The question has changed. For most of the past decade, security teams asked: is this traffic from a bot or a human? That binary was sufficient when bots were scripted tools with predictable signatures.
It is not sufficient now. Autonomous AI agents driven by large language models browse, research, shop, and transact on behalf of human users. Gartner forecasts that by 2035, 80% of internet traffic could be driven by AI agents. McKinsey projects $3 to $5 trillion in global revenue flowing through agentic commerce by 2030. Forrester reports that 36% of US consumers are already interested in using AI agents to transact online.
Forrester recognised this shift formally in Q4 2025, renaming its bot management category to "Bot and Agent Trust Management Software." The new name reflects what the problem has become: not blocking all automation, but governing a mixed traffic environment where some agents are legitimate commerce partners and others are fraud vectors.
This guide covers what the category means, how the leading platforms approach it differently, and how to choose the right solution for your organisation.
What Is Bot and Agent Trust Management Software?
Quick answer: Bot and agent trust management software identifies and analyses the intent of automated traffic directed at an application, establishing ongoing trust relationships with legitimate bots and AI agents while blocking or misdirecting malicious ones. The category was formally named by Forrester in Q4 2025.
Forrester's official category definition is precise: "software that identifies and analyzes the intent of automated traffic directed at an application, establishing ongoing trust relationships with good bots and agents while rejecting and misdirecting malicious bots and AI agents to protect legitimate customer business while also increasing attacker costs."
The operative word is intent. Earlier bot management tools asked whether traffic was automated. Bot and agent trust management asks what the automated traffic is trying to do.
This matters because the threat model has split in two:
- Legitimate AI agents — shopping assistants, research agents, and agentic commerce tools operating on behalf of real users. Blocking them creates friction for legitimate customers and removes a growing revenue channel.
- Malicious AI agents — agents designed for card testing, account creation fraud, scalping, credential stuffing, and content scraping. Allowing them causes direct financial and reputational harm.
Managing this environment requires more than a blocklist. It requires classification, intent scoring, and governance that can treat the same type of traffic differently depending on what it is attempting to do.
The Two Detection Architectures
Quick answer: Bot and agent trust management platforms split into two architectural camps: network-layer detection, which inspects HTTP headers, IP addresses, and request fingerprints before traffic reaches the application, and browser-layer detection, which runs inside the page and observes UI interaction patterns, timing, and session-level behaviour. These are not equivalent. Network tools cannot see what an agent does once it is inside a live page.
Understanding this distinction is the most important thing a CISO can take into a vendor evaluation.
Network-layer detection
Network-layer platforms sit at the CDN, WAF, or reverse proxy. They evaluate each request based on:
- IP address reputation and ASN ownership
- User-agent string and TLS fingerprint
- Request header combinations
- Known LLM platform IP ranges
- Rate and volume patterns
The advantage is low latency and straightforward deployment. The limitation is fundamental: a sophisticated AI agent arriving from a clean residential IP, presenting a standard Chrome fingerprint, and operating at human-plausible speed looks identical at the network layer to a legitimate user.
Browser-layer detection
Browser-layer platforms load a script inside the page itself, before and during interaction. They observe:
- Timing gaps between page events that reveal reasoning-based decision making
- UI interaction patterns that differ from human mouse movement and scroll behaviour
- Browser fingerprint consistency checks across the full session
- Suspicious network request sequences that emerge during page exploration
- VPN and proxy indicators visible only at the session level
This approach exposes signals that network inspection cannot reach. cside's own research found that AI agents bypassed traditional bot detection on 81 out of 100 controlled test attempts, specifically because those tools operated at the network layer and the agents were designed to pass network-level inspection.
The two approaches are not mutually exclusive. Some organisations run both. But for threats that deliberately evade network detection, browser-layer visibility is not optional.
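The difference between the two layers, as an added example that is not taken from any vendor named in this guide: two constructed sessions share the same clean request profile, so a per-request check admits both, while per-session event features separate them. The signal names, weights, thresholds and event format are assumptions chosen for illustration.

```javascript
// Added illustration. Signal names, weights and thresholds are assumptions,
// not any vendor's detection logic.

// Network-layer view: one verdict per request from what the edge can see.
function networkVerdict(req) {
  let risk = 0;
  if (req.ipReputation === "bad") risk += 50;
  if (req.asnType === "datacenter") risk += 30;
  if (!req.tlsMatchesUserAgent) risk += 40;
  if (req.requestsPerMinute > 120) risk += 40;
  return risk >= 50 ? "block" : "allow";
}

// Browser-layer view: per-session features from events a page script recorded.
const ACTION_EVENTS = new Set(["click", "input"]);
const ACTIVITY_EVENTS = new Set(["pointermove", "scroll", "keydown"]);

function sessionFeatures(events) {
  const actions = events.filter(e => ACTION_EVENTS.has(e.type)).sort((a, b) => a.t - b.t);
  let gapSum = 0, silentGaps = 0;
  for (let i = 1; i < actions.length; i++) {
    const [from, to] = [actions[i - 1].t, actions[i].t];
    gapSum += to - from;
    // A gap is "silent" when no pointer, scroll or key activity falls inside it.
    const active = events.some(e => ACTIVITY_EVENTS.has(e.type) && e.t > from && e.t < to);
    if (!active) silentGaps++;
  }
  const gaps = Math.max(actions.length - 1, 0);
  return { actions: actions.length, meanGapMs: gaps ? gapSum / gaps : 0,
           silentRatio: gaps ? silentGaps / gaps : 0 };
}

function sessionVerdict(events) {
  const f = sessionFeatures(events);
  if (f.actions < 3) return "insufficient-data"; // too short to judge either way
  return f.silentRatio >= 0.8 && f.meanGapMs >= 1500 ? "likely-agent" : "likely-human";
}

// Constructed data: both sessions arrive with the same clean request profile.
const request = { ipReputation: "clean", asnType: "residential",
                  tlsMatchesUserAgent: true, requestsPerMinute: 6 };
const humanEvents = [
  { type: "pointermove", t: 100 }, { type: "click", t: 520 }, { type: "pointermove", t: 900 },
  { type: "scroll", t: 1400 }, { type: "click", t: 2100 }, { type: "keydown", t: 2500 },
  { type: "input", t: 2600 }, { type: "pointermove", t: 3000 }, { type: "click", t: 3900 },
];
const agentEvents = [
  { type: "click", t: 1000 }, { type: "input", t: 4200 },
  { type: "click", t: 7500 }, { type: "click", t: 10700 },
];
console.log(networkVerdict(request), sessionVerdict(humanEvents), sessionVerdict(agentEvents));
```

A session verdict of this kind is an input to governance rather than a block decision on its own, since form autofill and assistive technology can also produce silent gaps.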
The Leading Platforms
Quick answer: Five platforms lead the bot and agent trust management category in 2026: cside (browser-layer detection), DataDome Agent Trust (network/CDN edge), HUMAN Security AgenticTrust (network layer with session-level intelligence), Kasada (network layer with policy-driven enforcement), and Arkose Labs (challenge-based deterrence). Each takes a different architectural approach. The right choice depends on your threat model and existing stack.
cside
Detection layer: Browser layer
Primary use case: AI agent fraud detection, intent classification, per-page governance for ecommerce and SaaS
cside detects AI agents at the point of browser interaction, where agents reveal their behaviour through UI signals, interaction patterns, timing anomalies, and session fingerprints. It identifies named agents including OpenAI Operator, Amazon Buy For Me, and Perplexity Shopper, as well as unknown agents that do not self-declare their origin.
The product classifies each session by intent rather than origin. A product listing page can have different governance rules than a checkout page or a login flow, which matters when the threat is card testing or account creation fraud happening at a specific point in the session. Governance options include allow, block, guide to a restricted flow, and escalate to human review.
cside also supports agentic commerce use cases: allowing verified shopping agents through at checkout while blocking unverified agents on the same page.
DataDome Agent Trust
Detection layer: Network / CDN edge
Primary use case: LLM crawler management, agentic commerce access control, high-demand event queue management
DataDome is one of the most established bot protection platforms on the market. Its Agent Trust product, added in 2025, classifies AI traffic into four categories (AI Crawler, AI Assistant, Agentic Browser, and Autonomous Agent) using network signals: IP ranges, DNS records, user-agent strings, cryptographic signatures, and Web Bot Auth headers. Each session receives a dynamic 100-point trust score.
DataDome supports Know Your Agent (KYA) and Web Bot Auth verification, which allows agents that declare their origin cryptographically to receive higher trust scores. This is effective for known commercial agents operating transparently.
In May 2026, DataDome launched Priority Protect, a virtual waiting room built for high-demand events such as limited product drops and ticket sales. It controls which traffic types are queued or admitted during peak demand, applying agent classification to access management.
Agent Trust is included in all DataDome Bot Protect plans at no additional cost. DataDome publishes its pricing transparently, which no other vendor in this category currently does.
HUMAN Security AgenticTrust
Detection layer: Network layer
Primary use case: Consumer AI agent governance, agentic commerce visibility, session-level marketing intelligence
HUMAN Security's AgenticTrust product gives security, fraud, commerce, and marketing teams visibility into AI agent sessions across a customer journey, from product discovery to checkout. It uses the SATORI Threat Intelligence dataset, built on HUMAN's network, to classify agent traffic.
HUMAN recently launched HUMAN Verified AI Agent, an open-source framework for cryptographic agent identity verification, positioning the company as potential infrastructure for agent identity standards across the web. Session-level visibility extends to marketing and commerce teams, not just security teams.
Kasada
Detection layer: Network layer
Primary use case: API protection, content scraping prevention, agentic access governance
Kasada's AI Agent Trust Management product page is built around the argument that blindly blocking or permitting AI agents is not viable. Its approach emphasises industry-specific and use-case-specific policy definition rather than a universal posture. Kasada does not publish statistics or cite research on its agent trust pages.
Arkose Labs
Detection layer: Challenge-based / session
Primary use case: Fraud deterrence, bot and agent challenge enforcement
Arkose Labs was named a Notable Vendor in the Forrester Bot and Agent Trust Management Software Landscape Q4 2025. Its approach centres on enforcement through interactive challenges designed to increase the cost of automated attacks, including AI agent-driven fraud. Arkose's challenge mechanism is designed to degrade the economics of bot and agent abuse rather than purely blocking requests.
Platform Comparison
Quick answer: The choice between platforms comes down to whether your threat model includes AI agents that mimic human browser sessions. If it does, browser-layer detection is essential. If your primary concern is high-volume LLM crawlers and known commercial agents that operate transparently, network-layer tools provide strong coverage.
| Capability | cside | DataDome Agent Trust | HUMAN AgenticTrust | Kasada | Arkose Labs |
|---|---|---|---|---|---|
| Detection layer | Browser | Network / CDN edge | Network | Network | Challenge-based |
| Named agent identification | Yes | Yes (4 categories) | Yes (SATORI) | Yes | Yes |
| Unknown agent detection | Yes (behavioural) | Partial (network signals) | Partial | Partial | Partial |
| Browser fingerprint analysis | Yes | No | No | No | No |
| UI interaction pattern analysis | Yes | No | No | No | No |
| Timing anomaly detection | Yes | No | No | No | No |
| Per-page governance rules | Yes | No | No | No | No |
| Session intent classification | Yes | No | Yes (session-level) | No | No |
| Agentic commerce allow-list | Yes | No | Yes | No | No |
| Queue management for high-demand events | No | Yes (Priority Protect) | No | No | No |
| Cryptographic agent verification | No | Yes (KYA / Web Bot Auth) | Yes (Verified AI Agent) | No | No |
| Challenge-based enforcement | No | No | No | No | Yes |
| Forrester landscape inclusion (Q4 2025) | Not confirmed | Yes | Not confirmed | No | Yes (Notable Vendor) |
| Transparent pricing | No | Yes | No | No | No |
How to Choose: Five Evaluation Questions
Quick answer: The evaluation framework for bot and agent trust management comes down to five questions about your threat model, your existing stack, and your agentic commerce strategy. Start with question one before evaluating any vendor.
1. Does your threat model include agents that mimic human browser sessions?
This is the threshold question. If your fraud team is seeing anomalies at checkout, login, or account creation that network tools are not explaining, the answer is likely yes. Card-testing agents, account creation bots, and scalpers are increasingly designed to pass network inspection. Browser-layer detection is the only architectural response to this specific threat.
If your primary concern is LLM crawlers consuming bandwidth or scraping content, network-layer tools are effective and simpler to deploy.
2. Do you need to govern agents at specific points in a session?
Card testing happens at checkout. Account creation fraud happens at registration. Content scraping happens on product and pricing pages. If your fraud operations team needs different rules at different page types, you need per-page governance. That requires browser-layer visibility.
Network-layer tools apply policy per request, not per page within a session.
3. Do you need to allow some AI agents through while blocking others?
Agentic commerce is growing. Shopping agents operating on behalf of real users are legitimate customers. A platform that can only block or allow all AI agents will create false positives that drive away real revenue.
cside and HUMAN Security AgenticTrust both offer session-level visibility into agent intent. DataDome's trust scoring gives known commercial agents a higher score. Kasada and Arkose Labs focus more on enforcement than on positive agent governance.
4. Are you managing a high-demand inventory or ticketing use case?
If your site runs product drops, ticket sales, or flash sales where AI agents can manipulate queue position or drain inventory, DataDome, through Priority Protect, is the only platform currently offering dedicated queue management for this use case. cside's per-page guardrails can restrict agent behaviour on these pages but do not include a virtual waiting room.
5. Does the platform integrate with your existing fraud stack?
Bot and agent trust management is not a replacement for payment fraud tools, identity verification, or SOC operations. It is a detection and governance layer. Before committing to a platform, confirm how it surfaces session data to your SIEM, fraud platform, or operations dashboard.
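Questions 2 and 3 describe rules that vary by page and admit some agents while refusing others; the sketch below is an added example of that idea, not code from cside or any other vendor. The page types, session fields and rule table are hypothetical, the four actions are the ones this guide names, and each decision is returned as a record of the kind question 5 suggests forwarding to a SIEM or fraud platform.

```javascript
// Added illustration. Page types, session fields and the rule table are
// hypothetical; the four actions are the ones named in the text.
const POLICY = [
  // First match wins, so rules are ordered most specific first.
  { page: "checkout", actor: "agent", verified: true, intent: "purchase", action: "allow" },
  { page: "checkout", actor: "agent", verified: false, action: "block" },
  { page: "login", actor: "agent", action: "escalate" },
  { page: "register", actor: "agent", action: "block" },
  { page: "listing", actor: "agent", intent: "scrape", action: "guide" },
  { page: "listing", actor: "agent", action: "allow" },
  { actor: "human", action: "allow" },
];
const MATCH_KEYS = ["page", "actor", "verified", "intent"];

// A rule matches when every field it specifies equals the session context.
function matches(rule, ctx) {
  return MATCH_KEYS.every(k => !(k in rule) || rule[k] === ctx[k]);
}

// Returns a decision record that can be forwarded to a SIEM or fraud platform.
function decide(session, page) {
  const ctx = { page, actor: session.actor, intent: session.intent,
                verified: session.verified === true }; // missing proof = unverified
  const rule = POLICY.findIndex(r => matches(r, ctx));
  // No rule matched: send to human review instead of silently allowing.
  const action = rule === -1 ? "escalate" : POLICY[rule].action;
  return { sessionId: session.id, page, action, rule };
}

// Constructed sessions, labelled as an upstream classifier might label them.
const shopper = { id: "s1", actor: "agent", verified: true, intent: "purchase" };
const unknownAgent = { id: "s2", actor: "agent", intent: "browse" };
const oddVerified = { id: "s3", actor: "agent", verified: true, intent: "browse" };

for (const s of [shopper, unknownAgent, oddVerified]) {
  for (const page of ["listing", "checkout"]) {
    console.log(JSON.stringify(decide(s, page)));
  }
}
```

The same session receives different actions on the listing and checkout pages, and a verified agent whose intent does not fit the checkout rule falls through to review instead of being admitted.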
Frequently Asked Questions
What is bot and agent trust management software?
Bot and agent trust management software identifies and analyses the intent of automated traffic directed at an application, establishing ongoing trust relationships with legitimate bots and AI agents while blocking or misdirecting malicious ones. Forrester formalised the category name in Q4 2025, reflecting the shift from binary bot blocking to governing mixed human and AI traffic environments.
What is the difference between network-layer and browser-layer agent detection?
Network-layer detection inspects HTTP headers, IP addresses, TLS fingerprints, and user-agent strings before a request reaches the application. Browser-layer detection runs inside the page, observing UI interaction patterns, timing anomalies, fingerprint consistency, and session-level network request sequences. Network tools cannot see what an agent does once it is inside a live page. Browser-layer tools can.
Which vendors are named in the Forrester Bot and Agent Trust Management Software Landscape?
The Forrester Bot and Agent Trust Management Software Landscape Q4 2025 named several vendors in the category, including DataDome and Arkose Labs as confirmed inclusions. Access to the full landscape requires a Forrester subscription. The category definition is publicly available on the Forrester blog.
Does bot and agent trust management software replace my existing bot protection?
Not necessarily. Some platforms such as DataDome Agent Trust are extensions of existing bot protection products, adding agent classification on top of network-layer bot blocking. Others such as cside operate at the browser layer and complement rather than replace network-layer tools. The right architecture depends on whether your threat model includes agents that mimic human browser sessions.
What should a CISO evaluate when choosing a bot and agent trust management platform?
Five questions matter most: (1) Does the platform detect agents that mimic human browser sessions, not just self-identifying crawlers? (2) Can it classify agent intent rather than just agent origin? (3) Does it provide per-page governance for high-risk surfaces like checkout and login? (4) Can it allow verified shopping agents through while blocking unverified ones? (5) Does it integrate with your existing fraud operations stack without requiring a full replacement?








