Cequence launches bot detection tools for AI traffic
Fri, 26th Jun 2026
Cequence has launched two bot detection and verification products, Intent Graph and Biometric Check, aimed at web, mobile, API and AI agent traffic.
The products are intended to address a gap in existing bot defences as more automated activity moves through headless systems and agent-based commerce channels rather than conventional web browsers.
Traditional anti-bot tools often rely on browser-based checks such as CAPTCHAs, JavaScript challenges, device fingerprinting and transport-layer signals. Cequence argues those methods are less effective when attackers use real browsers and proxy networks at scale, and when AI agents interact through systems that do not present the same client-side signals.
The launch reflects a broader shift in how online services are accessed. Automated traffic now accounts for more than half of all web requests globally, according to figures from Cloudflare cited by Cequence, while AI-driven commerce flows are emerging across platforms including ChatGPT, Amazon and Google.
Behavioural model
Intent Graph is designed to identify what a user, bot or AI agent is doing within an application without relying on browser instrumentation. Rather than using a standard fingerprint, it builds a behavioural model for each application and tracks how legitimate users move through that specific environment.
Cequence says this allows a single detection layer to be used across websites, mobile apps, APIs and agentic AI interactions. It can be used to spot activity such as credential stuffing, scraping, account takeover, carding, data harvesting and other forms of business logic abuse.
Security teams can alter the behavioural signals used in detection and mitigation without changing application code, allowing models to be adjusted within minutes when attack patterns shift.
Cequence cited a recent enterprise deployment in which attackers changed their methods more than 10 times over two days using virtual browsers and rotating proxies. Intent Graph blocked each attempt without presenting CAPTCHAs or other challenges to legitimate users, it said.
Ameya Talwalkar, Chief Executive Officer and Co-Founder of Cequence, said the change in traffic patterns is forcing a rethink in bot protection.
"Client-side bot protection wasn't architected for AI-driven traffic, and enterprises are already feeling the consequences of this as automated traffic exceeds that from humans," Talwalkar said.
He said the company's model focuses on context and application activity.
"The Intent Graph tells you what a user, bot, or AI agent is actually doing on your application, regardless of how it got there. Intent Graph doesn't just detect bad actors; it maps their intent, so when attackers evolve their tactics in real time, adaptive behavioural intelligence has already moved to stop them. This is the posture enterprises need before the agentic inflection, not after," Talwalkar said.
Human check
Biometric Check is intended to replace verification steps such as CAPTCHAs, puzzles, SMS codes and email verification with hardware-based cryptographic attestation from a user device. Cequence says the process uses secure elements already present in devices, including the systems behind Touch ID, Face ID and Windows Hello.
When a session falls outside a configurable confidence threshold, the user is asked to complete a biometric action on a registered device. The device then returns signed proof that a real person completed the step, while the biometric data itself remains on the device.
Cequence says the approach offers a different way to handle false positives because each successful challenge shows that a legitimate user was interrupted. That gives security teams a direct measure of where detection policies may be too aggressive.
The same verification logic can also be applied to AI agent workflows, according to Cequence. Low-risk tasks can proceed without interruption, while higher-risk actions such as transfers, record retrieval or contract changes can trigger a human approval step at the point of action.
The model could be relevant in sectors where automated actions carry operational or regulatory consequences, including financial services, healthcare, business-to-business commerce and other sensitive API environments.
Shreyans Mehta, Chief Technology Officer and Co-Founder of Cequence, said defending AI-driven interactions requires a broader view than point products can offer.
"Building effective bot defence for MCP and agentic commerce requires institutional knowledge that most companies simply don't have," Mehta said.
He linked that argument to the company's scale in application and API monitoring.
"Agentic traffic doesn't respect categorical boundaries. Protecting them requires unified visibility across application protection, API security, and agentic interaction - something enterprises cannot assemble from separate point solutions retrofitted after the fact," Mehta said.
The two products are available to existing customers through Cequence's platform, which the company says processes more than 10 billion API interactions and protects 4 billion user accounts.