[{"data":1,"prerenderedAt":4591},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":100,"navbar-resource-highlight":174,"use-case-page":220,"fa-icon-regular-faFishingRod":1242,"fa-icon-regular-faPuzzlePiece":1246,"fa-icon-regular-faUserSecret":1248,"fa-icon-regular-faRadar":1250,"fa-icon-regular-faLaptopCode":1252,"fa-icon-regular-faSatelliteDish":1254,"fa-icon-regular-faShieldCheck":1256,"fa-icon-regular-faBrainCircuit":1258,"blog/how-to-avoid-the-browser-security-buyers-trap":1260},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"unvl394l1ff",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"meta":41,"stageModifiedSincePublish":6,"query":45,"data":46,"variations":93,"lastUpdated":94,"firstPublished":95,"testRatio":23,"createdBy":96,"lastUpdatedBy":97,"folders":98,"rev":99},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",{"kind":42,"hasLinks":6,"breakpoints":43,"lastPreviewUrl":44,"hasAutosaves":6},"component",{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",[],{"url":29,"ctaText":47,"text":48,"blocks":49,"state":89},"ewrererw","testrfesssssssssss",[50,77],{"@type":51,"@version":52,"id":53,"component":54,"responsiveStyles":67},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":55,"tag":55,"options":56,"isRSC":66},"TopBannerContent",{"text":57,"ctaText":58,"url":59,"mainText":60,"cta":63},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":61,"fontSize":62},"\u003Cp>Is your stack covered? 51 browser & identity attacks, mapped.\u003C/p>","text-base",{"content":64,"fontSize":62,"url":65},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">See the matrix →\u003C/strong>\u003C/p>\n","https://pushsecurity.com/resources/browser-identity-attacks-matrix/",null,{"large":68},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"marginTop":74,"marginBottom":74,"fontSize":75,"fontWeight":76},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":78,"@type":51,"tagName":79,"properties":80,"responsiveStyles":84},"builder-pixel-ai15x69e2lr","img",{"src":81,"aria-hidden":82,"alt":29,"role":83,"width":72,"height":72},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":85},{"height":72,"width":72,"display":86,"opacity":72,"overflow":87,"pointerEvents":88},"block","hidden","none",{"deviceSize":90,"location":91},"large",{"path":29,"query":92},{},{},1778612252607,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],"o18okawif2",[101,137],{"createdDate":102,"id":103,"name":104,"modelId":105,"published":13,"stageModifiedSincePublish":6,"query":106,"data":107,"variations":130,"lastUpdated":131,"firstPublished":132,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":133,"meta":134,"rev":136},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":108,"type":109,"testimonialLink":110,"testimonial":111},{},"testimonial","/customer-stories/inductive-automation",{"@type":112,"id":113,"model":109,"value":114},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":115,"folders":116,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":120,"variations":124,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":96,"lastUpdatedBy":96,"meta":127,"rev":129},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":121,"jobTitle":122,"quote":118,"image":123},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":128,"hasAutosaves":34},{"small":32,"medium":33},"gl87t1hkyib",{},1776247404986,1776247404973,[],{"breakpoints":135,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"qvea57rdy3",{"createdDate":138,"id":139,"name":140,"modelId":105,"published":13,"meta":141,"stageModifiedSincePublish":6,"query":143,"data":144,"variations":170,"lastUpdated":171,"firstPublished":172,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":173,"rev":136},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":142,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":145,"link":164,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":147},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":148,"folders":149,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":152,"variations":158,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":96,"lastUpdatedBy":24,"meta":161,"rev":163},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":162,"hasAutosaves":34},{"small":32,"medium":33},"3wpax0f9a9i",{"text":165,"url":166},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[175,198],{"createdDate":176,"id":177,"name":140,"modelId":178,"published":13,"meta":179,"stageModifiedSincePublish":6,"query":181,"data":182,"variations":193,"lastUpdated":194,"firstPublished":195,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":196,"rev":197},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":180,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":183,"link":192,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":184},{"query":185,"folders":186,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":187,"variations":188,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":96,"lastUpdatedBy":24,"meta":189,"rev":191},[],[],{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":190,"hasAutosaves":34},{"small":32,"medium":33},"189tpb5kfqi",{"text":165,"url":166},{},1776256937553,1776256937540,[],"2i04fm5wnrm",{"createdDate":199,"id":200,"name":201,"modelId":178,"published":13,"stageModifiedSincePublish":6,"query":202,"data":203,"variations":214,"lastUpdated":215,"firstPublished":216,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":217,"meta":218,"rev":197},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":204,"type":109,"testimonial":205,"testimonialLink":110},{},{"@type":112,"id":113,"model":109,"value":206},{"query":207,"folders":208,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":209,"variations":210,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":96,"lastUpdatedBy":96,"meta":211,"rev":213},[],[],{"author":121,"jobTitle":122,"quote":118,"image":123},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":212,"hasAutosaves":34},{"small":32,"medium":33},"j9gaytoq5z",{},1776256974140,1776256974130,[],{"breakpoints":219,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[221,405,524,643,761,881,1001,1121],{"createdDate":222,"id":223,"name":224,"modelId":225,"published":13,"stageModifiedSincePublish":6,"query":226,"data":232,"variations":393,"lastUpdated":394,"firstPublished":395,"testRatio":23,"screenshot":396,"createdBy":96,"lastUpdatedBy":397,"folders":398,"meta":399,"rev":404},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[227],{"@type":228,"property":229,"operator":230,"value":231},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":233,"customFonts":234,"seoTitle":282,"title":282,"tsCode":29,"seoDescription":283,"fontAwesomeIcon":284,"jsCode":29,"blocks":285,"url":231,"state":390},[],[235],{"family":236,"kind":237,"version":238,"lastModified":239,"files":240,"category":259,"menu":260,"subsets":261,"variants":264},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"800italic":249,"900italic":250,"700italic":251,"100italic":252,"italic":253,"regular":254,"200italic":255,"500italic":256,"300italic":257,"600italic":258},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[262,263],"latin","latin-ext",[265,266,267,268,269,270,76,271,272,273,274,275,276,277,278,279,280,281],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[286,385],{"@type":51,"@version":52,"tagName":287,"id":288,"children":289},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[290,307,315,322,334,349,360,371,377],{"@type":51,"@version":52,"layerName":291,"id":292,"component":293,"responsiveStyles":304},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":291,"options":294,"isRSC":66},{"title":282,"description":295,"points":296,"video":303},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[297,299,301],{"item":298},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":300},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":302},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":305},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":306},"transparent",{"@type":51,"@version":52,"id":308,"component":309,"responsiveStyles":312},"builder-96634044407e491299e291ed64669e39",{"name":310,"options":311,"isRSC":66},"TrustedBy",{"AllPartners":34,"backgroundTransparent":6},{"large":313},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":314},"#000",{"@type":51,"@version":52,"id":316,"component":317,"responsiveStyles":320},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":318,"options":319,"isRSC":66},"Diagonal",{"darkMode":34},{"large":321},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"layerName":323,"id":324,"component":325,"responsiveStyles":332},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":323,"tag":323,"options":326,"isRSC":66},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":329,"description":330,"animatedTitle":29,"image":331,"reverse":6,"descriptionPaddingHorizontal":66},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":333},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":335,"component":336,"responsiveStyles":344},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":337,"options":338,"isRSC":66},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":341,"description":342,"reverse":34,"image":343},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":345},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"fontFamily":346,"paddingTop":347,"marginTop":348},"DM Sans, sans-serif","20px","0px",{"@type":51,"@version":52,"id":350,"component":351,"responsiveStyles":357},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":337,"options":352,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":354,"description":355,"reverse":6,"image":356},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":358},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":359},"36px",{"@type":51,"@version":52,"layerName":337,"id":361,"component":362,"responsiveStyles":368},"builder-42c32198083f4880acb37c5cb76934da",{"name":337,"options":363,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":365,"description":366,"reverse":34,"image":367},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":369},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":370},"47px",{"@type":51,"@version":52,"id":372,"component":373,"responsiveStyles":375},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":318,"options":374,"isRSC":66},{"darkMode":6},{"large":376},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":378,"component":379,"responsiveStyles":383},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":380,"tag":380,"options":381,"isRSC":66},"LatestResources",{"sectionHeading":29,"customClass":382},"bg-black",{"large":384},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"id":386,"@type":51,"tagName":79,"properties":387,"responsiveStyles":388},"builder-pixel-c2upyz8jfb5",{"src":81,"aria-hidden":82,"alt":29,"role":83,"width":72,"height":72},{"large":389},{"height":72,"width":72,"display":86,"opacity":72,"overflow":87,"pointerEvents":88},{"deviceSize":90,"location":391},{"path":29,"query":392},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":400,"winningTest":66,"breakpoints":401,"kind":402,"hasLinks":6,"originalContentId":403,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"page","2daa5670b8504fc7ba4700633e8bd921","cdrddgpo1vw",{"createdDate":406,"id":407,"name":408,"modelId":225,"published":13,"stageModifiedSincePublish":6,"query":409,"data":412,"variations":516,"lastUpdated":517,"firstPublished":518,"testRatio":23,"screenshot":519,"createdBy":96,"lastUpdatedBy":397,"folders":520,"meta":521,"rev":404},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[410],{"@type":228,"property":229,"operator":230,"value":411},"/uc/browser-extension-security",{"seoDescription":413,"jsCode":29,"fontAwesomeIcon":414,"tsCode":29,"title":408,"seoTitle":408,"customFonts":415,"inputs":420,"blocks":421,"url":411,"state":513},"Shine a light on risky browser extensions.","faPuzzlePiece",[416],{"kind":237,"family":236,"version":238,"files":417,"category":259,"lastModified":239,"subsets":418,"variants":419,"menu":260},{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"100italic":252,"italic":253,"regular":254,"900italic":250,"800italic":249,"700italic":251,"200italic":255,"300italic":257,"500italic":256,"600italic":258},[262,263],[265,266,267,268,269,270,76,271,272,273,274,275,276,277,278,279,280,281],[],[422,508],{"@type":51,"@version":52,"tagName":287,"id":423,"meta":424,"children":425},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":288},[426,442,449,456,465,475,485,495,502],{"@type":51,"@version":52,"id":427,"meta":428,"component":429,"responsiveStyles":440},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":292},{"name":291,"options":430,"isRSC":66},{"title":408,"description":431,"points":432,"video":439},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[433,435,437],{"item":434},"Discover every browser extension in use",{"item":436},"Spot risky or unsanctioned behavior",{"item":438},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":441},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":306},{"@type":51,"@version":52,"id":443,"meta":444,"component":445,"responsiveStyles":447},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":308},{"name":310,"options":446,"isRSC":66},{"AllPartners":34,"backgroundTransparent":6},{"large":448},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":314},{"@type":51,"@version":52,"id":450,"meta":451,"component":452,"responsiveStyles":454},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":316},{"name":318,"options":453,"isRSC":66},{"darkMode":34},{"large":455},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"layerName":323,"id":457,"component":458,"responsiveStyles":463},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":323,"tag":323,"options":459,"isRSC":66},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":460,"description":461,"image":462,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":464},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":466,"meta":467,"component":468,"responsiveStyles":473},"builder-93738f98109a4009affb349afd7bb182",{"previousId":335},{"name":337,"options":469,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":470,"description":471,"reverse":34,"image":472},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":474},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"fontFamily":346,"paddingTop":347,"marginTop":348},{"@type":51,"@version":52,"id":476,"meta":477,"component":478,"responsiveStyles":483},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":350},{"name":337,"options":479,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":480,"description":481,"reverse":6,"image":482},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":484},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":359},{"@type":51,"@version":52,"layerName":337,"id":486,"meta":487,"component":488,"responsiveStyles":493},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":361},{"name":337,"options":489,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":490,"description":491,"reverse":34,"image":492},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":494},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":370},{"@type":51,"@version":52,"id":496,"meta":497,"component":498,"responsiveStyles":500},"builder-1a689287d1a1418997d57db578a71105",{"previousId":372},{"name":318,"options":499,"isRSC":66},{"darkMode":6},{"large":501},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":503,"component":504,"responsiveStyles":506},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":380,"tag":380,"options":505,"isRSC":66},{"sectionHeading":29,"customClass":382},{"large":507},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"id":509,"@type":51,"tagName":79,"properties":510,"responsiveStyles":511},"builder-pixel-6vdgn1l5los",{"src":81,"aria-hidden":82,"alt":29,"role":83,"width":72,"height":72},{"large":512},{"height":72,"width":72,"display":86,"opacity":72,"overflow":87,"pointerEvents":88},{"deviceSize":90,"location":514},{"path":29,"query":515},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":402,"winningTest":66,"breakpoints":522,"lastPreviewUrl":523,"hasLinks":6,"originalContentId":223,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":525,"id":526,"name":527,"modelId":225,"published":13,"query":528,"data":531,"variations":634,"lastUpdated":635,"firstPublished":636,"testRatio":23,"screenshot":637,"createdBy":96,"lastUpdatedBy":638,"folders":639,"meta":640,"rev":404},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[529],{"@type":228,"property":229,"operator":230,"value":530},"/uc/account-takeover-detection",{"title":527,"customFonts":532,"jsCode":29,"seoTitle":527,"seoDescription":537,"fontAwesomeIcon":538,"tsCode":29,"blocks":539,"url":530,"state":631},[533],{"kind":237,"category":259,"variants":534,"menu":260,"files":535,"family":236,"subsets":536,"version":238,"lastModified":239},[265,266,267,268,269,270,76,271,272,273,274,275,276,277,278,279,280,281],{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"300italic":257,"500italic":256,"800italic":249,"700italic":251,"italic":253,"900italic":250,"600italic":258,"200italic":255,"regular":254,"100italic":252},[262,263],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[540,626],{"@type":51,"@version":52,"tagName":287,"id":541,"meta":542,"children":543},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":288},[544,560,567,574,583,593,603,613,620],{"@type":51,"@version":52,"id":545,"meta":546,"component":547,"responsiveStyles":558},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":292},{"name":291,"options":548,"isRSC":66},{"title":527,"description":549,"points":550,"video":557},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[551,553,555],{"item":552},"Identify credential-based ATO as it unfolds",{"item":554},"Surface hijacked sessions and token misuse",{"item":556},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":559},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":306},{"@type":51,"@version":52,"id":561,"meta":562,"component":563,"responsiveStyles":565},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":308},{"name":310,"options":564,"isRSC":66},{"AllPartners":34,"backgroundTransparent":6},{"large":566},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":314},{"@type":51,"@version":52,"id":568,"meta":569,"component":570,"responsiveStyles":572},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":316},{"name":318,"options":571,"isRSC":66},{"darkMode":34},{"large":573},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":575,"component":576,"responsiveStyles":581},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":323,"tag":323,"options":577,"isRSC":66},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":578,"description":579,"image":580,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":582},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":584,"meta":585,"component":586,"responsiveStyles":591},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":335},{"name":337,"options":587,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":588,"description":589,"reverse":34,"image":590},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":592},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"fontFamily":346,"paddingTop":348,"marginTop":348},{"@type":51,"@version":52,"id":594,"meta":595,"component":596,"responsiveStyles":601},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":350},{"name":337,"options":597,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":598,"description":599,"reverse":6,"image":600},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":602},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":359},{"@type":51,"@version":52,"layerName":337,"id":604,"meta":605,"component":606,"responsiveStyles":611},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":361},{"name":337,"options":607,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":608,"description":609,"reverse":34,"image":610},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":612},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":370},{"@type":51,"@version":52,"id":614,"meta":615,"component":616,"responsiveStyles":618},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":372},{"name":318,"options":617,"isRSC":66},{"darkMode":6},{"large":619},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":621,"component":622,"responsiveStyles":624},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":380,"tag":380,"options":623,"isRSC":66},{"sectionHeading":29,"customClass":382},{"large":625},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"id":627,"@type":51,"tagName":79,"properties":628,"responsiveStyles":629},"builder-pixel-88ssijw4z6k",{"src":81,"aria-hidden":82,"alt":29,"role":83,"width":72,"height":72},{"large":630},{"height":72,"width":72,"display":86,"opacity":72,"overflow":87,"pointerEvents":88},{"deviceSize":90,"location":632},{"path":29,"query":633},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":641,"hasLinks":6,"originalContentId":223,"breakpoints":642,"winningTest":66,"kind":402,"hasAutosaves":34},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":644,"id":645,"name":646,"modelId":225,"published":13,"query":647,"data":650,"variations":753,"lastUpdated":754,"firstPublished":755,"testRatio":23,"screenshot":756,"createdBy":96,"lastUpdatedBy":638,"folders":757,"meta":758,"rev":404},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[648],{"@type":228,"property":229,"operator":230,"value":649},"/uc/attack-path-hardening",{"tsCode":29,"seoDescription":651,"jsCode":29,"customFonts":652,"fontAwesomeIcon":657,"seoTitle":646,"title":646,"blocks":658,"url":649,"state":750},"Harden