[{"data":1,"prerenderedAt":2416},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":99,"navbar-resource-highlight":173,"use-case-page":219,"fa-icon-regular-faFishingRod":1241,"fa-icon-regular-faPuzzlePiece":1245,"fa-icon-regular-faUserSecret":1247,"fa-icon-regular-faRadar":1249,"fa-icon-regular-faLaptopCode":1251,"fa-icon-regular-faSatelliteDish":1253,"fa-icon-regular-faShieldCheck":1255,"fa-icon-regular-faBrainCircuit":1257,"blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline":1259},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"yi7z404vj3c",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"query":41,"data":42,"variations":88,"lastUpdated":89,"firstPublished":90,"testRatio":23,"createdBy":91,"lastUpdatedBy":92,"folders":93,"meta":94,"rev":98},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":84},"ewrererw","testrfesssssssssss",[46,72],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":62},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":61},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":60,"fontSize":58,"url":55},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":63},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"marginTop":69,"marginBottom":69,"fontSize":70,"fontWeight":71},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":73,"@type":47,"tagName":74,"properties":75,"responsiveStyles":79},"builder-pixel-uzfz7wwcyrs","img",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":80},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},"block","hidden","none",{"deviceSize":85,"location":86},"large",{"path":29,"query":87},{},{},1775137295127,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":95,"hasLinks":6,"kind":96,"lastPreviewUrl":97,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","1houqx9w6g8",[100,136],{"createdDate":101,"id":102,"name":103,"modelId":104,"published":13,"stageModifiedSincePublish":6,"query":105,"data":106,"variations":129,"lastUpdated":130,"firstPublished":131,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":132,"meta":133,"rev":135},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":107,"type":108,"testimonialLink":109,"testimonial":110},{},"testimonial","/customer-stories/inductive-automation",{"@type":111,"id":112,"model":108,"value":113},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":114,"folders":115,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":119,"variations":123,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":126,"rev":128},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":120,"jobTitle":121,"quote":117,"image":122},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":127,"hasAutosaves":34},{"small":32,"medium":33},"8p1q0zmamto",{},1776247404986,1776247404973,[],{"breakpoints":134,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"b32avc60j84",{"createdDate":137,"id":138,"name":139,"modelId":104,"published":13,"meta":140,"stageModifiedSincePublish":6,"query":142,"data":143,"variations":169,"lastUpdated":170,"firstPublished":171,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":172,"rev":135},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":141,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":144,"link":163,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":146},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":147,"folders":148,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":151,"variations":157,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":160,"rev":162},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":161,"hasAutosaves":34},{"small":32,"medium":33},"c0zi9ojalyw",{"text":164,"url":165},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[174,197],{"createdDate":175,"id":176,"name":139,"modelId":177,"published":13,"meta":178,"stageModifiedSincePublish":6,"query":180,"data":181,"variations":192,"lastUpdated":193,"firstPublished":194,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":195,"rev":196},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":179,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":182,"link":191,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":183},{"query":184,"folders":185,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":186,"variations":187,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":188,"rev":190},[],[],{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":189,"hasAutosaves":34},{"small":32,"medium":33},"ggckvjveswn",{"text":164,"url":165},{},1776256937553,1776256937540,[],"5qb3o27dq8o",{"createdDate":198,"id":199,"name":200,"modelId":177,"published":13,"stageModifiedSincePublish":6,"query":201,"data":202,"variations":213,"lastUpdated":214,"firstPublished":215,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":216,"meta":217,"rev":196},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":203,"type":108,"testimonial":204,"testimonialLink":109},{},{"@type":111,"id":112,"model":108,"value":205},{"query":206,"folders":207,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":208,"variations":209,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":210,"rev":212},[],[],{"author":120,"jobTitle":121,"quote":117,"image":122},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":211,"hasAutosaves":34},{"small":32,"medium":33},"2hjaj4auy2w",{},1776256974140,1776256974130,[],{"breakpoints":218,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[220,404,523,642,760,880,1000,1120],{"createdDate":221,"id":222,"name":223,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":225,"data":231,"variations":392,"lastUpdated":393,"firstPublished":394,"testRatio":23,"screenshot":395,"createdBy":91,"lastUpdatedBy":396,"folders":397,"meta":398,"rev":403},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[226],{"@type":227,"property":228,"operator":229,"value":230},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":232,"customFonts":233,"seoTitle":281,"title":281,"tsCode":29,"seoDescription":282,"fontAwesomeIcon":283,"jsCode":29,"blocks":284,"url":230,"state":389},[],[234],{"family":235,"kind":236,"version":237,"lastModified":238,"files":239,"category":258,"menu":259,"subsets":260,"variants":263},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"800italic":248,"900italic":249,"700italic":250,"100italic":251,"italic":252,"regular":253,"200italic":254,"500italic":255,"300italic":256,"600italic":257},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[261,262],"latin","latin-ext",[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[285,384],{"@type":47,"@version":48,"tagName":286,"id":287,"children":288},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[289,306,314,321,333,348,359,370,376],{"@type":47,"@version":48,"layerName":290,"id":291,"component":292,"responsiveStyles":303},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":290,"options":293,"isRSC":61},{"title":281,"description":294,"points":295,"video":302},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[296,298,300],{"item":297},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":299},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":301},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":304},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},"transparent",{"@type":47,"@version":48,"id":307,"component":308,"responsiveStyles":311},"builder-96634044407e491299e291ed64669e39",{"name":309,"options":310,"isRSC":61},"TrustedBy",{"AllPartners":34,"backgroundTransparent":6},{"large":312},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},"#000",{"@type":47,"@version":48,"id":315,"component":316,"responsiveStyles":319},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":317,"options":318,"isRSC":61},"Diagonal",{"darkMode":34},{"large":320},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":322,"id":323,"component":324,"responsiveStyles":331},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":322,"tag":322,"options":325,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":328,"description":329,"animatedTitle":29,"image":330,"reverse":6,"descriptionPaddingHorizontal":61},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":332},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":334,"component":335,"responsiveStyles":343},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":336,"options":337,"isRSC":61},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":340,"description":341,"reverse":34,"image":342},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":344},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},"DM Sans, sans-serif","20px","0px",{"@type":47,"@version":48,"id":349,"component":350,"responsiveStyles":356},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":336,"options":351,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":353,"description":354,"reverse":6,"image":355},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":357},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},"36px",{"@type":47,"@version":48,"layerName":336,"id":360,"component":361,"responsiveStyles":367},"builder-42c32198083f4880acb37c5cb76934da",{"name":336,"options":362,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":364,"description":365,"reverse":34,"image":366},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":368},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},"47px",{"@type":47,"@version":48,"id":371,"component":372,"responsiveStyles":374},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":317,"options":373,"isRSC":61},{"darkMode":6},{"large":375},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":377,"component":378,"responsiveStyles":382},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":379,"tag":379,"options":380,"isRSC":61},"LatestResources",{"sectionHeading":29,"customClass":381},"bg-black",{"large":383},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":385,"@type":47,"tagName":74,"properties":386,"responsiveStyles":387},"builder-pixel-j1w4n3vbtof",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":388},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":390},{"path":29,"query":391},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":399,"winningTest":61,"breakpoints":400,"kind":401,"hasLinks":6,"originalContentId":402,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"page","2daa5670b8504fc7ba4700633e8bd921","9hyzgkgfdi",{"createdDate":405,"id":406,"name":407,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":408,"data":411,"variations":515,"lastUpdated":516,"firstPublished":517,"testRatio":23,"screenshot":518,"createdBy":91,"lastUpdatedBy":396,"folders":519,"meta":520,"rev":403},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[409],{"@type":227,"property":228,"operator":229,"value":410},"/uc/browser-extension-security",{"seoDescription":412,"jsCode":29,"fontAwesomeIcon":413,"tsCode":29,"title":407,"seoTitle":407,"customFonts":414,"inputs":419,"blocks":420,"url":410,"state":512},"Shine a light on risky browser extensions.","faPuzzlePiece",[415],{"kind":236,"family":235,"version":237,"files":416,"category":258,"lastModified":238,"subsets":417,"variants":418,"menu":259},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"100italic":251,"italic":252,"regular":253,"900italic":249,"800italic":248,"700italic":250,"200italic":254,"300italic":256,"500italic":255,"600italic":257},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],[],[421,507],{"@type":47,"@version":48,"tagName":286,"id":422,"meta":423,"children":424},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":287},[425,441,448,455,464,474,484,494,501],{"@type":47,"@version":48,"id":426,"meta":427,"component":428,"responsiveStyles":439},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":291},{"name":290,"options":429,"isRSC":61},{"title":407,"description":430,"points":431,"video":438},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[432,434,436],{"item":433},"Discover every browser extension in use",{"item":435},"Spot risky or unsanctioned