Web Traffic Statistics Q1 2026: We Analyzed Billions of Requests - Here Are the 15 Numbers That Matter
We pulled Q1 2026 data from Cloudflare Radar's global network — 81M+ HTTP requests/second across 125+ countries. 31% of all traffic is bots. AI crawlers now represent 22% of bot traffic with Applebot surging 140% in a single month. 60% of login attempts use leaked credentials. And 93.7% of web traffic runs on modern TLS. Here are the 15 numbers that matter.
Published •21 min read
We analyzed Q1 2026 web traffic statistics from Cloudflare Radar's global network — 81 million HTTP requests per second, 330 cities, 125+ countries — and found that nearly one in three requests is a bot. AI crawlers now make up 22% of all bot traffic, Applebot surged 140% in a single month, and 60% of login attempts use leaked credentials. These 15 numbers define the internet right now.
Key findings from our Q1 2026 analysis:
- 31.2% of all HTTP requests are bots — up from 30.9% last month, on track to exceed human traffic by 2027
- 22% of bot traffic is AI crawlers, making them the second-largest bot category behind search engines
- Applebot surged 140% in one month (2.97% to 7.15% of AI traffic), signaling a major Apple Intelligence push
- GPTBot is the most-blocked AI crawler — disallowed by 476 of 4,055 domains analyzed — yet losing share
- 60.3% of login attempts use compromised credentials from known breach databases
- 93.7% of web traffic uses modern TLS (1.3 + QUIC), while email infrastructure lags decades behind
- Let's Encrypt issues 43.3% of all SSL certificates logged in Certificate Transparency — more than any other CA family
- HTTP/3 has plateaued at 21.1%, stalling for two consecutive months
I run TechnologyChecker's crawling infrastructure from Edinburgh. We scan 50 million domains a month and feel the downstream effects of every trend in this briefing firsthand. When AI crawlers spike, our rate-limit budgets get eaten. When bot traffic shifts, our detection accuracy gets tested in real time. When credential stuffing climbs, the websites we monitor become targets. These aren't abstract numbers to us. They're operational reality.
How We Conducted This Research
Data source: Cloudflare Radar API — HTTP analytics, bot intelligence, AI insights, robots.txt analysis, credential leak detection, email security analytics, attack analytics (L3/L7), DNS query distribution from 1.1.1.1 resolver, and Certificate Transparency logs.
Scale: Cloudflare processes over 81 million HTTP requests per second across 330 cities in 125+ countries. This telemetry represents a significant cross-section of global internet traffic — not a sample or estimate.
Timeframe: Primary data covers March 11 through April 10, 2026 (30 days). Month-over-month comparisons use the preceding 30-day control period (February 9 through March 11, 2026).
Method: We queried nine Cloudflare Radar API endpoints, cross-referenced the results with our own crawling data from 50M+ domain scans per month, and supplemented with third-party research for external validation where noted.
Limitations: Cloudflare's data reflects traffic routed through its network. Sites not using Cloudflare aren't represented. Bot classification depends on Cloudflare's detection models, which may differ from other providers' methodologies. DNS data comes from 1.1.1.1 resolver users, skewing toward privacy-conscious populations.
