Key Takeaways
- Akamai has published its first commerce edition of the SOTI security report in three years, revealing that AI bots accounted for 47.9% of commerce traffic as of December 2025
- New attack techniques target the intelligent storefront itself, including chatbot logic manipulation, prompt injection against back-end AI agents, and AI token freeloading
- As shopping agents go mainstream, telling good bots from bad ones is becoming structurally difficult, and ecommerce operators need risk-based bot governance rather than blanket blocking
The Commerce SOTI Report Returns After Three Years

The SOTI Security report examines how agentic AI is disrupting commerce security, scaling API abuse, and driving up infrastructure costs.
www.akamai.comOn July 15, 2026, Akamai released the commerce edition of its State of the Internet (SOTI) security report, titled Securing the Agentic Storefront: Attacks on Commerce. It is the first time in three years, since 2023, that the company has dedicated a SOTI report to the commerce sector. The biggest change over that period is the rise of agentic commerce. AI-driven product discovery and delegated purchasing have become real, and as the report title suggests, attackers have also chosen the agentic storefront as their new primary battleground.
The headline figure says it all. As of December 2025, AI bots made up 47.9% of commerce traffic across Akamai's global network. Nearly half of the visitors arriving at ecommerce sites are already not human.
The Reality of Bots Taking Half the Traffic
Breaking down that 47.9% shows what is actually happening. AI bot traffic grew 19% year over year in 2025, with the retail vertical leading the increase. More than 70% of AI bot triggers came from training crawlers collecting product data and pricing for LLM development, and the top three AI bots observed belonged to OpenAI, ByteDance, and Anthropic. In other words, the current protagonists are not shopping agents but data-hungry crawlers, and merchants' product information is being read at scale every day as training material for large language models.
Regional numbers show a striking skew.
| Region | AI bot activity change (2025) | Notes |
|---|---|---|
| North America | Up 7% | 33 billion bot counts, the largest volume |
| EMEA | Up 16% | 26 billion bot counts (July to December 2025) |
| APAC | Up 63% | Largest growth rate |
| LATAM | Up 48% | Second-fastest growth after APAC |
The surge in browser impersonators deserves particular attention. These automated bots masquerade as legitimate web browsers to evade detection, serving as footholds not only for scraping but also for fraud and DDoS attacks. The more bots pretend to be human, the harder the good-bot-versus-bad-bot problem discussed later becomes.
Meanwhile, defenders are strikingly passive. According to the press release, commerce organizations placed more than 90% of AI bot activity in a monitor-only category and allowed roughly three quarters of the remaining activity to pass unrestricted. The industry is essentially watching traffic it cannot yet classify as friend or foe.
The Intelligent Storefront Itself Becomes the Attack Surface
The most novel argument in this report is that AI chatbots and autonomous agents, the intelligent storefront itself, have become an attack surface. Akamai groups the attacker playbook into three techniques.
The first target is the consumer-facing AI chatbot. Attackers methodically manipulate input parameters to trick chatbots into overriding business rules, in what the report calls leaky faucet attacks. Picture a chatbot being talked into approving discounts or return conditions that should never apply, through gaps in its conversation logic.
More serious is prompt injection against conversational AI agents running in the back end. These agents hold deep integrations and execution authority over business systems such as inventory lookups and order processing, so an attacker who succeeds in jailbreaking one can carry out unauthorized operations disguised as legitimate workflows. The blast radius is far larger than that of a customer-facing chatbot.
The third technique is what the report calls AI token freeloading. Using automated scripts and bot networks, threat actors route their own processing workloads and model-training queries through a retailer's public-facing AI endpoints. Since LLM inference carries usage-based costs, an unprotected AI chatbot looks to attackers like compute that runs on someone else's wallet, leaving the merchant to absorb ballooning infrastructure costs and degraded performance.
Organized actors are already bundling these techniques. The report names the Iran-aligned hacktivist group 313 Team, which has combined AI-assisted Mirai-derived IoT botnets, browser impersonation, and complex DDoS into multi-vector attacks against ecommerce APIs.
