The Cequence Unified API Protection (UAP) platform 9.0 focuses on three areas that benefit API Security customers: a platform that keeps up with large API estates without slowing down, compliance coverage that is ready to use on day one, and an AI Assistant that makes the product accessible to any team regardless of API security expertise. This release also introduces meaningful improvements to how you document, organize, and detect risk across your APIs.
Fresh install required
Release 9.0 is intended for new customers and requires a fresh installation. Upgrade paths for existing customers on earlier releases will become available in a future release. Refer to the UAP 9.0 installation guide for prerequisites and installation steps.
Scale and performance
Release 9.0 raises the active endpoint ceiling to two million and delivers sub-five-second load times across all views and APIs regardless of endpoint count. A published, versioned OpenAPI specification for the API Security component is now available directly from the product and kept in sync with each release.
The published specification enables third-party integrations with any tool that can consume an OpenAPI spec, supports custom automation workflows with a stable documented contract, and provides predictable versioning so integrations built against one release continue to work and breaking changes are communicated in advance.
Compliance-ready risk rules
Release 9.0 ships with a risk rules library of 250 or more pre-built rules mapped to 25 or more global compliance and security frameworks. Covered frameworks include OWASP API Security Top 10, OWASP Web Top 10, PCI DSS, GDPR, HIPAA, SOC 2, ISO 27001, NIST CSF, LGPD (Brazil), SAMA (Saudi Arabia), and additional regional frameworks. All framework categories are available on install but disabled by default. It is recommended to start with the API Security Posture category, which is enabled by default, to tune your environment before expanding coverage and minimizing false positives from missing configuration.
Each risk rule includes a Test Expression panel where you can paste sample request and response data and verify whether the rule fires before activating it. Rules can also be set to observe traffic without creating formal issues by setting the risk score to zero. This makes it practical to enable new compliance categories incrementally without generating a flood of unreviewed findings.
Once a compliance category is enabled, you can generate an audit-ready report for that framework through the AI Assistant. Reports are built from your live data and include findings mapped to the framework's specific controls, risk scores by control area, and remediation guidance for each gap.
AI Assistant and MCP server preview
Release 9.0 previews a feature that exposes API Security capabilities through a built-in MCP (Model Context Protocol) server. MCP is an open standard that gives any AI agent a structured, tool-based interface to interact with the platform directly. This is the foundation for all AI interaction with the Cequence UAP platform, including the built-in AI Assistant.
The AI Assistant is accessible from the top-right corner of the interface and accepts natural language questions about your current environment. You can act on findings directly from the conversation without navigating the UI. The assistant can enable or disable risk rules, add authentication types, suppress sensitive data patterns, and generate compliance reports.
This capability is available to all customers at no additional licensing cost. Customers who need higher usage or prefer to use their own LLMs can supply their own API keys. Contact Cequence support for additional information.
On-premises deployments require outbound HTTPS access from the UAP cluster to the model provider's API endpoints. Configure firewall rules accordingly, or supply your own API key through a model provider accessible from your network. The assistant is disabled by default. To enable the assistant entirely, set aiAssistant.enabled: true in the Helm configuration.
API inventory
Endpoint classification terminology has been updated across the platform to use more intuitive language. Published is now Documented for endpoints defined in an API specification. Discovered is now Undocumented for endpoints present in traffic but absent from any specification. Shadow is unchanged. This applies across all dashboards, inventory views, filters, and risk posture displays. Update any saved reports, documentation, or internal processes that reference "Published" or "Discovered" endpoints.
The Summary Dashboard now reports on Active APIs, the count of APIs with observed traffic in the selected time window, rather than a total lifetime count. The count changes as you adjust the time range filter. The Posture Management dashboard has been reorganized to surface the most actionable information first, with risk findings grouped and filtered to support the triage workflow from identifying high-priority issues through to tracking remediation status.
API specifications and parameterization
API specifications now open in a built-in viewer with structured pretty-print and raw YAML, without requiring a download. When generating a spec from traffic, you can configure authentication on a per-endpoint basis and mark specific endpoints as intentionally public to prevent false positive "no authentication" findings on ungated APIs.
A new Clear Risk and Issues action is available on each API Definition. This clears all associated risks and issues without deleting the spec, and is useful after updating parameterization, uploading a revised spec version, or resolving underlying issues when you want a clean baseline for the next evaluation cycle.
Spec generation from traffic now fetches all endpoints associated with the target host in the background, so the resulting spec is complete regardless of endpoint count. This removes the previous limit of 1,000 endpoints visible in the current UI page.
Parameterization now supports four methods: position-based (available in previous releases), pattern-based using a regular expression, preceding-element-based for elements that follow a known keyword, and host-based for environments where the host itself contains variable elements. Custom rules are created through a guided wizard that includes a Preview Impact step showing which endpoints the rule would affect before you save it.
Parameterization must be applied before generating a spec. If you generate a spec first and then parameterize, you will need to delete the spec and its associated issues, apply parameterization, and regenerate.
If a spec is loaded for a service, parameterization defined in that spec takes precedence over all system and custom rules. To change parameterization for a spec-covered endpoint, update the spec itself.