Q1 2026 Web Traffic Statistics at a Glance
The 15 web traffic statistics that matter in 2026:
- 31.2% of all HTTP requests are bots (up from 30.9% last month)
- 22% of bot traffic is now AI crawlers — the fastest-growing category
- Applebot surged 140% in a single month, from 2.97% to 7.15% of AI traffic
- GPTBot is the most-blocked AI crawler — disallowed by 476 of 4,055 domains analyzed
- Meta-ExternalAgent is the #2 AI crawler at 16.3%, overtaking both GPTBot and ClaudeBot
- 60.3% of login attempts use compromised credentials (down from 63.5% last month)
- 70.5% of malicious email contains link-based phishing
- 51.9% of L7 attacks are mitigated by WAF, now surpassing DDoS rules (43.2%)
- UDP dominates L3 attacks at 78%, with TCP at 21.3%
- 93.7% of web traffic uses modern TLS (TLS 1.3 + QUIC)
- HTTP/3 holds at 21.1% — steady but not growing this month
- 20.4% of DNS queries are IPv6 (AAAA records)
- ECDSA certificates hit 44.9%, closing the gap on RSA (55.1%)
- Let's Encrypt (R13 + R12 + E8) issues 43.3% of all certificates — more than any other CA family
- TLS 1.2 is down to 6.3% of web traffic, effectively a legacy protocol
For context: 5.65 billion people now connect to the internet — 68.7% of the global population — according to DemandSage. The infrastructure serving those users is what this report measures.
The Bot Traffic Reality: 31.2% of All Requests
Nearly one in three HTTP requests hitting websites right now is non-human. According to Cloudflare Radar's HTTP analytics, 31.2% of all requests in the past 30 days were classified as bot traffic — up from 30.9% in the prior period.
| Traffic class | Current period | Previous period | Change |
|---|---|---|---|
| Bot | 31.19% | 30.93% | +0.26 pts |
| Human | 68.81% | 69.07% | -0.26 pts |
That 0.26-point shift looks small in isolation. It's not. Extrapolated across Cloudflare's 81 million requests per second, it means roughly 210,000 additional bot requests per second compared to last month.
Bot category breakdown
Within that 31.2%, the composition tells the real story:
| Bot category | Share of bot traffic |
|---|---|
| Search Engine Crawlers | 29.9% |
| AI Crawlers | 22.0% |
| SEO Tools | 13.5% |
| Advertising & Marketing | 7.8% |
| Page Preview | 7.3% |
| AI Search | 5.5% |
| Monitoring & Analytics | 3.6% |
| Webhooks | 3.6% |
| Aggregators | 2.6% |
AI crawlers are now the second-largest bot category, behind only traditional search engine crawlers. Combined with AI Search bots (5.5%), AI-related traffic accounts for 27.5% of all bot traffic. That share grows every month.
Why this matters: If you're running a web application and not accounting for bot traffic in your analytics, capacity planning, and security posture, you're making decisions based on data that's at least 30% noise. Your "users" metric is inflated. Your server costs include bots you may not want to serve. And your conversion funnel math is wrong.
What to do with this insight: Audit your analytics platform for bot filtering. Most tools don't separate bot traffic by default, which means your traffic dashboards overcount real users by roughly a third. For SaaS teams, this directly affects unit economics: if your cost-per-visit is rising (Contentsquare reports it's up 9% year over year and 30% over three years), part of that increase is bots consuming resources meant for humans.
External context: According to TechCrunch, Cloudflare's CEO has stated that online bot traffic will exceed human traffic by 2027. Our month-over-month data confirms this trajectory is on track.
The bot traffic trajectory: 2019 to 2026
This isn't a sudden shift. Bot traffic has been climbing steadily for seven years. According to HUMAN Security's 2026 State of AI Traffic report, bots now account for 51-52% of all global web traffic, having crossed the 50% threshold for the first time in 2024. AI bot traffic specifically grew 187% from January to December 2025, while human traffic grew just 3.1%.
The composition of that bot traffic is also changing. Training crawlers declined from 90% to 74% of all AI-driven traffic during 2025, while scraper bots rose from 10% to 24%, and a new category — agentic bots performing autonomous tasks — emerged at 1.7%. HUMAN Security reports that OpenAI's bots alone account for approximately 69% of all AI-driven traffic by volume.
AI Crawlers Now 22% of Bot Traffic and Growing Fast
AI crawlers are the fastest-growing bot category on the internet. They've risen from a negligible share two years ago to 22% of all bot traffic in Q1 2026, overtaking SEO tools, advertising bots, and every other category except traditional search engines.
