Decoding the world of cybersecurity

Cequence puts agents inside API security

Cequence Platform 9.0 adds an AI assistant and MCP server, bringing agent-operated workflows into API security, compliance evidence, and control changes.

Cequence puts agents inside API security
Summary
  • Cequence Platform 9.0 adds an AI assistant, open MCP server, compliance-mapped rules, and a rebuilt API security engine.
  • The company says read actions can run freely, while write actions require explicit human approval.
  • Agent-operated security tools need governance over access, change control, audit trails, and production impact.

Cequence Security has released Platform 9.0, adding an AI assistant and an open Model Context Protocol server that allows agents and automation workflows to query, investigate, and act on API security data.

The company says the release exposes platform capabilities through MCP tools, allowing its built-in assistant, a SOAR platform, a custom automation workflow, or a third-party agent to interact with the product. Platform 9.0 also includes compliance-mapped risk rules, audit-ready reporting, and a rebuilt API security engine designed for large API estates.

Cequence says the assistant can answer plain-language questions using live platform data, classify APIs, identify risks, draft rules, and create reports. Read actions can run freely, while proposed write actions show the exact change and require explicit human approval before execution.

The release reflects a wider move in security tooling. Products are beginning to expose capabilities to agents rather than relying only on dashboards and menus. That changes how security work is performed, how evidence is gathered, and how authority is delegated to automation.

API security is a natural fit for that change because large organisations struggle to discover APIs, classify sensitive data flows, identify broken authorisation, map risk to compliance controls, and keep pace with application delivery. AI agents are also increasing API traffic and changing interaction patterns as customer, employee, and machine workflows become more automated.

Agent-operated security creates a new control plane. If an assistant can draft rules, change configurations, query sensitive API telemetry, or trigger response workflows, governance has to cover who can prompt it, what data it can access, how actions are recorded, and how approval works when a change affects production controls.

Cequence’s human approval model for write actions and its visibility into tool calls address part of that control burden. Enterprises will still need role-based access, segregation of duties, logging, model governance, change control, and testing before allowing agents to operate security platforms.

The compliance packaging is also significant. Cequence says Platform 9.0 includes more than 250 pre-built risk rules mapped to 25 frameworks, including GDPR, PCI DSS, ISO 27001, NIST CSF, DORA, and NIS2. API risk is often difficult to evidence in audits because discovery, exposure, authentication, authorisation, data handling, and remediation data can sit across multiple teams and tools.

Mapping live findings to control areas could reduce reporting friction where the evidence is complete and auditable. It also places more importance on the integrity of the platform’s data, rule logic, approval records, and change history.

Security platforms are moving from dashboards towards conversational and agent-driven operation. That can reduce time-to-answer, but it also places responsibility on architecture, permissioning, and auditability. A security assistant that can see and act across APIs becomes part of the organisation’s risk surface.

×