Platform observability (on-premises)
On-premises deployments can now enable an optional observability stack, including Grafana, Prometheus, Tempo, and OpenTelemetry, that provides end-to-end tracing across the API Security pipeline. Pre-built dashboards show API call volumes, error rates, and slowest queries. Trace IDs are surfaced in UI error messages so they can be included in support tickets when troubleshooting specific incidents. The bundle is disabled by default and must be explicitly enabled at installation time.
Removed in this release
The following capabilities are removed in release 9.0.
| Removed capability | Context |
| API Definition Groups | Removed pending a cleaner implementation. Will be addressed when the Teams feature is introduced, targeted for Q4 2026. |
| Hosts page | Removed. Host-level information is accessible through the API Inventory and API Definitions views. |
| Sensitive Data Dashboard | Temporarily removed pending a redesign. Sensitive data detection and configuration remain fully functional through Posture Management > Configuration > Sensitive Data Expressions and the Risk Posture view. Will return in a future release. |
Not in this release
The following items were on the roadmap for release 9.0 but did not ship. Planned availability is noted where confirmed.
| Item | Planned availability |
| CSV export from API Inventory | Targeting release 9.1. |
| Bulk spec upload | Under investigation due to host collision logic. Targeted for a future release. |
| Parameterization rules in Cequence-generated specs | Targeted for a future release as part of enhanced spec management. |
| Multiple hosts in a single Cequence-generated specification | Customers can modify existing specifications to add multiple hosts manually. |
| Automatic endpoint deletion when a spec is deleted | Will be reintroduced in a future release. |
| Custom risk categories for grouping custom rules | Will be introduced in a future release. |
| OpenAPI 2.x (Swagger) official support | Subject to market demand. |
Defender compatibility
The following table summarizes Defender compatibility requirements for this release.
| UAP release | Defender release | Compatibility |
| 8.6.x | 6.1.0 or later | Compatible |
| 9.0.0 or later | 6.2.0 or later | Required |
Fixed issues
Release 9.0.0
Risk rule CEL expressions now match their rule titles and descriptions, ensuring accurate detection across all system-defined risk rules.
Endpoint exposure classification now correctly identifies private and loopback IP-literal hosts (RFC1918, CGNAT, loopback, link-local) as internal.
User sessions no longer end unexpectedly before the configured expiry time due to a race condition in the silent token refresh flow.
Image references in the ceqasp Helm chart now resolve correctly for the 9.0.x release branch.
API definitions can now be generated from the API Endpoint detail modal in environments with more than 1,000 discovered endpoints.
The Risk Details panel header now displays the correct section title and field layout.
Table search now operates across all available rows, not only the currently loaded page.
API specification uploads of up to 50 MB and 10,000 endpoints now complete successfully.
Issue count indicators on the Summary Dashboard Run-Time card now display within the card boundary without overflow or clipping.
Leading and trailing spaces are now stripped from URLs entered in the URL Parameterization field, including values that are copied and pasted.
Active API counts on the Summary Dashboard Inventory card now match the sum of internal, external, and third-party endpoint counts.
Percentage change indicators have been removed from the Inventory tile on the Executive Dashboard to prevent misleading display of zero-change values.
Navigating to Posture Management by selecting the Active APIs count on the Summary page now correctly pre-selects the Active Endpoints filter.
Host and IP parameterization system rules are now visible and configurable in the UAP interface.
API Security license usage data now displays correctly on the System Usage license dashboard.
System URL discovery rules delivered to Defender 6.2 from UAP 9.0 now match the expected rule set from prior releases, with the intended additions.
The Score filter on the Endpoints screen now accepts values across the full 0–100 range used by custom risk rules.
A CEL expression escaping error in the risk rule for error response information leakage has been corrected, and the rule now evaluates without compilation errors.
Applying filters on the Risk Details page no longer causes status tab counts to display as zero, and the Clear Filters control now functions correctly.
The API Definitions count on the Posture Management dashboard now reflects the correct value for the selected API host filter.
Custom risk rules with a score of zero no longer generate issues in the Risk Posture view.
Navigating from the Endpoint details Transaction tab to the Transactions screen now applies the correct filters and clears previously active filters.
Elasticsearch index lifecycle management retention policies are now applied to the API Security V2 indices introduced in 9.0, preventing unbounded index growth.
The page size selector on the Endpoints screen now retains its displayed value correctly after filter changes.
The authentication detection used by risk rules now consults the full auth-types catalog configured in inventory settings, eliminating false positives and false negatives for custom and query-parameter-based auth types.
The Auth filter dropdown on the Risk Details page no longer displays duplicate entries for auth types such as No Auth and Basic Auth.
Sorting by the API Definition column on the Endpoints screen now functions correctly in both ascending and descending order.
The cequence-airflow component now starts correctly in standard installations following a regression introduced when adding support for read-only filesystem environments.
Sorting has been removed from the Sensitive Data and Risks columns on the Endpoints screen, where multi-value content made alphabetical sorting misleading.
Deleting an API definition while a search filter is active no longer requires clearing the search to reflect the deletion in the table.