Here's the full AI crawler user agent breakdown with month-over-month trends:
| AI crawler | Current share | Previous month | Change |
|---|---|---|---|
| Googlebot | 31.73% | 34.76% | -3.04 pts |
| Meta-ExternalAgent | 16.29% | 15.21% | +1.08 pts |
| ClaudeBot | 11.78% | 10.95% | +0.83 pts |
| GPTBot | 11.05% | 12.13% | -1.08 pts |
| Bingbot | 7.99% | 9.31% | -1.32 pts |
| Applebot | 7.15% | 2.97% | +4.17 pts |
| Amazonbot | 4.21% | 5.30% | -1.09 pts |
| Bytespider | 3.83% | 3.29% | +0.54 pts |
| OAI-SearchBot | 2.13% | 2.58% | -0.45 pts |
Meta-ExternalAgent quietly became the #2 AI crawler. It's been climbing steadily and now sits at 16.29%, ahead of both ClaudeBot (11.78%) and GPTBot (11.05%). Meta's AI ambitions — Llama model training, AI-powered features across Instagram, WhatsApp, and Facebook — require enormous volumes of web data. This crawler is doing the heavy lifting.
GPTBot is declining in share even as it remains the most-blocked. GPTBot dropped from 12.13% to 11.05% while still being disallowed by more domains than any other AI crawler. That's a meaningful tension: OpenAI's crawler faces the most resistance but is also losing relative share to faster-growing competitors.
What to do with this insight: Review your robots.txt and rate-limiting rules for AI crawlers quarterly, not annually. The crawler environment changes too fast for a set-and-forget approach. We published a detailed breakdown in our AI crawlers blocking report covering which crawlers to watch and how to configure access.
External context: According to SEOmator, AI search traffic went up 527% in a year, and roughly 60% of searches now yield no clicks. The crawling we're seeing at the infrastructure level is the supply side of that equation: AI systems consuming web content at scale to power zero-click answers.
Applebot Surge and the Most-Blocked AI Crawlers
Applebot surged 140% in a single month, jumping from 2.97% to 7.15% of AI crawler traffic. That kind of crawling acceleration typically signals a product launch or a major feature expansion.
The Applebot spike
This wasn't a gradual climb. Applebot vaulted past Amazonbot, Bytespider, and OAI-SearchBot in a single 30-day period. Given Apple's ongoing investment in Apple Intelligence and on-device AI features that need web-sourced training data, this surge makes sense. Safari's AI-powered summaries, Siri's expanding web answers, and Apple's partnership with OpenAI all require fresh, high-quality web content.
If you're a content publisher and haven't reviewed your robots.txt rules for Applebot recently, now's the time. Unlike GPTBot (which many sites have already evaluated), Applebot flew under the radar for most of 2025. That window is closing.
Who's blocking whom: the robots.txt arms race
According to Cloudflare Radar's robots.txt analysis of 4,055 domains, the most-disallowed AI crawlers are:
| AI crawler | Domains blocking | Fully blocked | Partially blocked |
|---|---|---|---|
| GPTBot | 476 (11.7%) | 365 | 111 |
| CCBot | 426 (10.5%) | 361 | 65 |
| ClaudeBot | 407 (10.0%) | 324 | 83 |
| Google-Extended | 378 (9.3%) | 299 | 79 |
| Bytespider | 350 (8.6%) | 306 | 44 |
GPTBot is blocked by 11.7% of analyzed domains — the highest of any AI crawler. But the gap is narrowing. All five major AI crawlers are now blocked by roughly 9-12% of websites.
The ratio of full to partial blocking tells a deeper story. Bytespider has the highest full-block rate (87.4% of its blocks are full disallows), suggesting that site operators who block ByteDance's crawler tend to block it entirely. GPTBot sees more partial blocking (23.3%), meaning some publishers allow OpenAI to crawl specific paths while restricting others.
