General availability: 15 July 2026
The 9.1 release of the Cequence Unified API Protection (UAP) platform refines the inventory and risk-scoring engine introduced in release 9.0, reduces noise in the API inventory, gives administrators more direct control over managing risk rules and issues, and adds finer-grained access control for Risk Posture data.
Upgrading from 8.x
Most customers upgrading to release 9.1 come directly from release 8.x rather than from release 9.0. Read this article together with the Cequence UAP 9.0 release note, which covers the full set of changes introduced since release 8.x, including inventory scale, compliance-ready risk rules, the built-in AI Assistant and MCP server, and updated terminology. Also read the Cequence UAP 8.x to 9.x upgrade and rollback guide, which covers what carries forward, what needs to be redone, and how to plan your upgrade window. This article covers only what changed and what was fixed in release 9.1.
API inventory
Release 9.1 applies a stricter default standard to Undocumented and Shadow endpoints before adding them to inventory. Only response codes that indicate a real endpoint (2xx or 3xx) qualify. Documented endpoints (those matched to a spec) are unaffected and continue to accept any response code. This change keeps automated scanners and probes hitting nonexistent paths from polluting your inventory counts.
When you upload a spec or create a custom parameterization rule, the Cequence UAP platform automatically collapses and removes the previously seen raw, unparameterized endpoints that the new spec or rule replaces. Counts update immediately across the Inventory, Executive Summary, and Posture Management dashboards, so you don't need a separate manual cleanup step afterward.
Risk Posture
A new bulk action on any risk rule, Clear all issues associated with this risk, enables you to remove every issue tied to that rule in a single step. The confirmation dialog shows the issue count before and after the action, so you can see the impact before you commit. Use this action when a misconfigured or noisy rule floods Risk Posture with findings that you want to clear and re-triage from a clean slate.
Once a single risk rule accumulates 1,000 open issues, new issue creation for that rule pauses automatically. The underlying risk stays visible, but the rule stops generating further issues until you act. An in-UI indicator prompts you to tune the rule (through parameterization, authentication, or specs) or manually resume issue creation. This prevents a single misfiring rule from overwhelming Risk Posture with repetitive findings.
Risk Posture now has its own dedicated Admin and Viewer roles, separate from the existing Inventory Admin and Viewer roles. This enables you to restrict who can see risk findings independently of who can see general API inventory data, which is useful for organizations that separate security-posture visibility from API-catalog access.
Not in this release
A few items on the near-term roadmap are not in the initial 9.1 release.
| Item | Planned availability |
| CSV export from API Inventory | Temporarily unavailable in 9.1. Cequence plans to reintroduce it, enhanced, in a future release. |
| Bulk spec upload and deletion | Specs are added and deleted one at a time in 9.1. Bulk actions are targeted for a future release. |
| Multiple hosts in a single Cequence-generated spec | A generated spec is scoped to one host in 9.1. You can add hosts to an existing spec through the spec-update process. Automatic multi-host generation is targeted for a future release. |
| Custom risk categories for grouping custom rules | Not included in 9.1. Still planned for a future release. |
Data plane version dependency
The inventory and parameterization improvements in release 9.1 depend on a current data plane. When you ingest traffic through Cequence's own sensors, the components listed below must meet the following minimum versions to support the new behavior in this release.
| Component | Version required |
| Defender | 6.3 or later |
| Network Sensor | 5.2 or later |
| Cequence Bridge | Current release |
| eBPF Sensor | Current release |
| Sensor-bridge plugins | Current release |
An older sensor continues to function against a release 9.1 control plane but does not apply the new inventory and parameterization behavior. If your traffic instead arrives through a third-party integration or an API-based ingestion path, for example a gateway or API management platform pushing data through the Platform API, there is no data-plane version dependency for this release. Only the Cequence UAP platform version applies.
The Platform 9.1 Release and Upgrade Guide covers full upgrade sequencing and prerequisites.
Fixed issues
This section lists issues resolved in the 9.1 release line.
9.1.0 fixed issues
Very large or highly nested inventory records no longer hit indexing limits in Elasticsearch.
Inventory no longer represents the same endpoint more than once, correcting a class of endpoint ID deduplication issues.
This release resolves risk rule evaluation logic issues introduced with the 9.0 CEL-based rules engine.
This release hardens the validation checks that run during a version upgrade, catching configuration issues earlier and more clearly.