DataDome has already recorded nearly 8 billion AI agent requests in 2026, a 5% QoQ increase

DataDome, the leader in bot and agent trust management, today released The AI Traffic Report: High Volume, Low Visibility, and a Growing Risk, an analysis of the scale, composition, and risks of AI agent traffic in early 2026.

AI agents are crawling, indexing, and interacting with websites at a volume most organizations are ill-equipped to handle. What the data reveals is not just a traffic challenge, but an identity crisis, and a visibility gap that compounds both.

“Invisible traffic is unmanaged traffic. And right now, most organizations cannot see this clearly enough to do anything meaningful about it," said Jérôme Segura, VP of Threat Research at DataDome. “AI agent traffic is complex. Billions of requests are hitting sites every month, from agents with different identities, different purposes, and varying degrees of transparency about who they are.”

Key Findings:

• AI agent traffic is already at scale. DataDome's network recorded 7.9 billion AI agent requests in January and February 2026 alone, a 5% increase over Q4 2025. For one customer, agentic traffic accounted for 9.75% of total traffic over a 30-day window.
• Known agents are being actively impersonated. Meta-externalagent was the most impersonated with 16.4M spoofed requests, followed by ChatGPT-User with 7.9M. PerplexityBot had the highest rate of impersonation, with nearly 2.4% of requests found to be fraudulent.
• Agentic browsers are an underappreciated risk. This traffic is concentrated in the industries with the most valuable transactional data: e-commerce and retail (~20% of volume), real estate (17%), and travel and tourism (15%).
• High-volume agents are not the same as high-value agents. Meta ExternalAgent accounted for nearly 25% of top AI agent traffic on DataDome's network in February 2026. ChatGPT-User followed at 19.1%, and Meta WebIndexer at 14.3%. One agent may drive referral value while another harvests data with no benefit to the site it visits.

The report highlights a core challenge for organizations managing high-traffic websites: without the ability to accurately classify AI agents by identity and intent, neither blocking nor allowlisting can be done with confidence. Sites that allowlist known crawlers based solely on user-agent strings are exposed; a spoofed PerplexityBot or ChatGPT-User string can turn an allowlist into an attack surface.

For the full findings from DataDome's report, click here. Follow DataDome on YouTube and LinkedIn for regular updates from Galileo, DataDome's threat research team, and to learn how DataDome's bot protection can help your organization manage the next generation of automated threats.

About DataDome

DataDome delivers real-time bot and agent trust management, providing complete visibility and control over all traffic—whether human, bot, or AI. Named a Leader in The Forrester Wave™ for Bot Management in 2024, DataDome is trusted by enterprises like Etsy, PayPal, and SoundCloud. Acting as a traffic control plane, DataDome's multi-layered AI engine leverages thousands of models and 5 trillion signals daily to analyze intent and stop fraud in under 2 milliseconds, letting legitimate users through seamlessly across websites, apps, APIs, and MCPs. A recognized Leader on G2 across several categories, DataDome stops 20K+ attacks every second, delivering protection that outperforms.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260316802695/en/