behavior",{"item":437},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":440},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":442,"meta":443,"component":444,"responsiveStyles":446},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":307},{"name":309,"options":445,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":447},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":449,"meta":450,"component":451,"responsiveStyles":453},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":315},{"name":317,"options":452,"isRSC":61},{"darkMode":34},{"large":454},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":322,"id":456,"component":457,"responsiveStyles":462},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":322,"tag":322,"options":458,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":459,"description":460,"image":461,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":463},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":465,"meta":466,"component":467,"responsiveStyles":472},"builder-93738f98109a4009affb349afd7bb182",{"previousId":334},{"name":336,"options":468,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":469,"description":470,"reverse":34,"image":471},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":473},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":475,"meta":476,"component":477,"responsiveStyles":482},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":349},{"name":336,"options":478,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":479,"description":480,"reverse":6,"image":481},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":483},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":485,"meta":486,"component":487,"responsiveStyles":492},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":360},{"name":336,"options":488,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":489,"description":490,"reverse":34,"image":491},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":493},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":495,"meta":496,"component":497,"responsiveStyles":499},"builder-1a689287d1a1418997d57db578a71105",{"previousId":371},{"name":317,"options":498,"isRSC":61},{"darkMode":6},{"large":500},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":502,"component":503,"responsiveStyles":505},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":379,"tag":379,"options":504,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":506},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":508,"@type":47,"tagName":74,"properties":509,"responsiveStyles":510},"builder-pixel-sgkhwqafpcc",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":511},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":513},{"path":29,"query":514},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":401,"winningTest":61,"breakpoints":521,"lastPreviewUrl":522,"hasLinks":6,"originalContentId":222,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":524,"id":525,"name":526,"modelId":224,"published":13,"query":527,"data":530,"variations":633,"lastUpdated":634,"firstPublished":635,"testRatio":23,"screenshot":636,"createdBy":91,"lastUpdatedBy":637,"folders":638,"meta":639,"rev":403},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[528],{"@type":227,"property":228,"operator":229,"value":529},"/uc/account-takeover-detection",{"title":526,"customFonts":531,"jsCode":29,"seoTitle":526,"seoDescription":536,"fontAwesomeIcon":537,"tsCode":29,"blocks":538,"url":529,"state":630},[532],{"kind":236,"category":258,"variants":533,"menu":259,"files":534,"family":235,"subsets":535,"version":237,"lastModified":238},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"300italic":256,"500italic":255,"800italic":248,"700italic":250,"italic":252,"900italic":249,"600italic":257,"200italic":254,"regular":253,"100italic":251},[261,262],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[539,625],{"@type":47,"@version":48,"tagName":286,"id":540,"meta":541,"children":542},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":287},[543,559,566,573,582,592,602,612,619],{"@type":47,"@version":48,"id":544,"meta":545,"component":546,"responsiveStyles":557},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":291},{"name":290,"options":547,"isRSC":61},{"title":526,"description":548,"points":549,"video":556},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[550,552,554],{"item":551},"Identify credential-based ATO as it unfolds",{"item":553},"Surface hijacked sessions and token misuse",{"item":555},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":558},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":560,"meta":561,"component":562,"responsiveStyles":564},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":307},{"name":309,"options":563,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":565},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":567,"meta":568,"component":569,"responsiveStyles":571},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":315},{"name":317,"options":570,"isRSC":61},{"darkMode":34},{"large":572},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":574,"component":575,"responsiveStyles":580},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":322,"tag":322,"options":576,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":577,"description":578,"image":579,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":581},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":583,"meta":584,"component":585,"responsiveStyles":590},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":334},{"name":336,"options":586,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":587,"description":588,"reverse":34,"image":589},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":591},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":593,"meta":594,"component":595,"responsiveStyles":600},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":349},{"name":336,"options":596,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":597,"description":598,"reverse":6,"image":599},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":601},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":603,"meta":604,"component":605,"responsiveStyles":610},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":360},{"name":336,"options":606,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":607,"description":608,"reverse":34,"image":609},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":611},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":613,"meta":614,"component":615,"responsiveStyles":617},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":371},{"name":317,"options":616,"isRSC":61},{"darkMode":6},{"large":618},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":620,"component":621,"responsiveStyles":623},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":379,"tag":379,"options":622,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":624},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":626,"@type":47,"tagName":74,"properties":627,"responsiveStyles":628},"builder-pixel-v06dgltky8c",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":629},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":631},{"path":29,"query":632},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":640,"hasLinks":6,"originalContentId":222,"breakpoints":641,"winningTest":61,"kind":401,"hasAutosaves":34},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":643,"id":644,"name":645,"modelId":224,"published":13,"query":646,"data":649,"variations":752,"lastUpdated":753,"firstPublished":754,"testRatio":23,"screenshot":755,"createdBy":91,"lastUpdatedBy":637,"folders":756,"meta":757,"rev":403},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[647],{"@type":227,"property":228,"operator":229,"value":648},"/uc/attack-path-hardening",{"tsCode":29,"seoDescription":650,"jsCode":29,"customFonts":651,"fontAwesomeIcon":656,"seoTitle":645,"title":645,"blocks":657,"url":648,"state":749},"Harden access paths with visibility,  detection, and guardrails.",[652],{"kind":236,"files":653,"version":237,"lastModified":238,"subsets":654,"menu":259,"category":258,"variants":655,"family":235},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"regular":253,"italic":252,"800italic":248,"500italic":255,"600italic":257,"200italic":254,"900italic":249,"700italic":250,"100italic":251,"300italic":256},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"faRadar",[658,744],{"@type":47,"@version":48,"tagName":286,"id":659,"meta":660,"children":661},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":540},[662,678,685,692,701,711,721,731,738],{"@type":47,"@version":48,"id":663,"meta":664,"component":665,"responsiveStyles":676},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":544},{"name":290,"options":666,"isRSC":61},{"title":645,"description":667,"points":668,"video":675},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[669,671,673],{"item":670},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":672},"Monitor how users actually log in across apps, flows, and tools",{"item":674},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":677},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":679,"meta":680,"component":681,"responsiveStyles":683},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":560},{"name":309,"options":682,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":684},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":686,"meta":687,"component":688,"responsiveStyles":690},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":567},{"name":317,"options":689,"isRSC":61},{"darkMode":34},{"large":691},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":693,"component":694,"responsiveStyles":699},"builder-dec0246085e1485c803f7152b1922a81",{"name":322,"tag":322,"options":695,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":696,"description":697,"image":698,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":700},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":702,"meta":703,"component":704,"responsiveStyles":709},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":583},{"name":336,"options":705,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":706,"description":707,"reverse":34,"image":708},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":710},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":712,"meta":713,"component":714,"responsiveStyles":719},"builder-431d175c59004669b0b2776b07d71737",{"previousId":593},{"name":336,"options":715,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":716,"description":717,"reverse":6,"image":718},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":720},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":722,"meta":723,"component":724,"responsiveStyles":729},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":603},{"name":336,"options":725,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":726,"description":727,"reverse":34,"image":728},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":730},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":732,"meta":733,"component":734,"responsiveStyles":736},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":613},{"name":317,"options":735,"isRSC":61},{"darkMode":6},{"large":737},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":739,"component":740,"responsiveStyles":742},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":379,"tag":379,"options":741,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":743},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":745,"@type":47,"tagName":74,"properties":746,"responsiveStyles":747},"builder-pixel-tdpp1n7sj2",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":748},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":750},{"path":29,"query":751},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":401,"lastPreviewUrl":758,"breakpoints":759,"hasLinks":6,"originalContentId":525,"winningTest":61,"hasAutosaves":34},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":761,"id":762,"name":763,"modelId":224,"published":13,"query":764,"data":767,"variations":872,"lastUpdated":873,"firstPublished":874,"testRatio":23,"screenshot":875,"createdBy":91,"lastUpdatedBy":637,"folders":876,"meta":877,"rev":403},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[765],{"@type":227,"property":228,"operator":229,"value":766},"/uc/clickfix-protection",{"seoDescription":768,"fontAwesomeIcon":769,"customFonts":770,"seoTitle":775,"jsCode":29,"tsCode":29,"title":775,"blocks":776,"url":766,"state":869},"Block