Current release: v7.7.0
Deprecation Notice
Cequence is announcing the deprecation of Basic Authorization in headers.
As of the 7.7 release of the Cequence Unified API Protection (UAP) platform, authentication using Basic Auth in a header is still available, but will be removed in a future release.
Next Steps
If you are using Basic Auth in headers, consider sending the Basic Auth request in the body of a POST request.
Contact Cequence Support to devise a migration plan.
Additional Information
If you have additional questions, contact Cequence Support.
Release Highlights
The 7.7 release of the Cequence Unified API Protection (UAP) platform is generally available as of April 22, 2025.
This release introduces significant improvements to the visibility, actionability, and performance of specific parts of the Cequence UAP platform. These enhancements improve the user experience, streamline API risk management, and enhance comprehensive API protection.
New Features
The new features in the 7.7 release require version 5.3.2 or newer of Cequence Bridge and 5.3.2 or newer of Cequence Defender.
UX Improvements
The user experience overhaul adds sticky page-level filters across API Inventory and Risk Posture pages, reducing scrolling. Risk visualization focuses on actual issue instances rather than just issue types, with a new bar widget replacing the previous pie chart. Count indicators have been added to filter options, showing the number of endpoints or issues for each selection.
Navigation has been streamlined with persistent filter settings between pages and consistent time filters carried from the Executive Dashboard. The Risk Details page now prioritizes affected endpoints above metadata. App Tags implementation has been standardized with both include and exclude functionality. "Exposure Types" has been renamed to "Scopes" throughout the platform, and the Executive Dashboard's Comply Widget now aligns with the new issue count methodology.
Enhanced Auto-Classification of APIs
The Cequence UAP platform's accuracy when classifying Internal APIs has improved, particularly for Kubernetes clusters. Until you specify a set of internal domains, API classification labels an API only as Internal or External facing.
Third-party API classification requires you to specify a set of domains under your control, and you must enable it explicitly after specifying such a set of domains.
You can now override an API's classification as third-party in the unlikely circumstance that an internal or external API is misclassified as third-party.
Dashboard API Updates
The Dashboard API has been restructured to enhance the functionality of dashboard widgets. In addition to the Summary-metrics and /Summary-inventory endpoints, the new /Summary-api-end-points endpoint populates the top widget.
Note this change if you use dashboard APIs to populate your own applications.
Request Count Visibility Improvements
New facets offer greater insight into the composition of the request count. You can now divide the total requests into Processed, Analyzed, Legitimate, Malicious, Successful Login, Failed Login, and Mitigated.
Detection Tab Enhancements in Transactions Page
The detection tab's performance has been improved, with better loading and pagination speeds. Quick filters and export functionality further enhance this page's usability.
Attack Feature Detection UI for Advanced Users
Advanced users can now run an attack feature detection model from the ML configuration page, setting parameters such as endpoint values, fingerprints, rules, and timeframe. You can enable automatic policy and rule creation after the model's run (this behavior is disabled by default).
You can also specify a path hierarchy to enhance the configuration of your data extractions.
Resolved Issues
Story
CEQASP-7719 [Bot-Analyzer] | Revert change to enforce host field lowercase
CEQASP-7628 API Sentinel: change the name of the API summary tab to API definitions
CEQASP-7560 Keycloak - Update Access Token Lifespan from 5 min to 25 min
CEQASP-7366 Enhancements to Detection Transactions Page
CEQASP-7308 Custom auth not detected - Test upgrade from 7.5 to master to make sure it fixes issue without intervention
CEQASP-7282 Vulnerability Fixes Spartan / Sentinel for 7.7
CEQASP-7209 Resource Discovery Vulnerability Fixes and POM Cleanup
CEQASP-7140 Restart Component Config after import is successful
CEQASP-7128 API Sentinel: change Internal Domain heading to Third Party API Detection under scopes
CEQASP-7070 'Clear Filters' not centered with the sticky filters
CEQASP-7068 Rename 'Application Tags' left nav item to 'App Tags'
CEQASP-7067 Update sticky filters to say no <filter-name> instead of 'no item'
CEQASP-7058 Keep App Tag values sticky when navigating between the Risk Posture and the API Inventory pages
CEQASP-7057 When navigating from Exec Dashboard to the API Inventory or the Risk Posture pages, honor the same time filter
CEQASP-7019 [Sensor / PE] Make filters common for CQAI and sentinel
CEQASP-7016 Update Comply Widget on Exec Dashboard to account for New Issue count on Risk Posture Page
CEQASP-7015 "Exec Dashboard links to External, Internal, 3rd party endpoints should set the filters appropriately when navigating to the API Inventory page the API Inventory "
CEQASP-7014 Risk Details Page: Show Recommendations| Vectors | Weaknesses | Impacts | References *below* endpoints
CEQASP-7012 Refresh button missing from API Inventory page
CEQASP-6995 Filter button/menu usability enhancements
CEQASP-6971 Add Global topic metrics to resource dictionary
CEQASP-6947 Consistent implementation of App Tags (earlier referred to as Applications) across Sentinel
CEQASP-6943 Remove 'Manage Applications' Page from GUI
CEQASP-6942 New Bar Widget for Risk Posture Page
CEQASP-6941 Show count of issues next to each sticky filter (app tag, scope, labels etc. (honoring specified time filters)) on the Risk Posture Page
CEQASP-6940 Show count of issues next to each sticky filter (app tag, scope, labels etc. (honoring specified time filters)) on the API Inventory Page
CEQASP-6935 Do not accept Basic Auth Headers in Keycloak (Telstra pentest)
CEQASP-6930 Add Additional Restricted Classes to MVEL and JEXL scripts, configurable from helm
CEQASP-6875 Risk Posture: Page filter (outside of MUI grid widget) for Severity
CEQASP-6861 Include existing Sentinel automated tests as part of QA automation prior to pushing to flux-forge
CEQASP-6856 Risk Posture: Page filter (outside of MUI grid widget) for Risk Categories
CEQASP-6855 Risk Posture: Page filter (outside of MUI grid widget) for Auth
CEQASP-6853 Risk Posture: Show number of Issues for each Host, Application, Scope, Auth Type, Label
CEQASP-6852 API Inventory: Show number of endpoints for each Host, Application, Scope, Auth Type, Label
CEQASP-6824 Bot Analyzer Vulnerability Fixes
CEQASP-6804 Automate end-to-end deployment of code in SaaS (with automation)
CEQASP-6778 Backend APIs to call ML models
CEQASP-6724 Fix confusing UX in the Sentinel dashboard
CEQASP-6681 UX: Mock for Risk Posture enhancements
CEQASP-6678 Risk Posture: Show bars on the Issue Widget as clickable elements
CEQASP-6677 Risk Posture: Show Issue Instances instead of Issue Types
CEQASP-6676 Risk Posture: Page filter (outside of MUI grid widget) for Scopes
CEQASP-6675 Risk Posture: Page filter (outside of MUI grid widget) for Applications
CEQASP-6674 Risk Posture: Page filter (outside of MUI grid widget) for Labels
CEQASP-6673 Risk Posture: Page filter (outside of MUI grid widget) for API Hosts
CEQASP-6671 API Inventory: Rename exposure types to scopes (incl. in Inventory settings)
CEQASP-6670 API Inventory: Page filter (outside of MUI grid widget) for Scopes
CEQASP-6669 API Inventory: Page filter (outside of MUI grid widget) for App Tags
CEQASP-6668 API Inventory: Page filter (outside of MUI grid widget) for Labels
CEQASP-6667 API Inventory: Page filter (outside of MUI grid widget) for API Hosts
CEQASP-6597 API Sentinel: Inventory Export All Option
CEQASP-6579 Paginated loading of the Detected Transactions page
CEQASP-6577 Detected Transactions Filter Improvements
CEQASP-6569 Rename 'Domain' terminology on Data Extractions page
CEQASP-6568 UI Cleanup of App Tags Page
CEQASP-6293 [CC] BotAnalyzer Data Skew - Only process Pivots that are used in rules
CEQASP-5949 Show "Total Processed Requests" in the trend chart
CEQASP-5678 API Sentinel: enhancement for internal/external/3rd party detection
CEQASP-5741 Implementation of hierarchical data extractions
Bugs
CEQASP-7641 [UI] Blank screen seen when trying to generate 'Adhoc report' from Inventory Dashboard page
CEQASP-7627 Detection Dashboard - Processed count api returning "0" for 24 hrs interval which is resulting in incorrect charts
CEQASP-7610 Changing the Pivot type on transactions pages is not loading the transactions by default
CEQASP-7568 API Sentinel: Refresh button on Sentinel Dashboard only call 1 of 3 apis
CEQASP-7559 the scope options on risk posture is incorrect
CEQASP-7556 The bottom 3 widgets on the dashboard should all call the "ALL" filter
CEQASP-7510 [UI][SentinelDashboard] The total API counts on the dashboard page and the inventory page are not matching
CEQASP-7505 NullPointerException in ResourceDiscoveryTopologyConfig causing Discovery service crash
CEQASP-7476 Processed count. Missed adding AppTags to Spartan known endpoints.
CEQASP-7454 Mitigation Policy Is not working for Defender-5.4.0
CEQASP-7449 API host selected from dashboard does not persist in the inventory filter
CEQASP-7412 Screen turning white when we include "," (DataShack, LC) as an org/isp in the Policy
CEQASP-7386 Transactions tab give an error : Failed to retrieve transactions
CEQASP-7387 Testing Issues: Simple frontend for AFD
CEQASP-7378 Remaining stories:Backend APIs to call ML models
CEQASP-7367 host name in Dashboard filter is case sensitive
CEQASP-7292 Flux forge - UI - Inventory and Risk posture not loading
CEQASP-7276 Risk Details: UX lands user in the wrong risk for an endpoint
CEQASP-7146 Numeric character in Real IP Extraction produces UI error.
CEQASP-7130 Risk posture - Low issue count off
CEQASP-7107 API Sentinel: Custom Auth is not being detected
CEQASP-7039 Api to clean Dictionary for irrelevant shadow endpoints
CEQASP-7013 Entries take too long to render in API Hosts (sticky) filter
CEQASP-6948 Email address sensitive data detection is broken in 7.6 BETA
CEQASP-6921 API Sentinel: parameterized published endpoint not recognized, creating shadow API endpoints
CEQASP-6915 API Sentinel: Parent Endpoint does not contain full path details of Children
CEQASP-6881 The ML Model download issues in TMobile
CEQASP-6879 API Sentinel: Endpoint details, transaction tab, linking to transaction events not working correctly
CEQASP-6827 On Mitigated Transaction page column modal position is wrong
CEQASP-6715 Missing ability to create a Sentinel risk category for one or more specific API definitions
CEQASP-6695 The /actuator/info endpoint fails due to TrafficStatsData model mismatch with Elasticsearch data
CEQASP-6501 [Resource Discovery] High number of URLs causing High Disk Usage
CEQASP-6422 API Sentinel: Auth out of spec not working
CEQASP-6395 UI: In UAP, Diagnostics -> system component: defender list
Upgrade considerations
The material in this section addresses several different upgrade scenarios.
Recommended Upgrade Path
7.5.x: From the 7.5.8 release or later, use the standard Helm upgrade commands.
7.6.x: From the 7.6.5 release or later, use the standard Helm upgrade commands.
Supported Upgrade Paths
For any 7.5 release prior to 7.5.8, or for any 7.6 release prior to 7.6.3, perform the following procedure to remove certain shadow endpoints.
- Set up port forwarding to access the Resource Dictionary service.
- Optionally, but as a best practice, perform a dry run by running the following command.
curl -X POST 'localhost:5000/api/clean-up/resource-dictionary?dryRun=true' -H 'Content-Type: application/json'
To perform a dry run for a particular specification, run the following command instead.
curl -X POST 'localhost:5000/api/clean-up/resource-dictionary/{spec-id}?dryRun=true' -H 'Content-Type: application/json'
Check the resource-dictionary logs for a list of what the operation will actually delete.
- To perform cleanup on all specifications, run the following command.
curl -X POST 'localhost:5000/api/clean-up/resource-dictionary' -H 'Content-Type: application/json'
To perform cleanup on a particular specification, run the following command instead.
curl -X POST 'localhost:5000/api/clean-up/resource-dictionary/{spec-id}' -H 'Content-Type: application/json'
Replace {spec-id} with the specification ID of the specification to clean up.
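The procedure above can be wrapped so that the destructive call never runs before a dry run and a log review. The following script is an added example, not Cequence's own tooling. It assumes the port forward listens on localhost:5000, that specification IDs contain only letters, digits, hyphens and underscores, and that the service answers a successful request with an HTTP 2xx status.

```shell
#!/bin/sh
# Added example: dry-run-first wrapper around the cleanup calls shown above.
# Assumes the port forward from the first step listens on localhost:5000.
BASE_URL="${BASE_URL:-http://localhost:5000}"

# Print the cleanup URL. $1 = dry|real, $2 = optional specification ID.
cleanup_url() {
  cu_url="$BASE_URL/api/clean-up/resource-dictionary"
  if [ -n "${2:-}" ]; then
    # Assumed ID charset: refuse anything that could alter the path or query.
    case "$2" in
      *[!A-Za-z0-9_-]*) echo "invalid spec id: $2" >&2; return 2 ;;
    esac
    cu_url="$cu_url/$2"
  fi
  if [ "$1" = "dry" ]; then cu_url="$cu_url?dryRun=true"; fi
  printf '%s\n' "$cu_url"
}

# POST to the cleanup URL; succeed only on an HTTP 2xx status (assumed
# success signal; the page does not document the response).
post_cleanup() {
  pc_url="$(cleanup_url "$@")" || return 2
  pc_status="$(curl -sS -o /dev/null -w '%{http_code}' -X POST "$pc_url" \
    -H 'Content-Type: application/json')" || return 1
  case "$pc_status" in
    2??) return 0 ;;
    *) echo "HTTP $pc_status from $pc_url" >&2; return 1 ;;
  esac
}

# Dry run, pause so the operator can read the logs, then the real cleanup.
main() {
  case "$1" in --all) m_spec="" ;; *) m_spec="$1" ;; esac
  post_cleanup dry "$m_spec" || { echo "dry run failed; nothing deleted" >&2; return 1; }
  echo "Dry run sent. Check the resource-dictionary logs for the deletion list."
  printf 'Type DELETE to run the real cleanup: '
  read -r m_answer
  [ "$m_answer" = "DELETE" ] || { echo "aborted; nothing deleted"; return 1; }
  post_cleanup real "$m_spec"
}

# Usage: cleanup.sh --all | cleanup.sh <spec-id>. No argument: do nothing.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with `--all` to clean every specification or with a single specification ID; with no argument it only defines the functions.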
Non-Supported Upgrade Path
No upgrade paths are supported for releases 7.3 and earlier.
Upgrade Impact
Some fixes in this release have specific upgrade impacts.
CEQASP-6930 Add Additional Restricted Classes to MVEL and JEXL scripts, configurable from helm
When the value of the scriptProtectionEnabled flag is false, there is no upgrade impact from this fix. This is the default behavior.
When the value of the scriptProtectionEnabled flag is true, Data Extractions and Fraud Rules do not execute when a Restricted Class is used, such as java.io.File.
CEQASP-6778: Backend APIs to call ML models
When there is an existing Airflow Install, check the Airflow privileges after the upgrade. See the following example.
CLOPS-12304: Update Airflow "User" role privileges
Run the following script before upgrading the Cequence UAP platform.
#!/bin/bash
NAMESPACE="your-namespace" # Replace with your namespace
# Get the scheduler pod name
SCHEDULER_POD=$(kubectl get pods -n "$NAMESPACE" -l component=scheduler -o jsonpath="{.items[0].metadata.name}")
if [ -z "$SCHEDULER_POD" ]; then
  echo "Error: Scheduler pod not found in namespace $NAMESPACE"
  exit 1
fi
# Execute the command in the scheduler pod and stop if it fails
if ! kubectl exec -it "$SCHEDULER_POD" -n "$NAMESPACE" -- airflow roles add-perms \
  -a can_create can_delete can_edit can_read menu_access \
  -r Variables \
  -v User; then
  echo "Error: Failed to update permissions"
  exit 1
fi
echo "Permissions updated successfully"
Compatibility Matrix
The Cequence UAP platform release 7.7 requires the following minimum versions of other Cequence components.
Component | Version |
Cequence Defender | 5.3.2 |
Cequence Bridge | 5.3.2 |
Cequence Sensor | 4.1 |
On-Premises Deployments
Package | Version | Location |
Helm Chart | 7.7.0 | https://cequence.gitlab.io/helm-charts/ |