Bot mitigation is simply the reduction of hostile bot traffic coming into a web asset (a site, web application, API, etc.).
Strictly speaking, the term implies that the bot traffic is reduced rather than fully eliminated. And indeed, traditional methods of bot detection cannot identify all, and possibly not even most, of the hostile bots in modern web traffic.
For example, methods such as blacklisting and rate limiting can be evaded when bots rotate IP addresses. Signature detection can be defeated by spoofing. JavaScript injection tests can be passed by modern headless browsers. CAPTCHA and reCAPTCHA can be solved by automated methods over 94 percent of the time. And so on.
Therefore, given the seriousness of the bot threat today, something more than mere mitigation is needed. That’s why bot management is becoming more widely discussed.
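The rate-limiting blind spot mentioned above can be seen in a small added example (not code from the original page): a per-IP sliding-window limiter is run over two constructed traffic samples with the same request volume, one from a single address and one spread across rotating addresses. The window length, the per-IP limit, the function names and the sample addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding-window length
MAX_PER_IP = 20       # assumed per-IP request budget per window


def per_ip_rate_limit(events, window=WINDOW_SECONDS, limit=MAX_PER_IP):
    """Return the set of IPs exceeding `limit` requests in any `window` seconds.

    events: iterable of (timestamp_seconds, ip), sorted by timestamp.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > limit:
            blocked.add(ip)
    return blocked


def peak_total_rate(events, window=WINDOW_SECONDS):
    """Highest number of requests from all IPs combined in any one window."""
    q, peak = deque(), 0
    for ts, _ip in events:
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def summarize(events):
    """Compare what the per-IP limiter sees with the load actually received."""
    return {
        "blocked_ips": len(per_ip_rate_limit(events)),
        "distinct_ips": len({ip for _, ip in events}),
        "peak_requests_per_window": peak_total_rate(events),
    }


# Constructed traffic: 300 requests in 60 s, addresses from RFC 5737 ranges.
single_source = [(i * 0.2, "203.0.113.7") for i in range(300)]
# Same volume, but requests cycle through 100 addresses (3 requests each).
rotating = [(i * 0.2, f"198.51.100.{i % 100 + 1}") for i in range(300)]

if __name__ == "__main__":
    print("single source:", summarize(single_source))
    print("rotating IPs: ", summarize(rotating))
```

Both samples put the same peak load on the asset, but only the single-source sample trips the limiter; in the rotating sample every address stays far below the per-IP budget.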