attacks that trick users into running malicious code.","faLaptopCode",[771],{"files":772,"subsets":773,"menu":259,"version":237,"kind":236,"family":235,"lastModified":238,"variants":774,"category":258},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"200italic":254,"800italic":248,"700italic":250,"600italic":257,"100italic":251,"italic":252,"regular":253,"300italic":256,"500italic":255,"900italic":249},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"ClickFix protection",[777,864],{"@type":47,"@version":48,"tagName":286,"id":778,"meta":779,"children":780},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":659},[781,797,804,811,821,831,841,851,858],{"@type":47,"@version":48,"id":782,"meta":783,"component":784,"responsiveStyles":795},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":663},{"name":290,"options":785,"isRSC":61},{"title":775,"description":786,"points":787,"image":794},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[788,790,792],{"item":789},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":791},"Block malicious copy-and-paste actions before code is executed",{"item":793},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":796},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":798,"meta":799,"component":800,"responsiveStyles":802},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":679},{"name":309,"options":801,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":803},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":805,"meta":806,"component":807,"responsiveStyles":809},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":686},{"name":317,"options":808,"isRSC":61},{"darkMode":34},{"large":810},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":812,"meta":813,"component":814,"responsiveStyles":819},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":693},{"name":322,"tag":322,"options":815,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":816,"description":817,"reverse":6,"image":818},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":820},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":822,"meta":823,"component":824,"responsiveStyles":829},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":702},{"name":336,"options":825,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":826,"description":827,"reverse":34,"image":828},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":830},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":832,"meta":833,"component":834,"responsiveStyles":839},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":712},{"name":336,"options":835,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":836,"description":837,"reverse":6,"image":838},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":840},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":842,"meta":843,"component":844,"responsiveStyles":849},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":722},{"name":336,"options":845,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":846,"description":847,"reverse":34,"image":848},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":850},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":852,"meta":853,"component":854,"responsiveStyles":856},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":732},{"name":317,"options":855,"isRSC":61},{"darkMode":6},{"large":857},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":859,"component":860,"responsiveStyles":862},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":379,"tag":379,"options":861,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":863},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":865,"@type":47,"tagName":74,"properties":866,"responsiveStyles":867},"builder-pixel-tdf58f8d0ze",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":868},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":870},{"path":29,"query":871},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":878,"originalContentId":644,"winningTest":61,"hasLinks":6,"kind":401,"breakpoints":879,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":881,"id":882,"name":883,"modelId":224,"published":13,"query":884,"data":887,"variations":992,"lastUpdated":993,"firstPublished":994,"testRatio":23,"screenshot":995,"createdBy":91,"lastUpdatedBy":637,"folders":996,"meta":997,"rev":403},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[885],{"@type":227,"property":228,"operator":229,"value":886},"/uc/incident-response",{"seoDescription":888,"customFonts":889,"title":883,"jsCode":29,"fontAwesomeIcon":894,"seoTitle":895,"tsCode":29,"blocks":896,"url":886,"state":989},"Investigate and respond faster with unique browser telemetry.",[890],{"kind":236,"subsets":891,"menu":259,"variants":892,"category":258,"family":235,"version":237,"lastModified":238,"files":893},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"900italic":249,"600italic":257,"200italic":254,"300italic":256,"100italic":251,"700italic":250,"800italic":248,"regular":253,"italic":252,"500italic":255},"faSatelliteDish","Browser based incident response",[897,984],{"@type":47,"@version":48,"tagName":286,"id":898,"meta":899,"children":900},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":659},[901,918,925,932,941,951,961,971,978],{"@type":47,"@version":48,"id":902,"meta":903,"component":904,"responsiveStyles":916},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":663},{"name":290,"options":905,"isRSC":61},{"title":906,"description":907,"points":908,"video":915},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[909,911,913],{"item":910},"Reconstruct what happened with real browser session context",{"item":912},"Investigate faster with real-world session context",{"item":914},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":917},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":919,"meta":920,"component":921,"responsiveStyles":923},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":679},{"name":309,"options":922,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":924},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":926,"meta":927,"component":928,"responsiveStyles":930},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":686},{"name":317,"options":929,"isRSC":61},{"darkMode":34},{"large":931},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":933,"component":934,"responsiveStyles":939},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":322,"tag":322,"options":935,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":936,"description":937,"image":938,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":940},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":942,"meta":943,"component":944,"responsiveStyles":949},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":702},{"name":336,"options":945,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":946,"description":947,"reverse":34,"image":948},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":950},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":952,"meta":953,"component":954,"responsiveStyles":959},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":712},{"name":336,"options":955,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":956,"description":957,"reverse":6,"image":958},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":960},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":962,"meta":963,"component":964,"responsiveStyles":969},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":722},{"name":336,"options":965,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":966,"description":967,"reverse":34,"image":968},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":970},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":972,"meta":973,"component":974,"responsiveStyles":976},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":732},{"name":317,"options":975,"isRSC":61},{"darkMode":6},{"large":977},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":979,"component":980,"responsiveStyles":982},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":379,"tag":379,"options":981,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":983},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":985,"@type":47,"tagName":74,"properties":986,"responsiveStyles":987},"builder-pixel-npdwr13f8cs",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":988},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":990},{"path":29,"query":991},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":401,"breakpoints":998,"originalContentId":644,"winningTest":61,"lastPreviewUrl":999,"hasLinks":6,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1001,"id":1002,"name":1003,"modelId":224,"published":13,"query":1004,"data":1007,"variations":1112,"lastUpdated":1113,"firstPublished":1114,"testRatio":23,"screenshot":1115,"createdBy":91,"lastUpdatedBy":637,"folders":1116,"meta":1117,"rev":403},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1005],{"@type":227,"property":228,"operator":229,"value":1006},"/uc/shadow-saas",{"seoTitle":1008,"seoDescription":1009,"customFonts":1010,"fontAwesomeIcon":1015,"title":1016,"jsCode":29,"tsCode":29,"blocks":1017,"url":1006,"state":1109},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1011],{"kind":236,"variants":1012,"files":1013,"family":235,"version":237,"subsets":1014,"lastModified":238,"category":258,"menu":259},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"300italic":256,"500italic":255,"regular":253,"900italic":249,"italic":252,"100italic":251,"200italic":254,"600italic":257,"700italic":250,"800italic":248},[261,262],"faShieldCheck","Secure shadow SaaS",[1018,1104],{"@type":47,"@version":48,"tagName":286,"id":1019,"meta":1020,"children":1021},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":898},[1022,1038,1045,1052,1061,1071,1081,1091,1098],{"@type":47,"@version":48,"id":1023,"meta":1024,"component":1025,"responsiveStyles":1036},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":902},{"name":290,"options":1026,"isRSC":61},{"title":1008,"description":1027,"points":1028,"video":1035},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1029,1031,1033],{"item":1030},"Discover every SaaS app users access, managed or