Security Column

Bot Traffic Surpasses Humans for the First Time: New Enterprise Security Challenges in the Age of AI Agents

Updated: 2026.06.06 00:17

The web just crossed a symbolic threshold. According to data published by an internet infrastructure provider, the share of global web traffic generated by bots has surpassed humans for the first time, reaching 57.5%, with human traffic falling to 42.5%. More notably, this crossover arrived a full year earlier than the industry had predicted.

"Welp, that happened faster than I predicted." That remark from an executive captures the real driver — not the simple data-scraping crawlers of the past, but the fast-rising tide of "agentic" AI traffic.

1. The "purpose" of bots is changing

In the past, bot traffic mostly evoked search-engine indexing or malicious scanning. But the protagonist of this wave is different: AI agents acting on a user's behalf. They proactively read product pages, check live prices, compare flights, fetch content for large language models, and even order food, compare deals, and handle customer service.

In other words, more and more of what visits your site is no longer a person, but a software agent making decisions on a person's behalf. For enterprises, this is both an opportunity and a challenge.

2. Why this is a security issue, not just a traffic number

One point needs clarifying: the 57.5% measures HTTP request volume, not dwell time or engagement depth. Humans still dominate "sticky time" in video streaming, social scrolling, and app usage, because humans come to consume content while bots come to fetch data.

But precisely for that reason, enterprises can no longer design defenses on the assumption of "human visitors." When nearly 60% of requests come from automated agents, new risks emerge:

  • It is hard to tell well-meaning agents from malicious crawlers; the traditional "block all bots" approach may harm legitimate AI services
  • Content and pricing data get scraped at scale, affecting competition and data sovereignty
  • Surging automated requests raise bandwidth costs and can become a vector for denial of service
  • The abuse of VPNs combined with automation makes malicious traffic harder to identify by source

It is worth noting that bot-traffic shares vary enormously by region — some areas exceed 70% — and often correlate strongly with data-center distribution and the local habit of pairing VPNs with automated scraping tools. This means an enterprise's defense strategy must judge dynamically by source and behavior, rather than applying a blanket rule.

3. Concrete actions enterprises can take

With bot traffic becoming the norm, enterprises need not panic, but they should formally fold "traffic governance" into their security architecture. We suggest starting from several directions:

  • Deploy traffic-identification mechanisms that distinguish friendly agents, search engines, and malicious crawlers, rather than blocking everything
  • Apply rate limiting and anti-scraping protection to sensitive content and pricing data
  • Strengthen behavioral analysis at the WAF and CDN layers to spot abnormal automation patterns early
  • Define clear policy and technical boundaries between "welcome AI agents" and "unwanted scraping"
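As an added example (not code from the column), the identification-plus-rate-limit logic the list above describes, run over a constructed access-log sample: a declared crawler is trusted only when its source IP falls inside a range its operator publishes, each declared agent carries an explicit policy for pricing pages, and unverified clients hitting pricing data are throttled by a sliding window. The UA tokens, networks, log format and thresholds are assumptions, not any vendor's real published values.

```python
import ipaddress
import re
from collections import defaultdict, deque
# Constructed policy (example networks, not any vendor's real published ranges):
# declared crawler UA token -> (network its operator publishes, may read /pricing?)
AGENT_POLICY = {
    "Googlebot": (ipaddress.ip_network("203.0.113.0/24"), True),
    "GPTBot": (ipaddress.ip_network("198.51.100.0/24"), False),
}
PROTECTED, RATE_LIMIT, WINDOW = "/pricing", 5, 60  # >5 pricing hits per 60 s -> throttle
LOG_RE = re.compile(r'^(\S+) (\d+) "\S+ (\S+)" "([^"]*)"$')  # ip ts "METHOD path" "UA"

def classify(ip, ua):  # verified only if the declared crawler's IP is in its published range
    addr = ipaddress.ip_address(ip)
    for token, (net, _) in AGENT_POLICY.items():
        if token in ua:
            return ("verified:" if addr in net else "spoofed:") + token
    return "browser" if "Mozilla/" in ua else "unverified-bot"

class Governor:
    def __init__(self):
        self.hits = defaultdict(deque)  # client ip -> timestamps of protected hits

    def decide(self, line):  # -> (action, label, reason) for one access-log line
        ip, ts, path, ua = LOG_RE.match(line).groups()
        ts, label = int(ts), classify(ip, ua)
        if label.startswith("spoofed:"):
            return "block", label, "declared agent from outside its published range"
        if not path.startswith(PROTECTED):
            return "allow", label, "public content"
        if label.startswith("verified:"):  # policy, not rate, decides for verified agents
            return ("allow" if AGENT_POLICY[label[9:]][1] else "block"), label, "agent pricing policy"
        q = self.hits[ip]
        q.append(ts)
        while q[0] <= ts - WINDOW:  # drop hits that fell out of the sliding window
            q.popleft()
        if len(q) > RATE_LIMIT:
            return "throttle", label, "pricing-data rate limit exceeded"
        return "allow", label, "within pricing-data rate limit"

    def run(self, lines):  # actions for a whole log, in order
        return [self.decide(line)[0] for line in lines]

# Constructed log: verified crawler, verified agent barred from pricing, spoofed crawler, browser, unverified burst
SAMPLE_LOG = [
    '203.0.113.7 100 "GET /product/42" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.9 101 "GET /pricing/plans" "GPTBot/1.0"',
    '192.0.2.5 102 "GET /pricing/plans" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '192.0.2.6 103 "GET /" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
] + ['192.0.2.8 %d "GET /pricing/plans" "python-requests/2.32"' % (110 + i) for i in range(7)]
```

In production the published-range check would be backed by the operator's range feed or reverse-DNS verification, and the sliding window would live in the WAF or CDN layer rather than in process memory.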

4. Conclusion: identification is the starting point of security in the new era

Bots surpassing humans is not a sensational headline but a structural shift in the operating environment. As the web's primary users gradually shift from "people" to "agents," the ability to precisely identify "who is knocking and why" will directly determine an enterprise's security resilience and commercial safety.

For enterprises, now is the time to re-examine traffic protection, access control, and anti-scraping strategy. Building identification capability is what allows you to block threats without missing opportunities in an age flooded with AI agents.