June 6, 2026 – Security firm cside today released findings on two fast-growing threats to subscription and SaaS revenue: AI agents that defeat traditional fraud defenses, and widespread account sharing that drains recurring income. The company published two detailed analyses to help businesses measure and respond to both. Each problem, it argues, is getting harder to spot at the same time it is getting more expensive.

The first is about a change in how automated traffic looks. For years, bad bots gave themselves away through their infrastructure: data-center IP addresses and headless browsers that detection tools learned to flag and filter. cside’s research says that era is closing. More and more automated activity now comes from AI agents that run inside real browser sessions, often on residential IP addresses, and behave a lot like human shoppers. They load pages, scroll, fill out forms, and work out what to do next. In cside’s testing, conventional bot-detection tools failed to catch these AI agents about 81% of the time.

The damage shows up in familiar places, just faster and at a larger scale. Take card testing, where stolen card numbers get checked against a checkout one after another. It gets cheaper to run once an AI agent can work through the flow on its own. Fake-account creation, used to farm referral bonuses, claim promo credits, or launder transactions, loses the friction that used to slow it down. A single run of promo-code abuse can turn a marketing campaign into a liability overnight. The pattern, cside says, is that defenses built for an older kind of bot tend to wave this traffic straight through, because the tells that once separated human from machine have mostly vanished.

cside’s comparison of AI-agent detection tools looks at how the leading platforms handle the problem and where each one tends to leave gaps. Its point is that the job is no longer to block every bit of automated traffic. It is to classify that traffic accurately, because the same technology behind fraudulent agents is starting to power legitimate ones too.

The second analysis deals with a quieter loss: account and credential sharing. One login passed around a group of people sets off no alarm. The account is real, the payment clears, and nothing looks broken. But every extra person using it is someone who never paid, and that revenue simply never arrives. For a long time plenty of companies wrote this off as a cost of doing business, worried that cracking down would annoy the customers they did have. cside’s report makes the opposite case: shared logins are recoverable income, not acceptable leakage.

Streaming offers the clearest proof. After one major platform started enforcing limits on password sharing in 2023, the backlash everyone predicted never really landed. Instead the platform added more than 50 million new paid subscribers as freeloading viewers turned into customers. That one episode shifted how a lot of subscription businesses think about sharing, moving it from a touchy customer-relations problem to a revenue line they could actually win back.

Catching it is trickier than it sounds. Going by IP address alone throws off too many false positives. It flags the customer on a work trip and the family with five devices, while missing the determined sharer hiding behind a VPN. cside’s guide to detecting and preventing account sharing walks through how device fingerprinting and multi-signal detection can tell ordinary behavior, like a traveling user or a multi-device household, apart from real abuse. Put a few signals together, such as a device nobody has seen before, a login from an unexpected place, and several sessions running at once that no single person could manage, and sharing patterns come into view without leaning on IP address and without treating every household like a suspect.

“Both of these threats are getting harder to see at exactly the moment they’re getting more expensive,” said Simon Wijckmans, founder and CEO of cside. “AI agents now look like real customers, and shared logins look like loyal ones. The businesses protecting their revenue are the ones that stop guessing and start measuring what’s actually happening on their sites.”

Both reports land on the same advice: classify first, then respond in proportion, instead of blocking traffic across the board. cside argues that heavy-handed filtering can cost more than the fraud it stops, because subscription businesses live on conversion, and every real customer turned away at signup or checkout is recurring revenue gone. A low-risk oddity might deserve nothing more than a quick prompt to confirm an email. A stronger signal can call for step-up authentication. Only the clearest cases need hard enforcement. The same ladder works for account sharing, where a gentle nudge about how many devices a plan covers tends to recover more revenue, with far less friction, than a sudden lockout.

The approach also gets businesses ready for a future where not all automation is the enemy. As people start handing real purchases to AI assistants that shop, compare, and book for them, some agent traffic will be perfectly legitimate, and occasionally worth a lot. A company that blocks every bot today could end up turning away paying customers tomorrow.

“Not every AI agent is hostile. Some will soon be doing real shopping on a customer’s behalf,” Wijckmans said. “Companies that can tell the difference will keep those sales. Companies that block everything they don’t recognize will turn paying customers away. Either way, the first step is visibility. You cannot defend revenue you are not measuring.”

cside’s recommendation is to size up the exposure on both fronts before reaching for any controls: measure how much automated traffic is hitting sensitive flows like signup and checkout, and estimate how much paid usage is being shared rather than bought. Fraud that nobody counts, the company notes, tends to go unaddressed, and revenue that leaks quietly almost never comes back.

About cside

cside is a security company focused on the browser and client-side layer. It helps businesses spot AI agents, prevent online fraud, and protect recurring revenue across subscription, SaaS, and e-commerce platforms, with research aimed at the point where users, browsers, and websites meet. More information is available at cside.com.

Media Contact
Company Name: Cside
Contact Person: Simon
Email: Send Email
Country: United States
Website: https://cside.com/