Cequence Security, a pioneer in application security, today announced the launch of Intent Graph and Biometric Check, two new capabilities that extend the behavioural architecture Cequence has built on since inception. Together, they give enterprises bot defence that works across web, mobile, API, and agentic AI traffic, without depending on the client-side signals that sophisticated bots have learned to defeat.
 
The architectural divide in bot defence is now unavoidable. While traditional bot defence relies on browser signals such as CAPTCHAs, JavaScript puzzles, device and machine fingerprints, and TLS characteristics, attackers have industrialised workarounds. Modern proxy providers now run real browsers that solve CAPTCHAs, pass puzzle runtimes, and present clean fingerprints at scale, making adversarial automation indistinguishable from real customer sessions.
 
The agentic shift has made this client-side approach structurally unworkable for several reasons. For example:
AI agents operating on behalf of real customers often run in headless environments where puzzle runtimes don’t execute at all;
MCP-based agents don’t use browsers, so client-side signals are simply absent; 
Fast-moving AI-forward companies ship products daily or weekly and can’t afford the time and resource penalty imposed by SDK instrumentation.
 
Automated traffic now accounts for more than half of all web requests globally, according to Cloudflare, and native agentic commerce is already live across ChatGPT, Amazon, Google's Agent E-commerce Protocol, Visa's agentic commerce standard, and Stripe's payment primitives. A bot defence posture that assumes a web browser is both present and trustworthy cannot protect the channels where commerce is actually moving.
 
“Client-side bot protection wasn't architected for AI-driven traffic, and enterprises are already feeling the consequences of this as automated traffic exceeds that from humans,” said Ameya Talwalkar, CEO and Co-Founder of Cequence.
 
Intent Graph: Behavioural detection across every channel
Talwalkar noted that MCP is becoming a first-class commerce channel alongside web, mobile, and API — one where there is no browser to fingerprint and no puzzle to serve. "The Intent Graph tells you what a user, bot, or AI agent is actually doing on your application, regardless of how it got there. Intent Graph doesn't just detect bad actors; it maps their intent, so when attackers evolve their tactics in real time, adaptive behavioural intelligence has already moved to stop them. This is the posture enterprises need before the agentic inflection, not after."
 
Intent Graph builds a behavioural model specific to each application, not a generic fingerprint, but a living map of how real users navigate that particular flow. Because the model is application-specific and behaviour travels with the client, one detection layer covers the full surface:
 
Web: credential stuffing, scraping, and account takeover
Mobile: automated abuse that slips past app-level protections
API: business logic abuse, carding, and data harvesting
Agentic AI, including MCP: distinguishing legitimate AI agents from adversarial ones without relying on non-existent client-side instrumentation
 
What makes Intent Graph different from behavioural fingerprinting is what happens when the model needs to change. Security teams can adjust which behavioural vectors feed into detection and ultimately into mitigation without a code change or a ticket to engineering. When an attack emerges or the traffic profile shifts, the algorithm updates in minutes. No SDK, no JavaScript instrumentation, no application changes required.
 
In one recent enterprise deployment, adversaries retooled their attack more than ten times over two days using virtual browsers and rotating proxy networks. Cequence’s Intent Graph blocked every iteration, without any CAPTCHA, puzzle, or client challenge being shown to legitimate customers.
 
Biometric Check: Secure verification that users are already familiar with
Biometric Check replaces CAPTCHAs, puzzles, SMS codes, and email verification with hardware-bound cryptographic attestation via a device’s Secure Enclave. When bot detection flags a session outside a configurable, application-specific confidence threshold, the user completes a familiar biometric interaction — Touch ID, Face ID, Windows Hello — and the device returns signed proof that a real person on a registered device completed the action. The biometric itself never leaves the device and completes verification in less than a second.
 
This is categorically different from client-side challenges, which become less expensive to attack at scale. There is no Secure Enclave to virtualise and no fingerprint sensor to spoof from a cloud VM. Biometric Check is also the first bot verification mechanism that makes the enterprise’s actual false positive rate measurable rather than estimated. Every challenge passed is direct evidence that detection policy flagged a real customer, a signal to tighten detection, not just a number to report.
 
The same checkpoint logic extends to AI agents. For low-risk actions, agents operate freely. For high-stakes, irreversible actions such as wire transfers, record retrievals, or contract modifications, Biometric Check inserts a human-in-the-loop gate at the time of the action rather than at the front door. This is the model enterprises will need for agent workflows in financial services, healthcare, B2B commerce, and regulated API surfaces generally.
 
"Building effective bot defence for MCP and agentic commerce requires institutional knowledge that most companies simply don't have," said Shreyans Mehta, CTO and Co-Founder of Cequence.
 
Mehta noted that vendors relying on client-side architecture never accumulated the interaction data needed to challenge automated clients at scale — whereas Cequence has been building an unequaled behavioural understanding across more than 10 billion daily API interactions for Forbes Global 2000 customers. "Agentic traffic doesn't respect categorical boundaries. Protecting them requires unified visibility across application protection, API security, and agentic interaction — something enterprises cannot assemble from separate point solutions retrofitted after the fact."
 
Intent Graph and Biometric Check are immediately available to Cequence customers as part of the Cequence platform. To learn more or discuss how these capabilities apply to specific traffic patterns, request a demo at https://www.cequence.ai/demo/bot-management/.
 
About Cequence Security
Cequence protects the applications and data that power enterprises in the agentic era. More than a decade of bot defence and API security experience has established Cequence as the leader of safe and secure agentic AI adoption. The Cequence platform delivers deep insight into user, entity, and agent behaviour, enabling organisations to secure and control agentic AI interactions while protecting against bad actors and rogue agents. Cequence delivers value in minutes rather than days or weeks with a highly scalable, no-code approach. Trusted by the largest and most demanding private and public sector organisations, Cequence protects more than 10 billion daily API interactions and 4 billion user accounts. To learn more, visit www.cequence.ai.