Security vendors and their customers have spent considerable time debating where to draw the line between “legitimate” AI agents and “malicious” bots. A 31-day campaign against a major consumer platform’s authentication infrastructure settled the argument. In the context of unauthorized API access at machine speed, the two can be the same problem.
The threat wore a friendly face
This particular attack did not come from a criminal botnet. It grew out of an open-source Python library that let AI assistants, home automation platforms, and custom agents log into the platform on behalf of legitimate users and pull their data. The library began life as a convenience tool, but it ended as a globally distributed authentication weapon.
Three properties turned a helpful utility into a security event. It authenticated at machine speed, firing login requests from thousands of IP addresses at rates no human flow approaches. It carried no legitimate session context, posting credentials straight to the mobile login endpoint and skipping the browser session that real users establish. And it operated at ecosystem scale, embedded across home automation integrations, AI assistant connectors, and chat tools that aggregated traffic from hundreds of thousands of end users at once.
Over the 31-day campaign, Cequence detected and blocked more than 3.51 million unauthorized authentication attempts, peaking at 241,000 blocks in a single day.
What was at risk
The stakes ran in two directions. Every request still consumed real infrastructure, and millions of machine-speed login attempts forced the platform to provision compute, bandwidth, and scaling headroom to absorb traffic that returned no legitimate value. A third party’s automation became a direct line item on the platform’s cloud bill, causing costs to escalate in lockstep with the attack.
The second risk was sharper. These were authentication endpoints, and the accounts behind them held personally identifiable information alongside health and fitness data subject to regulatory protection. Programmatic access at this volume, with no human anywhere in the loop, turns that surface into a standing data-leakage and compliance exposure. Cost was the visible problem, but sensitive data was the one that mattered most.
Why client-side defense never had a chance
AI agents do not run browsers. They issue direct HTTP requests, frequently from clean residential IPs, with plausible headers and valid credentials. That breaks the assumptions behind most bot defenses. JavaScript challenges, browser SDK telemetry, and device fingerprinting all depend on a client that executes their code. These agents execute nothing.
So, detection was entirely network-based. The primary mechanism, Cequence’s Intent Graph capability, analyzes behavior rather than headers or user agents. Agent-driven clients never establish a normal browser session before authenticating, and their cookie handling is statistically distinct from human sessions. That one signal accounted for 3.09 million of the 3.51 million blocks, across just 118 unique fingerprints. No amount of header spoofing reproduces genuine browser cookie orchestration.
Supporting models filled the gaps. Authentication flow analysis flagged anomalous request-context distributions. Machine learning models trained on years of API traffic caught timing, parameter, and sequencing patterns that diverged from the human norm. Geographic anomaly policies caught single fingerprints driving logins from dozens of countries at once.
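The two server-side signals described above, missing session context before login and one fingerprint logging in from many countries, can be sketched over request logs. This is an added example, not Cequence's Intent Graph or any code from the campaign; the event layout, the fingerprint labels, the /mobile/login path, and both thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

LOGIN_PATH = "/mobile/login"   # assumed path for the mobile login endpoint
MAX_COUNTRIES = 3              # assumed limit on login countries per fingerprint
MIN_SESSIONLESS_RATIO = 0.9    # assumed share of logins lacking session context

# Constructed sample events:
# (fingerprint, country, method, path, cookie_sent, cookie_set_by_server)
EVENTS = [
    # Browser-like flow: a page load issues a session cookie, login presents it.
    ("fp-browser", "US", "GET", "/", None, "s1"),
    ("fp-browser", "US", "POST", LOGIN_PATH, "s1", None),
    ("fp-browser", "US", "GET", "/", None, "s2"),
    ("fp-browser", "US", "POST", LOGIN_PATH, "s2", None),
    # Library-like flow: credentials posted directly, from many countries.
    ("fp-agent", "US", "POST", LOGIN_PATH, None, None),
    ("fp-agent", "DE", "POST", LOGIN_PATH, None, None),
    ("fp-agent", "BR", "POST", LOGIN_PATH, "forged", None),
    ("fp-agent", "JP", "POST", LOGIN_PATH, None, None),
]

def flag_fingerprints(events):
    """Return {fingerprint: sorted list of reasons} for suspicious clients."""
    issued = set()                  # (fingerprint, cookie) pairs the server handed out
    logins = defaultdict(int)       # login attempts per fingerprint
    sessionless = defaultdict(int)  # logins without a server-issued session
    countries = defaultdict(set)    # login source countries per fingerprint
    for fp, country, method, path, sent, set_cookie in events:
        if set_cookie:
            issued.add((fp, set_cookie))
        if method == "POST" and path == LOGIN_PATH:
            logins[fp] += 1
            countries[fp].add(country)
            if (fp, sent) not in issued:  # covers missing and never-issued cookies
                sessionless[fp] += 1
    flagged = {}
    for fp, total in logins.items():
        reasons = []
        if sessionless[fp] / total >= MIN_SESSIONLESS_RATIO:
            reasons.append("no_session_context")
        if len(countries[fp]) > MAX_COUNTRIES:
            reasons.append("geo_spread")
        if reasons:
            flagged[fp] = sorted(reasons)
    return flagged

if __name__ == "__main__":
    print(flag_fingerprints(EVENTS))
```

Neither check reads a header or user-agent value, so rotating those leaves the result unchanged.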
The most telling number: 82 percent of blocked traffic scored below 50 on the bot confidence scale. These agents were not obviously bot-like. They were caught because their behavior, not their headers, gave them away.
The adversary fought the wrong war
What makes this case instructive is that the attacker community ran its evasion effort in public, across code repositories and forum threads. Every theory was visible, and every theory was unsuccessful.
Operators rotated user-agent strings across ten variants, convinced user agent (UA) diversity triggered the blocks. They switched SSO constants and rewrote headers, shipping sixteen commits in 48 hours. They migrated from cloud runners to self-hosted infrastructure, assuming IP reputation was the cause. Finally, they reached for Playwright, driving headless Chromium to mimic a real browser session. Each pivot failed, because none of them touched the behavioral fingerprint underneath.
Cequence amplified the confusion deliberately. Short cache lifetimes let blocked fingerprints expire intermittently, producing occasional successes that read as progress. When one operator believed UA rotation was working, the cache lifetime jumped to 24 hours and the successes stopped. He reverted to a static user agent, concluded rotation was the problem, and never found the real vector.
Here is the asymmetry that matters. The defender operated from behavioral truth, while the attackers chased surface-level theories. They never identified Cequence at all, attributing every block to the platform’s own infrastructure. Detection that does not telegraph itself forces the adversary to debug a system they cannot see.
The library was officially deprecated weeks into the campaign. Its maintainer cited authentication barriers that could not be overcome. The downstream ecosystem collapsed with it.
What defenders should take away
Three lessons carry beyond this one incident.
Treat AI agents as bots.
Whether traffic comes from a developer script, a home automation plugin, or an AI assistant, unauthorized API access at machine speed is a bot attack. Intent does not change the security profile.
Move detection to the server.
The client is no longer a reliable place to observe anything. Behavioral analysis trained on real API traffic is the only layer that sees an agent for what it is.
Trust behavior over presentation.
Headers, user agents, and IPs are presentation layer, and attackers tune them freely. Cookie orchestration, session sequencing, and request-context distributions reflect how a client actually behaves, and library code cannot fake them at scale.
The agentic AI threat is not coming. It is here, and it looks exactly like a bot attack.