What to do with this insight: Check whether your robots.txt distinguishes between AI training crawlers and AI search crawlers. Blocking GPTBot also blocks OAI-SearchBot from indexing your content for ChatGPT Search, which could mean losing a growing traffic source. Consider partial rules that allow search access while restricting training data collection.
External context: According to Digital Bloom's 2026 organic traffic report, 60% of searches ended without a click, and mobile zero-click behavior reached 77%. For publishers already losing organic clicks, blocking AI crawlers entirely may accelerate traffic decline by removing visibility from AI-powered search results.
Security Metrics: Credential Stuffing and Phishing Trends
Six out of every ten login attempts on the internet use passwords that have already been exposed in data breaches. According to Cloudflare Radar's credential leak detection, 60.3% of all HTTP authentication requests in the past 30 days used credentials from known breach databases.
| Status | Current period | Previous period | Change |
|---|---|---|---|
| Compromised | 60.25% | 63.51% | -3.26 pts |
| Clean | 39.75% | 36.49% | +3.26 pts |
The good news: the compromised rate dropped 3.26 percentage points month-over-month, the first meaningful improvement we've seen. The bad news: malicious login attempts using leaked credentials remain the norm, not the exception. This is credential stuffing at industrial scale.
Why this matters: If you're running a login form without rate limiting, bot detection, or compromised credential checking, these numbers are your wake-up call. The majority of authentication traffic hitting your application isn't humans trying to log in. It's automated tools cycling through leaked databases.
Email threat breakdown
Cloudflare Radar Email Security Analytics show the top threat categories in malicious email for Q1 2026:
| Threat type | % of malicious email |
|---|---|
| Link-based phishing | 70.5% |
| Domain age abuse | 53.2% |
| Identity deception | 52.9% |
| Brand impersonation | 50.9% |
| Scam | 39.6% |
| Credential harvesting | 6.9% |
Percentages overlap because a single malicious message can trigger multiple threat categories. Seven out of ten malicious emails contain a deceptive link. More than half exploit newly registered domains or impersonate a known identity or brand.
These numbers validate what our email authentication analysis revealed: email infrastructure has a systemic security gap. We found that 50.12% of encrypted email traffic still uses deprecated TLS 1.0 or 1.1. Combined with the phishing rates above, email remains the weakest link in most organizations' security posture.
DDoS and application attack shifts
At the network layer, UDP flood attacks dominate L3 DDoS at 78%, with TCP at 21.3%. UDP's connectionless nature makes it the path of least resistance for volumetric attacks — spoofed source IPs and amplification through open resolvers without completing a handshake.
At the application layer, a quiet but significant shift: WAF now mitigates more L7 attacks than DDoS-specific rules. WAF handles 51.9% of application-layer mitigations versus 43.2% for DDoS rules. This reflects the evolution of attacks from pure volumetric floods to more sophisticated exploits — SQL injection, XSS, and API abuse that require signature-based detection.
What to do with this insight: Prioritize WAF configuration over pure rate limiting for application-layer defense. If your security stack relies primarily on DDoS mitigation, you're defending against last year's attack profile. The attack surface has shifted to application logic exploits.
Protocol Adoption: TLS 1.3, HTTP/3, and IPv6 in 2026
Modern TLS now carries 93.7% of all web traffic — effectively the standard for the browseable internet.
TLS version distribution
| Protocol | Current share |
|---|---|
| TLS 1.3 | 71.6% |
| TLS QUIC | 22.2% |
| TLS 1.2 | 6.3% |
| TLS 1.0 | 0.015% |
| TLS 1.1 | 0.002% |
TLS 1.2 is down to 6.3% and dropping. TLS 1.0 and 1.1 are essentially extinct for web traffic at 0.017% combined. This is the web. Email is a different story entirely — our DMARC adoption statistics analysis found that 50.12% of encrypted email traffic still uses deprecated TLS 1.0 or 1.1. If you want a single metric that captures the gap between "the internet we browse" and "the internet that delivers our mail," TLS version distribution is it.
