• Blog
• Bot & AI Agent Trust Management
• Beyond WAF: Why Context & Intent Are Essential in the Human–AI Web

Beyond WAF: Why Context & Intent Are Essential in the Human–AI Web

Brandon Borden

  | 

Bot & AI Agent Trust Management | October 14, 2025

Organizations are deeply invested in web application firewalls (WAFs) to protect websites and APIs from threats. They’re often the first line of defense against SQL injection, DDoS attacks, and cross-site scripting that put you, your customers, and data at risk. But here’s where the gaps in WAF protection appear:

• Detecting stealthy, malicious traffic with human-like behavior targeting web apps. Application-layer DDoS attacks have soared 74% year-over-year in Q2 2025, especially against financial services (43.6%), eCommerce (22.6%), and ICT service providers (18.2%) per IT Pro.
• Heavy-handed approach to blocking AI and bot traffic as seen by the discourse driven by Perplexity and Cloudflare that put discoverability and growth at risk as complex AI scrapers and agents become more prevalent. This approach has been the default as the CISO or CTO has owned “bot management and mitigation.” But, the market is shifting to Bot and Agent Trust Management where go-to-market leaders have a seat at the table with security experts defining how to detect, manage, and trust website visitors. This results in a nuanced understanding of who and what is engaging, and in what go-to-market context, that isn’t captured with WAF-only solutions today. 

While WAFs are critical, today’s dynamic threat landscape powered by a mix of human, bot, and AI web traffic is outpacing traditional rule-based defenses.

Automation and AI Are Changing the Traffic Landscape

• Our research highlights how automated traffic—good and bad—has increased on average by 50% YoY since 2022.
• The normalization of Bots-as-a-Service (BaaS) platforms. These platforms offer readily available, sophisticated automation tools that can be employed by individuals with minimal technical skills. For example, we detected a well-known BaaS platform driving a 14x increase in attempted fraudulent click-throughs, seemingly a deliberate attempt to deplete a travel brand’s PPC budget during a critical sales period.
• More bots are mimicking humans to evade detection. Sophisticated tools like undetected ChromeDriver and Puppeteer-extra-stealth-plugin, designed to mask automation signals and mimic human interactions more closely.
• CHEQ has detected a 60x increase in AI traffic from January 2025 to May 2025 alone. How we measure and manage AI and bot traffic has evolved. The old ways of thinking “all bots are bad” requires refinement. 

More is Required to Optimize Web Experiences

Similarly, not all AI traffic “looks” the same and now we must consider humans PLUS their agents researching and making buying decisions. This is where context and intent help you optimize web experiences based on who visits your site:

• If you can spot a real AI agent acting on behalf of a human, you may send it to an API-first, agent-optimized experience.
• If it’s an AI browser crawler, serve it a lightweight, structured version of your site.
• If it’s a malicious bot or fraudster, you block it.
• And if it’s a real human, you keep the standard UX flow.

Right now, most sites, including WAFs, can’t tell the difference. Everything “non-human” looks the same and gets treated as a threat. That’s a problem. You can even approach these from a vertical or industry-based perspective. No matter how you slice it, context and intent matters:

• An eCommerce retailer leverages a WAF to block generic bad bots, but misses a surge of AI-based shopping assistant bots that aren’t malicious. CHEQ segments these helpers from harmful bots, preserving conversion flows and marketing data.
• A loan provider sees escalating Layer 7 bot probing attempts blocked by WAF, but CHEQ flags credential stuffing attempts hidden amid human-like patterns, preventing account takeover without disrupting user experience.
• A market-facing media site experiences heavy scraper traffic. WAFs throttle URLs, but CHEQ assesses intent and context so that search engine crawlers can access content while blocking competitor scrapers—protecting both SEO visibility and content integrity.

So, let’s recap when you need more than just a WAF—because there are plenty of reasons. Here’s where CHEQ elevates the defense, and the business:

Why Moving to Bot and Agent Trust Management Framing is Perfect Timing

WAFs are strong, but the human–AI internet demands more. It demands nuance, inference, and behavioral context. WAFs alone can’t decipher the “who” “what” and “why” behind digital engagement. WAFs can stop attacks and unintentionally stop growth as AI scrapers and agents become more prevalent throughout the customer journey. This shift in thinking is reiterated by Forrester recently announcing the newly-minted Bot And Agent Trust Management category, outlining how brands must to weigh trust, customer experience, and growth while managing human, bot, and AI traffic. CHEQ provides that trusted, contextual layer. By enriching WAF defenses with AI-driven, intent-based visibility and classification, you ensure that your digital operations are not just secure, but built for the future of digital engagement. We’re here to help.

Author

Brandon Borden

Brandon Borden leads Demand Generation at CHEQ, where he blends strategy with firsthand experience as a former customer. He previously held marketing leadership roles at Twilio and Articulate.