Cequence Launches Behavioural Bot Detection and Biometric Verification Built for Agentic AI

Automated traffic now accounts for more than half of all web requests, according to Cloudflare, and the tools built to distinguish bots from humans were not designed for a world where AI agents make purchases, invoke APIs, and operate workflows on behalf of real customers.

Cequence Security announced on Monday two capabilities that extend its bot defence platform beyond the browser: Intent Graph, which builds a behavioural model of what any user, bot, or AI agent is doing on an application regardless of how it arrived, and Biometric Check, which replaces CAPTCHAs and SMS codes with hardware-bound cryptographic attestation through a device's Secure Enclave.

The problem both products address has been building for years. Traditional bot defences rely on browser signals — JavaScript execution, puzzle runtimes, TLS characteristics, device fingerprints — and attackers have industrialised workarounds: proxy networks now run real browsers that pass every client-side check. The agentic shift has removed the browser assumption entirely. MCP-based agents have no browser to fingerprint. AI agents operating on behalf of customers typically run in headless environments. Intent Graph sidesteps the client-side layer by modelling what is happening in the application, not how the visitor arrived. The model is application-specific and updates in minutes when attack patterns shift, without a code change or SDK instrumentation.

"Client-side bot protection wasn't architected for AI-driven traffic, and enterprises are already feeling the consequences of this as automated traffic exceeds that from humans," said Ameya Talwalkar, CEO and Co-Founder of Cequence.

In one deployment cited by the company, attackers retooled more than ten times over two days using virtual browsers and rotating proxy networks; Intent Graph blocked every iteration without serving a single challenge to legitimate customers.

Biometric Check takes a different approach to the verification step. When detection flags a session outside a configurable confidence threshold, the user completes a familiar biometric interaction (Touch ID, Face ID, Windows Hello) and the device returns signed proof that a real person completed it. The biometric never leaves the device; verification completes in under a second. The commercial logic is that there is no Secure Enclave to virtualise from a cloud VM, which makes the check categorically harder to automate at scale than a CAPTCHA or SMS code. For AI agents executing high-stakes actions such as wire transfers or contract modifications, the same checkpoint logic inserts a human-in-the-loop gate at the action itself rather than at login.

Native agentic commerce is now live across ChatGPT, Amazon, Google's Agent E-commerce Protocol, Visa's agentic commerce standard, and Stripe's payment primitives — channels where traditional browser-based defence has no foothold. Cequence has been processing more than 10 billion daily API interactions for Forbes Global 2000 customers and says that depth of interaction data is what makes the behavioural model viable for adversarial AI traffic.

Intent Graph and Biometric Check are available immediately as part of the Cequence platform.