not",{"item":1032},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1034},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1037},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":1039,"meta":1040,"component":1041,"responsiveStyles":1043},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":919},{"name":309,"options":1042,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":1044},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":1046,"meta":1047,"component":1048,"responsiveStyles":1050},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":926},{"name":317,"options":1049,"isRSC":61},{"darkMode":34},{"large":1051},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1053,"component":1054,"responsiveStyles":1059},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":322,"tag":322,"options":1055,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":1056,"description":1057,"image":1058,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1060},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1062,"meta":1063,"component":1064,"responsiveStyles":1069},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":942},{"name":336,"options":1065,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":1066,"description":1067,"reverse":34,"image":1068},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1070},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":1072,"meta":1073,"component":1074,"responsiveStyles":1079},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":952},{"name":336,"options":1075,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":1076,"description":1077,"reverse":6,"image":1078},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1080},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":1082,"meta":1083,"component":1084,"responsiveStyles":1089},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":962},{"name":336,"options":1085,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":1086,"description":1087,"reverse":34,"image":1088},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1090},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":1092,"meta":1093,"component":1094,"responsiveStyles":1096},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":972},{"name":317,"options":1095,"isRSC":61},{"darkMode":6},{"large":1097},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1099,"component":1100,"responsiveStyles":1102},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":379,"tag":379,"options":1101,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":1103},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1105,"@type":47,"tagName":74,"properties":1106,"responsiveStyles":1107},"builder-pixel-u2eniqrkjo",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":1108},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1110},{"path":29,"query":1111},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":882,"winningTest":61,"lastPreviewUrl":1118,"breakpoints":1119,"kind":401,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":1121,"id":1122,"name":1123,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":1124,"data":1127,"variations":1233,"lastUpdated":1234,"firstPublished":1235,"testRatio":23,"screenshot":1236,"createdBy":91,"lastUpdatedBy":396,"folders":1237,"meta":1238,"rev":403},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1125],{"@type":227,"property":228,"operator":229,"value":1126},"/uc/shadow-ai",{"seoTitle":1128,"fontAwesomeIcon":1129,"title":1130,"seoDescription":1131,"customFonts":1132,"tsCode":29,"jsCode":29,"blocks":1137,"url":1126,"state":1230},"Secure AI native and AI enhanced apps. ","faBrainCircuit","Secure AI","See and control AI apps in the browser.",[1133],{"version":237,"files":1134,"kind":236,"family":235,"lastModified":238,"category":258,"variants":1135,"subsets":1136,"menu":259},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"700italic":250,"100italic":251,"600italic":257,"italic":252,"300italic":256,"200italic":254,"500italic":255,"800italic":248,"900italic":249,"regular":253},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],[261,262],[1138,1225],{"@type":47,"@version":48,"tagName":286,"id":1139,"meta":1140,"children":1141},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1019},[1142,1158,1165,1172,1182,1192,1202,1212,1219],{"@type":47,"@version":48,"id":1143,"meta":1144,"component":1145,"responsiveStyles":1156},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1023},{"name":290,"options":1146,"isRSC":61},{"title":1130,"description":1147,"points":1148,"image":1155},"\u003Cp>Every AI interaction traverses the browser. Employees use GenAI tools, connect AI apps to corporate accounts, and run agentic workflows, often outside security oversight. Push gives security teams the visibility to see what AI is doing across their environment and the controls to intervene before sensitive data leaves or access gets abused.\u003C/p>",[1149,1151,1153],{"item":1150},"Discover every AI tool and agent active across your workforce",{"item":1152},"Detect sensitive data being submitted to AI apps",{"item":1154},"Enforce AI policy directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1157},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":1159,"meta":1160,"component":1161,"responsiveStyles":1163},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1039},{"name":309,"options":1162,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":1164},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":1166,"meta":1167,"component":1168,"responsiveStyles":1170},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1046},{"name":317,"options":1169,"isRSC":61},{"darkMode":34},{"large":1171},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1173,"meta":1174,"component":1175,"responsiveStyles":1180},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1053},{"name":322,"tag":322,"options":1176,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":1177,"description":1178,"image":1179,"reverse":6},"\u003Ch2>The browser is where AI lives\u003C/h2>","\u003Cp>AI activity doesn't happen at the network layer or the endpoint. It happens in the browser, where employees interact with AI tools, where agents execute tasks, and where sensitive data gets submitted to external services. Push captures live telemetry from inside the browser session, identifying every AI-native and AI-enhanced application in use. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1181},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1183,"meta":1184,"component":1185,"responsiveStyles":1190},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1062},{"name":336,"options":1186,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":1187,"description":1188,"reverse":34,"image":1189},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Most organisations are using far more AI than they've approved. Push identifies every AI-native and AI-enhanced application accessed across the workforce, which corporate identities are connected, and what new tools appear in the environment. Applications are categorized by risk and policy status so security teams can prioritize exposure before it becomes an incident.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F636e65ad0c4c43faa3e626c41e90d8a3",{"large":1191},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":1193,"meta":1194,"component":1195,"responsiveStyles":1200},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1072},{"name":336,"options":1196,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":1197,"description":1198,"reverse":6,"image":1199},"\u003Ch2>Prevent sensitive data from reaching the wrong AI tools\u003C/h2>","\u003Cp>Employees paste credentials, customer data, and internal documents into AI tools without realizing the risk. Push detects sensitive data interactions in the browser in real time, including file uploads, clipboard activity, and form submissions to unsanctioned or high-risk AI applications. Controls can be applied to warn users, require policy acknowledgment, or block the interaction entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F011332d42dab4a299f25ab3847741ed9",{"large":1201},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1210},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1082},{"name":336,"options":1206,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":1207,"description":1208,"reverse":34,"image":1209},"\u003Ch2>Govern agentic AI permissions and activity\u003C/h2>","\u003Cp>AI agents operating in the browser can access applications, execute actions, and handle data on behalf of users, often with permissions that were never explicitly reviewed. Push surfaces agentic permissions and data flows so security teams can see what agents are doing, where they have access, and apply controls before that access is exploited or abused.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F71549a73d0b84f1c8cb151c05e493e8d",{"large":1211},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":1213,"meta":1214,"component":1215,"responsiveStyles":1217},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1092},{"name":317,"options":1216,"isRSC":61},{"darkMode":6},{"large":1218},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1220,"component":1221,"responsiveStyles":1223},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":379,"tag":379,"options":1222,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":1224},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1226,"@type":47,"tagName":74,"properties":1227,"responsiveStyles":1228},"builder-pixel-keiefuqsmy",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":1229},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1231},{"path":29,"query":1232},{},{},1778073860450,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9b4d5666fc9e495a9a8de4258975cd9f",[],{"lastPreviewUrl":1239,"hasLinks":6,"originalContentId":1002,"winningTest":61,"breakpoints":1240,"kind":401,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"w":1242,"h":1243,"d":1244},448,512,"M280.4 48c-3.2 0-6.3 .5-9.3 1.4L206.6 69.2C136.1 90.9 88 156.1 88 229.8l0 42.9c22.7 3.8 40 23.6 40 47.3l0 144c0 26.5-21.5 48-48 48l-32 0c-26.5 0-48-21.5-48-48L0 320c0-23.8 17.3-43.5 40-47.3l0-42.9C40 135 101.8 51.2 192.5 23.4L256.9 3.5c7.6-2.3 15.5-3.5 23.4-3.5 44 0 79.6 35.7 79.6 79.6l0 56.4c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-56.4C312 62.2 297.8 48 280.4 48zM48 320l0 144 32 0 0-144-32 0zm208 24c0-71.6 55.6-127.8 89-148.1 4.3-2.6 9.6-2.6 14 0 33.5 20.3 89 76.6 89 148.1 0 32-16 80-64 112l27.3 27.3c3 3 4.7 7.1 4.7 11.3l0 1.4c0 8.8-7.2 16-16 16l-96 0c-8.8 0-16-7.2-16-16l0-1.4c0-4.2 1.7-8.3 4.7-11.3L320 456c-48-32-64-80-64-112zm128-32a24 24 0 1 0 -48 0 24 24 0 1 0 48 0z",{"w":1243,"h":1243,"d":1246},"M201.1 57.3c-7 5.3-9.1 10.7-9.1 14.7 0 4.2 2.4 10.1 10.4 15.6 7.8 5.3 13.6 14.6 13.6 25.6 0 17-13.8 30.7-30.7 30.7L56 144c-4.4 0-8 3.6-8 8l0 52.5c7.4-2.9 15.5-4.5 24-4.5 43.1 0 72 39.4 72 80s-28.9 80-72 80c-8.5 0-16.6-1.6-24-4.5L48 456c0 4.4 3.6 8 8 8l100.5 0c-2.9-7.4-4.5-15.5-4.5-24 0-43.1 39.4-72 80-72s80 28.9 80 72c0 8.5-1.6 16.6-4.5 24l52.5 0c4.4 0 8-3.6 8-8l0-129.3c0-17 13.8-30.7 30.7-30.7 11.1 0 20.3 5.8 25.6 13.6 5.5 8 11.4 10.4 15.6 10.4 4 0 9.5-2.1 14.7-9.1s9.3-17.9 9.3-30.9-4-23.8-9.3-30.9-10.7-9.1-14.7-9.1c-4.2 0-10.1 2.4-15.6 10.4-5.3 7.8-14.6 13.6-25.6 13.6-17 0-30.7-13.8-30.7-30.7l0-81.3c0-4.4-3.6-8-8-8l-81.3 0c-17 0-30.7-13.8-30.7-30.7 0-11.1 5.8-20.3 13.6-25.6 8-5.5 10.4-11.4 10.4-15.6 0-4-2.1-9.5-9.1-14.7S245 48 232 48 208.2 52 201.1 57.3zM172.3 18.9C188.5 6.8 209.6 0 232 0S275.5 6.8 291.7 18.9 320 49.5 320 72c0 8.6-1.8 16.7-4.9 24L360 96c30.9 0 56 25.1 56 56l0 44.9c7.3-3.1 15.4-4.9 24-4.9 22.5 0 41 12.2 53.1 28.3s18.9 37.3 18.9 59.7-6.8 43.5-18.9 59.7-30.6 28.3-53.1 28.3c-8.6 0-16.7-1.8-24-4.9l0 92.9c0 30.9-25.1 56-56 56l-78.1 0c-18.7 0-33.9-15.2-33.9-33.9 0-10.1 4.5-18.5 9.9-24.2 4.2-4.3 6.1-9.2 6.1-13.9 0-9.9-10.7-24-32-24s-32 14.1-32 24c0 4.7 1.9 9.5 6.1 13.9 5.5 5.7 9.9 14.1 9.9 24.2 0 18.7-15.2 33.9-33.9 33.9L56 512c-30.9 0-56-25.1-56-56L0 329.9c0-18.7 15.2-33.9 33.9-33.9 10.1 0 18.5 4.5 24.2 9.9 4.3 4.2 9.2 6.1 13.9 6.1 9.9 0 24-10.7 24-32s-14.1-32-24-32c-4.7 0-9.5 1.9-13.9 6.1-5.7 5.5-14.1 9.9-24.2 9.9-18.7 0-33.9-15.2-33.9-33.9L0 152c0-30.9 25.1-56 56-56l92.9 0c-3.1-7.3-4.9-15.4-4.9-24 0-22.5 12.2-41 28.3-53.1z",{"w":1242,"h":1243,"d":1248},"M102.7 96c10.4-53.7 31.9-112 68.3-112 9.6 0 19 3.9 27.5 8.2 8.2 4.1 18.4 7.8 25.5 7.8s17.3-3.7 25.5-7.8c8.5-4.3 17.9-8.2 27.5-8.2 36.4 0 57.8 58.3 68.3 112L376 96c13.3 0 24 10.7 24 24s-10.7 24-24 24l-24 0 0 32c0 17-3.3 33.2-9.3 48l33.3 0c8.1 0 15.6 4 20 10.8s5.2 15.2 2.1 22.6l-31.5 74.2c48.9 31.2 81.4 86 81.4 148.5l0 8c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-8c0-51.4-30.3-95.8-74.1-116.1-11.7-5.5-17-19.2-12-31.2l25.8-60.7-27.7 0c-1.1 0-2.1-.1-3.1-.2-22.6 20-52.3 32.2-84.9 32.2s-62.3-12.2-84.9-32.2c-1 .1-2.1 .2-3.1 .2l-27.7 0 25.8 60.7c5.1 11.9-.2 25.7-12 31.2-43.8 20.4-74.1 64.7-74.1 116.1l0 8c0 13.3-10.7 24-24 24S0 501.3 0 488l0-8c0-62.4 32.5-117.2 81.4-148.5L49.9 257.4c-3.2-7.4-2.4-15.9 2.1-22.6S63.9 224 72 224l33.3 0c-6-14.8-9.3-31-9.3-48l0-32-24 0c-13.3 0-24-10.7-24-24S58.7 96 72 96l30.7 0zm45.9 107c11.1 30.9 40.6 53 75.3 53s64.2-22.1 75.3-53c-5.7 3.2-12.3 5-19.3 5l-12.4 0c-16.5 0-31.1-10.6-36.3-26.2-2.3-7-12.2-7-14.5 0-5.2 15.6-19.9 26.2-36.3 26.2L168 208c-7 0-13.6-1.8-19.3-5zm44.8 133l61 0c9.7 0 17.5 7.8 17.5 17.5 0 4.2-1.5 8.2-4.2 11.4l-27.9 32.5 28.9 