Cequence targets agentic commerce blind spot with behavioural AI tools

Two new capabilities replace CAPTCHA-era bot detection for AI agents operating across MCP, payments, and regulated API surfaces.

By Disrupts Editorial Team
A brightly lit data center aisle features parallel rows of black server racks displaying glowing green and blue indicator lights, extending into the distance under overhead fluorescent lighting.

Cequence Security has launched Intent Graph and Biometric Check, two capabilities designed to close a structural gap in enterprise security: the inability of legacy bot-detection systems to police traffic generated by AI agents rather than human browsers.

The announcement arrives as agentic commerce moves from prototype to production. Autonomous agents now transact across ChatGPT's shopping layer, Amazon's agentic stack, Google's Agent E-commerce Protocol, and Visa's agentic commerce standard. None of those channels requires a browser, which makes conventional defences built around JavaScript puzzles, CAPTCHAs, and device fingerprints structurally inadequate.

"Client-side bot protection wasn't architected for AI-driven traffic, and enterprises are already feeling the consequences as automated traffic exceeds that from humans," said Ameya Talwalkar, CEO and co-founder of Cequence.

Intent without a browser

Intent Graph addresses the detection problem. Rather than relying on client-side signals that AI agents simply do not generate, it builds a behavioural model specific to each application, mapping how real users, bots, and agents navigate particular flows. Security teams can adjust which behavioural vectors feed into detection and mitigation without a code change or an engineering ticket. The company says the model updates in minutes when an attack profile shifts.

The practical stakes are significant. Cloudflare data cited in the release puts automated traffic above half of all global web requests. In one enterprise deployment Cequence describes, adversaries retooled their attack more than ten times over 48 hours using virtual browsers and rotating proxy networks. Intent Graph blocked every iteration without serving a single challenge to legitimate customers.

Biometric Check addresses the verification problem at the other end of the pipeline. It replaces CAPTCHA-style gates with hardware-bound cryptographic attestation via a device's Secure Enclave, Touch ID, Face ID, or Windows Hello. The biometric never leaves the device, and the attestation completes in under a second. For AI agent workflows, a threshold-based gate applies: low-risk actions proceed unimpeded, while high-stakes irreversible transactions, wire transfers, contract modifications, regulated data retrievals, trigger a human-in-the-loop step at the moment of action.

The convergence angle: agentic AI meets financial services security

The product launch is narrow in scope, but the market problem it addresses is broad. As agentic AI embeds into financial services, healthcare, and B2B commerce, the security perimeter shifts from the front door to the individual transaction. That is a meaningful architectural change for regulated sectors. Banks and insurers operating under frameworks such as PSD2 in Europe, or pursuing open-banking API mandates globally, are already grappling with how to enforce authentication when the counterparty is an AI model rather than a verified human.

Cequence's position, protecting more than 10 billion daily API interactions across Forbes Global 2000 customers, according to the company, gives it a dataset that newer entrants cannot replicate quickly. That accumulated behavioural intelligence is the moat the company is explicitly advertising. CTO Shreyans Mehta stated that "vendors relying on client-side architecture never accumulated the interaction data needed to challenge automated clients at scale."

The capital landscape around this problem is intensifying. API security and bot management have attracted sustained investment over the past three years as enterprise attack surfaces expanded with cloud-native and mobile-first architectures. The addition of agentic AI as a first-class attack vector is likely to accelerate a fresh round of consolidation. Larger security platforms, those with identity, endpoint, and network layers already unified, will face pressure to acquire or build behavioural API intelligence rather than leave the agentic traffic layer exposed.

For cross-sector strategists, the read-across is clear: any enterprise deploying agentic workflows in a regulated context must now treat bot-and-agent authentication as a board-level infrastructure question, not a security-team configuration task. The window between the activation of agentic commerce standards and the maturation of defences capable of policing them is, by Cequence's own framing, already closing.

Intent Graph and Biometric Check are available immediately to Cequence platform customers.

Sector

Topic

Geography