Quick Brief
- The Recognition: Forrester named Alibaba Cloud Web Application Firewall (WAF) a Notable Vendor in “The Bot And Agent Trust Management Software Landscape, Q4 2025” report examining 19 vendors in the emerging category.
- The Threat Scale: AI crawler traffic quadrupled across enterprise networks in 2025, surging from 2.6% to 10.1% of verified bot requests by August, while agentic traffic volume grew 6900%.
- The Protection Gap: Only 2.8% of websites deployed full bot protection in 2025, down from 8.4% in 2024, as 64% of AI bot traffic reached form pages and 23% targeted login endpoints.
- The Technology: Alibaba Cloud’s WAF combines large language model (LLM) analysis with behavioral heuristics to distinguish malicious AI crawlers from legitimate automated agents.
Forrester Research designated Alibaba Cloud Web Application Firewall as a Notable Vendor in its Q4 2025 report examining bot and agent trust management software, recognizing 19 vendors addressing the industry’s shift from blocking all automation to governing AI agents acting on behalf of human users. The December 2025 report marks Forrester’s formal acknowledgment of a new software category as enterprises confront AI-driven traffic that now comprises more than one in ten verified bot requests.
AI Crawler Attacks Trigger Category Redefinition
Forrester’s report responds to a fundamental infrastructure challenge: DataDome detected nearly 1.7 billion requests from OpenAI crawlers in a single month during 2025, part of a broader pattern where LLM crawler traffic quadrupled year-over-year. Legacy defenses like CAPTCHA and static device fingerprinting fail against AI-powered bots that leverage machine learning to mimic human behavior with increasing fidelity, enabling large-scale data theft while triggering DDoS-like conditions that elevate infrastructure costs.
The research firm defines bot and agent trust management software as systems that “help organizations identify and understand the intent behind automated traffic, ensuring real customers can transact seamlessly while deflecting bot- and agent-based attacks“. This shift from security-first to trust-first architecture reflects market reality: blocking AI agents wholesale means blocking paying customers as autonomous agents increasingly mediate digital transactions.
Website vulnerability reached critical levels in 2025, with protection rates declining from 8.4% in 2024 to just 2.8%, while 88.9% of domains disallow GPTBot in their robots.txt files, a configuration that AI crawlers routinely ignore. Analysis reveals 64% of AI bot traffic reached form pages, 23% targeted login endpoints, and 5% penetrated checkout flows, demonstrating the precision of modern automated attacks.
Alibaba Cloud’s Digital Immune System Architecture
Alibaba Cloud’s WAF implements what the company terms a “Digital Immune System” infused with business intelligence, deploying intelligent rule recommendation engines that synthesize traffic patterns, device fingerprints, and behavioral heuristics into dual-layered “Business + Intent” profiles. The platform’s “Sense-Decide-Execute” closed-loop architecture enables dynamic generation of context-aware security policies deployable with one-click enforcement.
| Feature | Capability | Defense Target |
|---|---|---|
| Endpoint Coverage | Full-stack integration across Web, App, Mini-programs | Defense bypass prevention |
| Policy Framework | Built-in rule library + custom strategies | Diverse bot attack vectors |
| Behavioral Analysis | Low-frequency, long-cycle statistics | Stealthy attack intent identification |
| Algorithm Rotation | Dynamic challenge algorithm updates | Algorithm cracking, bulk simulation attacks |
The system goes beyond conventional blocking by deciphering underlying intent of AI-driven traffic, effectively neutralizing malicious activity while guaranteeing high availability for legitimate human users and authorized AI agents.
Enterprise Impact During Peak Transaction Periods
The 6900% growth in agentic traffic volume throughout 2025 produced measurable operational consequences during high-volume commerce periods, according to HUMAN Security’s analysis of the Forrester landscape vendors. During Black Friday through Cyber Monday 2025, agent traffic across monitored clients rose approximately 28%, while traffic targeting e-commerce sites specifically surged 144.7%.
Behavioral patterns reveal sophisticated targeting: 83.3% of agent activity during the sales period focused on product and search pages, while payment and checkout attempts rose from less than 1% of traffic in October to more than 2% during the holiday period. This concentration demonstrates AI agents’ evolving capability to navigate complete transaction flows rather than limiting activity to reconnaissance-phase scraping.
The threat extends beyond e-commerce, with DataDome reporting AI crawler traffic rising from 2.6% of verified bot traffic in January to over 10.1% by August 2025 across all monitored industries. Organizations face dual pressure: maintaining frictionless customer experiences while blocking automated attacks that now exhibit human-equivalent browsing patterns.
Regulatory and Competitive Landscape Evolution
Forrester’s landscape report positions bot and agent trust management as a maturation of traditional bot defense, requiring vendors to establish ongoing trusted relationships with customers both directly and via agents while identifying and reporting on AI agent traffic intent. Trust, safety, and security leaders must now select from a diverse vendor ecosystem varying by size, offering type, geography, and use case differentiation.
The industry’s pivot toward open standards including OWASP Agentic Security Initiative and AGNTCY.org contributions signals vendor recognition that trust frameworks require shared conventions beyond proprietary implementations. Collaborative efforts aim to establish baseline protocols for agent identification, intent verification, and human-to-agent attribution across platforms.
Deployment Timeline and Integration Requirements
Alibaba Cloud positions its WAF for immediate deployment with flexible policy configuration supporting both pre-built rules and custom strategies responsive to evolving bot attack methodologies. The platform’s long-term behavioral analysis overcomes limitations of traditional frequency-based detection by accurately identifying stealthy attack intent through extended observation cycles.
Organizations implementing bot trust management face dual imperatives: accurately identifying agent intent while connecting agents back to human users, all while maintaining frictionless experiences that avoid customer abandonment. Success requires moving beyond blanket blocking to nuanced governance as agentic AI traffic becomes normalized across digital channels.
Frequently Asked Questions (FAQs)
What is bot and agent trust management software?
Bot and agent trust management software identifies automated traffic intent, enabling legitimate customer transactions while blocking malicious bots and governing AI agents acting for human users.
Why did Forrester recognize Alibaba Cloud in this report?
Forrester named Alibaba Cloud WAF a Notable Vendor for combining LLM technology with behavioral analysis to distinguish malicious AI crawlers from authorized agents through intent-based profiling.
How severe is the AI crawler threat in 2025?
AI crawler traffic quadrupled in 2025, rising from 2.6% to 10.1% of verified bot requests, with DataDome detecting 1.7 billion OpenAI crawler requests monthly.
What percentage of websites have adequate bot protection?
Only 2.8% of websites deployed full bot protection in 2025, declining from 8.4% in 2024, while 64% of AI bot traffic successfully reached form pages.