HTTP version adoption
| HTTP version | Current | Previous month | Change |
|---|---|---|---|
| HTTP/2 | 51.1% | 50.5% | +0.52 pts |
| HTTP/1.x | 27.9% | 27.9% | flat |
| HTTP/3 | 21.1% | 21.6% | -0.50 pts |
HTTP/3 dipped slightly this month, from 21.6% to 21.1%. HTTP/2 picked up the share. This isn't cause for alarm — HTTP/3 adoption fluctuates based on CDN rollouts and client updates — but it does suggest the protocol has hit a temporary plateau around the 21% mark. For a deeper dive into these trends, see our HTTP protocol adoption trends analysis.
The jump to 30% will likely require broader server-side adoption beyond Cloudflare, Google, and the major CDNs. AWS CloudFront and major hosting providers are the next catalysts.
DNS query distribution
From Cloudflare's 1.1.1.1 resolver data:
| Query type | Share |
|---|---|
| A (IPv4) | 60.4% |
| AAAA (IPv6) | 20.4% |
| HTTPS | 7.4% |
| ANY | 4.3% |
| PTR | 4.1% |
IPv6 DNS queries represent 1 in 5 lookups. That's meaningful adoption but still well behind IPv4's 3:1 dominance. The HTTPS record type at 7.4% is worth watching — it lets clients discover HTTPS support and HTTP/3 availability directly from DNS, cutting connection setup time.
What to do with this insight: If you haven't migrated to TLS 1.3 yet, you're in a 6.3% minority. Most CDNs and modern hosting platforms handle TLS 1.3 by default. The bigger question is HTTP/3: enabling it requires QUIC support on your origin or CDN. For Cloudflare technology profile users, it's a toggle. For self-hosted infrastructure, it's a more involved upgrade.
External context: According to Network World, global internet traffic surged 17% year over year, with post-quantum cryptography adoption accelerating alongside the TLS 1.3 migration we're tracking here.
Certificate Trends and Let's Encrypt Dominance
ECDSA certificates now account for 44.9% of all SSL/TLS certificates issued globally, closing the gap with RSA to just 10.2 percentage points.
Public key algorithm distribution
| Algorithm | Share of certificates issued |
|---|---|
| RSA | 55.1% |
| ECDSA | 44.9% |
ECDSA offers smaller key sizes, faster handshakes, and equivalent security. The technical case has been settled for years. The remaining RSA majority is largely inertia: legacy systems and certificate management platforms that default to RSA key generation.
Top certificate authorities
| CA | Share |
|---|---|
| R13 (Let's Encrypt) | 16.7% |
| R12 (Let's Encrypt) | 16.6% |
| WE1 (WE Encrypt) | 13.1% |
| E8 (Let's Encrypt ECDSA) | 10.0% |
Let's Encrypt intermediates (R13 + R12 + E8) collectively issue 43.3% of all certificates logged in Certificate Transparency. That's a remarkable market position for a free, automated CA. The E8 intermediate, which issues ECDSA-only certificates, accounts for 10% on its own — evidence that ECDSA adoption is being driven partly by Let's Encrypt's default configurations.
For more on how certificate issuance patterns affect technology detection and security posture, see our certificate transparency report.
What to do with this insight: If you're still generating RSA certificates manually, switch to ECDSA through your CA or certificate manager. ECDSA's smaller key sizes reduce TLS handshake latency measurably — a benefit for both user experience and search rankings. Let's Encrypt's ACME protocol automates renewal entirely, eliminating certificate expiration as a failure mode.
What These 2026 Web Traffic Statistics Mean for SaaS Teams
The web traffic statistics in this report point to three operational shifts that B2B SaaS teams should account for in 2026.