82.6c5.5 15.6-6.1 31.9-22.7 31.9l-44.3 0c-16.5 0-28.1-16.3-22.7-31.9l28.9-82.6-27.9-32.5c-2.7-3.2-4.2-7.2-4.2-11.4 0-9.7 7.8-17.5 17.5-17.5z",{"w":1243,"h":1243,"d":1250},"M304.8 173.3c-14.3-8.4-31-13.3-48.8-13.3-53 0-96 43-96 96s43 96 96 96 96-43 96-96l48 0c0 79.5-64.5 144-144 144s-144-64.5-144-144 64.5-144 144-144c31.1 0 59.9 9.9 83.4 26.6l45.7-45.7C349.7 64.8 304.8 48 256 48 141.1 48 48 141.1 48 256s93.1 208 208 208 208-93.1 208-208l48 0c0 141.4-114.6 256-256 256S0 397.4 0 256 114.6 0 256 0c62.1 0 118.9 22.1 163.3 58.8L463 15c9.4-9.4 24.6-9.4 33.9 0s9.4 24.6 0 33.9L273 273c-9.4 9.4-24.6 9.4-33.9 0s-9.4-24.6 0-33.9l65.7-65.7z",{"w":32,"h":1243,"d":1252},"M128 80l384 0c8.8 0 16 7.2 16 16l0 208 48 0 0-208c0-35.3-28.7-64-64-64L128 32C92.7 32 64 60.7 64 96l0 208 48 0 0-208c0-8.8 7.2-16 16-16zM52.8 400l534.4 0c-8.5 18.9-27.5 32-49.6 32l-435.2 0c-22.1 0-41.1-13.1-49.6-32zM25.6 352C11.5 352 0 363.5 0 377.6 0 434.2 45.8 480 102.4 480l435.2 0c56.6 0 102.4-45.8 102.4-102.4 0-14.1-11.5-25.6-25.6-25.6L25.6 352zM281 169c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0l-48 48c-9.4 9.4-9.4 24.6 0 33.9l48 48c9.4 9.4 24.6 9.4 33.9 0s9.4-24.6 0-33.9l-31-31 31-31zM393 135c-9.4-9.4-24.6-9.4-33.9 0s-9.4 24.6 0 33.9l31 31-31 31c-9.4 9.4-9.4 24.6 0 33.9s24.6 9.4 33.9 0l48-48c9.4-9.4 9.4-24.6 0-33.9l-48-48z",{"w":1243,"h":1243,"d":1254},"M232 0c-13.3 0-24 10.7-24 24s10.7 24 24 24c128.1 0 232 103.9 232 232 0 13.3 10.7 24 24 24s24-10.7 24-24C512 125.4 386.6 0 232 0zM48 256c0-23 3.7-45 10.5-65.6l263 263C301 460.3 279 464 256 464 141.1 464 48 370.9 48 256zM72.8 136.8c-14.1-14.1-37.6-12-46.5 5.8-16.9 34.2-26.4 72.6-26.4 113.3 0 141.4 114.6 256 256 256 40.7 0 79.2-9.5 113.3-26.4 17.9-8.8 19.9-32.4 5.8-46.5L241 305 281 265c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0L207 271 72.8 136.8zM208 120c0 13.3 10.7 24 24 24 75.1 0 136 60.9 136 136 0 13.3 10.7 24 24 24s24-10.7 24-24c0-101.6-82.4-184-184-184-13.3 0-24 10.7-24 24z",{"w":1243,"h":1243,"d":1256},"M256.1 0c4.6 0 9.2 1 13.3 2.9L457.8 82.8c22 9.3 38.4 31 38.3 57.2-.5 99.2-41.3 280.7-213.6 363.2-16.7 8-36.1 8-52.8 0-172.4-82.5-213.2-263.9-213.7-363.2-.1-26.2 16.3-47.9 38.3-57.2L242.7 2.9C246.8 1 251.4 0 256.1 0zM73.1 127c-5.9 2.5-9.1 7.7-9 12.7 .5 91.4 38.4 249.3 186.4 320.1 3.6 1.7 7.8 1.7 11.3 0 148-70.8 185.9-228.7 186.3-320.1 0-5-3.1-10.2-9-12.7l-183-77.6-183 77.6zm240.3 34.9c7.8-10.7 22.8-13.1 33.5-5.3 10.7 7.8 13.1 22.8 5.3 33.5L249.8 330.9c-4.2 5.7-10.7 9.3-17.8 9.8s-14-2.2-18.9-7.3l-46.4-48c-9.2-9.5-9-24.7 .6-33.9 9.5-9.2 24.7-8.9 33.9 .6l26.5 27.4 85.6-117.7z",{"w":1243,"h":1243,"d":1258},"M123 58.1c9.5-33.5 40.4-58.1 77-58.1 21.8 0 41.6 8.7 56 22.9 14.4-14.1 34.2-22.9 56-22.9 36.6 0 67.4 24.6 77 58.1 47.4 9.7 83 51.6 83 101.9 0 11.3-1.8 22.2-5.1 32.3 22.7 19.1 37.1 47.7 37.1 79.7 0 23.7-8 45.6-21.3 63.1 3.5 10.4 5.3 21.4 5.3 32.9 0 54-41.2 98.5-93.9 103.5-15.6 24.3-42.9 40.5-74.1 40.5-25.2 0-48-10.6-64-27.6-16 17-38.8 27.6-64 27.6-31.1 0-58.4-16.2-74.1-40.5-52.7-5.1-93.9-49.5-93.9-103.5 0-11.5 1.9-22.5 5.3-32.9-13.4-17.5-21.3-39.4-21.3-63.1 0-32 14.5-60.6 37.1-79.7-3.3-10.2-5.1-21.1-5.1-32.3 0-50.3 35.6-92.2 83-101.9zM200 48c-17.7 0-32 14.3-32 32 0 13.3-10.7 24-24 24-30.9 0-56 25.1-56 56 0 10.5 2.9 20.3 7.9 28.6 3.4 5.7 4.3 12.5 2.5 18.9s-6.2 11.7-12 14.7c-18 9.3-30.3 28.1-30.3 49.8 0 16.1 6.8 30.7 17.8 40.9 7.9 7.4 9.9 19.2 4.8 28.8-4.2 7.8-6.5 16.7-6.5 26.3 0 30.9 25.1 56 56 56 1.1 0 2.2 0 3.2-.1 10.3-.6 19.8 5.5 23.6 15 5.9 14.7 20.4 25.1 37.1 25.1 20.4 0 37.2-15.3 39.7-35 .1-.6 .2-1.3 .3-1.9l0-135.1-40 0c-6.6 0-12 5.4-12 12l0 4.4c16.5 7.6 28 24.3 28 43.6 0 26.5-21.5 48-48 48s-48-21.5-48-48c0-19.4 11.5-36.1 28-43.6l0-4.4c0-28.7 23.3-52 52-52l40 0 0-56-12.4 0c-7.6 16.5-24.3 28-43.6 28-26.5 0-48-21.5-48-48s21.5-48 48-48c19.4 0 36.1 11.5 43.6 28l12.4 0 0-76c0-17.7-14.3-32-32-32zm80 148l0 152 40 0c6.6 0 12-5.4 12-12l0-4.4c-16.5-7.6-28-24.3-28-43.6 0-26.5 21.5-48 48-48s48 21.5 48 48c0 19.4-11.5 36.1-28 43.6l0 4.4c0 28.7-23.3 52-52 52l-40 0 0 39.1c.1 .6 .2 1.2 .3 1.9 2.5 19.7 19.3 35 39.7 35 16.8 0 31.2-10.3 37.1-25.1 3.8-9.6 13.3-15.6 23.6-15 1.1 .1 2.2 .1 3.2 .1 30.9 0 56-25.1 56-56 0-9.5-2.4-18.5-6.5-26.3-5.1-9.6-3.1-21.4 4.8-28.8 11-10.2 17.8-24.8 17.8-40.9 0-21.6-12.2-40.4-30.3-49.8-5.9-3-10.2-8.4-12-14.7s-.9-13.2 2.5-18.9c5-8.4 7.9-18.1 7.9-28.6 0-30.9-25.1-56-56-56-13.3 0-24-10.7-24-24 0-17.7-14.3-32-32-32s-32 14.3-32 32l0 76 12.4 0c7.6-16.5 24.3-28 43.6-28 26.5 0 48 21.5 48 48s-21.5 48-48 48c-19.4 0-36.1-11.5-43.6-28L280 196zm56-36a16 16 0 1 0 0 32 16 16 0 1 0 0-32zm0 128a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zM144 352a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zm16-176a16 16 0 1 0 32 0 16 16 0 1 0 -32 0z",{"id":1260,"title":1261,"authorsCollection":1262,"content":1270,"extension":2382,"hashTags":61,"meta":2383,"metaTitle":2384,"ogImage":61,"publishedDate":2385,"relatedBlogPostsCollection":2386,"slug":2388,"stem":2389,"subtitle":61,"summary":2390,"synopsis":2401,"sys":2402,"tagsCollection":2405,"__hash__":2415},"blog/blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline.json","Can AI replace a threat researcher? What we learned building an agentic threat hunting pipeline",{"items":1263},[1264],{"fullName":1265,"firstName":1266,"jobTitle":1267,"profilePicture":1268},"Kelly Davenport","Kelly","Product Team",{"url":1269},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"json":1271,"links":2228},{"nodeType":1272,"data":1273,"content":1274},"document",{},[1275,1284,1308,1320,1327,1336,1343,1367,1374,1381,1388,1400,1407,1411,1420,1436,1457,1573,1579,1586,1592,1601,1608,1620,1627,1633,1640,1664,1671,1678,1681,1689,1696,1704,1711,1727,1734,1741,1749,1756,1763,1771,1778,1785,1788,1796,1803,1811,1818,1825,1832,1839,1847,1854,1887,1894,1901,1907,1914,1922,1929,2007,2013,2021,2037,2044,2050,2057,2073,2076,2084,2091,2098,2104,2111,2157,2164,2171,2178,2184,2187,2195,2202,2209],{"nodeType":1276,"data":1277,"content":1278},"paragraph",{},[1279],{"nodeType":1280,"value":1281,"marks":1282,"data":1283},"text","In March, our threat hunting engine flagged something it hadn’t seen before.",[],{},{"nodeType":1276,"data":1285,"content":1286},{},[1287,1291,1304],{"nodeType":1280,"value":1288,"marks":1289,"data":1290},"Our research team had already been tracking the growing use of ",[],{},{"nodeType":1292,"data":1293,"content":1299},"entry-hyperlink",{"target":1294},{"sys":1295},{"id":1296,"type":1297,"linkType":1298},"2U6QpQ9rkY8x5ES48okHZB","Link","Entry",[1300],{"nodeType":1280,"value":1301,"marks":1302,"data":1303},"malvertising",[],{},{"nodeType":1280,"value":1305,"marks":1306,"data":1307}," tied to phishing campaigns. Malvertising frequently targets users via Google Search results, inserting malicious ads or redirects in place of legitimate ads, and using the familiar context of the search results page to trick users into clicking.",[],{},{"nodeType":1276,"data":1309,"content":1310},{},[1311,1315],{"nodeType":1280,"value":1312,"marks":1313,"data":1314},"To defend Push customers against this threat, we needed a way to spot malicious activity arising from clicking on Google ads. ",[],{},{"nodeType":1280,"value":1316,"marks":1317,"data":1319},"But how to separate signal from noise?",[1318],{"type":275},{},{"nodeType":1276,"data":1321,"content":1322},{},[1323],{"nodeType":1280,"value":1324,"marks":1325,"data":1326},"Our hunt combined the skills of human researchers and AI agents to find 12 meaningful results from trillions of browser events visible to the Push extension across our install base.",[],{},{"nodeType":1276,"data":1328,"content":1329},{},[1330],{"nodeType":1280,"value":1331,"marks":1332,"data":1335},"Of those, one was novel. ",[1333],{"type":1334},"bold",{},{"nodeType":1276,"data":1337,"content":1338},{},[1339],{"nodeType":1280,"value":1340,"marks":1341,"data":1342},"A user had searched for NotebookLM, clicked a paid Google ad, and gotten redirected to a page impersonating NotebookLM. The page itself was just a facade fronting a Cloudflare Pages-hosted phishing kit with a WebAssembly C2 connector. To the user, it looked like a completely on-brand NotebookLM page, and if they had run the fake install prompt, they would have installed malware. (Note: NotebookLM doesn’t even require a local install, but the page was convincing enough — and AI platforms are changing so quickly — that the lure was extremely believable.)",[],{},{"nodeType":1276,"data":1344,"content":1345},{},[1346,1351,1362],{"nodeType":1280,"value":1347,"marks":1348,"data":1350},"We had found our first in-the-wild ",[1349],{"type":1334},{},{"nodeType":1292,"data":1352,"content":1356},{"target":1353},{"sys":1354},{"id":1355,"type":1297,"linkType":1298},"7bG71Eo43crbIHKzczooVS",[1357],{"nodeType":1280,"value":1358,"marks":1359,"data":1361},"InstallFix attack",[1360],{"type":1334},{},{"nodeType":1280,"value":1363,"marks":1364,"data":1366},".",[1365],{"type":1334},{},{"nodeType":1276,"data":1368,"content":1369},{},[1370],{"nodeType":1280,"value":1371,"marks":1372,"data":1373},"Within minutes, our analysis agents created detections, and researchers shipped a new detection to every Push customer. ",[],{},{"nodeType":1276,"data":1375,"content":1376},{},[1377],{"nodeType":1280,"value":1378,"marks":1379,"data":1380},"Eighteen months ago, it would have taken a human analyst days or even weeks to unpack the attack, comb through web requests, de-obfuscate web code, trace JavaScript execution, and extract signals of tactics, techniques, and procedures (TTPs) beyond short-lived single-use IOCs like domain name, then get their work coded up as a detection and deployed to customers. ",[],{},{"nodeType":1276,"data":1382,"content":1383},{},[1384],{"nodeType":1280,"value":1385,"marks":1386,"data":1387},"That was viable when new tools or techniques showed up once or twice a quarter. It doesn’t stand a chance when attack evolutions occur weekly or even daily. That’s the reality now with AI-generated adversary tools.",[],{},{"nodeType":1276,"data":1389,"content":1390},{},[1391,1396],{"nodeType":1280,"value":1392,"marks":1393,"data":1395},"So, can AI agents replace human threat researchers?",[1394],{"type":1334},{},{"nodeType":1280,"value":1397,"marks":1398,"data":1399}," That’s the wrong question. Can AI agents massively scale the expertise of a seasoned human threat hunter without getting bored of repetitive tasks, missing pertinent but easily overlooked details, or creating operational siloes dependent on one person’s knowledge — and do its work continuously across trillions of data points? Yes, absolutely.",[],{},{"nodeType":1401,"data":1402,"content":1406},"embedded-entry-block",{"target":1403},{"sys":1404},{"id":1405,"type":1297,"linkType":1298},"3OiZ7BrViCTTMmHUAbloEt",[],{"nodeType":1408,"data":1409,"content":1410},"hr",{},[],{"nodeType":1412,"data":1413,"content":1414},"heading-1",{},[1415],{"nodeType":1280,"value":1416,"marks":1417,"data":1419},"Why scaling browser threat detection requires more than more analysts",[1418],{"type":1334},{},{"nodeType":1276,"data":1421,"content":1422},{},[1423,1427,1432],{"nodeType":1280,"value":1424,"marks":1425,"data":1426},"Already this year, we’ve ",[],{},{"nodeType":1280,"value":1428,"marks":1429,"data":1431},"tripled",[1430],{"type":1334},{},{"nodeType":1280,"value":1433,"marks":1434,"data":1435}," the cumulative number of detections shipped to Push customers using this pipeline. That output points to the first problem we set out to solve by employing AI agents: Scaling our research team’s considerable expertise.",[],{},{"nodeType":1276,"data":1437,"content":1438},{},[1439,1443,1453],{"nodeType":1280,"value":1440,"marks":1441,"data":1442},"Push’s R&D team are experts at understanding and unpacking modern browser-based attacks. This is essential when you consider how quickly attacks themselves are evolving. When we created the ",[],{},{"nodeType":1292,"data":1444,"content":1448},{"target":1445},{"sys":1446},{"id":1447,"type":1297,"linkType":1298},"211Dd0EIrXPOFpvRgs0fEE",[1449],{"nodeType":1280,"value":1450,"marks":1451,"data":1452},"Browser & Identity Attacks