Latest News

The Agentic Internet Is Outpacing Enterprise Defenses

Agentic Internet Is Outpacing Enterprise Defenses

An Interview with Michael Cucchi, CMO of Hydrolix

Artificial intelligence is rapidly changing who, or what, businesses encounter online. Human visitors now share websites and digital marketplaces with large language models, AI assistants, commercial scrapers, autonomous agents and malicious bots that can be difficult to distinguish from legitimate customers.

Michael Cucchi, Chief Marketing and Product Officer of Hydrolix, brings more than 25 years of experience across enterprise technology, product strategy, and go-to-market leadership. At Hydrolix, he is helping businesses understand how agentic traffic is reshaping security, infrastructure, marketing attribution, and digital commerce.

Hydrolix’s recent research points to a growing divide between what enterprises believe they can see and what their current systems can actually detect. In this interview, Cucchi discusses how agentic traffic is reshaping security, marketing and digital commerce, and why companies may need a much deeper view of their data to keep pace.

Hydrolix recently highlighted a 56 point gap between enterprise confidence and actual readiness around AI bot detection. What does that gap reveal about how companies are thinking about this threat today?

I think people are underestimating how fast agentic AI is moving, and that’s really what this 56-point gap is telling us. Even teams steeped in technology are being caught off guard by how quickly this generation of agentic-driven bots has outpaced the last. The people responsible for protecting websites or managing SEO believe they’re adequately covered because they can’t see what they can’t measure. Most of the tooling in place today was built for a previous generation of scrapers and search bots, not the agentic traffic that showed up faster than anyone modeled. That’s a structural failure, not a readiness problem. Even marketing organizations still working out how to do GEO and show up inside LLM results are behind. Malicious actors, who are already using bleeding-edge agentic tech to scrape and probe sites at scale definitely have the edge at the moment. The gap isn’t confidence outpacing reality by a little. It’s a sign that the tools and instincts practitioners are relying on aren’t built for today’s agentic internet at all.

Why are AI bots becoming a broader business risk for enterprises, beyond the security team?

I wouldn’t frame it as “beyond security” so much as security’s scope has to grow fast. Internet-facing businesses such as ecommerce, fintech, media and entertainment, travel, and gaming are moving quickly, and security is racing to catch up. Some of the largest e-commerce companies are already announcing agent-to-agent marketplaces, and security teams are the ones who have to figure out how to protect that marketplace while marketing and product keep shipping next-generation agentic experiences. That’s the real tension: the business moves faster than security can secure it. Agent-to-agent and human-to-agent traffic is the new scope, whether the team is ready or not. This is genuinely hard because today’s agents behave like humans. It used to be easy to spot a search engine crawling your site. Agent workflows don’t look that different from a person clicking through a funnel, so you need technology to tell the difference and decide whether it’s good traffic or bad. I think it will take a few years before a survey like this one shows organizations are actually ahead of this.

Many enterprises already rely on WAFs, CAPTCHAs and rules-based tools. Where do those defenses fall short against today’s AI-driven bots?

I think of a WAF as the blanket perimeter across every web-facing property, and bot management as the layer customers put on critical funnels like checkout processes. Both have limits. They’re expensive, and they only retain a limited window of data across a limited slice of the site. CAPTCHAs are effectively going extinct. The uncomfortable truth is that sophisticated agentic bots can adapt their request patterns to get past a WAF, and they’ve gotten good enough to solve CAPTCHAs outright. That test isn’t hard anymore for a well-built agent. What’s actually happening underneath is that AI-driven traffic now shows up in distinct layers: one LLM training a model, a traditional scraper indexing a page to understand what a business offers, real-time queries where an LLM reaches out live for an answer, which is really a real-time version of GEO, and now agent workflows, which are small units of automated work like agents publishing pricing or availability updates. Each of those layers is a new traffic pattern, and CAPTCHA won’t help with any of them. Bot management is important, but there’s a data problem underneath it too: if you’re only sampling traffic, or only holding a few days of it, you can’t tell human from bot, or bad agent from good agent. That’s the real fix: behavior intent analytics, and it takes data to get there.

What happens when companies cannot tell the difference between legitimate users, AI bots, scrapers and malicious traffic?

