What to Expect in the Bot Management Landscape in 2026

A shorter version of this article was published in vmblog.com, This version includes additional insight and perspective.

A year ago, I predicted that bots would continue evolving and the most advanced would continue challenging the effectiveness of bot management products. Throughout the year, my team and I at Akamai made significant progress by advancing the bot-detection engine, obfuscating the JavaScript used to collect client-side data to slow down reverse engineering, and protecting the payload sent to the detection engine to verify its authenticity. But, as I predicted, the problem is far from solved. What I had not expected, however, was the explosion of agentic traffic and the emergence of a multitude of new protocols designed to enable Agentic commerce, content monetization, and authentication of AI agents. Users are increasingly interacting with the web through their trusted AI agents, rather than through a traditional web browser or mobile app. This shift in user behavior challenges the established bot management models and strategies, where it is no longer only about detecting humans vs. bots but also about adding AI agents to this already complex equation, assessing their intents, and detecting abusive behavior.

The Protocols of Agentic Commerce

In 2025, we saw the emergence of several protocols, such as web-bot-auth, to authenticate bots and agents. Skyfire, developed and released the Know Your Agent (KYA), supported by the established Know Your Business (KYB) and Know Your Customer (KYC) models, to authenticate the individuals and/or businesses behind agents and “good bots”. KYAPay by Skyfire, Visa’s Trusted Agent Protocol, Mastercard’s Agent Pay, and the Agent Payment Protocol (A2P) are other protocols designed to enable agentic commerce. To support the media and publishing industry, the Real Simple Licensing (RSL) standard aims to help establish licensing agreements between content owners and AI agents. This year saw the introduction of new protocols and industry standards. But ultimately, these protocols will only matter once they get adopted by AI platforms. In 2026, I expect and hope for some consolidation among the proposed standards to make implementation and adoption easier for the industry. Bot management products will need to evolve to help simplify and obfuscate the complexity of these protocols, enabling easier adoption by merchants and website owners. The new authentication protocols, when adopted, will provide a more accurate means to authenticate and categorize bot traffic and provide more actionable insights for website owners using these products.

Bots will likely continue to be evasive

Not surprisingly, bots continued to find ways to evade detection in 2025, but monitoring the chatter from the web scraping and broader community building bots, I see clear signs of struggle. Their job of reverse-engineering JavaScript logic has become harder, and the botnet architecture needed for their success is much more sophisticated than ever, increasing the cost of data collection and the barrier to entry into the botting world. AI agents may have made building a bot software easier, but the cost of infrastructure to scale up the operation is increasing to a point that the whole operation is less profitable than before. To gain more ground in 2026, bot detection engines need to become more aggressive. More aggressive detection methods sometimes lead to higher false-positive rates. To prevent this, bot management products will need to combine their most aggressive detection methods with a secondary detection layer that can challenge users exhibiting anomalous fingerprints or behaviors, enabling deeper assessment and more accurate decision-making and avoiding false positives. The detection engine will need to be intelligent enough to decide the type of challenge, transparent (no user interaction), or interactive (some kind of CAPTCHA), to collect the appropriate type of data to help it make an accurate decision. Unlike the traditional model, where security professionals would choose a response strategy (deny, challenge, tarpit) for all evasive bots, more advanced products will become more intelligent, deciding what next step to take to either refine their decision or outright block the traffic, ultimately yielding better accuracy and less friction with end users.

The concept of intent

In 2025, bot detection became more nuanced by introducing the notion of intent. Bots are used for a range of purposes, including credential stuffing, account-opening abuse, scalping, and simple data collection through scraping. The intent behind credential stuffing is clearly fraud and account takeover, while account-opening abuse and scalping tend to go together, and the legality of such activity is clearly challenged in some countries, like the US, under the BOT Act. Finally, scraping is a lot more nuanced in terms of intent. For the most part, the intent is commercial use for competitive analysis, while in some cases it could simply support public safety, societal research, opinion analysis, or support investment strategies. The reaction to scraping is driven mainly by the lack of transparency about the entity that initiates the scraping and how the collected data will be used. But by providing more context into the nature of the activity and declaring the intent for data usage, web security professionals could refine their decision on how to respond to specific bot activity.

Conclusion

There are three trends to watch in 2026: first, how the battle for the agentic commerce protocols will evolve, and whether AI platforms will adopt them. This will likely require the industry as a whole to rally behind some of them and advocate for their adoption. Bot management products will play a key role in their adoption. Second, botnets will remain evasive, but the complexity and cost of the infrastructure and maintenance will continue to rise if they want to ensure continuous service. Finally, the concept of intent will be defined, providing security professionals with more context to refine and nuance their decisions on how to respond to bot activity.