Matrix",[],{},{"nodeType":1280,"value":1454,"marks":1455,"data":1456}," in 2023 (then called the SaaS Attacks Matrix), many of the ideas in it were theoretical. Not anymore. ",[],{},{"nodeType":1458,"data":1459,"content":1460},"unordered-list",{},[1461,1472,1496],{"nodeType":1462,"data":1463,"content":1464},"list-item",{},[1465],{"nodeType":1276,"data":1466,"content":1467},{},[1468],{"nodeType":1280,"value":1469,"marks":1470,"data":1471},"We’ve tracked the rise of AiTM phish kits from their status as MFA-bypassing novelties to the emergence of an entire criminal ecosystem built around increasingly sophisticated Phishing-as-a-Service tools. ",[],{},{"nodeType":1462,"data":1473,"content":1474},{},[1475],{"nodeType":1276,"data":1476,"content":1477},{},[1478,1482,1492],{"nodeType":1280,"value":1479,"marks":1480,"data":1481},"We imagined the simple but effective power of using device code authorization for phishing three years ago; in the last few months, we’ve detected a 37x increase in ",[],{},{"nodeType":1292,"data":1483,"content":1487},{"target":1484},{"sys":1485},{"id":1486,"type":1297,"linkType":1298},"5DmCqTU2Tg4adYScA5vT2x",[1488],{"nodeType":1280,"value":1489,"marks":1490,"data":1491},"device code phishing attacks",[],{},{"nodeType":1280,"value":1493,"marks":1494,"data":1495}," across our install base. ",[],{},{"nodeType":1462,"data":1497,"content":1498},{},[1499],{"nodeType":1276,"data":1500,"content":1501},{},[1502,1506,1516,1520,1529,1533,1543,1547,1556,1559,1569],{"nodeType":1280,"value":1503,"marks":1504,"data":1505},"We were also the first to detect a novel post-authorization attack we dubbed ",[],{},{"nodeType":1292,"data":1507,"content":1511},{"target":1508},{"sys":1509},{"id":1510,"type":1297,"linkType":1298},"71EaaK7lfl6bQBbkAU0qjv",[1512],{"nodeType":1280,"value":1513,"marks":1514,"data":1515},"ConsentFix",[],{},{"nodeType":1280,"value":1517,"marks":1518,"data":1519}," that combines OAuth consent phishing and ClickFix-style user prompts; reported on the rise of the ridiculously simple yet effective ",[],{},{"nodeType":1292,"data":1521,"content":1524},{"target":1522},{"sys":1523},{"id":1355,"type":1297,"linkType":1298},[1525],{"nodeType":1280,"value":1526,"marks":1527,"data":1528},"InstallFix technique",[],{},{"nodeType":1280,"value":1530,"marks":1531,"data":1532}," described earlier; and detected an array of other ",[],{},{"nodeType":1292,"data":1534,"content":1538},{"target":1535},{"sys":1536},{"id":1537,"type":1297,"linkType":1298},"2YmiesBvJHGw4wiKEKzLUq",[1539],{"nodeType":1280,"value":1540,"marks":1541,"data":1542},"creative",[],{},{"nodeType":1280,"value":1544,"marks":1545,"data":1546}," ",[],{},{"nodeType":1292,"data":1548,"content":1551},{"target":1549},{"sys":1550},{"id":1296,"type":1297,"linkType":1298},[1552],{"nodeType":1280,"value":1553,"marks":1554,"data":1555},"phishing",[],{},{"nodeType":1280,"value":1544,"marks":1557,"data":1558},[],{},{"nodeType":1292,"data":1560,"content":1564},{"target":1561},{"sys":1562},{"id":1563,"type":1297,"linkType":1298},"6Zosy4SU0LpjlaSWX75peb",[1565],{"nodeType":1280,"value":1566,"marks":1567,"data":1568},"campaigns",[],{},{"nodeType":1280,"value":1570,"marks":1571,"data":1572}," tied to malvertising scams.",[],{},{"nodeType":1401,"data":1574,"content":1578},{"target":1575},{"sys":1576},{"id":1577,"type":1297,"linkType":1298},"53U3LHhhHFYnEpShdLmDqs",[],{"nodeType":1276,"data":1580,"content":1581},{},[1582],{"nodeType":1280,"value":1583,"marks":1584,"data":1585},"With an agentic approach, we could scale this expertise and reduce the time it takes to go from technique discovery to production-ready detection. This speed is critical now because adversaries are also using AI tools to do their work, exploding the number of trivial-to-rotate indicators of compromise and overwhelming existing detection workflows that lack an equivalent machine speed.",[],{},{"nodeType":1401,"data":1587,"content":1591},{"target":1588},{"sys":1589},{"id":1590,"type":1297,"linkType":1298},"1u00uFbC4xsvP9lqahXbgD",[],{"nodeType":1593,"data":1594,"content":1595},"heading-2",{},[1596],{"nodeType":1280,"value":1597,"marks":1598,"data":1600},"Scaling behavioral detections, not just making bigger blocklists",[1599],{"type":1334},{},{"nodeType":1276,"data":1602,"content":1603},{},[1604],{"nodeType":1280,"value":1605,"marks":1606,"data":1607},"But output numbers alone don’t tell the story of successful detections. That’s the other problem we set out to solve at scale: Most secure browser solutions rely on detection logic based on blocking known-bad indicators like domains, IPs, and URLs.",[],{},{"nodeType":1276,"data":1609,"content":1610},{},[1611,1616],{"nodeType":1280,"value":1612,"marks":1613,"data":1615},"If your solution offers 1,000 detections, and they’re all based on known-bad indicators that are easily rotated, then you’ve got 1,000 detections that worked once and will likely never fire again. ",[1614],{"type":1334},{},{"nodeType":1280,"value":1617,"marks":1618,"data":1619},"They certainly won’t catch subtle adaptations in adversary techniques that don’t rely on infrastructure changes, which are easy for attackers to swap anyway. ",[],{},{"nodeType":1276,"data":1621,"content":1622},{},[1623],{"nodeType":1280,"value":1624,"marks":1625,"data":1626},"Push does it differently. Our detection engine is focused on hunting for tactics, techniques, and procedures: the behavioral fingerprints of an attack, not just the infrastructure it runs on. ",[],{},{"nodeType":1401,"data":1628,"content":1632},{"target":1629},{"sys":1630},{"id":1631,"type":1297,"linkType":1298},"5jR3YVUiusHGnXDOyrgYpr",[],{"nodeType":1276,"data":1634,"content":1635},{},[1636],{"nodeType":1280,"value":1637,"marks":1638,"data":1639},"Instead of blocking based on known-bad domains, URLs, and IPs, our detections are built around user-level and page-level behaviors like what scripts load, how redirects behave, what events fire, what actions a user takes and what happens next, etc. (In fact, Push detections don’t even use any infrastructure-based IOCs, though customers can write their own custom detections if they have a specific IOC they’re keeping an eye on.)",[],{},{"nodeType":1276,"data":1641,"content":1642},{},[1643,1648,1659],{"nodeType":1280,"value":1644,"marks":1645,"data":1647},"All the detections we write would survive infrastructure rotation by adversaries, and many of our existing detections have caught never-before-seen evolutions in TTPs. That’s because we focus on the top of the ",[1646],{"type":1334},{},{"nodeType":1292,"data":1649,"content":1653},{"target":1650},{"sys":1651},{"id":1652,"type":1297,"linkType":1298},"1qegIy4rMdm5XZXnIEoKpE",[1654],{"nodeType":1280,"value":1655,"marks":1656,"data":1658},"Pyramid of Pain",[1657],{"type":1334},{},{"nodeType":1280,"value":1660,"marks":1661,"data":1663},", the indicators that are hardest for attackers to change.",[1662],{"type":1334},{},{"nodeType":1276,"data":1665,"content":1666},{},[1667],{"nodeType":1280,"value":1668,"marks":1669,"data":1670},"This focus on detecting TTPs has always been our approach. But with the acceleration in both attack types and the ease with which adversaries rotate infrastructure, we needed to build capabilities that scaled our knowledge. ",[],{},{"nodeType":1276,"data":1672,"content":1673},{},[1674],{"nodeType":1280,"value":1675,"marks":1676,"data":1677},"We did this not by replacing researchers, but by continuously activating their expertise.",[],{},{"nodeType":1408,"data":1679,"content":1680},{},[],{"nodeType":1412,"data":1682,"content":1683},{},[1684],{"nodeType":1280,"value":1685,"marks":1686,"data":1688},"Core principles for agentic threat hunting",[1687],{"type":1334},{},{"nodeType":1276,"data":1690,"content":1691},{},[1692],{"nodeType":1280,"value":1693,"marks":1694,"data":1695},"Three principles make Push's agentic threat hunting and detection engineering pipeline work:",[],{},{"nodeType":1593,"data":1697,"content":1698},{},[1699],{"nodeType":1280,"value":1700,"marks":1701,"data":1703},"Context matters more than custom models",[1702],{"type":1334},{},{"nodeType":1276,"data":1705,"content":1706},{},[1707],{"nodeType":1280,"value":1708,"marks":1709,"data":1710},"We’re not AI researchers; we’re security researchers — we aren't trying to compete in building the most intelligent models. And in our view, AI models are quickly becoming commoditized like cloud infrastructure, anyway. Luckily, the commercial models today already excel at understanding web code. We just need to harness their power with our expertise.",[],{},{"nodeType":1276,"data":1712,"content":1713},{},[1714,1718,1723],{"nodeType":1280,"value":1715,"marks":1716,"data":1717},"So at Push, we use a variety of commercial AI models and tools in complementary ways. What matters most is the telemetry they analyze, and that’s where Push’s existing product infrastructure shines: We’re already deployed into over ",[],{},{"nodeType":1280,"value":1719,"marks":1720,"data":1722},"3 million browsers worldwide",[1721],{"type":1334},{},{"nodeType":1280,"value":1724,"marks":1725,"data":1726},", and the Push browser extension includes a component that operates as a flight recorder to locally record everything that matters inside a browser session.",[],{},{"nodeType":1276,"data":1728,"content":1729},{},[1730],{"nodeType":1280,"value":1731,"marks":1732,"data":1733},"This universe of metadata — DOM elements, tab context, script execution, network traffic, user actions, credential entry, etc. — becomes the searchable corpus for hunts. Metadata is stored locally in users’ browsers and only queried during targeted threat hunts. ",[],{},{"nodeType":1276,"data":1735,"content":1736},{},[1737],{"nodeType":1280,"value":1738,"marks":1739,"data":1740},"This approach avoids dragnet collection of sensitive data. Instead, we focus on collecting metadata and distilling that into patterns and insights that provide context for agents to perform their analysis. This means that Push also does not train or fine-tune models on customer data.",[],{},{"nodeType":1593,"data":1742,"content":1743},{},[1744],{"nodeType":1280,"value":1745,"marks":1746,"data":1748},"Agents are only as good as the context you give them. Good context is researcher-led",[1747],{"type":1334},{},{"nodeType":1276,"data":1750,"content":1751},{},[1752],{"nodeType":1280,"value":1753,"marks":1754,"data":1755},"AI agents don’t know how to identify the TTPs of browser-based attacks until you give them the right context, and Push researchers have spent years unpacking these techniques and tools. Agents at Push consume our internal knowledge base of identified TTPs, and both humans and agents perform meta-analyses to check their work. The agents have access to large libraries of traces of human interactions with real phishing kits. This is a powerful dataset to build on.",[],{},{"nodeType":1276,"data":1757,"content":1758},{},[1759],{"nodeType":1280,"value":1760,"marks":1761,"data":1762},"When we don’t get the results we want from AI models, the question is “What context is it missing? What does our human team know that the agents don’t, and how can we give them that context — do they need data, tools, better workflows?” That closes the gap in performance and keeps quality high.",[],{},{"nodeType":1593,"data":1764,"content":1765},{},[1766],{"nodeType":1280,"value":1767,"marks":1768,"data":1770},"Integrated architecture that makes agentic AI the throughput layer, not a bolt-on",[1769],{"type":1334},{},{"nodeType":1276,"data":1772,"content":1773},{},[1774],{"nodeType":1280,"value":1775,"marks":1776,"data":1777},"The constraint we’re trying to break by using AI isn’t knowledge, it’s throughput. Our researchers deeply understand the techniques and tools. An agentic pipeline can apply that understanding continuously across millions of browsers and trillions of events, ingest new external signals, generate hunt hypotheses, triage results, and return only the findings that warrant escalation.",[],{},{"nodeType":1276,"data":1779,"content":1780},{},[1781],{"nodeType":1280,"value":1782,"marks":1783,"data":1784},"This