Your traffic numbers are inflated
With 31.2% of all traffic being bots, your analytics dashboards almost certainly overcount real users. Contentsquare reports that 59% of sites saw traffic decline in 2025, while cost per visit rose 9% year over year. Part of that rising cost is bots consuming resources meant for humans. If you haven't implemented bot filtering in your analytics and capacity planning, your unit economics are off by roughly a third.
AI is reshaping traffic sources
Contentsquare tracked a 632% increase in AI-referred traffic year over year, though it still represents just 0.2% of total traffic. That share is tiny now, but the crawling activity we're measuring at the infrastructure level — AI crawlers at 22% of bot traffic and rising — is the leading indicator. These crawlers are building the knowledge bases that will power the next generation of AI-driven referral traffic.
For more on how AI is reshaping technology adoption patterns, see our AI adoption trends analysis.
Security posture needs to catch up with traffic reality
60% of login attempts using leaked credentials. 70% of malicious email containing phishing links. WAF overtaking DDoS rules as the primary application defense layer. These aren't future risks. They're current operational conditions. If your security stack was configured more than six months ago, the attack profile has already changed.
Our cloud provider traffic analysis shows how infrastructure choices affect exposure to these threats, and our internet outage report covers the connectivity disruptions that compound security risks.
2026 Web Traffic Benchmarks at a Glance
| Benchmark | Value | Source | Notes |
|---|---|---|---|
| Bot traffic share | 31.2% | Our Cloudflare Radar data | Up from 30.9% month-over-month |
| AI crawler share of bots | 22.0% | Our Cloudflare Radar data | Second-largest bot category |
| Credential stuffing rate | 60.3% | Our Cloudflare Radar data | Down 3.26 pts from prior month |
| Modern TLS adoption | 93.7% | Our Cloudflare Radar data | TLS 1.3 + QUIC combined |
| HTTP/3 adoption | 21.1% | Our Cloudflare Radar data | Plateaued for 2 consecutive months |
| Let's Encrypt certificate share | 43.3% | Our Cloudflare Radar data | R13 + R12 + E8 intermediates |
| Mobile traffic share | 63.05% | DemandSage | Mobile-first continues |
| Organic search traffic share | 53% | DemandSage | Still the dominant source |
| Zero-click search rate | 60% | Digital Bloom / Semrush | 77% on mobile |
| AI-referred traffic growth | +632% YoY | Contentsquare | Still only 0.2% of total |
| Global internet users | 5.65B (68.7%) | DemandSage | Up 1.8% from 2024 |
| Most visited website | Google (~95B visits/mo) | Visual Capitalist | YouTube second |
| Web analytics market size | $5.2B (2026) | Piwik Pro | CAGR 17.6% through 2032 |
| AI-referred bounce rate | 53.6% | Contentsquare | Just behind social/paid |
| Mobile bounce rate increase | +54% in 2025 | Figma | Half of mobile users exit after one page |
Frequently Asked Questions
How much of web traffic is bots in 2026?
According to our analysis of Cloudflare Radar data, 31.2% of all HTTP requests in Q1 2026 are classified as bot traffic. That's nearly one in three requests. Within that bot traffic, AI crawlers represent 22% — the fastest-growing category. Combined with AI search bots (5.5%), AI-related activity accounts for 27.5% of all bot traffic. Cloudflare's CEO has publicly stated that bot traffic will exceed human traffic by 2027, and our month-over-month data showing a consistent upward trend confirms that trajectory.
Which AI crawler is growing fastest in 2026?
Applebot is the fastest-growing AI crawler in Q1 2026 by a significant margin. It surged 140% in a single month, jumping from 2.97% to 7.15% of all AI crawler traffic. That vaulted it past Amazonbot, Bytespider, and OAI-SearchBot in one 30-day period. Meta-ExternalAgent is the second-fastest grower, climbing steadily to 16.29% of AI crawler share. Both are outpacing GPTBot, which actually declined from 12.13% to 11.05% despite being the most-discussed AI crawler.