access paths with visibility,  detection, and guardrails.",[653],{"kind":237,"files":654,"version":238,"lastModified":239,"subsets":655,"menu":260,"category":259,"variants":656,"family":236},{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"regular":254,"italic":253,"800italic":249,"500italic":256,"600italic":258,"200italic":255,"900italic":250,"700italic":251,"100italic":252,"300italic":257},[262,263],[265,266,267,268,269,270,76,271,272,273,274,275,276,277,278,279,280,281],"faRadar",[659,745],{"@type":51,"@version":52,"tagName":287,"id":660,"meta":661,"children":662},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":541},[663,679,686,693,702,712,722,732,739],{"@type":51,"@version":52,"id":664,"meta":665,"component":666,"responsiveStyles":677},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":545},{"name":291,"options":667,"isRSC":66},{"title":646,"description":668,"points":669,"video":676},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[670,672,674],{"item":671},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":673},"Monitor how users actually log in across apps, flows, and tools",{"item":675},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":678},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":306},{"@type":51,"@version":52,"id":680,"meta":681,"component":682,"responsiveStyles":684},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":561},{"name":310,"options":683,"isRSC":66},{"AllPartners":34,"backgroundTransparent":6},{"large":685},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":314},{"@type":51,"@version":52,"id":687,"meta":688,"component":689,"responsiveStyles":691},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":568},{"name":318,"options":690,"isRSC":66},{"darkMode":34},{"large":692},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":694,"component":695,"responsiveStyles":700},"builder-dec0246085e1485c803f7152b1922a81",{"name":323,"tag":323,"options":696,"isRSC":66},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":697,"description":698,"image":699,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":701},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":703,"meta":704,"component":705,"responsiveStyles":710},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":584},{"name":337,"options":706,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":707,"description":708,"reverse":34,"image":709},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":711},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"fontFamily":346,"paddingTop":347,"marginTop":348},{"@type":51,"@version":52,"id":713,"meta":714,"component":715,"responsiveStyles":720},"builder-431d175c59004669b0b2776b07d71737",{"previousId":594},{"name":337,"options":716,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":717,"description":718,"reverse":6,"image":719},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":721},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":359},{"@type":51,"@version":52,"layerName":337,"id":723,"meta":724,"component":725,"responsiveStyles":730},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":604},{"name":337,"options":726,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":727,"description":728,"reverse":34,"image":729},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":731},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":370},{"@type":51,"@version":52,"id":733,"meta":734,"component":735,"responsiveStyles":737},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":614},{"name":318,"options":736,"isRSC":66},{"darkMode":6},{"large":738},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":740,"component":741,"responsiveStyles":743},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":380,"tag":380,"options":742,"isRSC":66},{"sectionHeading":29,"customClass":382},{"large":744},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"id":746,"@type":51,"tagName":79,"properties":747,"responsiveStyles":748},"builder-pixel-6dp9sj3biri",{"src":81,"aria-hidden":82,"alt":29,"role":83,"width":72,"height":72},{"large":749},{"height":72,"width":72,"display":86,"opacity":72,"overflow":87,"pointerEvents":88},{"deviceSize":90,"location":751},{"path":29,"query":752},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":402,"lastPreviewUrl":759,"breakpoints":760,"hasLinks":6,"originalContentId":526,"winningTest":66,"hasAutosaves":34},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":762,"id":763,"name":764,"modelId":225,"published":13,"query":765,"data":768,"variations":873,"lastUpdated":874,"firstPublished":875,"testRatio":23,"screenshot":876,"createdBy":96,"lastUpdatedBy":638,"folders":877,"meta":878,"rev":404},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[766],{"@type":228,"property":229,"operator":230,"value":767},"/uc/clickfix-protection",{"seoDescription":769,"fontAwesomeIcon":770,"customFonts":771,"seoTitle":776,"jsCode":29,"tsCode":29,"title":776,"blocks":777,"url":767,"state":870},"Block attacks that trick users into running malicious code.","faLaptopCode",[772],{"files":773,"subsets":774,"menu":260,"version":238,"kind":237,"family":236,"lastModified":239,"variants":775,"category":259},{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"200italic":255,"800italic":249,"700italic":251,"600italic":258,"100italic":252,"italic":253,"regular":254,"300italic":257,"500italic":256,"900italic":250},[262,263],[265,266,267,268,269,270,76,271,272,273,274,275,276,277,278,279,280,281],"ClickFix protection",[778,865],{"@type":51,"@version":52,"tagName":287,"id":779,"meta":780,"children":781},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":660},[782,798,805,812,822,832,842,852,859],{"@type":51,"@version":52,"id":783,"meta":784,"component":785,"responsiveStyles":796},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":664},{"name":291,"options":786,"isRSC":66},{"title":776,"description":787,"points":788,"image":795},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[789,791,793],{"item":790},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":792},"Block malicious copy-and-paste actions before code is executed",{"item":794},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":797},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":306},{"@type":51,"@version":52,"id":799,"meta":800,"component":801,"responsiveStyles":803},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":680},{"name":310,"options":802,"isRSC":66},{"AllPartners":34,"backgroundTransparent":6},{"large":804},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":314},{"@type":51,"@version":52,"id":806,"meta":807,"component":808,"responsiveStyles":810},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":687},{"name":318,"options":809,"isRSC":66},{"darkMode":34},{"large":811},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":813,"meta":814,"component":815,"responsiveStyles":820},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":694},{"name":323,"tag":323,"options":816,"isRSC":66},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":817,"description":818,"reverse":6,"image":819},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":821},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":823,"meta":824,"component":825,"responsiveStyles":830},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":703},{"name":337,"options":826,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":827,"description":828,"reverse":34,"image":829},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":831},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"fontFamily":346,"paddingTop":347,"marginTop":348},{"@type":51,"@version":52,"id":833,"meta":834,"component":835,"responsiveStyles":840},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":713},{"name":337,"options":836,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":837,"description":838,"reverse":6,"image":839},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":841},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":359},{"@type":51,"@version":52,"layerName":337,"id":843,"meta":844,"component":845,"responsiveStyles":850},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":723},{"name":337,"options":846,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":847,"description":848,"reverse":34,"image":849},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":851},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":370},{"@type":51,"@version":52,"id":853,"meta":854,"component":855,"responsiveStyles":857},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":733},{"name":318,"options":856,"isRSC":66},{"darkMode":6},{"large":858},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":860,"component":861,"responsiveStyles":863},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":380,"tag":380,"options":862,"isRSC":66},{"sectionHeading":29,"customClass":382},{"large":864},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"id":866,"@type":51,"tagName":79,"properties":867,"responsiveStyles":868},"builder-pixel-q50587xx99",{"src":81,"aria-hidden":82,"alt":29,"role":83,"width":72,"height":72},{"large":869},{"height":72,"width":72,"display":86,"opacity":72,"overflow":87,"pointerEvents":88},{"deviceSize":90,"location":871},{"path":29,"query":872},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":879,"originalContentId":645,"winningTest":66,"hasLinks":6,"kind":402,"breakpoints":880,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":882,"id":883,"name":884,"modelId":225,"published":13,"query":885,"data":888,"variations":993,"lastUpdated":994,"firstPublished":995,"testRatio":23,"screenshot":996,"createdBy":96,"lastUpdatedBy":638,"folders":997,"meta":998,"rev":404},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[886],{"@type":228,"property":229,"operator":230,"value":887},"/uc/incident-response",{"seoDescription":889,"customFonts":890,"title":884,"jsCode":29,"fontAwesomeIcon":895,"seoTitle":896,"tsCode":29,"blocks":897,"url":887,"state":990},"Investigate and respond faster with unique browser telemetry.",[891],{"kind":237,"subsets":892,"menu":260,"variants":893,"category":259,"family":236,"version":238,"lastModified":239,"files":894},[262,263],[265,266,267,268,269,270,76,271,272,273,274,275,276,277,278,279,280,281],{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"900italic":250,"600italic":258,"200italic":255,"300italic":257,"100italic":252,"700italic":251,"800italic":249,"regular":254,"italic":253,"500italic":256},"faSatelliteDish","Browser based incident response",[898,985],{"@type":51,"@version":52,"tagName":287,"id":899,"meta":900,"children":901},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":660},[902,919,926,933,942,952,962,972,979],{"@type":51,"@version":52,"id":903,"meta":904,"component":905,"responsiveStyles":917},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":664},{"name":291,"options":906,"isRSC":66},{"title":907,"description":908,"points":909,"video":916},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[910,912,914],{"item":911},"Reconstruct what happened with real browser session context",{"item":913},"Investigate faster with real-world session context",{"item":915},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":918},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":306},{"@type":51,"@version":52,"id":920,"meta":921,"component":922,"responsiveStyles":924},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":680},{"name":310,"options":923,"isRSC":66},{"AllPartners":34,"backgroundTransparent":6},{"large":925},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":314},{"@type":51,"@version":52,"id":927,"meta":928,"component":929,"responsiveStyles":931},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":687},{"name":318,"options":930,"isRSC":66},{"darkMode":34},{"large":932},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":934,"component":935,"responsiveStyles":940},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":323,"tag":323,"options":936,"isRSC":66},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":937,"description":938,"image":939,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":941},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":943,"meta":944,"component":945,"responsiveStyles":950},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":703},{"name":337,"options":946,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":947,"description":948,"reverse":34,"image":949},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":951},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"fontFamily":346,"paddingTop":348,"marginTop":348},{"@type":51,"@version":52,"id":953,"meta":954,"component":955,"responsiveStyles":960},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":713},{"name":337,"options":956,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":957,"description":958,"reverse":6,"image":959},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":961},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":359},{"@type":51,"@version":52,"layerName":337,"id":963,"meta":964,"component":965,"responsiveStyles":970},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":723},{"name":337,"options":966,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":967,"description":968,"reverse":34,"image":969},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":971},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":370},{"@type":51,"@version":52,"id":973,"meta":974,"component":975,"responsiveStyles":977},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":733},{"name":318,"options":976,"isRSC":66},{"darkMode":6},{"large":978},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":980,"component":981,"responsiveStyles":983},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":380,"tag":380,"options":982,"isRSC":66},{"sectionHeading":29,"customClass":382},{"large":984},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"id":986,"@type":51,"tagName":79,"properties":987,"responsiveStyles":988},"builder-pixel-75hfav0flyl",{"src":81,"aria-hidden":82,"alt":29,"role":83,"width":72,"height":72},{"large":989},{"height":72,"width":72,"display":86,"opacity":72,"overflow":87,"pointerEvents":88},{"deviceSize":90,"location":991},{"path":29,"query":992},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":402,"breakpoints":999,"originalContentId":645,"winningTest":66,"lastPreviewUrl":1000,"hasLinks":6,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1002,"id":1003,"name":1004,"modelId":225,"published":13,"query":1005,"data":1008,"variations":1113,"lastUpdated":1114,"firstPublished":1115,"testRatio":23,"screenshot":1116,"createdBy":96,"lastUpdatedBy":638,"folders":1117,"meta":1118,"rev":404},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1006],{"@type":228,"property":229,"operator":230,"value":1007},"/uc/shadow-saas",{"seoTitle":1009,"seoDescription":1010,"customFonts":1011,"fontAwesomeIcon":1016,"title":1017,"jsCode":29,"tsCode":29,"blocks":1018,"url":1007,"state":1110},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1012],{"kind":237,"variants":1013,"files":1014,"family":236,"version":238,"subsets":1015,"lastModified":239,"category":259,"menu":260},[265,266,267,268,269,270,76,271,272,273,274,275,276,277,278,279,280,281],{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"300italic":257,"500italic":256,"regular":254,"900italic":250,"italic":253,"100italic":252,"200italic":255,"600italic":258,"700italic":251,"800italic":249},[262,263],"faShieldCheck","Secure shadow SaaS",[1019,1105],{"@type":51,"@version":52,"tagName":287,"id":1020,"meta":1021,"children":1022},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":899},[1023,1039,1046,1053,1062,1072,1082,1092,1099],{"@type":51,"@version":52,"id":1024,"meta":1025,"component":1026,"responsiveStyles":1037},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":903},{"name":291,"options":1027,"isRSC":66},{"title":1009,"description":1028,"points":1029,"video":1036},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1030,1032,1034],{"item":1031},"Discover every SaaS app users access, managed or not",{"item":1033},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1035},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1038},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":306},{"@type":51,"@version":52,"id":1040,"meta":1041,"component":1042,"responsiveStyles":1044},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":920},{"name":310,"options":1043,"isRSC":66},{"AllPartners":34,"backgroundTransparent":6},{"large":1045},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":314},{"@type":51,"@version":52,"id":1047,"meta":1048,"component":1049,"responsiveStyles":1051},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":927},{"name":318,"options":1050,"isRSC":66},{"darkMode":34},{"large":1052},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":1054,"component":1055,"responsiveStyles":1060},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":323,"tag":323,"options":1056,"isRSC":66},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":1057,"description":1058,"image":1059,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1061},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":1063,"meta":1064,"component":1065,"responsiveStyles":1070},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":943},{"name":337,"options":1066,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":1067,"description":1068,"reverse":34,"image":1069},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1071},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"fontFamily":346,"paddingTop":348,"marginTop":348},{"@type":51,"@version":52,"id":1073,"meta":1074,"component":1075,"responsiveStyles":1080},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":953},{"name":337,"options":1076,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":1077,"description":1078,"reverse":6,"image":1079},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1081},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":359},{"@type":51,"@version":52,"layerName":337,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1090},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":963},{"name":337,"options":1086,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":1087,"description":1088,"reverse":34,"image":1089},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1091},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":370},{"@type":51,"@version":52,"id":1093,"meta":1094,"component":1095,"responsiveStyles":1097},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":973},{"name":318,"options":1096,"isRSC":66},{"darkMode":6},{"large":1098},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":1100,"component":1101,"responsiveStyles":1103},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":380,"tag":380,"options":1102,"isRSC":66},{"sectionHeading":29,"customClass":382},{"large":1104},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"id":1106,"@type":51,"tagName":79,"properties":1107,"responsiveStyles":1108},"builder-pixel-wj1ktz99hbf",{"src":81,"aria-hidden":82,"alt":29,"role":83,"width":72,"height":72},{"large":1109},{"height":72,"width":72,"display":86,"opacity":72,"overflow":87,"pointerEvents":88},{"deviceSize":90,"location":1111},{"path":29,"query":1112},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":883,"winningTest":66,"lastPreviewUrl":1119,"breakpoints":1120,"kind":402,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":1122,"id":1123,"name":1124,"modelId":225,"published":13,"stageModifiedSincePublish":6,"query":1125,"data":1128,"variations":1234,"lastUpdated":1235,"firstPublished":1236,"testRatio":23,"screenshot":1237,"createdBy":96,"lastUpdatedBy":397,"folders":1238,"meta":1239,"rev":404},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1126],{"@type":228,"property":229,"operator":230,"value":1127},"/uc/shadow-ai",{"seoTitle":1129,"fontAwesomeIcon":1130,"title":1131,"seoDescription":1132,"customFonts":1133,"tsCode":29,"jsCode":29,"blocks":1138,"url":1127,"state":1231},"Secure AI native and AI enhanced apps. ","faBrainCircuit","Secure AI","See and control AI apps in the browser.",[1134],{"version":238,"files":1135,"kind":237,"family":236,"lastModified":239,"category":259,"variants":1136,"subsets":1137,"menu":260},{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"700italic":251,"100italic":252,"600italic":258,"italic":253,"300italic":257,"200italic":255,"500italic":256,"800italic":249,"900italic":250,"regular":254},[265,266,267,268,269,270,76,271,272,273,274,275,276,277,278,279,280,281],[262,263],[1139,1226],{"@type":51,"@version":52,"tagName":287,"id":1140,"meta":1141,"children":1142},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1020},[1143,1159,1166,1173,1183,1193,1203,1213,1220],{"@type":51,"@version":52,"id":1144,"meta":1145,"component":1146,"responsiveStyles":1157},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1024},{"name":291,"options":1147,"isRSC":66},{"title":1131,"description":1148,"points":1149,"image":1156},"\u003Cp>Every AI interaction traverses the browser. Employees use GenAI tools, connect AI apps to corporate accounts, and run agentic workflows, often outside security oversight. Push gives security teams the visibility to see what AI is doing across their environment and the controls to intervene before sensitive data leaves or access gets abused.