The 7.6 release of the Cequence Unified API Protection (UAP) platform is generally available as of February 25, 2025. This release includes several new features, described below.
Viewing Mitigated Transaction Details
Users can view details of transactions that have been mitigated by Cequence Defenders. Clicking a transaction listed on the Mitigation page displays its details, including the policies that mitigated the transaction and client information such as IP address, fingerprint, and organization. Detected transactions continue to be displayed on a separate tab of the Transactions page.
Users can also search for transactions by request ID. The request ID is unique for each transaction and is automatically assigned by Cequence during traffic processing.
Figure: Displaying Mitigated Transactions
Searching all data while querying on the Detection page
Security analysts often create Application Tags on the fly while investigating incidents and look up information about that tag on the Detection page. Security analysts can now use App Tags to search historical data across the entire retention period on the Detection page. This functionality enables security analysts to find relevant transactions that pre-date the creation of the App Tag, ensuring comprehensive analysis of newly configured tags.
Figure: Search All Data functionality on the Detection page
Disabling individual rules within API Risk Categories
Individual risk rules within Risk Categories, also known as contributors, can now be enabled and disabled. Prior to this release, Risk Categories could only be enabled or disabled in their entirety. Selectively disabling individual rules within a category gives organizations finer control.
Additionally, customization of Risk Rules has been improved to enable seamless updates from Cequence without conflicts with user-defined modifications. When a risk rule is customized, the original system rule is disabled, and a cloned version is created for customization. System rules, managed by Cequence, remain visible and regularly updated for reference but remain disabled if a customized version is in place.
Figure: Enabling or disabling specific rules within API Risk Categories
Additionally, the API Inventory now enables users to customize and save their preferred column views, ensuring a personalized experience. Previously, column selections were not persistent and would reset even upon refreshing the page. With this update, users' column preferences will remain intact, even after logging out and back in.
Multi Geo Crawlers and Enhanced Reporting in Attack Surface Discovery
Cequence's API attack surface discovery has been enhanced with new functionality:
- Multi-region Crawlers, available for North America, Europe, Middle East, Asia and Australia, enable comprehensive discovery even with geo-fencing restrictions. Customers can choose which regions to run crawls from – these are used to crawl all domains within a tenant organization. Additionally, Cequence now gives customers visibility into the IP addresses/ranges assigned to the crawlers, making it possible to add these IPs to allow-lists for perimeter security infrastructure.
Figure: Configuring multi-region crawlers
- Updated PDF Reports, refreshed to better reflect the product's goal of identifying where APIs are hosted in a customer environment. This includes the ability to identify Edge, Infrastructure and App Gateway providers so that executive stakeholders can better understand their API footprint without needing to log in to the product. Additionally, recommendations are now available for each of the different value propositions (API Hosts, API Providers, API Findings) that Cequence discovers.
API Security Testing
API Security Testing has been enhanced with many noteworthy new capabilities:
- Enhanced Authentication Profiles, with support for additional authentication types, such as OAuth with PKCE. Authentication profiles are now easier to share across multiple test plans. Specifically, there is now a central place in the API Security Testing section for users to see all authentication profiles that are available to the platform. Additionally, it is now possible to add or replace authentication profiles from within a test plan, which removes the need for a user to recreate a test plan after changing their authentication profile.
  Note the following:
  - Users cannot change authentication type after creating an authentication profile. Changing from API Keys to OAuth, for example, requires the creation of a new authentication profile. However, users can generate a new profile, whether specifically for that test plan (local scope) or for any test plan (global scope), without having to generate a new test plan.
  - For the OAuth with PKCE authentication profile, users must manually provide a token while executing the test run. This limitation prevents users from running these authentication profiles in automated CI/CD pipelines. For manual invocation of test plans, users will be able to leverage the ad-hoc “Run from UAP” mode of test run execution.
- Test Run Progress is now visible to authorized users. This helps them understand whether a test run has been initiated, is in process, or has errored out, and works for test runs initiated on developer systems, in CI/CD pipelines, or from the UAP Platform itself.
- Inline Test Plan Archival allows users to archive the current test plan in the process of updating to a new version of the test plan. While users will still need to recreate a test plan if their APIs or test cases have changed, this capability simplifies and accelerates the user experience.