approach relies on tight integration of our product and our agentic workflows. We’ll take a closer look at that in the next section.",[],{},{"nodeType":1408,"data":1786,"content":1787},{},[],{"nodeType":1412,"data":1789,"content":1790},{},[1791],{"nodeType":1280,"value":1792,"marks":1793,"data":1795},"How the agentic detection pipeline runs",[1794],{"type":1334},{},{"nodeType":1276,"data":1797,"content":1798},{},[1799],{"nodeType":1280,"value":1800,"marks":1801,"data":1802},"Now let’s look at how agentic threat detection actually works, and some of the emerging best practices we’ve identified. We'll cover two example hunts, one initiated autonomously by the agents themselves, and one by our research team. ",[],{},{"nodeType":1593,"data":1804,"content":1805},{},[1806],{"nodeType":1280,"value":1807,"marks":1808,"data":1810},"Example 1: Autonomous threat hunt",[1809],{"type":1334},{},{"nodeType":1276,"data":1812,"content":1813},{},[1814],{"nodeType":1280,"value":1815,"marks":1816,"data":1817},"Push’s threat hunting pipeline ingested context from research articles describing a new attack technique, and an agent developed hypotheses on what to hunt for across Push’s install base to identify instances of this attack. ",[],{},{"nodeType":1276,"data":1819,"content":1820},{},[1821],{"nodeType":1280,"value":1822,"marks":1823,"data":1824},"The agent crafted detection queries and then refined them to reduce false positives. The successful query ran across stored metadata and returned results, validating that there were zero false positives. ",[],{},{"nodeType":1276,"data":1826,"content":1827},{},[1828],{"nodeType":1280,"value":1829,"marks":1830,"data":1831},"The validated query became a scheduled job that runs on a regular cadence to monitor for potentially malicious signals. A triage agent then received any matches, did an initial analysis, and passed anything that looked suspicious to another agent to perform deeper analysis. This deep analysis agent wields the full investigative toolkit that a human researcher would — using Push’s internal knowledge base, domain age and registration analysis, URLScan and whois lookups, DOM image analysis, and contextual analysis of page-level and user-level behaviors, etc.",[],{},{"nodeType":1276,"data":1833,"content":1834},{},[1835],{"nodeType":1280,"value":1836,"marks":1837,"data":1838},"Within a few minutes, it can filter a thousand or more signals in a hunt trace down to a handful with meaning and provide an actionable assessment. Then, once the TTP was well-understood, other agents wrote and refined detections that can raise alerts for customers when an event of this type is seen. The Push platform immediately applies the customer’s configured security controls, such as blocking users from interacting with malicious pages.",[],{},{"nodeType":1593,"data":1840,"content":1841},{},[1842],{"nodeType":1280,"value":1843,"marks":1844,"data":1846},"Example 2: Human-initiated threat hunt",[1845],{"type":1334},{},{"nodeType":1276,"data":1848,"content":1849},{},[1850],{"nodeType":1280,"value":1851,"marks":1852,"data":1853},"Now, going back to the example from the beginning of the article: InstallFix. This hunt started with a thorny problem our research team needed to solve: How to detect bad things downstream of a user interacting with a Google ad? We needed a way to pinpoint the bad links from the good ones.",[],{},{"nodeType":1276,"data":1855,"content":1856},{},[1857,1861,1866,1870,1875,1878,1883],{"nodeType":1280,"value":1858,"marks":1859,"data":1860},"Our researchers collaborated with agents to formulate the right parameters for hunt queries, taking into account that good ads are normally bought by companies with marketing budgets, so therefore ads will be expected to redirect to pages hosted on custom domains, not shared domains like ",[],{},{"nodeType":1280,"value":1862,"marks":1863,"data":1865},"*pages.dev",[1864],{"type":1334},{},{"nodeType":1280,"value":1867,"marks":1868,"data":1869},", ",[],{},{"nodeType":1280,"value":1871,"marks":1872,"data":1874},"*workers.dev",[1873],{"type":1334},{},{"nodeType":1280,"value":1867,"marks":1876,"data":1877},[],{},{"nodeType":1280,"value":1879,"marks":1880,"data":1882},"*squarespace.com",[1881],{"type":1334},{},{"nodeType":1280,"value":1884,"marks":1885,"data":1886},", etc.",[],{},{"nodeType":1276,"data":1888,"content":1889},{},[1890],{"nodeType":1280,"value":1891,"marks":1892,"data":1893},"Our AI agents already understood key TTPs that indicated potential maliciousness on a page: password prompts, file downloads, OAuth integrations, clipboard copies, and similar user prompts that are frequently abused.",[],{},{"nodeType":1276,"data":1895,"content":1896},{},[1897],{"nodeType":1280,"value":1898,"marks":1899,"data":1900},"The agent ran several queries that returned matching browsing traces — the term we use for sequences of events in a session or tab context — where the user clicked a Google ad, was redirected to a page on a shared hosting domain, and then clicked a button to copy content to their clipboard.",[],{},{"nodeType":1401,"data":1902,"content":1906},{"target":1903},{"sys":1904},{"id":1905,"type":1297,"linkType":1298},"4IWOrWuvbwzWRJUkINiwKH",[],{"nodeType":1276,"data":1908,"content":1909},{},[1910],{"nodeType":1280,"value":1911,"marks":1912,"data":1913},"We got back high-fidelity findings and then tuned the query into a continuous detection that leveraged existing detection logic around related techniques. This process also effectively back-tests new detections, so we know we’re not going to generate a lot of false positives. Result: A new detection against a new technique, plus several improvements to existing detections.",[],{},{"nodeType":1593,"data":1915,"content":1916},{},[1917],{"nodeType":1280,"value":1918,"marks":1919,"data":1921},"What infrastructure is needed for agentic threat hunting?",[1920],{"type":1334},{},{"nodeType":1276,"data":1923,"content":1924},{},[1925],{"nodeType":1280,"value":1926,"marks":1927,"data":1928},"Both of these examples illustrate the end-to-end workflows supported by this pipeline. From an infrastructure perspective, you can think about the pipeline as composed of:",[],{},{"nodeType":1458,"data":1930,"content":1931},{},[1932,1947,1962,1977,1992],{"nodeType":1462,"data":1933,"content":1934},{},[1935],{"nodeType":1276,"data":1936,"content":1937},{},[1938,1943],{"nodeType":1280,"value":1939,"marks":1940,"data":1942},"A flight recorder: ",[1941],{"type":1334},{},{"nodeType":1280,"value":1944,"marks":1945,"data":1946},"The Push extension-powered capability that collects and locally stores browser event metadata from users’ browsers.",[],{},{"nodeType":1462,"data":1948,"content":1949},{},[1950],{"nodeType":1276,"data":1951,"content":1952},{},[1953,1958],{"nodeType":1280,"value":1954,"marks":1955,"data":1957},"A knowledge base:",[1956],{"type":1334},{},{"nodeType":1280,"value":1959,"marks":1960,"data":1961}," Structured knowledge about what Push knows about TTPs and its existing body of detection logic, as well as externally sourced signals of new attack trends.",[],{},{"nodeType":1462,"data":1963,"content":1964},{},[1965],{"nodeType":1276,"data":1966,"content":1967},{},[1968,1973],{"nodeType":1280,"value":1969,"marks":1970,"data":1972},"Agents as tools: ",[1971],{"type":1334},{},{"nodeType":1280,"value":1974,"marks":1975,"data":1976},"Role-segmented agents that work as a team to triage, investigate, develop hunt queries, return analyses, write detections, and review each others’ work for completeness and accuracy.",[],{},{"nodeType":1462,"data":1978,"content":1979},{},[1980],{"nodeType":1276,"data":1981,"content":1982},{},[1983,1988],{"nodeType":1280,"value":1984,"marks":1985,"data":1987},"Humans in the loop: ",[1986],{"type":1334},{},{"nodeType":1280,"value":1989,"marks":1990,"data":1991},"Human researchers who collaborate with agents to initiate hunts and tune detections.",[],{},{"nodeType":1462,"data":1993,"content":1994},{},[1995],{"nodeType":1276,"data":1996,"content":1997},{},[1998,2003],{"nodeType":1280,"value":1999,"marks":2000,"data":2002},"Platform controls: ",[2001],{"type":1334},{},{"nodeType":1280,"value":2004,"marks":2005,"data":2006},"The Push administrator-configured controls that specify how to respond to detected events like AiTM phishing, tuneable by scope, user groups, browser profiles, apps, etc.",[],{},{"nodeType":1401,"data":2008,"content":2012},{"target":2009},{"sys":2010},{"id":2011,"type":1297,"linkType":1298},"7FY0vCBUXOt4vnudFuKALC",[],{"nodeType":1593,"data":2014,"content":2015},{},[2016],{"nodeType":1280,"value":2017,"marks":2018,"data":2020},"What are the best practices for agentic threat detection?",[2019],{"type":1334},{},{"nodeType":1276,"data":2022,"content":2023},{},[2024,2028,2033],{"nodeType":1280,"value":2025,"marks":2026,"data":2027},"To be effective, agents must specialize and focus. This is the ",[],{},{"nodeType":1280,"value":2029,"marks":2030,"data":2032},"agents as tools",[2031],{"type":1334},{},{"nodeType":1280,"value":2034,"marks":2035,"data":2036}," concept. When we’re asking AI agents to take massive amounts of data and make a high-level decision about a signal in observed browser events, they must work as a team, finding intelligent ways to condense information without losing important context or hallucinating.",[],{},{"nodeType":1276,"data":2038,"content":2039},{},[2040],{"nodeType":1280,"value":2041,"marks":2042,"data":2043},"Creating a hierarchy of agent jobs — including agents to perform meta-analyses to catch mistakes and verify conclusions — makes the agents effective by giving them a manageable focus that controls the size of context windows.",[],{},{"nodeType":1401,"data":2045,"content":2049},{"target":2046},{"sys":2047},{"id":2048,"type":1297,"linkType":1298},"3fzJCknMUmh4Z7YnhBSbsT",[],{"nodeType":1276,"data":2051,"content":2052},{},[2053],{"nodeType":1280,"value":2054,"marks":2055,"data":2056},"Creating an agentic workflow requires operationalizing your internal knowledge in a repeatable and trustworthy way. Sharing rich context from human discoveries is the key to getting the best results out of agents. ",[],{},{"nodeType":1276,"data":2058,"content":2059},{},[2060,2064,2069],{"nodeType":1280,"value":2061,"marks":2062,"data":2063},"It's vital too that the agent uses ",[],{},{"nodeType":1280,"value":2065,"marks":2066,"data":2068},"privacy-preserving methods and infrastructure.",[2067],{"type":1334},{},{"nodeType":1280,"value":2070,"marks":2071,"data":2072}," The Push agent is designed to respect customer and user privacy while enabling high-fidelity detections. We do this by collecting broad browser metadata but storing it locally in users’ browsers and only querying that metadata during active threat hunting investigations.",[],{},{"nodeType":1408,"data":2074,"content":2075},{},[],{"nodeType":1412,"data":2077,"content":2078},{},[2079],{"nodeType":1280,"value":2080,"marks":2081,"data":2083},"The compounding effect and how it benefits Push customers",[2082],{"type":1334},{},{"nodeType":1276,"data":2085,"content":2086},{},[2087],{"nodeType":1280,"value":2088,"marks":2089,"data":2090},"At Push, we think about our detection capability as two learning loops with a compounding effect: An inner loop that serves as our real-time detection and response engine for known attacker techniques, and an outer loop that is the continuous learning our agents do as they hunt for new threats, analyze emerging behaviors, and create new detections. ",[],{},{"nodeType":1276,"data":2092,"content":2093},{},[2094],{"nodeType":1280,"value":2095,"marks":2096,"data":2097},"The outer loop feeds the inner loop, and vice versa.",[],{},{"nodeType":1401,"data":2099,"content":2103},{"target":2100},{"sys":2101},{"id":2102,"type":1297,"linkType":1298},"1Jjqll7IIX2QRxN37gjFMH",[],{"nodeType":1276,"data":2105,"content":2106},{},[2107],{"nodeType":1280,"value":2108,"marks":2109,"data":2110},"Customers benefit from this approach because it means