\u003C/p>",[1150,1152,1154],{"item":1151},"Discover every AI tool and agent active across your workforce",{"item":1153},"Detect sensitive data being submitted to AI apps",{"item":1155},"Enforce AI policy directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1158},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":306},{"@type":51,"@version":52,"id":1160,"meta":1161,"component":1162,"responsiveStyles":1164},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1040},{"name":310,"options":1163,"isRSC":66},{"AllPartners":34,"backgroundTransparent":6},{"large":1165},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"backgroundColor":314},{"@type":51,"@version":52,"id":1167,"meta":1168,"component":1169,"responsiveStyles":1171},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1047},{"name":318,"options":1170,"isRSC":66},{"darkMode":34},{"large":1172},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":1174,"meta":1175,"component":1176,"responsiveStyles":1181},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1054},{"name":323,"tag":323,"options":1177,"isRSC":66},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":1178,"description":1179,"image":1180,"reverse":6},"\u003Ch2>The browser is where AI lives\u003C/h2>","\u003Cp>AI activity doesn't happen at the network layer or the endpoint. It happens in the browser, where employees interact with AI tools, where agents execute tasks, and where sensitive data gets submitted to external services. Push captures live telemetry from inside the browser session, identifying every AI-native and AI-enhanced application in use. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1182},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":1184,"meta":1185,"component":1186,"responsiveStyles":1191},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1063},{"name":337,"options":1187,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":1188,"description":1189,"reverse":34,"image":1190},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Most organisations are using far more AI than they've approved. Push identifies every AI-native and AI-enhanced application accessed across the workforce, which corporate identities are connected, and what new tools appear in the environment. Applications are categorized by risk and policy status so security teams can prioritize exposure before it becomes an incident.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F636e65ad0c4c43faa3e626c41e90d8a3",{"large":1192},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"fontFamily":346,"paddingTop":348,"marginTop":348},{"@type":51,"@version":52,"id":1194,"meta":1195,"component":1196,"responsiveStyles":1201},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1073},{"name":337,"options":1197,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":1198,"description":1199,"reverse":6,"image":1200},"\u003Ch2>Prevent sensitive data from reaching the wrong AI tools\u003C/h2>","\u003Cp>Employees paste credentials, customer data, and internal documents into AI tools without realizing the risk. Push detects sensitive data interactions in the browser in real time, including file uploads, clipboard activity, and form submissions to unsanctioned or high-risk AI applications. Controls can be applied to warn users, require policy acknowledgment, or block the interaction entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F011332d42dab4a299f25ab3847741ed9",{"large":1202},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":359},{"@type":51,"@version":52,"layerName":337,"id":1204,"meta":1205,"component":1206,"responsiveStyles":1211},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1083},{"name":337,"options":1207,"isRSC":66},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":1208,"description":1209,"reverse":34,"image":1210},"\u003Ch2>Govern agentic AI permissions and activity\u003C/h2>","\u003Cp>AI agents operating in the browser can access applications, execute actions, and handle data on behalf of users, often with permissions that were never explicitly reviewed. Push surfaces agentic permissions and data flows so security teams can see what agents are doing, where they have access, and apply controls before that access is exploited or abused.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F71549a73d0b84f1c8cb151c05e493e8d",{"large":1212},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73,"paddingTop":370},{"@type":51,"@version":52,"id":1214,"meta":1215,"component":1216,"responsiveStyles":1218},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1093},{"name":318,"options":1217,"isRSC":66},{"darkMode":6},{"large":1219},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"@type":51,"@version":52,"id":1221,"component":1222,"responsiveStyles":1224},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":380,"tag":380,"options":1223,"isRSC":66},{"sectionHeading":29,"customClass":382},{"large":1225},{"display":69,"flexDirection":70,"position":71,"flexShrink":72,"boxSizing":73},{"id":1227,"@type":51,"tagName":79,"properties":1228,"responsiveStyles":1229},"builder-pixel-45jh57egrzo",{"src":81,"aria-hidden":82,"alt":29,"role":83,"width":72,"height":72},{"large":1230},{"height":72,"width":72,"display":86,"opacity":72,"overflow":87,"pointerEvents":88},{"deviceSize":90,"location":1232},{"path":29,"query":1233},{},{},1778073860450,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9b4d5666fc9e495a9a8de4258975cd9f",[],{"lastPreviewUrl":1240,"hasLinks":6,"originalContentId":1003,"winningTest":66,"breakpoints":1241,"kind":402,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"w":1243,"h":1244,"d":1245},448,512,"M280.4 48c-3.2 0-6.3 .5-9.3 1.4L206.6 69.2C136.1 90.9 88 156.1 88 229.8l0 42.9c22.7 3.8 40 23.6 40 47.3l0 144c0 26.5-21.5 48-48 48l-32 0c-26.5 0-48-21.5-48-48L0 320c0-23.8 17.3-43.5 40-47.3l0-42.9C40 135 101.8 51.2 192.5 23.4L256.9 3.5c7.6-2.3 15.5-3.5 23.4-3.5 44 0 79.6 35.7 79.6 79.6l0 56.4c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-56.4C312 62.2 297.8 48 280.4 48zM48 320l0 144 32 0 0-144-32 0zm208 24c0-71.6 55.6-127.8 89-148.1 4.3-2.6 9.6-2.6 14 0 33.5 20.3 89 76.6 89 148.1 0 32-16 80-64 112l27.3 27.3c3 3 4.7 7.1 4.7 11.3l0 1.4c0 8.8-7.2 16-16 16l-96 0c-8.8 0-16-7.2-16-16l0-1.4c0-4.2 1.7-8.3 4.7-11.3L320 456c-48-32-64-80-64-112zm128-32a24 24 0 1 0 -48 0 24 24 0 1 0 48 0z",{"w":1244,"h":1244,"d":1247},"M201.1 57.3c-7 5.3-9.1 10.7-9.1 14.7 0 4.2 2.4 10.1 10.4 15.6 7.8 5.3 13.6 14.6 13.6 25.6 0 17-13.8 30.7-30.7 30.7L56 144c-4.4 0-8 3.6-8 8l0 52.5c7.4-2.9 15.5-4.5 24-4.5 43.1 0 72 39.4 72 80s-28.9 80-72 80c-8.5 0-16.6-1.6-24-4.5L48 456c0 4.4 3.6 8 8 8l100.5 0c-2.9-7.4-4.5-15.5-4.5-24 0-43.1 39.4-72 80-72s80 28.9 80 72c0 8.5-1.6 16.6-4.5 24l52.5 0c4.4 0 8-3.6 8-8l0-129.3c0-17 13.8-30.7 30.7-30.7 11.1 0 20.3 5.8 25.6 13.6 5.5 8 11.4 10.4 15.6 10.4 4 0 9.5-2.1 14.7-9.1s9.3-17.9 9.3-30.9-4-23.8-9.3-30.9-10.7-9.1-14.7-9.1c-4.2 0-10.1 2.4-15.6 10.4-5.3 7.8-14.6 13.6-25.6 13.6-17 0-30.7-13.8-30.7-30.7l0-81.3c0-4.4-3.6-8-8-8l-81.3 0c-17 0-30.7-13.8-30.7-30.7 0-11.1 5.8-20.3 13.6-25.6 8-5.5 10.4-11.4 10.4-15.6 0-4-2.1-9.5-9.1-14.7S245 48 232 48 208.2 52 201.1 57.3zM172.3 18.9C188.5 6.8 209.6 0 232 0S275.5 6.8 291.7 18.9 320 49.5 320 72c0 8.6-1.8 16.7-4.9 24L360 96c30.9 0 56 25.1 56 56l0 44.9c7.3-3.1 15.4-4.9 24-4.9 22.5 0 41 12.2 53.1 28.3s18.9 37.3 18.9 59.7-6.8 43.5-18.9 59.7-30.6 28.3-53.1 28.3c-8.6 0-16.7-1.8-24-4.9l0 92.9c0 30.9-25.1 56-56 56l-78.1 0c-18.7 0-33.9-15.2-33.9-33.9 0-10.1 4.5-18.5 9.9-24.2 4.2-4.3 6.1-9.2 6.1-13.9 0-9.9-10.7-24-32-24s-32 14.1-32 24c0 4.7 1.9 9.5 6.1 13.9 5.5 5.7 9.9 14.1 9.9 24.2 0 18.7-15.2 33.9-33.9 33.9L56 512c-30.9 0-56-25.1-56-56L0 329.9c0-18.7 15.2-33.9 33.9-33.9 10.1 0 18.5 4.5 24.2 9.9 4.3 4.2 9.2 6.1 13.9 6.1 9.9 0 24-10.7 24-32s-14.1-32-24-32c-4.7 0-9.5 1.9-13.9 6.1-5.7 5.5-14.1 9.9-24.2 9.9-18.7 0-33.9-15.2-33.9-33.9L0 152c0-30.9 25.1-56 56-56l92.9 0c-3.1-7.3-4.9-15.4-4.9-24 0-22.5 12.2-41 28.3-53.1z",{"w":1243,"h":1244,"d":1249},"M102.7 96c10.4-53.7 31.9-112 68.3-112 9.6 0 19 3.9 27.5 8.2 8.2 4.1 18.4 7.8 25.5 7.8s17.3-3.7 25.5-7.8c8.5-4.3 17.9-8.2 27.5-8.2 36.4 0 57.8 58.3 68.3 112L376 96c13.3 0 24 10.7 24 24s-10.7 24-24 24l-24 0 0 32c0 17-3.3 33.2-9.3 48l33.3 0c8.1 0 15.6 4 20 10.8s5.2 15.2 2.1 22.6l-31.5 74.2c48.9 31.2 81.4 86 81.4 148.5l0 8c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-8c0-51.4-30.3-95.8-74.1-116.1-11.7-5.5-17-19.2-12-31.2l25.8-60.7-27.7 0c-1.1 0-2.1-.1-3.1-.2-22.6 20-52.3 32.2-84.9 32.2s-62.3-12.2-84.9-32.2c-1 .1-2.1 .2-3.1 .2l-27.7 0 25.8 60.7c5.1 11.9-.2 25.7-12 31.2-43.8 20.4-74.1 64.7-74.1 116.1l0 8c0 13.3-10.7 24-24 24S0 501.3 0 488l0-8c0-62.4 32.5-117.2 81.4-148.5L49.9 257.4c-3.2-7.4-2.4-15.9 2.1-22.6S63.9 224 72 224l33.3 0c-6-14.8-9.3-31-9.3-48l0-32-24 0c-13.3 0-24-10.7-24-24S58.7 96 72 96l30.7 0zm45.9 107c11.1 30.9 40.6 53 75.3 53s64.2-22.1 75.3-53c-5.7 3.2-12.3 5-19.3 5l-12.4 0c-16.5 0-31.1-10.6-36.3-26.2-2.3-7-12.2-7-14.5 0-5.2 15.6-19.9 26.2-36.3 26.2L168 208c-7 0-13.6-1.8-19.3-5zm44.8 133l61 0c9.7 0 17.5 7.8 17.5 17.5 0 4.2-1.5 8.2-4.2 11.4l-27.9 32.5 28.9 82.6c5.5 15.6-6.1 31.9-22.7 31.9l-44.3 0c-16.5 0-28.1-16.3-22.7-31.9l28.9-82.6-27.9-32.5c-2.7-3.2-4.2-7.2-4.2-11.4 0-9.7 7.8-17.5 17.5-17.5z",{"w":1244,"h":1244,"d":1251},"M304.8 173.3c-14.3-8.4-31-13.3-48.8-13.3-53 0-96 43-96 96s43 96 96 96 96-43 96-96l48 0c0 79.5-64.5 144-144 144s-144-64.5-144-144 64.5-144 144-144c31.1 0 59.9 9.9 83.4 26.6l45.7-45.7C349.7 64.8 304.8 48 256 48 141.1 48 48 141.1 48 256s93.1 208 208 208 208-93.1 208-208l48 0c0 141.4-114.6 256-256 256S0 397.4 0 256 114.6 0 256 0c62.1 0 118.9 22.1 163.3 58.8L463 15c9.4-9.4 24.6-9.4 33.9 0s9.4 24.6 0 33.9L273 273c-9.4 9.4-24.6 9.4-33.9 0s-9.4-24.6 0-33.9l65.7-65.7z",{"w":32,"h":1244,"d":1253},"M128 80l384 0c8.8 0 16 7.2 16 16l0 208 48 0 0-208c0-35.3-28.7-64-64-64L128 32C92.7 32 64 60.7 64 96l0 208 48 0 0-208c0-8.8 7.2-16 16-16zM52.8 400l534.4 0c-8.5 18.9-27.5 32-49.6 32l-435.2 0c-22.1 0-41.1-13.1-49.6-32zM25.6 352C11.5 352 0 363.5 0 377.6 0 434.2 45.8 480 102.4 480l435.2 0c56.6 0 102.4-45.8 102.4-102.4 0-14.1-11.5-25.6-25.6-25.6L25.6 352zM281 169c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0l-48 48c-9.4 9.4-9.4 24.6 0 33.9l48 48c9.4 9.4 24.6 9.4 33.9 0s9.4-24.6 0-33.9l-31-31 31-31zM393 135c-9.4-9.4-24.6-9.4-33.9 0s-9.4 24.6 0 33.9l31 31-31 31c-9.4 9.4-9.4 24.6 0 33.9s24.6 9.4 33.9 0l48-48c9.4-9.4 9.4-24.6 0-33.9l-48-48z",{"w":1244,"h":1244,"d":1255},"M232 0c-13.3 0-24 10.7-24 24s10.7 24 24 24c128.1 0 232 103.9 232 232 0 13.3 10.7 24 24 24s24-10.7 24-24C512 125.4 386.6 0 232 0zM48 256c0-23 3.7-45 10.5-65.6l263 263C301 460.3 279 464 256 464 141.1 464 48 370.9 48 256zM72.8 136.8c-14.1-14.1-37.6-12-46.5 5.8-16.9 34.2-26.4 72.6-26.4 113.3 0 141.4 114.6 256 256 256 40.7 0 79.2-9.5 113.3-26.4 17.9-8.8 19.9-32.4 5.8-46.5L241 305 281 265c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0L207 271 72.8 136.8zM208 120c0 13.3 10.7 24 24 24 75.1 0 136 60.9 136 136 0 13.3 10.7 24 24 24s24-10.7 24-24c0-101.6-82.4-184-184-184-13.3 0-24 10.7-24 24z",{"w":1244,"h":1244,"d":1257},"M256.1 0c4.6 0 9.2 1 13.3 2.9L457.8 82.8c22 9.3 38.4 31 38.3 57.2-.5 99.2-41.3 280.7-213.6 363.2-16.7 8-36.1 8-52.8 0-172.4-82.5-213.2-263.9-213.7-363.2-.1-26.2 16.3-47.9 38.3-57.2L242.7 2.9C246.8 1 251.4 0 256.1 0zM73.1 127c-5.9 2.5-9.1 7.7-9 12.7 .5 91.4 38.4 249.3 186.4 320.1 3.6 1.7 7.8 1.7 11.3 0 148-70.8 185.9-228.7 186.3-320.1 0-5-3.1-10.2-9-12.7l-183-77.6-183 77.6zm240.3 34.9c7.8-10.7 22.8-13.1 33.5-5.3 10.7 7.8 13.1 22.8 5.3 33.5L249.8 330.9c-4.2 5.7-10.7 9.3-17.8 9.8s-14-2.2-18.9-7.3l-46.4-48c-9.2-9.5-9-24.7 .6-33.9 9.5-9.2 24.7-8.9 33.9 .6l26.5 27.4 85.6-117.7z",{"w":1244,"h":1244,"d":1259},"M123 58.1c9.5-33.5 40.4-58.1 77-58.1 21.8 0 41.6 8.7 56 22.9 14.4-14.1 34.2-22.9 56-22.9 36.6 0 67.4 24.6 77 58.1 47.4 9.7 83 51.6 83 101.9 0 11.3-1.8 22.2-5.1 32.3 22.7 19.1 37.1 47.7 37.1 79.7 0 23.7-8 45.6-21.3 63.1 3.5 10.4 5.3 21.4 5.3 32.9 0 54-41.2 98.5-93.9 103.5-15.6 24.3-42.9 40.5-74.1 40.5-25.2 0-48-10.6-64-27.6-16 17-38.8 27.6-64 27.6-31.1 0-58.4-16.2-74.1-40.5-52.7-5.1-93.9-49.5-93.9-103.5 0-11.5 1.9-22.5 5.3-32.9-13.4-17.5-21.3-39.4-21.3-63.1 0-32 14.5-60.6 37.1-79.7-3.3-10.2-5.1-21.1-5.1-32.3 0-50.3 35.6-92.2 83-101.9zM200 48c-17.7 0-32 14.3-32 32 0 13.3-10.7 24-24 24-30.9 0-56 25.1-56 56 0 10.5 2.9 20.3 7.9 28.6 3.4 5.7 4.3 12.5 2.5 18.9s-6.2 11.7-12 14.7c-18 9.3-30.3 28.1-30.3 49.8 0 16.1 6.8 30.7 17.8 40.9 7.9 7.4 9.9 19.2 4.8 28.8-4.2 7.8-6.5 16.7-6.5 26.3 0 30.9 25.1 56 56 56 1.1 0 2.2 0 3.2-.1 10.3-.6 19.8 5.5 23.6 15 5.9 14.7 20.4 25.1 37.1 25.1 20.4 0 37.2-15.3 39.7-35 .1-.6 .2-1.3 .3-1.9l0-135.1-40 0c-6.6 0-12 5.4-12 12l0 4.4c16.5 7.6 28 24.3 28 43.6 0 26.5-21.5 48-48 48s-48-21.5-48-48c0-19.4 11.5-36.1 28-43.6l0-4.4c0-28.7 23.3-52 52-52l40 0 0-56-12.4 0c-7.6 16.5-24.3 28-43.6 28-26.5 0-48-21.5-48-48s21.5-48 48-48c19.4 0 36.1 11.5 43.6 28l12.4 0 0-76c0-17.7-14.3-32-32-32zm80 148l0 152 40 0c6.6 0 12-5.4 12-12l0-4.4c-16.5-7.6-28-24.3-28-43.6 0-26.5 21.5-48 48-48s48 21.5 48 48c0 19.4-11.5 36.1-28 43.6l0 4.4c0 28.7-23.3 52-52 52l-40 0 0 39.1c.1 .6 .2 1.2 .3 1.9 2.5 19.7 19.3 35 39.7 35 16.8 0 31.2-10.3 37.1-25.1 3.8-9.6 13.3-15.6 23.6-15 1.1 .1 2.2 .1 3.2 .1 30.9 0 56-25.1 56-56 0-9.5-2.4-18.5-6.5-26.3-5.1-9.6-3.1-21.4 4.8-28.8 11-10.2 17.8-24.8 17.8-40.9 0-21.6-12.2-40.4-30.3-49.8-5.9-3-10.2-8.4-12-14.7s-.9-13.2 2.5-18.9c5-8.4 7.9-18.1 7.9-28.6 0-30.9-25.1-56-56-56-13.3 0-24-10.7-24-24 0-17.7-14.3-32-32-32s-32 14.3-32 32l0 76 12.4 0c7.6-16.5 24.3-28 43.6-28 26.5 0 48 21.5 48 48s-21.5 48-48 48c-19.4 0-36.1-11.5-43.6-28L280 196zm56-36a16 16 0 1 0 0 32 16 16 0 1 0 0-32zm0 128a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zM144 352a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zm16-176a16 16 0 1 0 32 0 16 16 0 1 0 -32 0z",{"id":1261,"title":1262,"authorsCollection":1263,"content":1271,"extension":2168,"hashTags":66,"meta":2169,"metaTitle":1262,"ogImage":66,"publishedDate":2170,"relatedBlogPostsCollection":2171,"slug":4567,"stem":4568,"subtitle":66,"summary":4569,"synopsis":4580,"sys":4581,"tagsCollection":4584,"__hash__":4590},"blog/blog/how-to-avoid-the-browser-security-buyers-trap.json","How to avoid the browser security buyer's trap",{"items":1264},[1265],{"fullName":1266,"firstName":1267,"jobTitle":1268,"profilePicture":1269},"Alex Henshall","Alex","Product Team",{"url":1270},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"json":1272,"links":2042},{"nodeType":1273,"data":1274,"content":1275},"document",{},[1276,1285,1294,1301,1308,1312,1322,1329,1341,1353,1360,1363,1371,1378,1384,1391,1398,1514,1521,1524,1533,1540,1603,1619,1625,1632,1635,1643,1650,1658,1665,1672,1694,1701,1709,1716,1723,1730,1738,1745,1752,1759,1762,1770,1782,1789,1796,1804,1811,1818,1826,1833,1896,1912,1931,1939,1946,1954,1961,1968,1975,1981,1989,1996,2003,2009,2016,2023,2030,2036],{"nodeType":1277,"data":1278,"content":1284},"embedded-entry-block",{"target":1279},{"sys":1280},{"id":1281,"type":1282,"linkType":1283},"5CPZ96xixlhgh6oqQ2rfmO","Link","Entry",[],{"nodeType":1286,"data":1287,"content":1288},"paragraph",{},[1289],{"nodeType":1290,"value":1291,"marks":1292,"data":1293},"text","When a security team evaluates browser security solutions, they're usually asking the right question: “How do we protect our users as they work in the browser?”",[],{},{"nodeType":1286,"data":1295,"content":1296},{},[1297],{"nodeType":1290,"value":1298,"marks":1299,"data":1300},"But the answer they get from many vendors is shaped by a fundamentally different threat model — one that treats the browser as a piece of software to be hardened against exploitation, rather than as the arena where your users’ identities get stolen.",[],{},{"nodeType":1286,"data":1302,"content":1303},{},[1304],{"nodeType":1290,"value":1305,"marks":1306,"data":1307},"This distinction has enormous consequences for your security posture and the return you can expect from your investment in a new solution.",[],{},{"nodeType":1309,"data":1310,"content":1311},"hr",{},[],{"nodeType":1313,"data":1314,"content":1315},"heading-1",{},[1316],{"nodeType":1290,"value":1317,"marks":1318,"data":1321},"Two different problems, dressed the same",[1319],{"type":1320},"bold",{},{"nodeType":1286,"data":1323,"content":1324},{},[1325],{"nodeType":1290,"value":1326,"marks":1327,"data":1328},"When it comes to protecting users as they work in the browser, security tools typically fall into one of two camps:",[],{},{"nodeType":1286,"data":1330,"content":1331},{},[1332,1337],{"nodeType":1290,"value":1333,"marks":1334,"data":1336},"The first camp:",[1335],{"type":1320},{},{"nodeType":1290,"value":1338,"marks":1339,"data":1340}," represented by solutions like Seraphic (now CrowdStrike) — is built around the threat of attacking the browser itself. The architecture is designed to scramble the browser’s JavaScript runtime and prevent exploits from detonating and breaking out of the browser sandbox. This is browser hardening: defending the browser as software against exploitation by attackers who want to compromise the underlying device.",[],{},{"nodeType":1286,"data":1342,"content":1343},{},[1344,1349],{"nodeType":1290,"value":1345,"marks":1346,"data":1348},"The second camp:",[1347],{"type":1320},{},{"nodeType":1290,"value":1350,"marks":1351,"data":1352}," and the one Push Security occupies uniquely, focuses on what happens inside the browser when a user is working normally. Phishing pages harvesting credentials. Session tokens being stolen. Malicious OAuth applications being granted access through social engineering. Adversary-in-the-middle proxies intercepting authentication flows. These attacks don't exploit the browser. They exploit the human — and now agents — using it via the browser's legitimate capabilities (think of it as LOTL, browser edition).",[],{},{"nodeType":1286,"data":1354,"content":1355},{},[1356],{"nodeType":1290,"value":1357,"marks":1358,"data":1359},"The question for any security team evaluating this space: which of these threat models presents the greatest risks to my organization?",[],{},{"nodeType":1309,"data":1361,"content":1362},{},[],{"nodeType":1313,"data":1364,"content":1365},{},[1366],{"nodeType":1290,"value":1367,"marks":1368,"data":1370},"How organizations are actually being breached",[1369],{"type":1320},{},{"nodeType":1286,"data":1372,"content":1373},{},[1374],{"nodeType":1290,"value":1375,"marks":1376,"data":1377},"Let's look at the major breach campaigns of the last three years without the marketing filter and a pattern emerges immediately. Scattered Spider and its successors breached MGM Resorts, Caesars, M&S, JLR, and Salesforce customers — not through browser exploits, but through social engineering, phishing and Adversary-in-the-Middle attacks that stole session tokens and SSO credentials. ",[],{},{"nodeType":1277,"data":1379,"content":1383},{"target":1380},{"sys":1381},{"id":1382,"type":1282,"linkType":1283},"2qIMTiyyIsQFAyGJ9Ikyej",[],{"nodeType":1286,"data":1385,"content":1386},{},[1387],{"nodeType":1290,"value":1388,"marks":1389,"data":1390},"In every case, the attack happened in the browser — using stolen identities to log into legitimate cloud services — not on the browser through exploitation of the browser engine itself.",[],{},{"nodeType":1286,"data":1392,"content":1393},{},[1394],{"nodeType":1290,"value":1395,"marks":1396,"data":1397},"The data from major threat intelligence sources is unambiguous:",[],{},{"nodeType":1399,"data":1400,"content":1401},"unordered-list",{},[1402,1422,1441,1460,1479,1494],{"nodeType":1403,"data":1404,"content":1405},"list-item",{},[1406],{"nodeType":1286,"data":1407,"content":1408},{},[1409,1413,1418],{"nodeType":1290,"value":1410,"marks":1411,"data":1412},"Identity weaknesses played a material role in ",[],{},{"nodeType":1290,"value":1414,"marks":1415,"data":1417},"almost 90% of Unit 42 incident response investigations",[1416],{"type":1320},{},{"nodeType":1290,"value":1419,"marks":1420,"data":1421}," (Palo Alto Networks Unit 42 IR Report)",[],{},{"nodeType":1403,"data":1423,"content":1424},{},[1425],{"nodeType":1286,"data":1426,"content":1427},{},[1428,1432,1437],{"nodeType":1290,"value":1429,"marks":1430,"data":1431},"Credential abuse and phishing combined accounted for ",[],{},{"nodeType":1290,"value":1433,"marks":1434,"data":1436},"38% of all breaches",[1435],{"type":1320},{},{"nodeType":1290,"value":1438,"marks":1439,"data":1440},", making identity the single largest breach vector (Verizon DBIR 2025)",[],{},{"nodeType":1403,"data":1442,"content":1443},{},[1444],{"nodeType":1286,"data":1445,"content":1446},{},[1447,1451,1456],{"nodeType":1290,"value":1448,"marks":1449,"data":1450},"Cloud-conscious intrusions — attackers using stolen identities to access cloud services — rose ",[],{},{"nodeType":1290,"value":1452,"marks":1453,"data":1455},"37% in 2025",[1454],{"type":1320},{},{"nodeType":1290,"value":1457,"marks":1458,"data":1459},", up 266% among state-nexus actors (CrowdStrike 2026 Global Threat Report)",[],{},{"nodeType":1403,"data":1461,"content":1462},{},[1463],{"nodeType":1286,"data":1464,"content":1465},{},[1466,1470,1475],{"nodeType":1290,"value":1467,"marks":1468,"data":1469},"In cloud-related incidents, identity issues drove initial access in ",[],{},{"nodeType":1290,"value":1471,"marks":1472,"data":1474},"83% of cases",[1473],{"type":1320},{},{"nodeType":1290,"value":1476,"marks":1477,"data":1478}," (Mandiant / Google Cloud Threat Horizons H1 2026)",[],{},{"nodeType":1403,"data":1480,"content":1481},{},[1482],{"nodeType":1286,"data":1483,"content":1484},{},[1485,1490],{"nodeType":1290,"value":1486,"marks":1487,"data":1489},"82% of attack detections are now malware-free",[1488],{"type":1320},{},{"nodeType":1290,"value":1491,"marks":1492,"data":1493}," — they don't touch the endpoint and abuse legitimate access and functionality (CrowdStrike 2026 Global Threat Report)",[],{},{"nodeType":1403,"data":1495,"content":1496},{},[1497],{"nodeType":1286,"data":1498,"content":1499},{},[1500,1505,1510],{"nodeType":1290,"value":1501,"marks":1502,"data":1504},"49",[1503],{"type":1320},{},{"nodeType":1290,"value":1506,"marks":1507,"data":1509},"% of organizations",[1508],{"type":1320},{},{"nodeType":1290,"value":1511,"marks":1512,"data":1513}," suffered a successful browser-based attack in the last 12 months (Omdia 2026)",[],{},{"nodeType":1286,"data":1515,"content":1516},{},[1517],{"nodeType":1290,"value":1518,"marks":1519,"data":1520},"These aren't edge cases. This is now the primary attack playbook.",[],{},{"nodeType":1309,"data":1522,"content":1523},{},[],{"nodeType":1525,"data":1526,"content":1527},"heading-2",{},[1528],{"nodeType":1290,"value":1529,"marks":1530,"data":1532},"The economics of attack choice",[1531],{"type":1320},{},{"nodeType":1286,"data":1534,"content":1535},{},[1536],{"nodeType":1290,"value":1537,"marks":1538,"data":1539},"Attackers are rational actors. They pick the cheapest, most reliable path to their objective. The economics of browser exploitation versus identity theft tell the whole story:",[],{},{"nodeType":1399,"data":1541,"content":1542},{},[1543,1558,1573,1588],{"nodeType":1403,"data":1544,"content":1545},{},[1546],{"nodeType":1286,"data":1547,"content":1548},{},[1549,1553],{"nodeType":1290,"value":1550,"marks":1551,"data":1552},"Chrome sandbox RCE exploit (bug bounty value): ",[],{},{"nodeType":1290,"value":1554,"marks":1555,"data":1557},"$250,000",[1556],{"type":1320},{},{"nodeType":1403,"data":1559,"content":1560},{},[1561],{"nodeType":1286,"data":1562,"content":1563},{},[1564,1568],{"nodeType":1290,"value":1565,"marks":1566,"data":1567},"IAB-provided IdP admin account: ",[],{},{"nodeType":1290,"value":1569,"marks":1570,"data":1572},"~$3,000",[1571],{"type":1320},{},{"nodeType":1403,"data":1574,"content":1575},{},[1576],{"nodeType":1286,"data":1577,"content":1578},{},[1579,1583],{"nodeType":1290,"value":1580,"marks":1581,"data":1582},"1-year phishing kit rental (PhaaS): ",[],{},{"nodeType":1290,"value":1584,"marks":1585,"data":1587},"~$1,000",[1586],{"type":1320},{},{"nodeType":1403,"data":1589,"content":1590},{},[1591],{"nodeType":1286,"data":1592,"content":1593},{},[1594,1598],{"nodeType":1290,"value":1595,"marks":1596,"data":1597},"Bulk stolen credential list: ",[],{},{"nodeType":1290,"value":1599,"marks":1600,"data":1602},"~$15",[1601],{"type":1320},{},{"nodeType":1286,"data":1604,"content":1605},{},[1606,1610,1615],{"nodeType":1290,"value":1607,"marks":1608,"data":1609},"Browser zero-days accounted for just ",[],{},{"nodeType":1290,"value":1611,"marks":1612,"data":1614},"9% of all zero-days reported to Google in 2025",[1613],{"type":1320},{},{"nodeType":1290,"value":1616,"marks":1617,"data":1618}," — described by Google's own researchers as a \"historic low.\" Chrome's sandbox architecture, site isolation, and hardware-backed security features are the result of years of sustained hardening investment. When a browser vulnerability is discovered, Google typically deploys a patch within days.",[],{},{"nodeType":1277,"data":1620,"content":1624},{"target":1621},{"sys":1622},{"id":1623,"type":1282,"linkType":1283},"5XWKHTT5J06yWcgZIOL95t",[],{"nodeType":1286,"data":1626,"content":1627},{},[1628],{"nodeType":1290,"value":1629,"marks":1630,"data":1631},"The bottom line: browser exploits are extraordinarily expensive to develop, increasingly difficult to execute reliably against a hardened modern browser, and patched rapidly when discovered. In sharp contrast, identity attacks are cheap to run, highly scalable, and have a low technical barrier to adoption — that’s why they’re responsible for the overwhelming majority of enterprise breaches. Attackers have voted with their resources.",[],{},{"nodeType":1309,"data":1633,"content":1634},{},[],{"nodeType":1313,"data":1636,"content":1637},{},[1638],{"nodeType":1290,"value":1639,"marks":1640,"data":1642},"What you're actually buying with each vendor",[1641],{"type":1320},{},{"nodeType":1286,"data":1644,"content":1645},{},[1646],{"nodeType":1290,"value":1647,"marks":1648,"data":1649},"Understanding the core architectural choice each vendor has made helps decode what their solution can and cannot protect you from.",[],{},{"nodeType":1525,"data":1651,"content":1652},{},[1653],{"nodeType":1290,"value":1654,"marks":1655,"data":1657},"Seraphic (CrowdStrike)",[1656],{"type":1320},{},{"nodeType":1286,"data":1659,"content":1660},{},[1661],{"nodeType":1290,"value":1662,"marks":1663,"data":1664},"Seraphic's architecture is built to inject into the browser's JavaScript runtime at the OS layer, scrambling browser internals to prevent exploits from executing. This is a technically sophisticated approach to a technically interesting problem that is, by every threat intelligence measure, not the problem causing enterprise breaches at scale.",[],{},{"nodeType":1286,"data":1666,"content":1667},{},[1668],{"nodeType":1290,"value":1669,"marks":1670,"data":1671},"Beyond the threat model mismatch, there are structural concerns with the approach itself. Injecting an agent into the browser's JS runtime is a technique with well-documented stability consequences. This is the same approach antivirus vendors have used for years, often at the cost of system stability. Seraphic now runs alongside the CrowdStrike Falcon sensor on managed devices, combining two heavyweight agents on the same machine. For any organization with CrowdStrike already deployed, the question isn't theoretical: how has that combination been validated in production environments?",[],{},{"nodeType":1286,"data":1673,"content":1674},{},[1675,1679,1690],{"nodeType":1290,"value":1676,"marks":1677,"data":1678},"There's also the managed-device limitation. Seraphic requires a kernel-level agent, which means it loses meaningful capability on unmanaged devices, BYOD machines, and contractor endpoints. This is not a niche concern: according to Omdia's 2026 browser security survey, 32% of users access corporate applications from unmanaged devices at least occasionally. Agent-based solutions are blind to nearly a third of your actual attack surface by design. The Okta breach began on a support engineer's personal device, where ",[],{},{"nodeType":1680,"data":1681,"content":1683},"hyperlink",{"uri":1682},"https://pushsecurity.com/blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches/",[1684],{"nodeType":1290,"value":1685,"marks":1686,"data":1689},"corporate credentials had synced",[1687],{"type":1688},"underline",{},{"nodeType":1290,"value":1691,"marks":1692,"data":1693}," via Chrome's built-in profile sync. No agent, no visibility.",[],{},{"nodeType":1286,"data":1695,"content":1696},{},[1697],{"nodeType":1290,"value":1698,"marks":1699,"data":1700},"Teams evaluating Seraphic today are also buying into an integration roadmap, not a shipped capability. The acquisition by CrowdStrike closed in early 2026. The work of wiring browser telemetry into Falcon Fusion and correlating it with endpoint signals is currently a promise, not a production feature.",[],{},{"nodeType":1525,"data":1702,"content":1703},{},[1704],{"nodeType":1290,"value":1705,"marks":1706,"data":1708},"SquareX (Zscaler)",[1707],{"type":1320},{},{"nodeType":1286,"data":1710,"content":1711},{},[1712],{"nodeType":1290,"value":1713,"marks":1714,"data":1715},"SquareX's core capability is sandboxing suspicious file downloads inside disposable browser containers before they reach the endpoint. This is a legitimate approach to a real but declining problem. 82% of attack detections are now malware-free (CrowdStrike 2026 Global Threat Report) — attacks don't arrive as files to be sandboxed, they arrive as authenticated sessions. And the delivery channel shift makes the picture even starker: across Push's customer base, 1 in 3 phishing payloads are now delivered outside of email entirely — via social media, ads, and messaging platforms — and 4 in 5 ClickFix payloads arrive through search engines, not email. The threat that SquareX was architecturally designed to address is a shrinking share of the actual attack surface, and it's shrinking fast.",[],{},{"nodeType":1286,"data":1717,"content":1718},{},[1719],{"nodeType":1290,"value":1720,"marks":1721,"data":1722},"Zscaler already has sandboxing built into ZIA. For an existing Zscaler customer evaluating SquareX, the honest question is: what does this add beyond some extension analysis capability and what you already have? The AiTM phishing campaign that stole your user's credentials and accessed your cloud applications generates no malicious file, triggers no sandbox, and produces no network signal for Zscaler's traffic inspection to catch — because it happened entirely inside a browser session using legitimate authentication flows.",[],{},{"nodeType":1286,"data":1724,"content":1725},{},[1726],{"nodeType":1290,"value":1727,"marks":1728,"data":1729},"The acquisition also raises product focus questions. Being absorbed into a network-centric platform means SquareX is now optimized for Zscaler's priorities, not for standalone browser detection and response. Teams that care about investigation, threat hunting, and incident response should ask specifically what SquareX adds in those workflows under Zscaler ownership.",[],{},{"nodeType":1525,"data":1731,"content":1732},{},[1733],{"nodeType":1290,"value":1734,"marks":1735,"data":1737},"LayerX",[1736],{"type":1320},{},{"nodeType":1286,"data":1739,"content":1740},{},[1741],{"nodeType":1290,"value":1742,"marks":1743,"data":1744},"LayerX is primarily a policy enforcement and risk scoring platform focused on internal governance — controlling which applications employees access, what data moves through the browser, and whether behavior complies with internal rules.",[],{},{"nodeType":1286,"data":1746,"content":1747},{},[1748],{"nodeType":1290,"value":1749,"marks":1750,"data":1751},"Push Security covers that ground too. Push provides full visibility over AI tool usage, shadow SaaS, unmanaged identities, and data loss vectors — including sensitive data submitted through AI prompts, file uploads to personal cloud destinations, and OAuth grants to third-party applications. The same browser telemetry that detects external attacks also surfaces insider risks and powers DLP controls and compliance audit evidence, all from a single extension.",[],{},{"nodeType":1286,"data":1753,"content":1754},{},[1755],{"nodeType":1290,"value":1756,"marks":1757,"data":1758},"The critical difference is that Push goes significantly further. Where LayerX scores risk and enforces policy, Push detects active external attack techniques in real time: AiTM phishing kits as they execute, session tokens being stolen, ClickFix lures through behavioral analysis of page structure. These are the attacks causing the most damaging breaches today, and they don't surface on a risk score until after the damage is done. Push addresses both the governance problem and the external threat problem from the same platform. LayerX addresses only the first.",[],{},{"nodeType":1309,"data":1760,"content":1761},{},[],{"nodeType":1313,"data":1763,"content":1764},{},[1765],{"nodeType":1290,"value":1766,"marks":1767,"data":1769},"Securing the organization via the browser: Push Security",[1768],{"type":1320},{},{"nodeType":1286,"data":1771,"content":1772},{},[1773,1778],{"nodeType":1290,"value":1774,"marks":1775,"data":1777},"Push Security is built on a different architectural premise:",[1776],{"type":1320},{},{"nodeType":1290,"value":1779,"marks":1780,"data":1781}," the browser is not primarily a piece of software to harden against exploitation. It is the primary workplace, the primary SaaS access point, and the arena where the majority of modern identity attacks play out. The goal is to secure the organization via the browser — not just to secure the browser itself.",[],{},{"nodeType":1286,"data":1783,"content":1784},{},[1785],{"nodeType":1290,"value":1786,"marks":1787,"data":1788},"This means Push's detection surface is built around the attacks that are actually causing breaches: adversary-in-the-middle phishing, ClickFix and its many variants, credential stuffing against shadow identities, session token theft and replay, OAuth consent abuse, and the full spectrum of identity-based initial access techniques that dominate the modern threat landscape.",[],{},{"nodeType":1286,"data":1790,"content":1791},{},[1792],{"nodeType":1290,"value":1793,"marks":1794,"data":1795},"The deployment model reflects the threat model. Push deploys as a lightweight browser extension — no kernel-level agent, no device dependency, no migration to a new browser. It works on managed and unmanaged devices, across every traditional, enterprise and AI browser where employees are doing work and attackers are targeting them. The operational overhead is minimal by design: Push has been deployed to 100,000 users in under one hour during normal business hours.",[],{},{"nodeType":1525,"data":1797,"content":1798},{},[1799],{"nodeType":1290,"value":1800,"marks":1801,"data":1803},"Detection philosophy: targeting what attackers can't change",[1802],{"type":1320},{},{"nodeType":1286,"data":1805,"content":1806},{},[1807],{"nodeType":1290,"value":1808,"marks":1809,"data":1810},"Push's detection approach targets attacker TTPs rather than indicators of compromise that attackers can rotate in minutes. 95% of attacks detected by Push used some form of bot protection service — meaning the specific domain and IP were deliberately obscured. If your primary detection relies on blocklists, recent reports tell us that 89% of phishing domains will evade you: because they're active for less than two days, they can be spun up, down, and replaced faster than blocklists can keep up.",[],{},{"nodeType":1286,"data":1812,"content":1813},{},[1814],{"nodeType":1290,"value":1815,"marks":1816,"data":1817},"Behavioral detection of the attack technique — the AiTM relay structure, the credential entry on a cloned login page, the anomalous session context — remains valid regardless of what domain the attack is hosted on or which PhaaS kit was used to build it.",[],{},{"nodeType":1525,"data":1819,"content":1820},{},[1821],{"nodeType":1290,"value":1822,"marks":1823,"data":1825},"Measuring the identity attack surface (it's bigger than you realize)",[1824],{"type":1320},{},{"nodeType":1286,"data":1827,"content":1828},{},[1829],{"nodeType":1290,"value":1830,"marks":1831,"data":1832},"Because Push has visibility into actual login behavior across thousands of organizations, it can quantify the attack surface that identity-based attacks exploit. Of the last million logins observed by Push:",[],{},{"nodeType":1399,"data":1834,"content":1835},{},[1836,1851,1866,1881],{"nodeType":1403,"data":1837,"content":1838},{},[1839],{"nodeType":1286,"data":1840,"content":1841},{},[1842,1847],{"nodeType":1290,"value":1843,"marks":1844,"data":1846},"15 corporate identities were identified per employee",[1845],{"type":1320},{},{"nodeType":1290,"value":1848,"marks":1849,"data":1850}," used to access cloud apps",[],{},{"nodeType":1403,"data":1852,"content":1853},{},[1854],{"nodeType":1286,"data":1855,"content":1856},{},[1857,1862],{"nodeType":1290,"value":1858,"marks":1859,"data":1861},"1 in 4",[1860],{"type":1320},{},{"nodeType":1290,"value":1863,"marks":1864,"data":1865}," were password logins, not SSO",[],{},{"nodeType":1403,"data":1867,"content":1868},{},[1869],{"nodeType":1286,"data":1870,"content":1871},{},[1872,1877],{"nodeType":1290,"value":1873,"marks":1874,"data":1876},"2 in 5",[1875],{"type":1320},{},{"nodeType":1290,"value":1878,"marks":1879,"data":1880}," were not protected by MFA",[],{},{"nodeType":1403,"data":1882,"content":1883},{},[1884],{"nodeType":1286,"data":1885,"content":1886},{},[1887,1892],{"nodeType":1290,"value":1888,"marks":1889,"data":1891},"1 in 5",[1890],{"type":1320},{},{"nodeType":1290,"value":1893,"marks":1894,"data":1895}," used a weak, breached, or reused password",[],{},{"nodeType":1286,"data":1897,"content":1898},{},[1899,1903,1908],{"nodeType":1290,"value":1900,"marks":1901,"data":1902},"And it's not just login hygiene. Across Push's customer base, ",[],{},{"nodeType":1290,"value":1904,"marks":1905,"data":1907},"46%+ of browser extensions in corporate environments have the permission combinations required for direct account takeover via session theft if they are malicious or compromised by an attacker",[1906],{"type":1320},{},{"nodeType":1290,"value":1909,"marks":1910,"data":1911},". Most organizations have no inventory of what's running in their employees' browsers, let alone visibility into what those extensions can access.",[],{},{"nodeType":1286,"data":1913,"content":1914},{},[1915,1919,1927],{"nodeType":1290,"value":1916,"marks":1917,"data":1918},"These aren't theoretical vulnerabilities. They're the specific weaknesses that browser-native identity attacks are designed to exploit. ",[],{},{"nodeType":1680,"data":1920,"content":1922},{"uri":1921},"https://pushsecurity.com/blog/the-cisos-data-problem-and-how-browser-telemetry-can-help/",[1923],{"nodeType":1290,"value":1924,"marks":1925,"data":1926},"This visibility turns browser security from a reactive posture into a proactive one",[],{},{"nodeType":1290,"value":1928,"marks":1929,"data":1930}," — you can see and remediate the identity weaknesses before an attacker exploits them, not just detect the attack while it's in progress.",[],{},{"nodeType":1525,"data":1932,"content":1933},{},[1934],{"nodeType":1290,"value":1935,"marks":1936,"data":1938},"The ROI case",[1937],{"type":1320},{},{"nodeType":1286,"data":1940,"content":1941},{},[1942],{"nodeType":1290,"value":1943,"marks":1944,"data":1945},"The ROI question for any security investment is: what quantum of real risk does this tool address, at what cost in money and operational friction?",[],{},{"nodeType":1286,"data":1947,"content":1948},{},[1949],{"nodeType":1290,"value":1950,"marks":1951,"data":1953},"That calculation looks very different depending on your threat model.",[1952],{"type":1320},{},{"nodeType":1286,"data":1955,"content":1956},{},[1957],{"nodeType":1290,"value":1958,"marks":1959,"data":1960},"A solution focused on browser engine exploits and sandbox escapes is defending against an attack category that represents a tiny fraction of actual enterprise breaches, requires extraordinary attacker resources to execute, and is increasingly mitigated by browser vendors themselves through hardening and rapid patching. Chrome's automatic update cycle means that even when a browser vulnerability is discovered and disclosed, it is typically in front of users as a patch within days. The defenders here are Google, Mozilla, and Microsoft — with multi-billion dollar security teams and full access to the browser internals.",[],{},{"nodeType":1286,"data":1962,"content":1963},{},[1964],{"nodeType":1290,"value":1965,"marks":1966,"data":1967},"A solution focused on identity attacks via the browser — phishing, credential theft, session hijacking, OAuth abuse, malicious browser extensions — is defending against the primary cause of enterprise breaches, one that is accelerating (cloud-conscious intrusions up 37% in 2025, browser-based attacks increasing at 68% of organizations over the past two years per Omdia) and increasingly automated through PhaaS infrastructure that gives low-skill attackers enterprise-grade capability for $1,000 a year.",[],{},{"nodeType":1286,"data":1969,"content":1970},{},[1971],{"nodeType":1290,"value":1972,"marks":1973,"data":1974},"There's also a forward-looking dimension. The threat landscape isn't moving toward more browser exploitation. It's moving further into identity abuse. AI-powered phishing lowers the social engineering barrier. Agentic browsers will automate credential stuffing and account takeover at a scale that wasn't previously possible. And attackers are already adapting to authentication improvements: device code phishing has increased 37x since the start of 2026, a technique specifically designed to circumvent passkeys by bypassing the authentication flow entirely — the attacker never encounters a login page. The investment in identity-centric browser detection compounds over time as the attack surface evolves in the same direction.",[],{},{"nodeType":1277,"data":1976,"content":1980},{"target":1977},{"sys":1978},{"id":1979,"type":1282,"linkType":1283},"cQ6WPV2NMYvDMZXifqzK1",[],{"nodeType":1525,"data":1982,"content":1983},{},[1984],{"nodeType":1290,"value":1985,"marks":1986,"data":1988},"The verdict",[1987],{"type":1320},{},{"nodeType":1286,"data":1990,"content":1991},{},[1992],{"nodeType":1290,"value":1993,"marks":1994,"data":1995},"Browser security is a real and growing priority — according to Omdia Research, it is now a top-five priority for 88% of security leaders and the top priority for 26% of them. 85% expect their browser security spending to increase over the next 12–24 months. The question isn't whether to invest. It's what to invest