We probed 95 popular sites across 15 verticals for the anti-bot stack they actually run, from public HTTP signatures. Here is the market share, the difficulty spread, and the raw data - reviewed July 2026.
Share of tracked sites observed running each bot-management family. Counted once per site per vendor, so the denominator is honest - a site running two Akamai products still counts once for Akamai. Akamai is the most commonly observed family, on 46 of 95 tracked sites (48%), as of July 2026.
Where the hard targets cluster. The toughest tracked vertical is Jobs & Recruitment, where 100% of sites are hard targets.
| Vertical | Sites | Hard | % hard | Most common vendor |
|---|---|---|---|---|
| Retail & E-commerce | 36 | 20 | 56% | Akamaidone-for-you |
| Online Marketplaces | 12 | 6 | 50% | Cloudflaredone-for-you |
| Travel & Hospitality | 11 | 8 | 73% | Akamaidone-for-you |
| Real Estate & Property Listings | 8 | 5 | 63% | Akamaidone-for-you |
| Social Platforms | 4 | 1 | 25% | Cloudflaredone-for-you |
| Tickets & Live Events | 4 | 2 | 50% | DataDome |
| Automotive | 3 | 2 | 67% | Cloudflare |
| Jobs & Recruitment | 3 | 3 | 100% | Cloudflare |
| Reviews & Ratings | 3 | 3 | 100% | Cloudflare |
| Sneakers & Limited Drops | 3 | 3 | 100% | Cloudflare |
| Classifieds | 2 | 1 | 50% | DataDome |
| Food Delivery | 2 | 1 | 50% | Cloudflare |
| Online Learning & Other | 2 | 2 | 100% | Cloudflare |
| Data & Business Intelligence | 1 | 0 | 0% | Cloudflare |
| Reservations & Dining | 1 | 1 | 100% | Imperva (Incapsula) |
Each detection comes from a public HTTP response signature - a vendor cookie, header or challenge asset that actually fired. A site with no canonical signature is not listed. Nothing is guessed.
Market share counts each site at most once per vendor family, so a site running two products from one vendor is not double-counted. The denominator is the full tracked set.
Reviewed July 2026. Vendors change their stack over time, so every figure is a dated data point you can re-check yourself against the live site.
This documents the defense that exists, in the spirit of BuiltWith or Wappalyzer. It is never a per-site bypass guide. Respect robots.txt, Terms of Service and applicable law.
Movements changelog. This is edition one. We re-run the detector on a recurring basis and publish the diffs - which sites changed vendor or moved difficulty tier - so you can watch the defended web shift over time. If your target just added a new layer, that is usually the moment a pipeline breaks.
The census tells you what defends a site. Here is honestly how to collect it - from DIY proxies to a fully managed pipeline.
Best when: You have engineers and 1-2 easy targets
Best when: Light, unprotected pages at low volume
Best when: 1-3 hard, defended targets like a hard target
Point us at it. Data Works cracks it in a paid pilot on real 4G/5G carrier IPs and delivers the data - before you commit to anything.
Each site is probed for public HTTP response signatures - cookies, headers and challenge assets that identify a bot-management vendor. Only evidence-backed detections are recorded; a site with no canonical signature is not listed. The current edition covers 95 sites across 15 verticals, reviewed July 2026.
A hard target runs enterprise bot management (DataDome, Cloudflare Bot Management, Akamai Bot Manager, HUMAN/PerimeterX, Kasada or Imperva) that scores IP reputation and browser signals before the page renders. 61% of tracked sites fall in this tier.
Yes. The dataset is free to download and cite (CSV, NDJSON or JSON) with attribution to proxies.sx. It is a read-only technical reference in the spirit of BuiltWith or Wappalyzer - it documents the defense that exists, never a per-site bypass.
This is the first edition. We re-run the detector on a recurring basis and publish the differences as a dated "Movements" changelog, so you can see which sites changed vendor or difficulty tier over time.