UK businesses are among the least protected worldwide against automated online threats, according to new research from cyberfraud protection company DataDome.
The company’s 2025 Global Bot Security Report, which analysed more than 16,900 websites across 22 industries, found that only 1.77% of major UK domains are fully protected against both simple and advanced bots. This compares with a European average of 2.52% and a global rate of 2.8%.
The findings come amid a surge in AI-driven online traffic. DataDome said that crawler traffic from large language models (LLMs) such as OpenAI’s GPTBot quadrupled this year, rising from 2.6% of verified bot requests in January to more than 10% by August. The company alone recorded 1.7 billion crawler requests from OpenAI in a single month.
Jérôme Segura, Vice President of Threat Research at DataDome, said: “Despite being a technologically mature market, the UK is one of the least-protected countries worldwide when it comes to bots. Back in May 2025, the National Cyber Security Centre (NCSC) warned about a digital divide between systems keeping pace with AI-enabled threats and those that are more vulnerable. Our data on low bot protection rates provides concrete evidence that this is already happening.”
Segura said the gap stems from structural weaknesses in the UK business environment, including reliance on resource-constrained small and medium-sized enterprises, a persistent cybersecurity skills shortage, and a business culture that underinvests in digital defence.
The report found that legacy bot defences are failing. Globally, just 2.8% of websites were fully protected in 2025, down sharply from 8.4% in 2024. Even among companies with more than 10,000 employees, only 2.2% had full protection, and 61% had none at all.
AI traffic is increasingly targeting high-value digital touchpoints. According to DataDome, 64% of AI bot traffic in 2025 reached online forms, 23% targeted login pages, and 5% reached checkout flows — creating risks of fraud, account takeover, and compliance breaches.
While many organisations are trying to block AI bots, the measures are often ineffective. The report noted that 88.9% of domains disallow GPTBot in their robots.txt files, but many AI crawlers ignore these directives.
Segura warns that traditional defences are no longer adequate. “AI agents are rewriting the rules of online engagement. They mimic human behaviour, spawn synthetic browsers, bypass CAPTCHAs, and adapt in real time. Traditional defences, built to spot static automation, are collapsing under this complexity. Businesses can’t tell if the AI traffic they’re seeing is good or bad, which leaves them both exposed to fraud and blind to opportunity.”
The report also highlighted sector differences. Government, non-profit, and telecoms websites had the weakest protection, while travel, hospitality, gambling, and real estate scored highest on partial and full defences — though even in these industries, comprehensive protection remained rare.