in.",[],{},{"nodeType":1286,"data":1997,"content":1998},{},[1999],{"nodeType":1290,"value":2000,"marks":2001,"data":2002},"The browser is where your users work, where attackers target them, and where the identity attacks causing the majority of enterprise breaches play out. But not all browser security investments address the same problem.",[],{},{"nodeType":1277,"data":2004,"content":2008},{"target":2005},{"sys":2006},{"id":2007,"type":1282,"linkType":1283},"4nGzT9cNG0Yid93uUCCuTt",[],{"nodeType":1286,"data":2010,"content":2011},{},[2012],{"nodeType":1290,"value":2013,"marks":2014,"data":2015},"Solutions like Seraphic are built to defend against a browser being exploited by an attacker trying to break out of the sandbox — an attack that represents a historic low as a share of enterprise incidents, and one that Google's own hardening and rapid patching increasingly mitigates automatically. SquareX is built around malware sandboxing — a legitimate but declining share of the initial access landscape, and a capability Zscaler's existing customers already partially have. LayerX focuses on internal governance rather than external threats.",[],{},{"nodeType":1286,"data":2017,"content":2018},{},[2019],{"nodeType":1290,"value":2020,"marks":2021,"data":2022},"Push Security is built to defend against the attacks that are behind the major breaches hitting the headlines: identity theft, credential abuse, session hijacking, and the full identity attack kill chain that plays out inside the browser every time an attacker logs in as your user. Every major threat intelligence report points to these as the primary breach vectors. The economics of attack choice guarantee they'll remain so.",[],{},{"nodeType":1286,"data":2024,"content":2025},{},[2026],{"nodeType":1290,"value":2027,"marks":2028,"data":2029},"The security team that deploys Push gets the greatest coverage of the highest-impact threats, on managed and unmanaged devices, with the lightest operational footprint. That is the browser security investment that moves the needle on real organizational risk — not the browser security investment that defends the software nobody's actually attacking.",[],{},{"nodeType":1277,"data":2031,"content":2035},{"target":2032},{"sys":2033},{"id":2034,"type":1282,"linkType":1283},"3a2sEWgWKZulGLCFfODwk0",[],{"nodeType":1286,"data":2037,"content":2038},{},[2039],{"nodeType":1290,"value":29,"marks":2040,"data":2041},[],{},{"entries":2043},{"hyperlink":2044,"inline":2045,"block":2046},[],[],[2047,2074,2114,2137,2151,2160],{"sys":2048,"__typename":2049,"content":2050,"name":2073,"title":66},{"id":1281},"InsightTextBlockComponent",{"json":2051},{"nodeType":1273,"data":2052,"content":2053},{},[2054,2066],{"nodeType":1286,"data":2055,"content":2056},{},[2057,2062],{"nodeType":1290,"value":2058,"marks":2059,"data":2061},"TL;DR:",[2060],{"type":1320},{},{"nodeType":1290,"value":2063,"marks":2064,"data":2065}," Not all browser security investments address the same threat. Seraphic (Crowdstrike) focuses on browser exploitation, SquareX (ZScaler) on malware sandboxing, LayerX on internal governance. None of these address the attacks that are actually causing the most damaging breaches today: identity theft, credential abuse, and session hijacking that play out entirely inside the browser using legitimate authentication flows. Push Security is built specifically for that threat model — delivering the greatest coverage against the most damaging attacks, without the user friction, operational management burden, or stability risks associated with other solutions.",[],{},{"nodeType":1286,"data":2067,"content":2068},{},[2069],{"nodeType":1290,"value":2070,"marks":2071,"data":2072},"\n",[],{},"Browser security buyer's trap IB1",{"sys":2075,"__typename":2049,"content":2076,"name":2113,"title":66},{"id":1382},{"json":2077},{"data":2078,"content":2079,"nodeType":1273},{},[2080],{"data":2081,"content":2082,"nodeType":1286},{},[2083,2087,2096,2100,2109],{"data":2084,"marks":2085,"value":2086,"nodeType":1290},{},[],"You can read about ",{"data":2088,"content":2090,"nodeType":1680},{"uri":2089},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[2091],{"data":2092,"marks":2093,"value":2095,"nodeType":1290},{},[2094],{"type":1688},"Scattered Lapsus$ Hunters",{"data":2097,"marks":2098,"value":2099,"nodeType":1290},{},[]," and ",{"data":2101,"content":2103,"nodeType":1680},{"uri":2102},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[2104],{"data":2105,"marks":2106,"value":2108,"nodeType":1290},{},[2107],{"type":1688},"ShinyHunters’ 2026 campaigns and TTPs",{"data":2110,"marks":2111,"value":2112,"nodeType":1290},{},[]," in our dedicated blog posts. ","Browser security buyer's trap IB2",{"sys":2115,"__typename":2049,"content":2116,"name":2136,"title":66},{"id":1623},{"json":2117},{"data":2118,"content":2119,"nodeType":1273},{},[2120],{"data":2121,"content":2122,"nodeType":1286},{},[2123,2127,2132],{"data":2124,"marks":2125,"value":2126,"nodeType":1290},{},[],"It's worth heading off the obvious counterargument: ",{"data":2128,"marks":2129,"value":2131,"nodeType":1290},{},[2130],{"type":1320},"won't AI-assisted vulnerability discovery eventually make browser exploits cheaper? ",{"data":2133,"marks":2134,"value":2135,"nodeType":1290},{},[],"Perhaps — but it will simultaneously make them easier for browser vendors to find and patch, and vendors like Google and Microsoft have the engineering capacity and financial incentive to scale AI-driven remediation far faster than attackers can scale exploit development. ","Browser security buyer's trap IB3",{"sys":2138,"__typename":2049,"content":2139,"name":2150,"title":66},{"id":1979},{"json":2140},{"nodeType":1273,"data":2141,"content":2142},{},[2143],{"nodeType":1286,"data":2144,"content":2145},{},[2146],{"nodeType":1290,"value":2147,"marks":2148,"data":2149},"Solutions optimized for browser exploitation are defending against a shrinking attack category. Browser vendors are very good at closing those vulnerabilities, quickly. The ROI trajectory points the wrong way.",[],{},"Browser security buyer's trap IB4",{"sys":2152,"__typename":2153,"title":2154,"caption":2155,"layoutMode":66,"file":2156},{"id":2007},"Image","Comparing ease of deployment x threat relevance for browser security solutions","Comparing ease of deployment x threat relevance for browser security solutions.",{"url":2157,"width":2158,"height":2159},"https://images.ctfassets.net/y1cdw1ablpvd/4z1RAFROesqaBF4H3qR8yu/cc81098bb5024c55de55e8512f0ae3d5/push_ttp_coverage_2x__1_.png",1440,1142,{"sys":2161,"__typename":2162,"type":2163,"ctaText":2164,"buttonLabel":2165,"buttonColour":2166,"buttonUrl":2167},{"id":2034},"CtaWidget","Custom","Ready to learn more about Push? Book a demo with one of our team. ","Book a Demo","sunny orange","https://pushsecurity.com/demo/","json",{},"2026-05-13T00:00:00.000Z",{"items":2172},[2173,3143,4032],{"__typename":2174,"sys":2175,"content":2177,"title":3122,"synopsis":3123,"hashTags":66,"publishedDate":3124,"slug":3125,"tagsCollection":3126,"authorsCollection":3136},"BlogPosts",{"id":2176},"1jfqiWQlL6qkn3i9yjNbFB",{"json":2178},{"nodeType":1273,"data":2179,"content":2180},{},[2181,2188,2210,2222,2229,2237,2244,2268,2275,2282,2289,2301,2307,2310,2318,2334,2355,2469,2475,2482,2488,2496,2503,2515,2522,2528,2535,2559,2566,2573,2576,2584,2591,2599,2606,2622,2629,2636,2644,2651,2658,2666,2673,2680,2683,2691,2698,2706,2713,2720,2727,2734,2742,2749,2782,2789,2796,2802,2809,2817,2824,2902,2908,2916,2932,2939,2945,2952,2968,2971,2979,2986,2993,2999,3006,3051,3058,3065,3072,3078,3081,3089,3096,3103],{"nodeType":1286,"data":2182,"content":2183},{},[2184],{"nodeType":1290,"value":2185,"marks":2186,"data":2187},"In March, our threat hunting engine flagged something it hadn’t seen before.",[],{},{"nodeType":1286,"data":2189,"content":2190},{},[2191,2195,2206],{"nodeType":1290,"value":2192,"marks":2193,"data":2194},"Our research team had already been tracking the growing use of ",[],{},{"nodeType":2196,"data":2197,"content":2201},"entry-hyperlink",{"target":2198},{"sys":2199},{"id":2200,"type":1282,"linkType":1283},"2U6QpQ9rkY8x5ES48okHZB",[2202],{"nodeType":1290,"value":2203,"marks":2204,"data":2205},"malvertising",[],{},{"nodeType":1290,"value":2207,"marks":2208,"data":2209}," tied to phishing campaigns. Malvertising frequently targets users via Google Search results, inserting malicious ads or redirects in place of legitimate ads, and using the familiar context of the search results page to trick users into clicking.",[],{},{"nodeType":1286,"data":2211,"content":2212},{},[2213,2217],{"nodeType":1290,"value":2214,"marks":2215,"data":2216},"To defend Push customers against this threat, we needed a way to spot malicious activity arising from clicking on Google ads. ",[],{},{"nodeType":1290,"value":2218,"marks":2219,"data":2221},"But how to separate signal from noise?",[2220],{"type":276},{},{"nodeType":1286,"data":2223,"content":2224},{},[2225],{"nodeType":1290,"value":2226,"marks":2227,"data":2228},"Our hunt combined the skills of human researchers and AI agents to find 12 meaningful results from trillions of browser events visible to the Push extension across our install base.",[],{},{"nodeType":1286,"data":2230,"content":2231},{},[2232],{"nodeType":1290,"value":2233,"marks":2234,"data":2236},"Of those, one was novel. ",[2235],{"type":1320},{},{"nodeType":1286,"data":2238,"content":2239},{},[2240],{"nodeType":1290,"value":2241,"marks":2242,"data":2243},"A user had searched for NotebookLM, clicked a paid Google ad, and gotten redirected to a page impersonating NotebookLM. The page itself was just a facade fronting a Cloudflare Pages-hosted phishing kit with a WebAssembly C2 connector. To the user, it looked like a completely on-brand NotebookLM page, and if they had run the fake install prompt, they would have installed malware. (Note: NotebookLM doesn’t even require a local install, but the page was convincing enough — and AI platforms are changing so quickly — that the lure was extremely believable.)",[],{},{"nodeType":1286,"data":2245,"content":2246},{},[2247,2252,2263],{"nodeType":1290,"value":2248,"marks":2249,"data":2251},"We had found our first in-the-wild ",[2250],{"type":1320},{},{"nodeType":2196,"data":2253,"content":2257},{"target":2254},{"sys":2255},{"id":2256,"type":1282,"linkType":1283},"7bG71Eo43crbIHKzczooVS",[2258],{"nodeType":1290,"value":2259,"marks":2260,"data":2262},"InstallFix attack",[2261],{"type":1320},{},{"nodeType":1290,"value":2264,"marks":2265,"data":2267},".",[2266],{"type":1320},{},{"nodeType":1286,"data":2269,"content":2270},{},[2271],{"nodeType":1290,"value":2272,"marks":2273,"data":2274},"Within minutes, our analysis agents created detections, and researchers shipped a new detection to every Push customer. ",[],{},{"nodeType":1286,"data":2276,"content":2277},{},[2278],{"nodeType":1290,"value":2279,"marks":2280,"data":2281},"Eighteen months ago, it would have taken a human analyst days or even weeks to unpack the attack, comb through web requests, de-obfuscate web code, trace JavaScript execution, and extract signals of tactics, techniques, and procedures (TTPs) beyond short-lived single-use IOCs like domain name, then get their work coded up as a detection and deployed to customers. ",[],{},{"nodeType":1286,"data":2283,"content":2284},{},[2285],{"nodeType":1290,"value":2286,"marks":2287,"data":2288},"That was viable when new tools or techniques showed up once or twice a quarter. It doesn’t stand a chance when attack evolutions occur weekly or even daily. That’s the reality now with AI-generated adversary tools.",[],{},{"nodeType":1286,"data":2290,"content":2291},{},[2292,2297],{"nodeType":1290,"value":2293,"marks":2294,"data":2296},"So, can AI agents replace human threat researchers?",[2295],{"type":1320},{},{"nodeType":1290,"value":2298,"marks":2299,"data":2300}," That’s the wrong question. Can AI agents massively scale the expertise of a seasoned human threat hunter without getting bored of repetitive tasks, missing pertinent but easily overlooked details, or creating operational siloes dependent on one person’s knowledge — and do its work continuously across trillions of data points? Yes, absolutely.",[],{},{"nodeType":1277,"data":2302,"content":2306},{"target":2303},{"sys":2304},{"id":2305,"type":1282,"linkType":1283},"3OiZ7BrViCTTMmHUAbloEt",[],{"nodeType":1309,"data":2308,"content":2309},{},[],{"nodeType":1313,"data":2311,"content":2312},{},[2313],{"nodeType":1290,"value":2314,"marks":2315,"data":2317},"Why scaling browser threat detection requires more than more analysts",[2316],{"type":1320},{},{"nodeType":1286,"data":2319,"content":2320},{},[2321,2325,2330],{"nodeType":1290,"value":2322,"marks":2323,"data":2324},"Already this year, we’ve ",[],{},{"nodeType":1290,"value":2326,"marks":2327,"data":2329},"tripled",[2328],{"type":1320},{},{"nodeType":1290,"value":2331,"marks":2332,"data":2333}," the cumulative number of detections shipped to Push customers using this pipeline. That output points to the first problem we set out to solve by employing AI agents: Scaling our research team’s considerable expertise.",[],{},{"nodeType":1286,"data":2335,"content":2336},{},[2337,2341,2351],{"nodeType":1290,"value":2338,"marks":2339,"data":2340},"Push’s R&D team are experts at understanding and unpacking modern browser-based attacks. This is essential when you consider how quickly attacks themselves are evolving. When we created the ",[],{},{"nodeType":2196,"data":2342,"content":2346},{"target":2343},{"sys":2344},{"id":2345,"type":1282,"linkType":1283},"211Dd0EIrXPOFpvRgs0fEE",[2347],{"nodeType":1290,"value":2348,"marks":2349,"data":2350},"Browser & Identity Attacks Matrix",[],{},{"nodeType":1290,"value":2352,"marks":2353,"data":2354}," in 2023 (then called the SaaS Attacks Matrix), many of the ideas in it were theoretical. Not anymore. ",[],{},{"nodeType":1399,"data":2356,"content":2357},{},[2358,2368,2392],{"nodeType":1403,"data":2359,"content":2360},{},[2361],{"nodeType":1286,"data":2362,"content":2363},{},[2364],{"nodeType":1290,"value":2365,"marks":2366,"data":2367},"We’ve tracked the rise of AiTM phish kits from their status as MFA-bypassing novelties to the emergence of an entire criminal ecosystem built around increasingly sophisticated Phishing-as-a-Service tools. ",[],{},{"nodeType":1403,"data":2369,"content":2370},{},[2371],{"nodeType":1286,"data":2372,"content":2373},{},[2374,2378,2388],{"nodeType":1290,"value":2375,"marks":2376,"data":2377},"We imagined the simple but effective power of using device code authorization for phishing three years ago; in the last few months, we’ve detected a 37x increase in ",[],{},{"nodeType":2196,"data":2379,"content":2383},{"target":2380},{"sys":2381},{"id":2382,"type":1282,"linkType":1283},"5DmCqTU2Tg4adYScA5vT2x",[2384],{"nodeType":1290,"value":2385,"marks":2386,"data":2387},"device code phishing attacks",[],{},{"nodeType":1290,"value":2389,"marks":2390,"data":2391}," across our install base. ",[],{},{"nodeType":1403,"data":2393,"content":2394},{},[2395],{"nodeType":1286,"data":2396,"content":2397},{},[2398,2402,2412,2416,2425,2429,2439,2443,2452,2455,2465],{"nodeType":1290,"value":2399,"marks":2400,"data":2401},"We were also the first to detect a novel post-authorization attack we dubbed ",[],{},{"nodeType":2196,"data":2403,"content":2407},{"target":2404},{"sys":2405},{"id":2406,"type":1282,"linkType":1283},"71EaaK7lfl6bQBbkAU0qjv",[2408],{"nodeType":1290,"value":2409,"marks":2410,"data":2411},"ConsentFix",[],{},{"nodeType":1290,"value":2413,"marks":2414,"data":2415}," that combines OAuth consent phishing and ClickFix-style user prompts; reported on the rise of the ridiculously simple yet effective ",[],{},{"nodeType":2196,"data":2417,"content":2420},{"target":2418},{"sys":2419},{"id":2256,"type":1282,"linkType":1283},[2421],{"nodeType":1290,"value":2422,"marks":2423,"data":2424},"InstallFix technique",[],{},{"nodeType":1290,"value":2426,"marks":2427,"data":2428}," described earlier; and detected an array of other ",[],{},{"nodeType":2196,"data":2430,"content":2434},{"target":2431},{"sys":2432},{"id":2433,"type":1282,"linkType":1283},"2YmiesBvJHGw4wiKEKzLUq",[2435],{"nodeType":1290,"value":2436,"marks":2437,"data":2438},"creative",[],{},{"nodeType":1290,"value":2440,"marks":2441,"data":2442}," ",[],{},{"nodeType":2196,"data":2444,"content":2447},{"target":2445},{"sys":2446},{"id":2200,"type":1282,"linkType":1283},[2448],{"nodeType":1290,"value":2449,"marks":2450,"data":2451},"phishing",[],{},{"nodeType":1290,"value":2440,"marks":2453,"data":2454},[],{},{"nodeType":2196,"data":2456,"content":2460},{"target":2457},{"sys":2458},{"id":2459,"type":1282,"linkType":1283},"6Zosy4SU0LpjlaSWX75peb",[2461],{"nodeType":1290,"value":2462,"marks":2463,"data":2464},"campaigns",[],{},{"nodeType":1290,"value":2466,"marks":2467,"data":2468}," tied to malvertising scams.",[],{},{"nodeType":1277,"data":2470,"content":2474},{"target":2471},{"sys":2472},{"id":2473,"type":1282,"linkType":1283},"53U3LHhhHFYnEpShdLmDqs",[],{"nodeType":1286,"data":2476,"content":2477},{},[2478],{"nodeType":1290,"value":2479,"marks":2480,"data":2481},"With an agentic approach, we could scale this expertise and reduce the time it takes to go from technique discovery to production-ready detection. This speed is critical now because adversaries are also using AI tools to do their work, exploding the number of trivial-to-rotate indicators of compromise and overwhelming existing detection workflows that lack an equivalent machine speed.",[],{},{"nodeType":1277,"data":2483,"content":2487},{"target":2484},{"sys":2485},{"id":2486,"type":1282,"linkType":1283},"1u00uFbC4xsvP9lqahXbgD",[],{"nodeType":1525,"data":2489,"content":2490},{},[2491],{"nodeType":1290,"value":2492,"marks":2493,"data":2495},"Scaling behavioral detections, not just making bigger blocklists",[2494],{"type":1320},{},{"nodeType":1286,"data":2497,"content":2498},{},[2499],{"nodeType":1290,"value":2500,"marks":2501,"data":2502},"But output numbers alone don’t tell the story of successful detections. That’s the other problem we set out to solve at scale: Most secure browser solutions rely on detection logic based on blocking known-bad indicators like domains, IPs, and URLs.",[],{},{"nodeType":1286,"data":2504,"content":2505},{},[2506,2511],{"nodeType":1290,"value":2507,"marks":2508,"data":2510},"If your solution offers 1,000 detections, and they’re all based on known-bad indicators that are easily rotated, then you’ve got 1,000 detections that worked once and will likely never fire again. ",[2509],{"type":1320},{},{"nodeType":1290,"value":2512,"marks":2513,"data":2514},"They certainly won’t catch subtle adaptations in adversary techniques that don’t rely on infrastructure changes, which are easy for attackers to swap anyway. ",[],{},{"nodeType":1286,"data":2516,"content":2517},{},[2518],{"nodeType":1290,"value":2519,"marks":2520,"data":2521},"Push does it differently. Our detection engine is focused on hunting for tactics, techniques, and procedures: the behavioral fingerprints of an attack, not just the infrastructure it runs on. ",[],{},{"nodeType":1277,"data":2523,"content":2527},{"target":2524},{"sys":2525},{"id":2526,"type":1282,"linkType":1283},"5jR3YVUiusHGnXDOyrgYpr",[],{"nodeType":1286,"data":2529,"content":2530},{},[2531],{"nodeType":1290,"value":2532,"marks":2533,"data":2534},"Instead of blocking based on known-bad domains, URLs, and IPs, our detections are built around user-level and page-level behaviors like what scripts load, how redirects behave, what events fire, what actions a user takes and what happens next, etc. (In fact, Push detections don’t even use any infrastructure-based IOCs, though customers can write their own custom detections if they have a specific IOC they’re keeping an eye on.)",[],{},{"nodeType":1286,"data":2536,"content":2537},{},[2538,2543,2554],{"nodeType":1290,"value":2539,"marks":2540,"data":2542},"All the detections we write would survive infrastructure rotation by adversaries, and many of our existing detections have caught never-before-seen evolutions in TTPs. That’s because we focus on the top of the ",[2541],{"type":1320},{},{"nodeType":2196,"data":2544,"content":2548},{"target":2545},{"sys":2546},{"id":2547,"type":1282,"linkType":1283},"1qegIy4rMdm5XZXnIEoKpE",[2549],{"nodeType":1290,"value":2550,"marks":2551,"data":2553},"Pyramid of Pain",[2552],{"type":1320},{},{"nodeType":1290,"value":2555,"marks":2556,"data":2558},", the indicators that are hardest for attackers to change.",[2557],{"type":1320},{},{"nodeType":1286,"data":2560,"content":2561},{},[2562],{"nodeType":1290,"value":2563,"marks":2564,"data":2565},"This focus on detecting TTPs has always been our approach. But with the acceleration in both attack types and the ease with which adversaries rotate infrastructure, we needed to build capabilities that scaled our knowledge. ",[],{},{"nodeType":1286,"data":2567,"content":2568},{},[2569],{"nodeType":1290,"value":2570,"marks":2571,"data":2572},"We did this not by replacing researchers, but by continuously activating their expertise.",[],{},{"nodeType":1309,"data":2574,"content":2575},{},[],{"nodeType":1313,"data":2577,"content":2578},{},[2579],{"nodeType":1290,"value":2580,"marks":2581,"data":2583},"Core principles for agentic threat hunting",[2582],{"type":1320},{},{"nodeType":1286,"data":2585,"content":2586},{},[2587],{"nodeType":1290,"value":2588,"marks":2589,"data":2590},"Three principles make