The first failure mode is misidentifying a human as a bot and blocking them. That’s the cardinal sin. We’ve seen customers misidentify indexing engines and LLMs, blocking them outright and losing millions of dollars because they stopped ranking and stopped being discovered. The opposite failure is just as costly. If you misidentify malicious traffic or bad agents as legitimate, you burn real web and cloud resources serving content to non-humans. A lot of today’s more intelligent bots bypass web caches entirely and hit the origin, eating CPU, memory, and session capacity that should be serving customers. Then there’s the security side. Attacks like credential stuffing, session hijacking, denial of service, and data theft can do lasting damage to a company’s reputation and put it at real legal exposure. So you’re managing two failure directions at once. Give good traffic — human or agent — a good experience, and give bad traffic no experience at all. Get that balance wrong in either direction, and the business pays for it, whether through lost discovery, wasted infrastructure spend, stolen data, or a DDoS event that takes services down entirely.

How can AI bot activity distort campaign performance, analytics, lead quality or customer acquisition data?

Heavily and from a marketing seat, this is a genuinely hard moment. We’re losing visibility we used to have, right as the traditional web-tracking stack is being taken apart and traffic patterns shift under us. A couple of years ago, marketing’s instinct was to avoid anything that looked like AI content and design purely for humans because people could spot AI content from a mile away. Now we have to design for two audiences at once — the human internet and the AI internet — which requires relearning attribution, funnel management, and conversion tracking from the ground up because both require real visibility into who, or what, is actually on the other end of a session. This isn’t just AI and LLMs breaking the old way of measuring lead source and campaign effectiveness. Marketers are also investing directly in AI-driven conversion paths themselves. The old measurement model isn’t holding up, and the new one hasn’t fully arrived, which is exactly why marketing teams are scrambling to hold onto the priorities they know today while inventing and discovering the ones they don’t yet.

Why does real-time, queryable traffic visibility matter more as AI-driven traffic becomes harder to distinguish from human behavior?

You can’t make a good call about whether traffic is human or agent, or whether an agent is good or bad, after the fact. That decision has to happen in real time because you can’t hold a web session or an agent request while you think about it. But there’s a second piece, which is the abandonment threshold. A human shopping online will wait a couple of seconds for a page to load before deciding the site’s broken or hard to use and heading off to a competitor. In an agent-to-agent transaction, that tolerance drops to under a second. Agents operate with sub-second sensitivity, and whether an interaction succeeds or fails is a sub-second problem. So the requirement is really two things stacked together: categorize traffic in real time, and recognize that the agent-to-agent internet is inherently a sub-second environment. Real-time isn’t a nice-to-have anymore. It’s table stakes.

How does Hydrolix help enterprises identify, understand and act on AI bot traffic differently than traditional observability or security tools?

At our roots, we’re a real-time data platform, and everything we’ve built starts from the assumption that you shouldn’t have to throw away critical data just to afford to store it. We built our platform for long-term retention at high compression, so customers can keep years of telemetry and web session data without sampling or dropping anything. Most bot management solutions on the market today operate on 30 days of web traffic because that’s what their architecture can afford to store. Thirty days isn’t enough to reliably tell an agent from a human. Hydrolix can keep years of data, and that depth is what makes real behavioral analytics possible. Agentic traffic actually stands out once you have enough history to see the pattern. On top of that, we’re built for internet scale with a linearly scalable analytics engine that returns answers in sub-seconds. During the 2025 Super Bowl, we ran queries against 1.4 petabytes of data a day — 17.5 GB a second — in under a second, because we needed to know what was normal and what wasn’t, fast enough to act on it. Hydrolix is already integrated into more than 90% of the world’s CDNs, so we’re already seeing this traffic and can integrate into anyone’s digital stack quickly. We deliver the analytics and insights to help companies build the policies and management layer for the next generation of agentic traffic on top of what they already have today.

Where do you see the AI bot problem heading over the next 12 to 24 months, and what should enterprise leaders be preparing for now?

Honestly, I found our own survey scary to look at. This space is moving faster than most people realize, and we’re now in two arms races at once. One is competitive, where businesses fight to stand out to humans and, increasingly, to AI agents and LLMs. The other is criminal, where malicious actors use the same bleeding-edge tech to steal data and run DDoS attacks. Attackers are always operating at the edge of what’s technically possible, and this survey tells me practitioners aren’t there yet. Marketing and security teams are still naive to how fast the agent-driven internet is actually accelerating. We’re at a point where governments are pausing models because they’ve found vulnerabilities serious enough to threaten national infrastructure, which tells you how fast this is moving. Yet our own data shows practitioners feeling confident they’ve got it handled. They don’t because the data says they’re miscalculating how much AI-driven traffic is already on their sites by 2x. My advice for the next 12 to 24 months is to assume the gap between what you think is happening and what’s actually happening is wider than you believe, and go get the data that closes it, fast.

 

Comments

TechBullion

FinTech News and Information

Copyright © 2026 TechBullion. All Rights Reserved.

To Top

Pin It on Pinterest

Share This