industries, full protection remains rare, and partial measures alone are insufficient against today’s advanced automated threats.

How AI is raising the stakes

A lack of protection against simple bot attacks already leaves security gaps. But now, AI-powered bots and agentic AI tools are further reshaping the risk profile in key industries. To mention just a few examples:

In retail, agentic commerce is gaining traction, with AI agents managing carts, checking out, and making real-time purchasing decisions. This creates new vectors for price scraping, inventory fraud, and automated undercutting.

In travel & hospitality, AI agents search, compare, and book flights or hotels autonomously. This opens an entirely new attack surface, including the risk of AI agent takeover and manipulation.

For media outlets, LLM crawlers are harvesting content at scale for training and redistribution. The results include IP theft, SEO dilution, and lost revenue.

If your website handles sensitive data or high-value transactions, ensuring efficient protection against automated threats is now a mission-critical task.

Download the full report

The findings discussed above are just part of the story. The Global Bot Security Report 2025 also explores:

• How AI-powered bots and LLM crawlers are reshaping the automated threat landscape
• Why vendor performance varies widely in real-world bot mitigation tests
• Why intent-based detection is emerging as a critical layer of defense.

Download the full report to explore more detailed data about how bot and AI-driven threats are evolving in 2025.