The browser runtime is the middleman in every session between your website and its customers, bots, AI agents, and fraudsters. Yet it sits outside the perimeter of traditional web security, leaving a gap for attackers and costing organizations multi-million dollar penalties.
The risk of this visibility gap has fundamentally changed with the popularization of AI agents. Consumer agents can be manipulated through code injected into compromised third-party code. Malicious agents are cheap to build, evade legacy bot detection, and amplify every bot-driven fraud vector.
We tested legacy bot detection tools. They failed 81% of our attempts.
Forum discussions around bot traffic were up 275% in our analysis.
'User-action' AI bots increased by 15x in 2025. AI agent traffic is no longer just "crawlers for search and LLM model training".
Responses from our survey of web developers and web security practitioners on how they are preparing for AI-agent-driven fraud.
In a world of locally hosted stealth browsers, a combination of browser-layer signals (fingerprinting, behavioral analysis, and more) is needed to understand intent, not just identity.
Security teams that use CSPs but want a better automated method to monitor third-party script activity on their website.
Fraud teams that defend against bot abuse (scraping, card testing, promo abuse, fake sign-ups) that will get amplified by AI-agent-driven fraud.
In January 2026, we noticed something peculiar in our own analytics: an enormous spike in traffic from China. Strange. Our Cloudflare setup has China completely geo-blocked. After we made our settings more aggressive, the China traffic was routed out. And then... spikes from Norway, Singapore, Hong Kong.
We carried out quantifiable research to understand if this was a wider trend:
⇧ 275%
Increase in forum discussions about bot traffic on websites despite existing filtering in place.
Basic preventative measures failed:
Small websites immediately suffered:
Defense tips that worked:
Comparing January to March 2025 with January to March 2026.
Across forums r/webdev, r/cloudflare, and r/googleanalytics.
Original analysis by cside. Raw data scraped with public APIs and manually reviewed.
We asked security practitioners: "Are you preparing for AI agents as a new type of threat, or handling them with existing bot traffic controls?"
The Merchant Risk Council (whose members include companies like Airbnb and Blizzard) reported that in 2025 the most common payment fraud types were:
AI agents will significantly amplify each of these fraud vectors. In this report, we break down how browser-layer signals can mitigate this increase.