they:",[],{},{"nodeType":1458,"data":2112,"content":2113},{},[2114,2137,2147],{"nodeType":1462,"data":2115,"content":2116},{},[2117],{"nodeType":1276,"data":2118,"content":2119},{},[2120,2124,2133],{"nodeType":1280,"value":2121,"marks":2122,"data":2123},"Regularly receive ready-made detections against both known and emerging browser-based threats, without having to write their own detections. (Push also provides the ability to write your own ",[],{},{"nodeType":2125,"data":2126,"content":2128},"hyperlink",{"uri":2127},"/help/audience/engineering/resources/custom-detections",[2129],{"nodeType":1280,"value":2130,"marks":2131,"data":2132},"custom detections",[],{},{"nodeType":1280,"value":2134,"marks":2135,"data":2136},", too, for environment-specific use cases.)",[],{},{"nodeType":1462,"data":2138,"content":2139},{},[2140],{"nodeType":1276,"data":2141,"content":2142},{},[2143],{"nodeType":1280,"value":2144,"marks":2145,"data":2146},"Can configure Push’s response actions based on their security goals and environment. Agents act as the threat-hunting and detection engineering team; Push customers set the thresholds for how they want to respond. For example, customers can use Push controls to block all AiTM phishing attacks (or even carve out exceptions for their own incident responders to be able to visit malicious pages with just a warning), and agents continually feed new indicators into detection logic for that class of attack.",[],{},{"nodeType":1462,"data":2148,"content":2149},{},[2150],{"nodeType":1276,"data":2151,"content":2152},{},[2153],{"nodeType":1280,"value":2154,"marks":2155,"data":2156},"Get pre-digested and actionable intelligence from every detection, with extremely high fidelity.",[],{},{"nodeType":1276,"data":2158,"content":2159},{},[2160],{"nodeType":1280,"value":2161,"marks":2162,"data":2163},"This all equates to your own advanced browser threat protection, without requiring the specialized in-house expertise we’ve spent years building.",[],{},{"nodeType":1276,"data":2165,"content":2166},{},[2167],{"nodeType":1280,"value":2168,"marks":2169,"data":2170},"If you’re a Push customer, you already know that we regularly collaborate with security teams to identify and refine detection use cases, and assist with investigations. In the past few months alone, we’ve worked closely with teams targeted by device code phishing, and InstallFix and ClickFix campaigns, among others. ",[],{},{"nodeType":1276,"data":2172,"content":2173},{},[2174],{"nodeType":1280,"value":2175,"marks":2176,"data":2177},"If you’re not a customer and are curious about how Push’s agentic threat hunting and detection engineering capabilities can address your use cases, please get in touch.",[],{},{"nodeType":1401,"data":2179,"content":2183},{"target":2180},{"sys":2181},{"id":2182,"type":1297,"linkType":1298},"607jrBjlD1vtcbkDfD04DE",[],{"nodeType":1408,"data":2185,"content":2186},{},[],{"nodeType":1412,"data":2188,"content":2189},{},[2190],{"nodeType":1280,"value":2191,"marks":2192,"data":2194},"Learn more",[2193],{"type":1334},{},{"nodeType":1276,"data":2196,"content":2197},{},[2198],{"nodeType":1280,"value":2199,"marks":2200,"data":2201},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.",[],{},{"nodeType":1276,"data":2203,"content":2204},{},[2205],{"nodeType":1280,"value":2206,"marks":2207,"data":2208},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":1276,"data":2210,"content":2211},{},[2212,2216,2224],{"nodeType":1280,"value":2213,"marks":2214,"data":2215},"Book a ",[],{},{"nodeType":2125,"data":2217,"content":2219},{"uri":2218},"/demo",[2220],{"nodeType":1280,"value":2221,"marks":2222,"data":2223},"live demo",[],{},{"nodeType":1280,"value":2225,"marks":2226,"data":2227}," to learn more.",[],{},{"entries":2229},{"inline":2230,"hyperlink":2231,"block":2265},[],[2232,2237,2241,2245,2249,2253,2257,2261],{"sys":2233,"__typename":2234,"title":2235,"slug":2236},{"id":1296},"BlogPosts","How cyber criminals power malvertising scams with stolen accounts","cyber-criminal-ecosystem-analysis",{"sys":2238,"__typename":2234,"title":2239,"slug":2240},{"id":1355},"InstallFix: How attackers are weaponizing malvertised install guides  ","installfix",{"sys":2242,"__typename":2234,"title":2243,"slug":2244},{"id":1447},"Introducing the Browser & Identity Attacks Matrix","introducing-the-browser-and-identity-attacks-matrix",{"sys":2246,"__typename":2234,"title":2247,"slug":2248},{"id":1486},"Device code phishing attacks have skyrocketed: here’s what you need to know","device-code-phishing",{"sys":2250,"__typename":2234,"title":2251,"slug":2252},{"id":1510},"ConsentFix: Analyzing a browser-native ClickFix-style attack that hijacks OAuth consent grants","consentfix",{"sys":2254,"__typename":2234,"title":2255,"slug":2256},{"id":1537},"Google Search malvertising campaign continues, now impersonating Ahrefs","google-search-malvertising-campaign-continues-now-impersonating-ahrefs",{"sys":2258,"__typename":2234,"title":2259,"slug":2260},{"id":1563},"Uncovering a Calendly-themed phishing campaign targeting business ad manager accounts","uncovering-a-calendly-themed-phishing-campaign",{"sys":2262,"__typename":2234,"title":2263,"slug":2264},{"id":1652},"Our design philosophy: Detecting what matters","our-design-philosophy-detecting-what-matters",[2266,2288,2296,2329,2337,2345,2353,2367,2374],{"sys":2267,"__typename":2268,"content":2269,"name":2287,"title":61},{"id":1405},"InsightTextBlockComponent",{"json":2270},{"nodeType":1272,"data":2271,"content":2272},{},[2273,2280],{"nodeType":1276,"data":2274,"content":2275},{},[2276],{"nodeType":1280,"value":2277,"marks":2278,"data":2279},"In this article, we’ll outline how Push uses AI agents as a force multiplier for identifying emerging threats that target organizations via the browser — think: ClickFix, vibecoded phishing sites, AiTM kits, cloned login pages, ConsentFix attacks, malicious OAuth apps, device code phishing, sites impersonating Claude Code installers, etc. — and share what we’ve learned. ",[],{},{"nodeType":1276,"data":2281,"content":2282},{},[2283],{"nodeType":1280,"value":2284,"marks":2285,"data":2286},"We’ll cover the architectural decisions we made that enable the successful implementation of agents and some emerging best practices we’ve identified; discuss why our hunts focus on extracting techniques, not indicators; and illustrate how Push customers are benefitting from this agentic pipeline.",[],{},"Agentic Threat Hunting Blog IB1",{"sys":2289,"__typename":2290,"title":1450,"caption":2291,"layoutMode":61,"file":2292},{"id":1577},"Image","Browser and identity-based techniques have exploded since we first launched our attack matrix",{"url":2293,"width":2294,"height":2295},"https://images.ctfassets.net/y1cdw1ablpvd/L0Yc77y9vzrKVD72BQGX2/4ffe0bf61bd62f025262b8efd74394b7/Browser___Identity_Attacks_Matrix__1_.png",6160,4432,{"sys":2297,"__typename":2268,"content":2298,"name":2328,"title":61},{"id":1590},{"json":2299},{"nodeType":1272,"data":2300,"content":2301},{},[2302,2321],{"nodeType":1276,"data":2303,"content":2304},{},[2305,2309,2317],{"nodeType":1280,"value":2306,"marks":2307,"data":2308},"Push researchers are seeing ",[],{},{"nodeType":2125,"data":2310,"content":2312},{"uri":2311},"https://pushsecurity.com/blog/inside-criminal-phishing-panel/",[2313],{"nodeType":1280,"value":2314,"marks":2315,"data":2316},"extensive evidence of LLM use",[],{},{"nodeType":1280,"value":2318,"marks":2319,"data":2320}," in attacks we detect, from LLM-generated phishing kits and tools to vibe-coded cloned pages, demonstrating how much adversaries have embraced these tools to expedite their work. ",[],{},{"nodeType":1276,"data":2322,"content":2323},{},[2324],{"nodeType":1280,"value":2325,"marks":2326,"data":2327},"In particular, we’ve observed operator-gated payload delivery that greatly reduces the likelihood that malicious sites will be flagged and added to known-bad detection lists because they’re only served to active targets, using gated landing pages, anti-bot checks, and other methods to evade proactive infrastructure scanning. This reinforces the need for browser-based detection at the point the user interacts with the page.",[],{},"Agentic Threat Hunting Blog IB2",{"sys":2330,"__typename":2290,"title":2331,"caption":2332,"layoutMode":61,"file":2333},{"id":1631},"Sample detection - blog article - custom branding","Sample detection details in the Push admin console for a blocked phishing event",{"url":2334,"width":2335,"height":2336},"https://images.ctfassets.net/y1cdw1ablpvd/6k8qVn1iYXbBl6lcHvphIa/dd802537d883cf6ddafdd78034c3412a/sample_detection.png",1999,766,{"sys":2338,"__typename":2290,"title":2339,"caption":2340,"layoutMode":61,"file":2341},{"id":1905},"Dissect agent output - agentic threat hunting blog","Summary from the work of Push’s deep investigation AI agent on the initial InstallFix attack detected by Push.",{"url":2342,"width":2343,"height":2344},"https://images.ctfassets.net/y1cdw1ablpvd/6t86kpGUwCVvrJEfVic1Cr/f41986585203764155d736d26cee2176/agentic_summary_example_installfix.png",1998,1428,{"sys":2346,"__typename":2290,"title":2347,"caption":2348,"layoutMode":61,"file":2349},{"id":2011},"Detection engine diagram - agentic threat blog","The Push detection engine combines deep browser telemetry with agentic workflows to rapidly respond to emerging threats.  ",{"url":2350,"width":2351,"height":2352},"https://images.ctfassets.net/y1cdw1ablpvd/1zbE1t82gPo7pgqkAayTcZ/72046ea5db9b80c77053343223025163/platform_diagram_v3.png",1134,762,{"sys":2354,"__typename":2268,"content":2355,"name":2366,"title":61},{"id":2048},{"json":2356},{"data":2357,"content":2358,"nodeType":1272},{},[2359],{"data":2360,"content":2361,"nodeType":1276},{},[2362],{"data":2363,"marks":2364,"value":2365,"nodeType":1280},{},[],"Use agents as an excuse to operationalize your internal knowledge once and for all. Every security team has a venerable silo of knowledge — that one person who just knows how to do that one major thing. Now, that can be an AI resource accessible to all, at any time, whenever you need it most.","Agentic Threat Hunting Blog IB4",{"sys":2368,"__typename":2290,"title":2369,"caption":2370,"layoutMode":61,"file":2371},{"id":2102},"Learning loops diagram - agentic threat blog","Two learning loops for known and unknown threats create a compounding effect for Push’s ability to defend against browser-based attacks.",{"url":2372,"width":2373,"height":2336},"https://images.ctfassets.net/y1cdw1ablpvd/6TQdqvjhG4AYHITcR1MV9s/b1e1c337f50005186f6022004543023b/learning_loops_v3.png",1001,{"sys":2375,"__typename":2376,"type":2377,"ctaText":2378,"buttonLabel":2379,"buttonColour":2380,"buttonUrl":2381},{"id":2182},"CtaWidget","Custom","Book a demo to learn more about our agentic threat hunting capabilities and how they can benefit your security team.","Book a Demo","sunny orange","https://site.dev.pushsecurity.com/demo/","json",{},"How we built an agentic threat hunting pipeline at Push","2026-05-12T00:00:00.000Z",{"items":2387},[],"can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline","blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline",{"json":2391},{"data":2392,"content":2393,"nodeType":1272},{},[2394],{"data":2395,"content":2396,"nodeType":1276},{},[2397],{"data":2398,"marks":2399,"value":2400,"nodeType":1280},{},[],"What does agentic threat hunting against modern browser-based attacks actually look like? At Push, we built an end-to-end threat hunting and detection engineering capability that uses AI agents as a force multiplier, tripling the number of new detections we’re shipping each month. Here’s how it works.","How we built an end-to-end threat hunting and detection engineering capability at Push that uses AI agents as a force multiplier.",{"id":2403,"publishedAt":2404},"1jfqiWQlL6qkn3i9yjNbFB","2026-05-12T12:20:10.830Z",{"items":2406},[2407,2411],{"sys":2408,"name":2410},{"id":2409},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2412,"name":2414},{"id":2413},"4ksQNCFeBf8H4QIORqpRLw","Detection & response","PzExAo0vWai3bFIcaYiJihR-LAp8eWSRDh0ohLXoiuM",1778605817614]