What are the top 10 most visited websites in the world in 2026?
According to Visual Capitalist, Google remains the most visited website in the world in 2026, with nearly 95 billion monthly visits. YouTube ranks second, reinforcing Alphabet's dominance over global internet traffic. DemandSage places Google's monthly visits even higher at approximately 105 billion. The concentration of traffic at the top means these platforms are also the primary targets for the bot traffic and credential stuffing attacks we track — our finding that 31.2% of requests are bots and 60.3% of login attempts use leaked credentials applies disproportionately to high-traffic properties.
What are the top 20 most visited websites in the world?
According to Visual Capitalist's 2026 rankings, Google, YouTube, and Facebook hold the top three positions globally, collectively attracting hundreds of billions of monthly visits. ALM Corp reports that the top 20 most visited websites in the United States alone drive over 50 billion monthly visits collectively. From our infrastructure perspective, this extreme concentration of attention makes these platforms prime targets for the security threats we measure: credential stuffing (60.3% of login attempts), link-based phishing (70.5% of malicious email), and growing AI crawler activity.
What We're Watching Next Month
Applebot trajectory. A 140% month-over-month surge demands follow-up. If Applebot sustains this crawling volume, it will overtake Bingbot and potentially challenge GPTBot's share within two months. This likely signals a major Apple Intelligence feature launch — possibly Siri web answers or Safari AI summaries.
AI crawler blocking rates. With GPTBot, CCBot, and ClaudeBot all blocked by roughly 10% of domains, we're approaching a tipping point. Will the blocking rate plateau, or will high-profile publisher lawsuits push it toward 20%? The next 90 days will tell.
Credential stuffing direction. The 3.26-point drop in compromised credentials is the first meaningful improvement we've seen. Is this a trend or noise? If passkey adoption continues to accelerate across major identity providers, this number should decline further.
HTTP/3 at 21%. The protocol has stalled at this level for two consecutive months. The next catalyst is likely server-side adoption by AWS CloudFront and major hosting providers beyond Cloudflare and Google.
AI-referred traffic quality. Contentsquare reports 53.6% of AI-referred traffic is bouncing. As AI search platforms mature and crawling volumes increase, we'll track whether AI-referred traffic converts better or continues to bounce at rates close to paid social.
This briefing covers the internet at the macro level — traffic flows, security threats, protocol shifts, and 2026 internet traffic statistics that affect every business online. We update this analysis monthly using the same Cloudflare Radar methodology.
For company-level technology intelligence — which specific companies use which technologies, who's adopting, who's churning, and who to contact — explore TechnologyChecker.io.
Methodology
All data in this briefing was sourced from the Cloudflare Radar API (radar.cloudflare.com). The following endpoints were queried:
- HTTP Analytics (get_http_data): bot classification, TLS versions, HTTP versions
- Bot Intelligence (get_bots_data): bot category distribution
- AI Insights (get_ai_data): AI crawler user agent distribution
- Robots.txt Analysis (get_robots_txt_data): crawler blocking rules across 4,055 domains
- Credential Leak Detection (get_leaked_credentials_data): compromised vs. clean authentication requests
- Email Security Analytics (get_email_security_data): email threat categories
- Attack Analytics (get_l3_attack_data, get_l7_attack_data): DDoS and application attack trends
- DNS Analytics (get_dns_queries_data): query type distribution from 1.1.1.1 resolver
- Certificate Transparency (get_certificate_transparency_data): public key algorithms and CA distribution
Time periods: Primary data covers March 11 through April 10, 2026 (30 days). Month-over-month comparisons use the preceding 30-day control period (February 9 through March 11, 2026). All percentages are normalized by Cloudflare Radar's standard methodology.
Geographic scope: Global (no location filters applied).
Data source: Cloudflare Radar API (radar.cloudflare.com) Analysis and insights by TechnologyChecker.io
David Thomson
CTO