When I joined Forrester in 2019 and started covering the bot management software market, bot management software helped companies answer a basic question (bot or not?) and protected against bots. Later, these tools helped answer a more nuanced question (good bot, bad bot, or human?) and enabled humans and good bots while protecting against bad bots. Today, with the explosion of generative AI and AI agents, firms need tools that tell them whether application traffic comes directly from a human, from a bot, or from AI, as well as what the intent of that traffic is, to enable proper protections.

At the same time, web application firewall (WAF) vendors have consolidated their offerings (which include WAF, API security, and bot management) into web application protection platforms, offering customers a bundle of related application security tools with a unified data model and UI. As web application protection platforms come together, the decision to go with a platform versus best of breed is not automatic. We see some security leaders rely on a web application protection platform for many application protection functions and then add layers of protection from vendors specializing in bots and AI agents.

In short, a new market has emerged. Bot management use cases still matter and fit well within the purview of vendors that have added bot management to their bundle of application security offerings. But this new market, particularly vendors that are pushing the boundaries of customer experience and business enablement use cases, must address a wider range of traffic sources (think human customers and their bots and AI agents acting on their behalf) and a broader set of use cases.

For example, now this software must tie AI agent traffic back to a particular account and ensure a consistent and safe experience for that account. It must provide a seamless and trusted transaction experience for customers or anything acting on their behalf.

Ultimately, bot management is too narrow a name for where this market is going. Starting with our upcoming landscape report, we are changing the name from bot management software to bot and agent trust management software. Forrester defines this as:

Software that identifies and analyzes the intent of automated traffic directed at an application, establishing ongoing trust relationships with good bots and agents and rejecting and misdirecting malicious bots and AI agents to protect legitimate customer business while also increasing attacker costs.

Key points about this name change:

  • It’s no longer just about bots. While AI agent traffic is still a small fraction of internet traffic, we expect it to grow quickly. As it does, organizations will need to handle not just bot traffic but agent traffic, too. The rise of AI agents presents a challenge to companies looking to understand and manage customer traffic while still fighting malicious application layer attacks. It’s not enough to know whether inbound traffic is from an AI agent; you must also know if the AI agent is acting on behalf of a particular customer or partner.
  • Trust moves to the forefront. Bot management has traditionally focused on protecting organizations from a range of business logic attacks, such as account takeover, inventory hoarding, ad fraud, and influence fraud. While these scenarios still matter, they start to fall under a broader banner of establishing and continuously verifying trusted relationships with the range of AI agents and bots that engage with your applications on behalf of customers or as part of formal and informal business relationships. The decision isn’t “bot or not,” nor is it “good bot or bad bot” or “block or allow.” The decision is “How much do I trust this bot, AI agent, or human?” and then choosing actions based on the degree of trust.

I look forward to sharing our landscape report on bot and agent trust management software at the end of this year. In the meantime, please set up an inquiry or guidance session to discuss how bot and agent trust management software can help enable and protect your business. I hope you can also join me at Security & Risk Summit in November, where you will hear more about bots and agents during a panel discussion that I will be moderating with John Buten and Evelyn Mitchell-Wolf, “The Business Of Bots, Scrapers, And AI Agents.”