Context Usage Breakdown
You can now see a breakdown of your agent's context usage.
Use these stats to diagnose context issues and improve your setup across rules, skills, MCPs, and subagents.
Model controls, spend management, and usage analytics
This release introduces updates for Enterprise admins: a new system for model controls, updated spend management, and more detail for usage analytics.
Model access controls
Admins can now set more granular allow or blocklists at the model and provider level. You can block entire providers or specific model configurations for speed and context window size.
Enterprises also have the option to block new providers or model versions by default.
Customers with existing blocklists will need to migrate to the new system by June 1st. Admins should go to their team model settings in the Cursor dashboard to get started.
Soft spend limits and intelligent alerts
Admins can now set soft limits instead of hard limits to avoid blocking users. Cursor can also monitor usage and sends automatic alerts to users reaching 50%, 80%, and 100% of their soft or hard limits.
This keeps users productive while giving admins and users visibility into consumption patterns.
Go to the spend management settings in the Cursor dashboard to get started.
Updated usage analytics tab
Admins can now filter usage by specific users, or break it down by product surface: clients, Cloud Agents, automations, Bugbot, and Security Review.
Go to the usage analytics tab in the Cursor dashboard to get started.
Team Marketplace Updates
Admins can now create a team marketplace without connecting a repository first. Add, remove, and configure install behavior for first-party plugins directly in team marketplace settings.
Plugins bundle capabilities like MCP servers, skills, subagents, rules, and hooks that extend agents with custom functionality. Each plugin can be distributed in one of three ways:
- Default Off: users can discover and opt in
- Default On: users get the plugin installed by default, but can opt out
- Required: users always have the plugin and cannot uninstall it
Get started in the Cursor dashboard.
Cursor Security Review
Cursor Security Review is now in beta on Teams and Enterprise plans. You can run two types of always-on security agents: Security Reviewer and Vulnerability Scanner.
Security Reviewer
Security Reviewer checks every PR for security vulnerabilities, auth regressions, privacy and data-handling risks, agent tool auto-approvals, and prompt injection attacks. It will leave inline comments at the exact diff location with severity and remediation.
Vulnerability Scanner
Vulnerability Scanner runs scheduled scans of your codebase to check for known vulnerabilities, outdated dependencies, and configuration issues. You can configure it to send updates of its findings in Slack.
Customize Cursor-managed security agents by adjusting triggers, adding your own instructions, giving them custom tooling, and choosing how outputs are shared. For example, you can plug in MCP servers for your existing SAST, SCA, and secrets scanners for Cursor to use as part of the review.
We're also continuously improving the runtime, harness, and models powering Cursor Security Review for a strong out-of-the-box experience.
Security agents draw from your existing usage pool. Admins can enable Security Review in the Cursor dashboard to get started.
Build programmatic agents with the Cursor SDK
We're introducing the Cursor SDK so you can build agents with the same runtime, harness, and models that power Cursor.
The agents that run in the Cursor desktop app, CLI, and web app are now accessible with a few lines of TypeScript. Run it on your machine or on Cursor's cloud against a dedicated VM, with any frontier model.
Run npm install @cursor/sdk to get started. You can also use Cursor's native /sdk skill to help you start building.
import { Agent } from "@cursor/sdk";
const agent = await Agent.create({
apiKey: process.env.CURSOR_API_KEY!,
model: { id: "composer-2" },
local: { cwd: process.cwd() },
});
const run = await agent.send("Summarize what this repository does");
for await (const event of run.stream()) {
console.log(event);
}We built a few sample projects that you can access from a public repo. Fork and extend them for your own use case.
The Cursor SDK is now available for all users in public beta and is billed based on standard, token-based consumption pricing. Learn more in our announcement and docs.
- Reworked the API around durable agents and per-prompt runs, so follow-ups, status, streaming, and cancellation are now run-scoped.
- Added first-class run streaming with SSE events, reconnect support via
Last-Event-ID, and clearer terminal states. - Added explicit agent lifecycle controls with archive, unarchive, and permanent delete.
- Standardized v1 response and error shapes, including structured error codes,
itemslist responses, and separateagent/runobjects.