The State of Bot Attack Preparedness

The DataDome Advanced Threat Research team recently assessed over 14,000 of the largest transactional websites for bot attack preparedness. The findings highlight the prevailing state of bot protection across regions, industries, and business sizes, variations in the performance of different bot detection systems, effective bot attack vectors, and how well different endpoints are protected.?

The analysis zeroes in on the persistent risk presented by simple bots—automated tools that rely on straightforward scripts to carry out tasks like data scraping, account fraud, payment fraud, and similar activities.? Our study reveals that 65% of simple bots evade detection entirely, leaving two-thirds of organizations vulnerable to bot-driven attacks. Other key findings include:

• Advanced bots were detected less than 5% of the time, indicating a high risk of advanced threats like account fraud and payment fraud.

• The two least protected regions were Europe and North America.

• The least-protected industries are Health, Luxury, and E-commerce.

• Larger businesses, by both number of employees and average web traffic per month, were more likely to be protected against simple bots—indicating an ability to invest in protection. Still, even the largest company size (10,000+ employees) allowed all of our test bots through over half the time.

• Fake Chrome bots remain the most difficult type of simple bot to detect, leaving businesses open to layer 7 DDoS attacks, account fraud, and more.

• Among tested domains using some form of bot protection, bots were still able to completely penetrate 45%—and less than 5% of these “protected” domains were completely protected against all test bots.

• In regard to endpoints, we found all bots allowed to attack 65% of default home pages. Cart and login pages had 56.9% and 56.2% failure rates, respectively a significantly lower percentage of full protection against all bot types.

To learn more about this study, visit datadome.co/botreport?