As MCP and agentic commerce go live, new capabilities deliver behavioral detection and friction-free human verification across web, mobile, API, and agentic AI channels
Cequence Security, a pioneer in application security, announced the launch of Intent Graph and Biometric Check, two new capabilities that extend the behavioral architecture Cequence has built on since inception. Together, they give enterprises bot defense that works across web, mobile, API, and agentic AI traffic, without depending on the client-side signals that sophisticated bots have learned to defeat.
The architectural divide in bot defense is now unavoidable. While traditional bot defense relies on browser signals such as CAPTCHAs, JavaScript puzzles, device and machine fingerprints, and TLS characteristics, attackers have industrialized workarounds. Modern proxy providers now run real browsers that solve CAPTCHAs, pass puzzle runtimes, and present clean fingerprints at scale, making adversarial automation indistinguishable from real customer sessions.
The agentic shift has made this client-side approach structurally unworkable for several reasons. For example:
- AI agents operating on behalf of real customers often run in headless environments where puzzle runtimes don’t execute at all;
- MCP-based agents don’t use browsers, so client-side signals are simply absent;
- Fast-moving AI-forward companies ship products daily or weekly and can’t afford the time and resource penalty imposed by SDK instrumentation.
Automated traffic now accounts for more than half of all web requests globally, according to Cloudflare, and native agentic commerce is already live across ChatGPT, Amazon, Google’s Agent E-commerce Protocol, Visa’s agentic commerce standard, and Stripe’s payment primitives. A bot defense posture that assumes a web browser is both present and trustworthy cannot protect the channels where commerce is actually moving.
“Client-side bot protection wasn’t architected for AI-driven traffic, and enterprises are already feeling the consequences of this as automated traffic exceeds that from humans,” said Ameya Talwalkar, CEO and Co-Founder of Cequence.
Intent Graph: Behavioral detection across every channel
Talwalkar noted that MCP is becoming a first-class commerce channel alongside web, mobile, and API, one where there is no browser to fingerprint and no puzzle to serve. “The Intent Graph tells you what a user, bot, or AI agent is actually doing on your application, regardless of how it got there. Intent Graph doesn’t just detect bad actors; it maps their intent, so when attackers evolve their tactics in real time, adaptive behavioral intelligence has already moved to stop them. This is the posture enterprises need before the agentic inflection, not after.”
Intent Graph builds a behavioral model specific to each application, not a generic fingerprint, but a living map of how real users navigate that particular flow. Because the model is application-specific and behavior travels with the client, one detection layer covers the full surface:
- Web: credential stuffing, scraping, and account takeover
- Mobile: automated abuse that slips past app-level protections
- API: business logic abuse, carding, and data harvesting
- Agentic AI, including MCP: distinguishing legitimate AI agents from adversarial ones without relying on non-existent client-side instrumentation
What makes Intent Graph different from behavioral fingerprinting is what happens when the model needs to change. Security teams can adjust which behavioral vectors feed into detection and ultimately into mitigation without a code change or a ticket to engineering. When an attack emerges or the traffic profile shifts, the algorithm updates in minutes. No SDK, no JavaScript instrumentation, no application changes required.
In one recent enterprise deployment, adversaries retooled their attack more than ten times over two days using virtual browsers and rotating proxy networks. Cequence’s Intent Graph blocked every iteration, without any CAPTCHA, puzzle, or client challenge being shown to legitimate customers.
Biometric Check: Secure verification that users are already familiar with
Biometric Check replaces CAPTCHAs, puzzles, SMS codes, and email verification with hardware-bound cryptographic attestation via a device’s Secure Enclave. When bot detection flags a session outside a configurable, application-specific confidence threshold, the user completes a familiar biometric interaction (Touch ID, Face ID, Windows Hello) and the device returns signed proof that a real person on a registered device completed the action. The biometric itself never leaves the device and completes verification in less than a second.
This is categorically different from client-side challenges, which become less expensive to attack at scale. There is no Secure Enclave to virtualize and no fingerprint sensor to spoof from a cloud VM. Biometric Check is also the first bot verification mechanism that makes the enterprise’s actual false positive rate measurable rather than estimated. Every challenge passed is direct evidence that detection policy flagged a real customer, a signal to tighten detection, not just a number to report.
The same checkpoint logic extends to AI agents. For low-risk actions, agents operate freely. For high-stakes, irreversible actions such as wire transfers, record retrievals, or contract modifications, Biometric Check inserts a human-in-the-loop gate at the time of the action rather than at the front door. This is the model enterprises will need for agent workflows in financial services, healthcare, B2B commerce, and regulated API surfaces generally.
“Building effective bot defense for MCP and agentic commerce requires institutional knowledge that most companies simply don’t have,” said Shreyans Mehta, CTO and Co-Founder of Cequence.
Mehta noted that vendors relying on client-side architecture never accumulated the interaction data needed to challenge automated clients at scale, whereas Cequence has been building an unequaled behavioral understanding across more than 10 billion daily API interactions for Forbes Global 2000 customers. “Agentic traffic doesn’t respect categorical boundaries. Protecting them requires unified visibility across application protection, API security, and agentic interaction, something enterprises cannot assemble from separate point solutions retrofitted after the fact.”