Push's agentic threat hunting and detection engineering pipeline work:",[],{},{"nodeType":1525,"data":2592,"content":2593},{},[2594],{"nodeType":1290,"value":2595,"marks":2596,"data":2598},"Context matters more than custom models",[2597],{"type":1320},{},{"nodeType":1286,"data":2600,"content":2601},{},[2602],{"nodeType":1290,"value":2603,"marks":2604,"data":2605},"We’re not AI researchers; we’re security researchers — we aren't trying to compete in building the most intelligent models. And in our view, AI models are quickly becoming commoditized like cloud infrastructure, anyway. Luckily, the commercial models today already excel at understanding web code. We just need to harness their power with our expertise.",[],{},{"nodeType":1286,"data":2607,"content":2608},{},[2609,2613,2618],{"nodeType":1290,"value":2610,"marks":2611,"data":2612},"So at Push, we use a variety of commercial AI models and tools in complementary ways. What matters most is the telemetry they analyze, and that’s where Push’s existing product infrastructure shines: We’re already deployed into over ",[],{},{"nodeType":1290,"value":2614,"marks":2615,"data":2617},"3 million browsers worldwide",[2616],{"type":1320},{},{"nodeType":1290,"value":2619,"marks":2620,"data":2621},", and the Push browser extension includes a component that operates as a flight recorder to locally record everything that matters inside a browser session.",[],{},{"nodeType":1286,"data":2623,"content":2624},{},[2625],{"nodeType":1290,"value":2626,"marks":2627,"data":2628},"This universe of metadata — DOM elements, tab context, script execution, network traffic, user actions, credential entry, etc. — becomes the searchable corpus for hunts. Metadata is stored locally in users’ browsers and only queried during targeted threat hunts. ",[],{},{"nodeType":1286,"data":2630,"content":2631},{},[2632],{"nodeType":1290,"value":2633,"marks":2634,"data":2635},"This approach avoids dragnet collection of sensitive data. Instead, we focus on collecting metadata and distilling that into patterns and insights that provide context for agents to perform their analysis. This means that Push also does not train or fine-tune models on customer data.",[],{},{"nodeType":1525,"data":2637,"content":2638},{},[2639],{"nodeType":1290,"value":2640,"marks":2641,"data":2643},"Agents are only as good as the context you give them. Good context is researcher-led",[2642],{"type":1320},{},{"nodeType":1286,"data":2645,"content":2646},{},[2647],{"nodeType":1290,"value":2648,"marks":2649,"data":2650},"AI agents don’t know how to identify the TTPs of browser-based attacks until you give them the right context, and Push researchers have spent years unpacking these techniques and tools. Agents at Push consume our internal knowledge base of identified TTPs, and both humans and agents perform meta-analyses to check their work. The agents have access to large libraries of traces of human interactions with real phishing kits. This is a powerful dataset to build on.",[],{},{"nodeType":1286,"data":2652,"content":2653},{},[2654],{"nodeType":1290,"value":2655,"marks":2656,"data":2657},"When we don’t get the results we want from AI models, the question is “What context is it missing? What does our human team know that the agents don’t, and how can we give them that context — do they need data, tools, better workflows?” That closes the gap in performance and keeps quality high.",[],{},{"nodeType":1525,"data":2659,"content":2660},{},[2661],{"nodeType":1290,"value":2662,"marks":2663,"data":2665},"Integrated architecture that makes agentic AI the throughput layer, not a bolt-on",[2664],{"type":1320},{},{"nodeType":1286,"data":2667,"content":2668},{},[2669],{"nodeType":1290,"value":2670,"marks":2671,"data":2672},"The constraint we’re trying to break by using AI isn’t knowledge, it’s throughput. Our researchers deeply understand the techniques and tools. An agentic pipeline can apply that understanding continuously across millions of browsers and trillions of events, ingest new external signals, generate hunt hypotheses, triage results, and return only the findings that warrant escalation.",[],{},{"nodeType":1286,"data":2674,"content":2675},{},[2676],{"nodeType":1290,"value":2677,"marks":2678,"data":2679},"This approach relies on tight integration of our product and our agentic workflows. We’ll take a closer look at that in the next section.",[],{},{"nodeType":1309,"data":2681,"content":2682},{},[],{"nodeType":1313,"data":2684,"content":2685},{},[2686],{"nodeType":1290,"value":2687,"marks":2688,"data":2690},"How the agentic detection pipeline runs",[2689],{"type":1320},{},{"nodeType":1286,"data":2692,"content":2693},{},[2694],{"nodeType":1290,"value":2695,"marks":2696,"data":2697},"Now let’s look at how agentic threat detection actually works, and some of the emerging best practices we’ve identified. We'll cover two example hunts, one initiated autonomously by the agents themselves, and one by our research team. ",[],{},{"nodeType":1525,"data":2699,"content":2700},{},[2701],{"nodeType":1290,"value":2702,"marks":2703,"data":2705},"Example 1: Autonomous threat hunt",[2704],{"type":1320},{},{"nodeType":1286,"data":2707,"content":2708},{},[2709],{"nodeType":1290,"value":2710,"marks":2711,"data":2712},"Push’s threat hunting pipeline ingested context from research articles describing a new attack technique, and an agent developed hypotheses on what to hunt for across Push’s install base to identify instances of this attack. ",[],{},{"nodeType":1286,"data":2714,"content":2715},{},[2716],{"nodeType":1290,"value":2717,"marks":2718,"data":2719},"The agent crafted detection queries and then refined them to reduce false positives. The successful query ran across stored metadata and returned results, validating that there were zero false positives. ",[],{},{"nodeType":1286,"data":2721,"content":2722},{},[2723],{"nodeType":1290,"value":2724,"marks":2725,"data":2726},"The validated query became a scheduled job that runs on a regular cadence to monitor for potentially malicious signals. A triage agent then received any matches, did an initial analysis, and passed anything that looked suspicious to another agent to perform deeper analysis. This deep analysis agent wields the full investigative toolkit that a human researcher would — using Push’s internal knowledge base, domain age and registration analysis, URLScan and whois lookups, DOM image analysis, and contextual analysis of page-level and user-level behaviors, etc.",[],{},{"nodeType":1286,"data":2728,"content":2729},{},[2730],{"nodeType":1290,"value":2731,"marks":2732,"data":2733},"Within a few minutes, it can filter a thousand or more signals in a hunt trace down to a handful with meaning and provide an actionable assessment. Then, once the TTP was well-understood, other agents wrote and refined detections that can raise alerts for customers when an event of this type is seen. The Push platform immediately applies the customer’s configured security controls, such as blocking users from interacting with malicious pages.",[],{},{"nodeType":1525,"data":2735,"content":2736},{},[2737],{"nodeType":1290,"value":2738,"marks":2739,"data":2741},"Example 2: Human-initiated threat hunt",[2740],{"type":1320},{},{"nodeType":1286,"data":2743,"content":2744},{},[2745],{"nodeType":1290,"value":2746,"marks":2747,"data":2748},"Now, going back to the example from the beginning of the article: InstallFix. This hunt started with a thorny problem our research team needed to solve: How to detect bad things downstream of a user interacting with a Google ad? We needed a way to pinpoint the bad links from the good ones.",[],{},{"nodeType":1286,"data":2750,"content":2751},{},[2752,2756,2761,2765,2770,2773,2778],{"nodeType":1290,"value":2753,"marks":2754,"data":2755},"Our researchers collaborated with agents to formulate the right parameters for hunt queries, taking into account that good ads are normally bought by companies with marketing budgets, so therefore ads will be expected to redirect to pages hosted on custom domains, not shared domains like ",[],{},{"nodeType":1290,"value":2757,"marks":2758,"data":2760},"*pages.dev",[2759],{"type":1320},{},{"nodeType":1290,"value":2762,"marks":2763,"data":2764},", ",[],{},{"nodeType":1290,"value":2766,"marks":2767,"data":2769},"*workers.dev",[2768],{"type":1320},{},{"nodeType":1290,"value":2762,"marks":2771,"data":2772},[],{},{"nodeType":1290,"value":2774,"marks":2775,"data":2777},"*squarespace.com",[2776],{"type":1320},{},{"nodeType":1290,"value":2779,"marks":2780,"data":2781},", etc.",[],{},{"nodeType":1286,"data":2783,"content":2784},{},[2785],{"nodeType":1290,"value":2786,"marks":2787,"data":2788},"Our AI agents already understood key TTPs that indicated potential maliciousness on a page: password prompts, file downloads, OAuth integrations, clipboard copies, and similar user prompts that are frequently abused.",[],{},{"nodeType":1286,"data":2790,"content":2791},{},[2792],{"nodeType":1290,"value":2793,"marks":2794,"data":2795},"The agent ran several queries that returned matching browsing traces — the term we use for sequences of events in a session or tab context — where the user clicked a Google ad, was redirected to a page on a shared hosting domain, and then clicked a button to copy content to their clipboard.",[],{},{"nodeType":1277,"data":2797,"content":2801},{"target":2798},{"sys":2799},{"id":2800,"type":1282,"linkType":1283},"4IWOrWuvbwzWRJUkINiwKH",[],{"nodeType":1286,"data":2803,"content":2804},{},[2805],{"nodeType":1290,"value":2806,"marks":2807,"data":2808},"We got back high-fidelity findings and then tuned the query into a continuous detection that leveraged existing detection logic around related techniques. This process also effectively back-tests new detections, so we know we’re not going to generate a lot of false positives. Result: A new detection against a new technique, plus several improvements to existing detections.",[],{},{"nodeType":1525,"data":2810,"content":2811},{},[2812],{"nodeType":1290,"value":2813,"marks":2814,"data":2816},"What infrastructure is needed for agentic threat hunting?",[2815],{"type":1320},{},{"nodeType":1286,"data":2818,"content":2819},{},[2820],{"nodeType":1290,"value":2821,"marks":2822,"data":2823},"Both of these examples illustrate the end-to-end workflows supported by this pipeline. From an infrastructure perspective, you can think about the pipeline as composed of:",[],{},{"nodeType":1399,"data":2825,"content":2826},{},[2827,2842,2857,2872,2887],{"nodeType":1403,"data":2828,"content":2829},{},[2830],{"nodeType":1286,"data":2831,"content":2832},{},[2833,2838],{"nodeType":1290,"value":2834,"marks":2835,"data":2837},"A flight recorder: ",[2836],{"type":1320},{},{"nodeType":1290,"value":2839,"marks":2840,"data":2841},"The Push extension-powered capability that collects and locally stores browser event metadata from users’ browsers.",[],{},{"nodeType":1403,"data":2843,"content":2844},{},[2845],{"nodeType":1286,"data":2846,"content":2847},{},[2848,2853],{"nodeType":1290,"value":2849,"marks":2850,"data":2852},"A knowledge base:",[2851],{"type":1320},{},{"nodeType":1290,"value":2854,"marks":2855,"data":2856}," Structured knowledge about what Push knows about TTPs and its existing body of detection logic, as well as externally sourced signals of new attack trends.",[],{},{"nodeType":1403,"data":2858,"content":2859},{},[2860],{"nodeType":1286,"data":2861,"content":2862},{},[2863,2868],{"nodeType":1290,"value":2864,"marks":2865,"data":2867},"Agents as tools: ",[2866],{"type":1320},{},{"nodeType":1290,"value":2869,"marks":2870,"data":2871},"Role-segmented agents that work as a team to triage, investigate, develop hunt queries, return analyses, write detections, and review each others’ work for completeness and accuracy.",[],{},{"nodeType":1403,"data":2873,"content":2874},{},[2875],{"nodeType":1286,"data":2876,"content":2877},{},[2878,2883],{"nodeType":1290,"value":2879,"marks":2880,"data":2882},"Humans in the loop: ",[2881],{"type":1320},{},{"nodeType":1290,"value":2884,"marks":2885,"data":2886},"Human researchers who collaborate with agents to initiate hunts and tune detections.",[],{},{"nodeType":1403,"data":2888,"content":2889},{},[2890],{"nodeType":1286,"data":2891,"content":2892},{},[2893,2898],{"nodeType":1290,"value":2894,"marks":2895,"data":2897},"Platform controls: ",[2896],{"type":1320},{},{"nodeType":1290,"value":2899,"marks":2900,"data":2901},"The Push administrator-configured controls that specify how to respond to detected events like AiTM phishing, tuneable by scope, user groups, browser profiles, apps, etc.",[],{},{"nodeType":1277,"data":2903,"content":2907},{"target":2904},{"sys":2905},{"id":2906,"type":1282,"linkType":1283},"7FY0vCBUXOt4vnudFuKALC",[],{"nodeType":1525,"data":2909,"content":2910},{},[2911],{"nodeType":1290,"value":2912,"marks":2913,"data":2915},"What are the best practices for agentic threat detection?",[2914],{"type":1320},{},{"nodeType":1286,"data":2917,"content":2918},{},[2919,2923,2928],{"nodeType":1290,"value":2920,"marks":2921,"data":2922},"To be effective, agents must specialize and focus. This is the ",[],{},{"nodeType":1290,"value":2924,"marks":2925,"data":2927},"agents as tools",[2926],{"type":1320},{},{"nodeType":1290,"value":2929,"marks":2930,"data":2931}," concept. When we’re asking AI agents to take massive amounts of data and make a high-level decision about a signal in observed browser events, they must work as a team, finding intelligent ways to condense information without losing important context or hallucinating.",[],{},{"nodeType":1286,"data":2933,"content":2934},{},[2935],{"nodeType":1290,"value":2936,"marks":2937,"data":2938},"Creating a hierarchy of agent jobs — including agents to perform meta-analyses to catch mistakes and verify conclusions — makes the agents effective by giving them a manageable focus that controls the size of context windows.",[],{},{"nodeType":1277,"data":2940,"content":2944},{"target":2941},{"sys":2942},{"id":2943,"type":1282,"linkType":1283},"3fzJCknMUmh4Z7YnhBSbsT",[],{"nodeType":1286,"data":2946,"content":2947},{},[2948],{"nodeType":1290,"value":2949,"marks":2950,"data":2951},"Creating an agentic workflow requires operationalizing your internal knowledge in a repeatable and trustworthy way. Sharing rich context from human discoveries is the key to getting the best results out of agents. ",[],{},{"nodeType":1286,"data":2953,"content":2954},{},[2955,2959,2964],{"nodeType":1290,"value":2956,"marks":2957,"data":2958},"It's vital too that the agent uses ",[],{},{"nodeType":1290,"value":2960,"marks":2961,"data":2963},"privacy-preserving methods and infrastructure.",[2962],{"type":1320},{},{"nodeType":1290,"value":2965,"marks":2966,"data":2967}," The Push agent is designed to respect customer and user privacy while enabling high-fidelity detections. We do this by collecting broad browser metadata but storing it locally in users’ browsers and only querying that metadata during active threat hunting investigations.",[],{},{"nodeType":1309,"data":2969,"content":2970},{},[],{"nodeType":1313,"data":2972,"content":2973},{},[2974],{"nodeType":1290,"value":2975,"marks":2976,"data":2978},"The compounding effect and how it benefits Push customers",[2977],{"type":1320},{},{"nodeType":1286,"data":2980,"content":2981},{},[2982],{"nodeType":1290,"value":2983,"marks":2984,"data":2985},"At Push, we think about our detection capability as two learning loops with a compounding effect: An inner loop that serves as our real-time detection and response engine for known attacker techniques, and an outer loop that is the continuous learning our agents do as they hunt for new threats, analyze emerging behaviors, and create new detections. ",[],{},{"nodeType":1286,"data":2987,"content":2988},{},[2989],{"nodeType":1290,"value":2990,"marks":2991,"data":2992},"The outer loop feeds the inner loop, and vice versa.",[],{},{"nodeType":1277,"data":2994,"content":2998},{"target":2995},{"sys":2996},{"id":2997,"type":1282,"linkType":1283},"1Jjqll7IIX2QRxN37gjFMH",[],{"nodeType":1286,"data":3000,"content":3001},{},[3002],{"nodeType":1290,"value":3003,"marks":3004,"data":3005},"Customers benefit from this approach because it means they:",[],{},{"nodeType":1399,"data":3007,"content":3008},{},[3009,3031,3041],{"nodeType":1403,"data":3010,"content":3011},{},[3012],{"nodeType":1286,"data":3013,"content":3014},{},[3015,3019,3027],{"nodeType":1290,"value":3016,"marks":3017,"data":3018},"Regularly receive ready-made detections against both known and emerging browser-based threats, without having to write their own detections. (Push also provides the ability to write your own ",[],{},{"nodeType":1680,"data":3020,"content":3022},{"uri":3021},"/help/audience/engineering/resources/custom-detections",[3023],{"nodeType":1290,"value":3024,"marks":3025,"data":3026},"custom detections",[],{},{"nodeType":1290,"value":3028,"marks":3029,"data":3030},", too, for environment-specific use cases.)",[],{},{"nodeType":1403,"data":3032,"content":3033},{},[3034],{"nodeType":1286,"data":3035,"content":3036},{},[3037],{"nodeType":1290,"value":3038,"marks":3039,"data":3040},"Can configure Push’s response actions based on their security goals and environment. Agents act as the threat-hunting and detection engineering team; Push customers set the thresholds for how they want to respond. For example, customers can use Push controls to block all AiTM phishing attacks (or even carve out exceptions for their own incident responders to be able to visit malicious pages with just a warning), and agents continually feed new indicators into detection logic for that class of attack.",[],{},{"nodeType":1403,"data":3042,"content":3043},{},[3044],{"nodeType":1286,"data":3045,"content":3046},{},[3047],{"nodeType":1290,"value":3048,"marks":3049,"data":3050},"Get pre-digested and actionable intelligence from every detection, with extremely high fidelity.",[],{},{"nodeType":1286,"data":3052,"content":3053},{},[3054],{"nodeType":1290,"value":3055,"marks":3056,"data":3057},"This all equates to your own advanced browser threat protection, without requiring the specialized in-house expertise we’ve spent years building.",[],{},{"nodeType":1286,"data":3059,"content":3060},{},[3061],{"nodeType":1290,"value":3062,"marks":3063,"data":3064},"If you’re a Push customer, you already know that we regularly collaborate with security teams to identify and refine detection use cases, and assist with investigations. In the past few months alone, we’ve worked closely with teams targeted by device code phishing, and InstallFix and ClickFix campaigns, among others. ",[],{},{"nodeType":1286,"data":3066,"content":3067},{},[3068],{"nodeType":1290,"value":3069,"marks":3070,"data":3071},"If you’re not a customer and are curious about how Push’s agentic threat hunting and detection engineering capabilities can address your use cases, please get in touch.",[],{},{"nodeType":1277,"data":3073,"content":3077},{"target":3074},{"sys":3075},{"id":3076,"type":1282,"linkType":1283},"607jrBjlD1vtcbkDfD04DE",[],{"nodeType":1309,"data":3079,"content":3080},{},[],{"nodeType":1313,"data":3082,"content":3083},{},[3084],{"nodeType":1290,"value":3085,"marks":3086,"data":3088},"Learn more",[3087],{"type":1320},{},{"nodeType":1286,"data":3090,"content":3091},{},[3092],{"nodeType":1290,"value":3093,"marks":3094,"data":3095},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.",[],{},{"nodeType":1286,"data":3097,"content":3098},{},[3099],{"nodeType":1290,"value":3100,"marks":3101,"data":3102},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":1286,"data":3104,"content":3105},{},[3106,3110,3118],{"nodeType":1290,"value":3107,"marks":3108,"data":3109},"Book a ",[],{},{"nodeType":1680,"data":3111,"content":3113},{"uri":3112},"/demo",[3114],{"nodeType":1290,"value":3115,"marks":3116,"data":3117},"live demo",[],{},{"nodeType":1290,"value":3119,"marks":3120,"data":3121}," to learn more.",[],{},"Can AI replace a threat researcher? What we learned building an agentic threat hunting pipeline","How we built an end-to-end threat hunting and detection engineering capability at Push that uses AI agents as a force multiplier.","2026-05-12T00:00:00.000Z","can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline",{"items":3127},[3128,3132],{"sys":3129,"name":3131},{"id":3130},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":3133,"name":3135},{"id":3134},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":3137},[3138],{"fullName":3139,"firstName":3140,"jobTitle":1268,"profilePicture":3141},"Kelly Davenport","Kelly",{"url":3142},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"__typename":2174,"sys":3144,"content":3146,"title":4014,"synopsis":4015,"hashTags":66,"publishedDate":4016,"slug":4017,"tagsCollection":4018,"authorsCollection":4024},{"id":3145},"3jF1fypt08TNlSoWuoMWhj",{"json":3147},{"nodeType":1273,"data":3148,"content":3149},{},[3150,3167,3210,3217,3248,3291,3297,3309,3312,3320,3373,3380,3403,3409,3412,3420,3450,3457,3465,3471,3474,3482,3489,3507,3514,3557,3564,3567,3575,3594,3602,3609,3632,3655,3679,3687,3694,3697,3704,3710,3726,3729,3737,3755,4008],{"nodeType":1286,"data":3151,"content":3152},{},[3153,3157,3163],{"nodeType":1290,"value":3154,"marks":3155,"data":3156},"ShinyHunters and the broader SLH (",[],{},{"nodeType":1680,"data":3158,"content":3159},{"uri":2089},[3160],{"nodeType":1290,"value":2095,"marks":3161,"data":3162},[],{},{"nodeType":1290,"value":3164,"marks":3165,"data":3166},") collective