Reading 200 Billion Attacks in Context
Behind the new techniques, conventional attacks keep growing in volume. The key figures line up as follows.
| Metric | Figure | Period and notes |
|---|---|---|
| Application and API attacks | Over 200 billion | 2024 to 2025 combined, the most targeted industry |
| Growth in API-targeted attacks | Up 9% year over year | Q4 2024 to Q4 2025 |
| Layer 7 DDoS attacks | Nearly 3 trillion | 2025, with 31% targeting APIs |
| Share of DDoS hitting retail | 84% | Of all Layer 7 DDoS against commerce |
| Region with largest L7 DDoS growth | APAC, up 39% | 2024 to 2025 |
The shift toward APIs is unmistakable, with initial entry points moving from web applications to APIs. Yet defenders' visibility has not caught up. While 85% of commerce respondents experienced at least one API-related incident in the past year, only 22% know which of their APIs expose sensitive data. The report also cites exploitation of WordPress plug-ins (Jupiter X Core and WooCommerce-related flaws) as concrete entry points, a reminder that the third-party assets underpinning the long tail of ecommerce are part of the attack surface.
The Structural Problem of Separating Good Bots from Bad
What runs through all these numbers is a structural change: the simple equation of bots with malice no longer holds. Patrick Sullivan, Akamai's Chief Technology Officer of Security Strategy, put it this way in the press release.
We are securing a digital frontier where the 'customer' is increasingly an AI agent operating on behalf of the human user.
Pam Lindemoen of RH-ISAC, the threat intelligence sharing body for retail and hospitality, contributed a guest column and described this as a signal-masking problem. As legitimate AI shopping agents learn to mimic human micro-behaviors down to fine-grained interaction habits, traditional bot detection loses the very axis it relied on, namely signals of humanness. She also points to loyalty points being targeted as a highly liquid shadow currency and to the rise of synthetic identity fraud, arguing that the speed of converting threat intelligence into defensive action is what matters now.
The perspective of those promoting agentic commerce is worth holding alongside this. In a blog post titled the agentic tug-of-war, IDC analysts note that 84.7% of consumers favor using digital assistants when shopping and 30.7% already use AI chat tools like ChatGPT for product research. Agent-driven buying is estimated to affect 15 to 20% of ecommerce sales today, leaving retailers squeezed between the incentive to welcome agents for revenue and wariness about data extraction and brand disintermediation.
A caveat applies: Akamai sells bot management and API security products and has an incentive to emphasize threats, so the framing should be read with that discount. The 47.9% figure is an observation on Akamai's own network, not a direct proxy for the entire ecommerce market. Even so, with OpenAI and Google pushing standards for purchasing agents, growth in benign bots is a given, and the direction of travel toward harder discrimination between bots is unlikely to change.
Defenses Ecommerce Operators Can Start On Now
The report's recommendations are written for CISOs, but they translate to merchants without a dedicated security organization. The framework has four pillars: mapping the revenue chain (continuous inventory of APIs, including shadow APIs), governing automation (classifying bots by intent and business value under risk-based management instead of a binary allow-or-block), minimizing the blast radius (microsegmentation and risk-based authentication), and building cooperation between security and fraud prevention teams.
In practical terms, the order of work looks like this.
Inventory your APIs. Establish which APIs expose product, pricing, and customer data. Only 22% of organizations know, making this the biggest visibility gap
Design a bot classification policy. Separate training crawlers, shopping agents, and malicious bots, and apply allow, restrict, or block policies to each. Move past the state of monitoring 90% of activity without acting
Put guardrails on AI chatbots. Keep decisions that touch business rules such as discounts and returns out of the chatbot's authority, and test prompt injection resistance on a regular schedule
Add rate limits and authentication to public AI endpoints. Cap usage and identify callers to prevent token freeloading
Run DDoS drills for peak season. Assume attacks concentrate during sales events and verify that edge rate controls and IP reputation checks hold up
There is no need to build everything at once. API visibility and bot classification are the two highest-priority items, and they double as the groundwork for safely welcoming legitimate shopping agents, not just for blocking malicious ones.
Conclusion
The advance of agentic commerce is redefining who counts as a customer for an ecommerce site. What the 47.9% observation shows is a storefront where human customers and AI customers mix, while the machinery for distinguishing automation to welcome from automation to reject has yet to catch up. The bot question has moved from whether to block to governance design over who gets through and how far. For merchants who want to capture agent-driven revenue, building that infrastructure of identification and defense is the priority for the second half of 2026.