have claimed breaches at thousands of organizations over the past twelve months across retail, technology, aviation, financial services, media, gaming, and education, in what amounts to the most sustained data theft and extortion operation in recent cybercrime history. ",[],{},{"nodeType":1286,"data":3168,"content":3169},{},[3170,3174,3182,3186,3194,3198,3206],{"nodeType":1290,"value":3171,"marks":3172,"data":3173},"The confirmed victim list reads like a Fortune 500 directory: Coca-Cola, Cisco, Qantas, Coinbase, ADT, Aflac, SoundCloud, Rockstar Games, and recently ",[],{},{"nodeType":1680,"data":3175,"content":3177},{"uri":3176},"https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/",[3178],{"nodeType":1290,"value":3179,"marks":3180,"data":3181},"Instructure",[],{},{"nodeType":1290,"value":3183,"marks":3184,"data":3185}," — whose breach ",[],{},{"nodeType":1680,"data":3187,"content":3189},{"uri":3188},"https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/",[3190],{"nodeType":1290,"value":3191,"marks":3192,"data":3193},"disrupted schools and universities nationwide",[],{},{"nodeType":1290,"value":3195,"marks":3196,"data":3197}," during final exams — among dozens more named publicly and likely many more that haven't been (breaches settled quickly behind closed doors don't always make it into the public eye). ShinyHunters alone claimed over 1.5 billion stolen Salesforce records from a single campaign targeting more than 1,000 organizations, and this follows the ",[],{},{"nodeType":1680,"data":3199,"content":3201},{"uri":3200},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[3202],{"nodeType":1290,"value":3203,"marks":3204,"data":3205},"2024 Snowflake breach",[],{},{"nodeType":1290,"value":3207,"marks":3208,"data":3209}," where the same group used infostealer-harvested credentials to compromise over 165 customer environments (and another billion-plus records).",[],{},{"nodeType":1286,"data":3211,"content":3212},{},[3213],{"nodeType":1290,"value":3214,"marks":3215,"data":3216},"SLH operates as a distributed criminal collective. Its genealogy traces through a merger of Scattered Spider, Lapsus$, and ShinyHunters, itself part of the Com, a broader community of English-speaking cybercriminals with international criminal affiliations. ",[],{},{"nodeType":1286,"data":3218,"content":3219},{},[3220,3224,3232,3236,3244],{"nodeType":1290,"value":3221,"marks":3222,"data":3223},"Additional operating clusters, including Cordial Spider and Snarky Spider (which CrowdStrike ",[],{},{"nodeType":1680,"data":3225,"content":3227},{"uri":3226},"https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/",[3228],{"nodeType":1290,"value":3229,"marks":3230,"data":3231},"characterizes as the new generation of Scattered Spider",[],{},{"nodeType":1290,"value":3233,"marks":3234,"data":3235},") run parallel campaigns against different target sectors, unified not by shared infrastructure but by a shared playbook of techniques that exploit the structural weakness in modern SaaS-first organizations. ",[],{},{"nodeType":1680,"data":3237,"content":3239},{"uri":3238},"https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-03-12-Vishing-Campaigns-Lead-to-Data-Theft-and-Extortion.txt",[3240],{"nodeType":1290,"value":3241,"marks":3242,"data":3243},"Unit 42 documented",[],{},{"nodeType":1290,"value":3245,"marks":3246,"data":3247}," these groups moving from initial compromise to complete data exfiltration in under an hour — faster than most organizations can even begin to respond. ",[],{},{"nodeType":1286,"data":3249,"content":3250},{},[3251,3255,3263,3267,3275,3279,3287],{"nodeType":1290,"value":3252,"marks":3253,"data":3254},"Not every SLH breach is browser-based — the Instructure breach (275 million individuals, ~330 school login portals defaced) began with a Salesforce tenant compromise in September 2025, but resurfaced in May 2026 after attackers ",[],{},{"nodeType":1680,"data":3256,"content":3258},{"uri":3257},"https://www.bitdefender.com/en-us/blog/hotforsecurity/shinyhunters-instructure-hack-massive-data-breach",[3259],{"nodeType":1290,"value":3260,"marks":3261,"data":3262},"exploited a multi-tenant isolation failure",[],{},{"nodeType":1290,"value":3264,"marks":3265,"data":3266}," in Canvas's Free-For-Teacher program (it's now been confirmed that Instructure have \"",[],{},{"nodeType":1680,"data":3268,"content":3270},{"uri":3269},"https://www.instructure.com/incident_update",[3271],{"nodeType":1290,"value":3272,"marks":3273,"data":3274},"reached a settlement",[],{},{"nodeType":1290,"value":3276,"marks":3277,"data":3278},"\" for the deleteion of the data), while the Coinbase breach cost ",[],{},{"nodeType":1680,"data":3280,"content":3282},{"uri":3281},"https://www.bleepingcomputer.com/news/security/coinbase-discloses-breach-faces-up-to-400-million-in-losses/",[3283],{"nodeType":1290,"value":3284,"marks":3285,"data":3286},"$180M–400M through insider bribery",[],{},{"nodeType":1290,"value":3288,"marks":3289,"data":3290}," — but these are the exceptions. ",[],{},{"nodeType":1277,"data":3292,"content":3296},{"target":3293},{"sys":3294},{"id":3295,"type":1282,"linkType":1283},"4qNrbDyMJIumQfdbh9YVkU",[],{"nodeType":1286,"data":3298,"content":3299},{},[3300,3305],{"nodeType":1290,"value":3301,"marks":3302,"data":3304},"The vast majority of SLH campaigns over the past year converge on three browser-based attack vectors: vishing combined with AiTM phishing, device code phishing exploiting account authorization flows, and OAuth supply chain attacks through compromised third-party integrators.",[3303],{"type":1320},{},{"nodeType":1290,"value":3306,"marks":3307,"data":3308}," Each is well-documented, each has produced confirmed victims at scale, and each is detectable or preventable through browser-layer security controls. This post examines all three.",[],{},{"nodeType":1309,"data":3310,"content":3311},{},[],{"nodeType":1313,"data":3313,"content":3314},{},[3315],{"nodeType":1290,"value":3316,"marks":3317,"data":3319},"Vector 1: Vishing combined with AiTM phishing",[3318],{"type":1320},{},{"nodeType":1286,"data":3321,"content":3322},{},[3323,3327,3335,3339,3347,3351,3358,3362,3370],{"nodeType":1290,"value":3324,"marks":3325,"data":3326},"The most visible campaign right now pairs targeted voice calls with adversary-in-the-middle phishing pages — an approach that",[],{},{"nodeType":1680,"data":3328,"content":3330},{"uri":3329},"https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft",[3331],{"nodeType":1290,"value":3332,"marks":3333,"data":3334}," Mandiant",[],{},{"nodeType":1290,"value":3336,"marks":3337,"data":3338},",",[],{},{"nodeType":1680,"data":3340,"content":3342},{"uri":3341},"https://www.crowdstrike.com/en-us/blog/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield/",[3343],{"nodeType":1290,"value":3344,"marks":3345,"data":3346}," CrowdStrike",[],{},{"nodeType":1290,"value":3348,"marks":3349,"data":3350},", and",[],{},{"nodeType":1680,"data":3352,"content":3353},{"uri":3238},[3354],{"nodeType":1290,"value":3355,"marks":3356,"data":3357}," Unit 42",[],{},{"nodeType":1290,"value":3359,"marks":3360,"data":3361}," have all documented from the incident response side, and which Push has",[],{},{"nodeType":1680,"data":3363,"content":3365},{"uri":3364},"https://pushsecurity.com/blog/inside-criminal-phishing-panel/",[3366],{"nodeType":1290,"value":3367,"marks":3368,"data":3369}," documented from inside the attacker's own operator panels",[],{},{"nodeType":1290,"value":2264,"marks":3371,"data":3372},[],{},{"nodeType":1286,"data":3374,"content":3375},{},[3376],{"nodeType":1290,"value":3377,"marks":3378,"data":3379},"An attacker impersonating IT support calls the target employee, establishes urgency — often citing a \"mandatory passkey rollout\" or a \"security compliance update\" — and directs them to a victim-branded AiTM phishing page (typically at a domain like \u003Ccompany>sso.com or \u003Ccompany>internal.com). The attack is processed by a live human in real time, relaying credentials and MFA codes to the legitimate identity provider as they are entered, capturing the resulting session token, and granting the attacker an authenticated session. ",[],{},{"nodeType":1286,"data":3381,"content":3382},{},[3383,3387,3394,3398],{"nodeType":1290,"value":3384,"marks":3385,"data":3386},"One of the reasons that this method is becoming so widespread is the commoditization of effective tools. Push's ",[],{},{"nodeType":1680,"data":3388,"content":3389},{"uri":3364},[3390],{"nodeType":1290,"value":3391,"marks":3392,"data":3393},"infiltration of the criminal phishing panels",[],{},{"nodeType":1290,"value":3395,"marks":3396,"data":3397}," identified over 400 linked domains across four distinct infrastructure clusters. ",[],{},{"nodeType":1290,"value":3399,"marks":3400,"data":3402},"This mirrors the pattern that turned AiTM phishing from a specialist capability into an industrialized market with competing PhaaS platforms, but with the added complication that voice phishing as the delivery vector makes the attack invisible to traditional anti-phishing controls at the email layer.",[3401],{"type":1320},{},{"nodeType":1277,"data":3404,"content":3408},{"target":3405},{"sys":3406},{"id":3407,"type":1282,"linkType":1283},"1Yhthl0PILGW7EmCcZUrNv",[],{"nodeType":1309,"data":3410,"content":3411},{},[],{"nodeType":1313,"data":3413,"content":3414},{},[3415],{"nodeType":1290,"value":3416,"marks":3417,"data":3419},"Vector 2: Vishing combined with device code phishing",[3418],{"type":1320},{},{"nodeType":1286,"data":3421,"content":3422},{},[3423,3427,3435,3439,3446],{"nodeType":1290,"value":3424,"marks":3425,"data":3426},"The",[],{},{"nodeType":1680,"data":3428,"content":3430},{"uri":3429},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[3431],{"nodeType":1290,"value":3432,"marks":3433,"data":3434}," ShinyHunters Salesforce campaign",[],{},{"nodeType":1290,"value":3436,"marks":3437,"data":3438}," that ran through 2025 and into 2026 used device code phishing as one of its core methods,",[],{},{"nodeType":1680,"data":3440,"content":3441},{"uri":3200},[3442],{"nodeType":1290,"value":3443,"marks":3444,"data":3445}," compromising over 1,000 organizations and claiming 1.5 billion stolen records",[],{},{"nodeType":1290,"value":3447,"marks":3448,"data":3449}," — including an attempted extortion of Salesforce itself. The attack involved registering an attacker-controlled \"DataLoader\" application mimicking a legitimate Salesforce tool, configuring it to request broad OAuth scopes including full API access and refresh token generation, and guiding victims through the device authorization flow via vishing calls.",[],{},{"nodeType":1286,"data":3451,"content":3452},{},[3453],{"nodeType":1290,"value":3454,"marks":3455,"data":3456},"Device code phishing exploits the OAuth 2.0 device authorization grant — a flow designed for devices without browsers, like smart TVs, but used in a wide range of scenarios including CLI logins — by tricking users into entering a code on Microsoft's (or another identity provider's) legitimate verification page. Since the victim is usually signed into the app in their browser, there’s no login at all. They simply navigate to the app’s device code login page and enter an attacker-provided code to grant the attacker an access token. ",[],{},{"nodeType":1286,"data":3458,"content":3459},{},[3460],{"nodeType":1290,"value":3461,"marks":3462,"data":3464},"This is what makes device code phishing structurally different from AiTM: it defeats all MFA (including passkeys) because the attack doesn’t target the login, but the authorization layer instead.",[3463],{"type":1320},{},{"nodeType":1277,"data":3466,"content":3470},{"target":3467},{"sys":3468},{"id":3469,"type":1282,"linkType":1283},"3ElQz8sLATnR8RY5nVlBGM",[],{"nodeType":1309,"data":3472,"content":3473},{},[],{"nodeType":1313,"data":3475,"content":3476},{},[3477],{"nodeType":1290,"value":3478,"marks":3479,"data":3481},"Vector 3: OAuth supply chain attacks through compromised integrators",[3480],{"type":1320},{},{"nodeType":1286,"data":3483,"content":3484},{},[3485],{"nodeType":1290,"value":3486,"marks":3487,"data":3488},"The third vector does not require the attacker to phish the victim organization's employees at all. Instead, it exploits the OAuth trust relationships that organizations create when they connect third-party SaaS vendors into their environments — and the consequence is that every organization that authorized one of these integrations effectively extended its security boundary to include the vendor's own security posture.",[],{},{"nodeType":1286,"data":3490,"content":3491},{},[3492,3495,3503],{"nodeType":1290,"value":3424,"marks":3493,"data":3494},[],{},{"nodeType":1680,"data":3496,"content":3498},{"uri":3497},"https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift",[3499],{"nodeType":1290,"value":3500,"marks":3501,"data":3502}," Salesloft/Drift supply chain attack",[],{},{"nodeType":1290,"value":3504,"marks":3505,"data":3506}," demonstrated this at scale in 2025: in an extension of the previously mentioned device code phishing campaign, the attacker compromised Salesloft's GitHub environment, used TruffleHog to find secrets, stole Drift OAuth tokens, and used them to access downstream Salesforce environments. The same pattern was later repeated at Gainsight. ",[],{},{"nodeType":1286,"data":3508,"content":3509},{},[3510],{"nodeType":1290,"value":3511,"marks":3512,"data":3513},"Along with the previously mentioned device code phishing attacks,  more than 1000 organizations were breached. The attackers then harvested AWS keys, Snowflake credentials, and stored passwords from breached Salesforce instances, compounding the access into progressively wider reach.",[],{},{"nodeType":1286,"data":3515,"content":3516},{},[3517,3521,3529,3533,3541,3545,3553],{"nodeType":1290,"value":3518,"marks":3519,"data":3520},"The same structural pattern has continued into 2026 with the Anodot supply chain compromise, which has produced confirmed breaches at",[],{},{"nodeType":1680,"data":3522,"content":3524},{"uri":3523},"https://www.bleepingcomputer.com/news/security/vimeo-data-breach-exposes-personal-information-of-119-000-people/",[3525],{"nodeType":1290,"value":3526,"marks":3527,"data":3528}," Vimeo",[],{},{"nodeType":1290,"value":3530,"marks":3531,"data":3532}," (119,000 users), Rockstar Games (78.6 million records), and",[],{},{"nodeType":1680,"data":3534,"content":3536},{"uri":3535},"https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/",[3537],{"nodeType":1290,"value":3538,"marks":3539,"data":3540}," Zara/Inditex",[],{},{"nodeType":1290,"value":3542,"marks":3543,"data":3544}," (197,000 people), with further downstream victims likely still emerging. The",[],{},{"nodeType":1680,"data":3546,"content":3548},{"uri":3547},"https://pushsecurity.com/blog/unpacking-the-vercel-breach/",[3549],{"nodeType":1290,"value":3550,"marks":3551,"data":3552}," Vercel breach",[],{},{"nodeType":1290,"value":3554,"marks":3555,"data":3556}," demonstrates this too, which involved compromised OAuth tokens from Context.ai cascading into Google Workspace, reinforces the same attack pattern (though it was likely not a ShinyHunters operation despite being claimed by someone pretending to be them).",[],{},{"nodeType":1286,"data":3558,"content":3559},{},[3560],{"nodeType":1290,"value":3561,"marks":3562,"data":3563},"A forgotten SaaS integration can easily become the pivot point for downstream compromise. The moment you authorize a third-party integration, your security boundary extends to include that vendor. If the third-party is compromised, every downstream customer organization with an active integration is exposed.",[],{},{"nodeType":1309,"data":3565,"content":3566},{},[],{"nodeType":1313,"data":3568,"content":3569},{},[3570],{"nodeType":1290,"value":3571,"marks":3572,"data":3574},"These attacks all happen in the browser",[3573],{"type":1320},{},{"nodeType":1286,"data":3576,"content":3577},{},[3578,3582,3590],{"nodeType":1290,"value":3579,"marks":3580,"data":3581},"Every one of these attack chains is a browser-based attack that either occurs in the browser (AiTM phishing, device code phishing) or could have been prevented at the browser layer (OAuth consent governance). The techniques are interchangeable — the",[],{},{"nodeType":1680,"data":3583,"content":3585},{"uri":3584},"https://pushsecurity.com/blog/device-code-phishing/",[3586],{"nodeType":1290,"value":3587,"marks":3588,"data":3589}," same criminal kits now offer AiTM and device code phishing side by side",[],{},{"nodeType":1290,"value":3591,"marks":3592,"data":3593},", and the same threat actor (ShinyHunters) has used all three vectors across different campaigns within the same twelve-month period.",[],{},{"nodeType":1525,"data":3595,"content":3596},{},[3597],{"nodeType":1290,"value":3598,"marks":3599,"data":3601},"How Push can help",[3600],{"type":1320},{},{"nodeType":1286,"data":3603,"content":3604},{},[3605],{"nodeType":1290,"value":3606,"marks":3607,"data":3608},"Push operates at the exact point in each of these attack chains where automated intervention can still prevent the compromise. ",[],{},{"nodeType":1286,"data":3610,"content":3611},{},[3612,3617,3621,3628],{"nodeType":1290,"value":3613,"marks":3614,"data":3616},"For vishing + AiTM attacks, ",[3615],{"type":1320},{},{"nodeType":1290,"value":3618,"marks":3619,"data":3620},"Push's",[],{},{"nodeType":1680,"data":3622,"content":3623},{"uri":3364},[3624],{"nodeType":1290,"value":3625,"marks":3626,"data":3627}," behavioral phishing detection",[],{},{"nodeType":1290,"value":3629,"marks":3630,"data":3631}," analyzes and blocks the phishing page in real time by detecting it from the user's browser — regardless of the domains used, hosting infrastructure, or where the URL was delivered.  ",[],{},{"nodeType":1286,"data":3633,"content":3634},{},[3635,3640,3644,3651],{"nodeType":1290,"value":3636,"marks":3637,"data":3639},"For device code phishing,",[3638],{"type":1320},{},{"nodeType":1290,"value":3641,"marks":3642,"data":3643}," Push detects the phishing pages associated with ",[],{},{"nodeType":1680,"data":3645,"content":3646},{"uri":3584},[3647],{"nodeType":1290,"value":3648,"marks":3649,"data":3650},"device code phishing kits",[],{},{"nodeType":1290,"value":3652,"marks":3653,"data":3654}," — including generic, technique-class detections that catch new kits without requiring kit-specific signatures. Second, Push provides an additional layer of protection on the legitimate device code authentication pages themselves, preventing users from entering attacker-supplied codes into them. Together, these detections cover both the kit-operated phishing infrastructure and the legitimate auth pages that the attack flow depends on.",[],{},{"nodeType":1286,"data":3656,"content":3657},{},[3658,3663,3667,3675],{"nodeType":1290,"value":3659,"marks":3660,"data":3662},"For OAuth supply chain attacks,",[3661],{"type":1320},{},{"nodeType":1290,"value":3664,"marks":3665,"data":3666}," Push's ",[],{},{"nodeType":1680,"data":3668,"content":3670},{"uri":3669},"https://site.dev.pushsecurity.com/contentful-preview/?blogSlug=analyzing-the-instructure-breach",[3671],{"nodeType":1290,"value":3672,"marks":3673,"data":3674},"detects and controls OAuth consent flows",[],{},{"nodeType":1290,"value":3676,"marks":3677,"data":3678}," at the browser layer — capturing which application is requesting access, what scopes it's requesting, and whether the grant should be permitted under organizational policy. Push customers can also block OAuth connection requests as they transit the browser, enabling security teams to stop unwanted integrations being added in the first place. ",[],{},{"nodeType":1525,"data":3680,"content":3681},{},[3682],{"nodeType":1290,"value":3683,"marks":3684,"data":3686},"Closing thoughts",[3685],{"type":1320},{},{"nodeType":1286,"data":3688,"content":3689},{},[3690],{"nodeType":1290,"value":3691,"marks":3692,"data":3693},"The campaigns documented in this post are not historical — they are ongoing, with new victims surfacing weekly and the underlying criminal infrastructure still actively developing. But the defensive strategy does not require anticipating which specific group, vector, or target sector comes next, because all three converge on the same control point: the browser, where the attack begins or the integration decision is made. Organizations with browser-layer detection and OAuth governance in place have defense-in-depth against the full range of techniques these groups employ, regardless of which specific vector any given campaign uses.",[],{},{"nodeType":1309,"data":3695,"content":3696},{},[],{"nodeType":1286,"data":3698,"content":3699},{},[3700],{"nodeType":1290,"value":3701,"marks":3702,"data":3703},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. ",[],{},{"nodeType":1286,"data":3705,"content":3706},{},[3707],{"nodeType":1290,"value":3100,"marks":3708,"data":3709},[],{},{"nodeType":1286,"data":3711,"content":3712},{},[3713,3716,3723],{"nodeType":1290,"value":29,"marks":3714,"data":3715},[],{},{"nodeType":1680,"data":3717,"content":3718},{"uri":2167},[3719],{"nodeType":1290,"value":3720,"marks":3721,"data":3722},"Book a live demo to learn more.",[],{},{"nodeType":1290,"value":29,"marks":3724,"data":3725},[],{},{"nodeType":1309,"data":3727,"content":3728},{},[],{"nodeType":1313,"data":3730,"content":3731},{},[3732],{"nodeType":1290,"value":3733,"marks":3734,"data":3736},"Appendix: named ShinyHunters victims since May 2025",[3735],{"type":1320},{},{"nodeType":1286,"data":3738,"content":3739},{},[3740,3744,3751],{"nodeType":1290,"value":3741,"marks":3742,"data":3743},"To give an indication of the scale, the following table documents all publicly named victims attributed to ShinyHunters specifically since the Salesforce campaign began in May 2025. It is not exhaustive: ShinyHunters has claimed over 1,000 organizations in aggregate across its Salesforce campaigns alone, and many victims have not been publicly named. This list also doesn’t include the billion-plus records compromised in the 2024 Snowflake breaches. The major ransomware attacks executed against M&S, Co-op, and Jaguar Land Rover claimed by the ",[],{},{"nodeType":1680,"data":3745,"content":3746},{"uri":2089},[3747],{"nodeType":1290,"value":3748,"marks":3749,"data":3750},"Scattered Lapsus$ Hunters \"brand\"",[],{},{"nodeType":1290,"value":3752,"marks":3753,"data":3754}," also aren't listed below. ",[],{},{"nodeType":3756,"data":3757,"content":3758},"table",{},[3759,3808,3865,3913,3961],{"nodeType":3760,"data":3761,"content":3762},"table-row",{},[3763,3775,3786,3797],{"nodeType":3764,"data":3765,"content":3766},"table-cell",{},[3767],{"nodeType":1286,"data":3768,"content":3769},{},[3770],{"nodeType":1290,"value":3771,"marks":3772,"data":3774},"Campaign",[3773],{"type":1320},{},{"nodeType":3764,"data":3776,"content":3777},{},[3778],{"nodeType":1286,"data":3779,"content":3780},{},[3781],{"nodeType":1290,"value":3782,"marks":3783,"data":3785},"Began",[3784],{"type":1320},{},{"nodeType":3764,"data":3787,"content":3788},{},[3789],{"nodeType":1286,"data":3790,"content":3791},{},[3792],{"nodeType":1290,"value":3793,"marks":3794,"data":3796},"Named victims",[3795],{"type":1320},{},{"nodeType":3764,"data":3798,"content":3799},{},[3800],{"nodeType":1286,"data":3801,"content":3802},{},[3803],{"nodeType":1290,"value":3804,"marks":3805,"data":3807},"Confirmed impact",[3806],{"type":1320},{},{"nodeType":3760,"data":3809,"content":3810},{},[3811,3835,3845,3855],{"nodeType":3764,"data":3812,"content":3813},{},[3814],{"nodeType":1286,"data":3815,"content":3816},{},[3817,3822,3826,3831],{"nodeType":1290,"value":3818,"marks":3819,"data":3821},"ShinyHunters Salesforce Vishing",[3820],{"type":1320},{},{"nodeType":1290,"value":3823,"marks":3824,"data":3825}," (vishing + device code phishing → Salesforce connected app authorization) \n\n& ",[],{},{"nodeType":1290,"value":3827,"marks":3828,"data":3830},"Salesloft/Drift Supply Chain",[3829],{"type":1320},{},{"nodeType":1290,"value":3832,"marks":3833,"data":3834}," (stolen OAuth tokens → downstream Salesforce access)",[],{},{"nodeType":3764,"data":3836,"content":3837},{},[3838],{"nodeType":1286,"data":3839,"content":3840},{},[3841],{"nodeType":1290,"value":3842,"marks":3843,"data":3844},"May 2025",[],{},{"nodeType":3764,"data":3846,"content":3847},{},[3848],{"nodeType":1286,"data":3849,"content":3850},{},[3851],{"nodeType":1290,"value":3852,"marks":3853,"data":3854},"Coca-Cola Europacific Partners, Cisco, Qantas, LVMH, Adidas, Google, Chanel, Pandora, Allianz Life, Air France-KLM, Farmers Insurance, Workday, TransUnion, Stellantis, Kering, Odido, Hallmark, Salesloft (origin), Toast, Avalara, Fastly, Cato Networks, Cloudflare, Palo Alto Networks, Zscaler, Tenable, Elastic, JFrog, CyberArk, Rubrik, BeyondTrust, Proofpoint, Workiva, Mercer Advisors, Beacon Pointe, Ameriprise, Kemper, Udemy, 7-Eleven, Mytheresa, Marcus & Millichap, Carnival, Pitney Bowes, Alert 360, Amtrak, McGraw-Hill, Canada Life",[],{},{"nodeType":3764,"data":3856,"content":3857},{},[3858],{"nodeType":1286,"data":3859,"content":3860},{},[3861],{"nodeType":1290,"value":3862,"marks":3863,"data":3864},"48 named victims. Confirmed individual impact includes 23M+ records (Coca-Cola), 5.7M records (Qantas), 6.2M customers (Odido), 4.4M consumers (TransUnion), up to 18M records (Stellantis), 13.5M emails (McGraw-Hill), 8.2M emails (Pitney Bowes), 7.5M emails (Carnival). ShinyHunters claims 1.5B+ Salesforce records across 1,000+ organizations total.",[],{},{"nodeType":3760,"data":3866,"content":3867},{},[3868,3883,3893,3903],{"nodeType":3764,"data":3869,"content":3870},{},[3871],{"nodeType":1286,"data":3872,"content":3873},{},[3874,3879],{"nodeType":1290,"value":3875,"marks":3876,"data":3878},"Vishing + AiTM SSO",[3877],{"type":1320},{},{"nodeType":1290,"value":3880,"marks":3881,"data":3882}," (vishing → AiTM phishing page → SSO session capture → SaaS data exfiltration)",[],{},{"nodeType":3764,"data":3884,"content":3885},{},[3886],{"nodeType":1286,"data":3887,"content":3888},{},[3889],{"nodeType":1290,"value":3890,"marks":3891,"data":3892},"Aug 2025",[],{},{"nodeType":3764,"data":3894,"content":3895},{},[3896],{"nodeType":1286,"data":3897,"content":3898},{},[3899],{"nodeType":1290,"value":3900,"marks":3901,"data":3902},"SoundCloud, GrubHub, Panera Bread, Match Group, Crunchbase, Betterment, CarMax, Edmunds, CarGurus, Hims & Hers, University of Pennsylvania, Harvard University, Optimizely, TELUS Digital, Crunchyroll, ADT",[],{},{"nodeType":3764,"data":3904,"content":3905},{},[3906],{"nodeType":1286,"data":3907,"content":3908},{},[3909],{"nodeType":1290,"value":3910,"marks":3911,"data":3912},"16 named victims. Confirmed individual impact includes ~30M records (SoundCloud), ~14M records (Panera), 10M+ records (Match Group), ~20M records (Betterment), 5.5M people (ADT), 1M+ records (UPenn), ~1PB stolen from TELUS Digital ($65M ransom refused).",[],{},{"nodeType":3760,"data":3914,"content":3915},{},[3916,3931,3941,3951],{"nodeType":3764,"data":3917,"content":3918},{},[3919],{"nodeType":1286,"data":3920,"content":3921},{},[3922,3927],{"nodeType":1290,"value":3923,"marks":3924,"data":3926},"Anodot Supply Chain",[3925],{"type":1320},{},{"nodeType":1290,"value":3928,"marks":3929,"data":3930}," (stolen OAuth tokens → downstream Snowflake/BigQuery access)",[],{},{"nodeType":3764,"data":3932,"content":3933},{},[3934],{"nodeType":1286,"data":3935,"content":3936},{},[3937],{"nodeType":1290,"value":3938,"marks":3939,"data":3940},"Apr 2026",[],{},{"nodeType":3764,"data":3942,"content":3943},{},[3944],{"nodeType":1286,"data":3945,"content":3946},{},[3947],{"nodeType":1290,"value":3948,"marks":3949,"data":3950},"Anodot/Glassbox (origin), Rockstar Games, Vimeo, Zara/Inditex",[],{},{"nodeType":3764,"data":3952,"content":3953},{},[3954],{"nodeType":1286,"data":3955,"content":3956},{},[3957],{"nodeType":1290,"value":3958,"marks":3959,"data":3960},"4 named victims (12+ total claimed). 78.6M records (Rockstar Games), 197K individuals (Zara), 119K individuals (Vimeo).",[],{},{"nodeType":3760,"data":3962,"content":3963},{},[3964,3979,3988,3998],{"nodeType":3764,"data":3965,"content":3966},{},[3967],{"nodeType":1286,"data":3968,"content":3969},{},[3970,3975],{"nodeType":1290,"value":3971,"marks":3972,"data":3974},"Other SLH-attributed",[3973],{"type":1320},{},{"nodeType":1290,"value":3976,"marks":3977,"data":3978}," (misc. vectors including infostealer chains, CI/CD supply chain, SaaS platform compromise)",[],{},{"nodeType":3764,"data":3980,"content":3981},{},[3982],{"nodeType":1286,"data":3983,"content":3984},{},[3985],{"nodeType":1290,"value":3842,"marks":3986,"data":3987},[],{},{"nodeType":3764,"data":3989,"content":3990},{},[3991],{"nodeType":1286,"data":3992,"content":3993},{},[3994],{"nodeType":1290,"value":3995,"marks":3996,"data":3997},"UK Legal Aid Agency, Mixpanel, Wynn Resorts, Woflow, Vercel, European Commission, Mercor, Medtronic, Instructure",[],{},{"nodeType":3764,"data":3999,"content":4000},{},[4001],{"nodeType":1286,"data":4002,"content":4003},{},[4004],{"nodeType":1290,"value":4005,"marks":4006,"data":4007},"10 named victims across varied vectors. Notable: Vercel (Lumma Stealer → Context.ai OAuth app → Google Workspace), European Commission (poisoned Trivy GitHub Action → 340GB across 71 EU entities)",[],{},{"nodeType":1286,"data":4009,"content":4010},{},[4011],{"nodeType":1290,"value":29,"marks":4012,"data":4013},[],{},"The three attack techniques behind ShinyHunters' 2026 campaigns ","ShinyHunters' breach of Instructure is the latest in a long series of attacks. Here's our view of the big picture. ","2026-05-08T00:00:00.000Z","analyzing-the-instructure-breach",{"items":4019},[4020,4022],{"sys":4021,"name":3131},{"id":3130},{"sys":4023,"name":3135},{"id":3134},{"items":4025},[4026],{"fullName":4027,"firstName":4028,"jobTitle":4029,"profilePicture":4030},"Dan Green","Dan","Threat Research",{"url":4031},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":2174,"sys":4033,"content":4035,"title":4547,"synopsis":4548,"hashTags":66,"publishedDate":4549,"slug":4550,"tagsCollection":4551,"authorsCollection":4559},{"id":4034},"2MWicW07sNEBp59wxYtAiC",{"json":4036},{"nodeType":1273,"data":4037,"content":4038},{},[4039,4047,4078,4084,4091,4110,4125,4128,4136,4151,4171,4196,4202,4218,4249,4255,4261,4277,4280,4288,4295,4303,4321,4337,4345,4371,4378,4386,4417,4424,4432,4439,4445,4448,4456,4463,4471,4477,4480,4488,4495,4502,4509,4521,4524,4530],{"nodeType":1313,"data":4040,"content":4041},{},[4042],{"nodeType":1290,"value":4043,"marks":4044,"data":4046},"The quantification problem nobody talks about",[4045],{"type":1320},{},{"nodeType":1286,"data":4048,"content":4049},{},[4050,4054,4062,4066,4074],{"nodeType":1290,"value":4051,"marks":4052,"data":4053},"I was recently teaching",[],{},{"nodeType":1680,"data":4055,"content":4057},{"uri":4056},"https://www.sans.org/cyber-security-courses/cybersecurity-leaders/",[4058],{"nodeType":1290,"value":4059,"marks":4060,"data":4061}," SANS LDR551",[],{},{"nodeType":1290,"value":4063,"marks":4064,"data":4065},", where we cover some of the flawed approaches used in risk measurement and prioritization — for example, presenting ordinal data in a risk matrix as ratio data, implying that the matrix represents quantitative analysis when it’s more of a best guess. We then look at modeling using",[],{},{"nodeType":1680,"data":4067,"content":4069},{"uri":4068},"https://en.wikipedia.org/wiki/Loss_exceedance_curve",[4070],{"nodeType":1290,"value":4071,"marks":4072,"data":4073}," Loss Exceedance Curves",[],{},{"nodeType":1290,"value":4075,"marks":4076,"data":4077}," as a more accurate, if much more difficult, approach to quantitative risk assessment.",[],{},{"nodeType":1277,"data":4079,"content":4083},{"target":4080},{"sys":4081},{"id":4082,"type":1282,"linkType":1283},"4S1wJUm6E1qvyZzwrl2DL",[],{"nodeType":1286,"data":4085,"content":4086},{},[4087],{"nodeType":1290,"value":4088,"marks":4089,"data":4090},"The only problem is, we rarely have the time or the data to construct such models. Ask a CISO how they measure risk for credential compromise and other account takeover attacks, and the answer will probably include one or more of the following: a risk assessment, a whiteboard, and a room full of smart people making educated guesses about attack frequency and control strength. ",[],{},{"nodeType":1286,"data":4092,"content":4093},{},[4094,4098,4106],{"nodeType":1290,"value":4095,"marks":4096,"data":4097},"That isn't a criticism — for most risk scenarios, expert elicitation is the best (and most convenient) available method. Breach cost data is sparse, threat actor behavior is unpredictable, and internal incident history is (ideally!) a limited sample. Quantitative risk frameworks like",[],{},{"nodeType":1680,"data":4099,"content":4101},{"uri":4100},"https://www.fairinstitute.org/",[4102],{"nodeType":1290,"value":4103,"marks":4104,"data":4105}," FAIR",[],{},{"nodeType":1290,"value":4107,"marks":4108,"data":4109}," give structure to that uncertainty, but they can't conjure data that just doesn't exist.",[],{},{"nodeType":1286,"data":4111,"content":4112},{},[4113,4117,4122],{"nodeType":1290,"value":4114,"marks":4115,"data":4116},"The results are usually estimates with wide confidence intervals and loss distributions that appear precise, but are hard to defend to a CFO or a board. Finance leaders have seen Monte Carlo simulations before; the capable ones will challenge the quality of the outputs if they doubt the quality of the inputs. ",[],{},{"nodeType":1290,"value":4118,"marks":4119,"data":4121},"But with the right telemetry, we can get both",[4120],{"type":1320},{},{"nodeType":1290,"value":2264,"marks":4123,"data":4124},[],{},{"nodeType":1309,"data":4126,"content":4127},{},[],{"nodeType":1313,"data":4129,"content":4130},{},[4131],{"nodeType":1290,"value":4132,"marks":4133,"data":4135},"Why the identity attack surface is uniquely measurable",[4134],{"type":1320},{},{"nodeType":1286,"data":4137,"content":4138},{},[4139,4143,4148],{"nodeType":1290,"value":4140,"marks":4141,"data":4142},"We've written extensively about the shift to identity as a primary attack vector — and the evidence continues to stack up. Credential phishing, device code phishing, ClickFix, adversary-in-the-middle attacks, session hijacking, and SaaS account compromise now account for the majority of breach entry points in most enterprise environments. But the silver lining here is that this shift has created something valuable for risk quantification: ",[],{},{"nodeType":1290,"value":4144,"marks":4145,"data":4147},"a highly observable threat surface",[4146],{"type":276},{},{"nodeType":1290,"value":2264,"marks":4149,"data":4150},[],{},{"nodeType":1286,"data":4152,"content":4153},{},[4154,4158,4167],{"nodeType":1290,"value":4155,"marks":4156,"data":4157},"Identity attacks execute ",[],{},{"nodeType":1680,"data":4159,"content":4161},{"uri":4160},"https://pushsecurity.com/blog/introducing-the-browser-and-identity-attacks-matrix/",[4162],{"nodeType":1290,"value":4163,"marks":4164,"data":4166},"in the browser",[4165],{"type":1688},{},{"nodeType":1290,"value":4168,"marks":4169,"data":4170},". They leave traces in authentication flows, login behaviors, OAuth integrations, extension activity, and SaaS access patterns — all of which are captured in real time by the Push extension. Unlike network or endpoint attacks, where the signal is often binary and retroactive, browser-based identity threats generate continuous, high-frequency telemetry that maps directly onto the inputs that drive quantitative risk models.",[],{},{"nodeType":1286,"data":4172,"content":4173},{},[4174,4178,4183,4187,4192],{"nodeType":1290,"value":4175,"marks":4176,"data":4177},"This telemetry directly informs the hardest inputs in any quantitative risk model. One is ",[],{},{"nodeType":1290,"value":4179,"marks":4180,"data":4182},"Threat Event Frequency (TEF)",[4181],{"type":1320},{},{"nodeType":1290,"value":4184,"marks":4185,"data":4186},": how often a threat agent acts against an asset in a given period. For identity risks, this can be answered in how many credential phishing attempts reached your users across all delivery channels (social media, email, malvertising, etc.), or how frequently your users authorize malicious or compromised SaaS apps. Browser-level telemetry can answer these questions with ",[],{},{"nodeType":1290,"value":4188,"marks":4189,"data":4191},"observed",[4190],{"type":276},{},{"nodeType":1290,"value":4193,"marks":4194,"data":4195}," data rather than industry lookups and general benchmarks. ",[],{},{"nodeType":1277,"data":4197,"content":4201},{"target":4198},{"sys":4199},{"id":4200,"type":1282,"linkType":1283},"EvjT68MCWW7nz5q86xe8S",[],{"nodeType":1286,"data":4203,"content":4204},{},[4205,4209,4214],{"nodeType":1290,"value":4206,"marks":4207,"data":4208},"The other input to risk modeling that's difficult to express in concrete terms is ",[],{},{"nodeType":1290,"value":4210,"marks":4211,"data":4213},"vulnerability",[4212],{"type":1320},{},{"nodeType":1290,"value":4215,"marks":4216,"data":4217},": the probability a threat becomes a loss event or, more specifically, how likely it is that your controls will fail. ",[],{},{"nodeType":1286,"data":4219,"content":4220},{},[4221,4225,4233,4237,4245],{"nodeType":1290,"value":4222,"marks":4223,"data":4224},"This is where browser telemetry gets especially concrete.",[],{},{"nodeType":1680,"data":4226,"content":4228},{"uri":4227},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[4229],{"nodeType":1290,"value":4230,"marks":4231,"data":4232}," Analysis of login telemetry across Push-monitored environments",[],{},{"nodeType":1290,"value":4234,"marks":4235,"data":4236}," shows that 1 in 4 logins are still password-only (not SSO), 2 in 5 are not protected by MFA, and 1 in 5 use a weak, breached, or reused password. Many of these logins occur outside the visibility of a central IdP platform like Microsoft, Google or Okta — the result of downstream ",[],{},{"nodeType":1680,"data":4238,"content":4240},{"uri":4239},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[4241],{"nodeType":1290,"value":4242,"marks":4243,"data":4244},"ghost logins",[],{},{"nodeType":1290,"value":4246,"marks":4247,"data":4248},". ",[],{},{"nodeType":1277,"data":4250,"content":4254},{"target":4251},{"sys":4252},{"id":4253,"type":1282,"linkType":1283},"5GctExdVGjHRwKifiP00Fp",[],{"nodeType":1277,"data":4256,"content":4260},{"target":4257},{"sys":4258},{"id":4259,"type":1282,"linkType":1283},"2mWToHCJcuB9FMwxxzd67F",[],{"nodeType":1286,"data":4262,"content":4263},{},[4264,4268,4273],{"nodeType":1290,"value":4265,"marks":4266,"data":4267},"In a FAIR-based model, TEF and vulnerability together determine ",[],{},{"nodeType":1290,"value":4269,"marks":4270,"data":4272},"loss event frequency",[4271],{"type":1320},{},{"nodeType":1290,"value":4274,"marks":4275,"data":4276},": the foundational driver of the entire risk calculation. Using telemetry from your own environment as the basis for these calculations makes them far more accurate, and more likely to stand up to scrutiny.",[],{},{"nodeType":1309,"data":4278,"content":4279},{},[],{"nodeType":1313,"data":4281,"content":4282},{},[4283],{"nodeType":1290,"value":4284,"marks":4285,"data":4287},"The attack surface is bigger than most models assume",[4286],{"type":1320},{},{"nodeType":1286,"data":4289,"content":4290},{},[4291],{"nodeType":1290,"value":4292,"marks":4293,"data":4294},"One of the consistent failures in identity risk modeling is the tendency to model risks defenders can see, and leave the rest off the balance sheet. These omissions create a systematic understatement of exposure that browser-based telemetry can offset.",[],{},{"nodeType":1525,"data":4296,"content":4297},{},[4298],{"nodeType":1290,"value":4299,"marks":4300,"data":4302},"Shadow AI and OAuth sprawl",[4301],{"type":1320},{},{"nodeType":1286,"data":4304,"content":4305},{},[4306,4309,4317],{"nodeType":1290,"value":29,"marks":4307,"data":4308},[],{},{"nodeType":1680,"data":4310,"content":4311},{"uri":3547},[4312],{"nodeType":1290,"value":4313,"marks":4314,"data":4316},"The Vercel breach in April 2026",[4315],{"type":1688},{},{"nodeType":1290,"value":4318,"marks":4319,"data":4320}," was the result of an OAuth connection to a third-party AI SaaS tool a developer connected into the organization's Google Workspace tenant (without admin approval). When the AI vendor was compromised, the attacker leveraged stored OAuth tokens to access downstream accounts, ultimately reaching internal dashboards, API keys, and source code. ",[],{},{"nodeType":1286,"data":4322,"content":4323},{},[4324,4328,4333],{"nodeType":1290,"value":4325,"marks":4326,"data":4327},"Push telemetry across customer environments shows an average of ",[],{},{"nodeType":1290,"value":4329,"marks":4330,"data":4332},"17 unique AI app integrations per organization in Microsoft and Google alone",[4331],{"type":1320},{},{"nodeType":1290,"value":4334,"marks":4335,"data":4336},", most of which security teams would describe as unapproved. These generally don't appear in a conventional risk model that isn't looking for them.",[],{},{"nodeType":1525,"data":4338,"content":4339},{},[4340],{"nodeType":1290,"value":4341,"marks":4342,"data":4344},"Browser extensions",[4343],{"type":1320},{},{"nodeType":1286,"data":4346,"content":4347},{},[4348,4352,4362,4367],{"nodeType":1290,"value":29,"marks":4349,"data":4351},[4350],{"type":1320},{},{"nodeType":1680,"data":4353,"content":4355},{"uri":4354},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[4356],{"nodeType":1290,"value":4357,"marks":4358,"data":4361},"Analysis of 20,000 unique extensions deployed across Push customer environments",[4359,4360],{"type":1688},{"type":1320},{},{"nodeType":1290,"value":4363,"marks":4364,"data":4366}," found that 46.76% have the permission combinations required for account takeover without user interaction. ",[4365],{"type":1320},{},{"nodeType":1290,"value":4368,"marks":4369,"data":4370},"The extensions carrying these permissions aren't flagged by risk scoring systems because the same permissions are used by ad blockers, password managers, and translation tools (the downside of relying on tools that rely on dubious scoring to assess extensions, but I digress). ",[],{},{"nodeType":1286,"data":4372,"content":4373},{},[4374],{"nodeType":1290,"value":4375,"marks":4376,"data":4377},"What matters for risk quantification isn't the permission set or an arbitrary score assigned by a vendor; it's whether the monitoring exists to detect when a previously-clean extension changes ownership, escalates permissions, or behaves anomalously. Without that monitoring, the exposure is real but unquantified.",[],{},{"nodeType":1525,"data":4379,"content":4380},{},[4381],{"nodeType":1290,"value":4382,"marks":4383,"data":4385},"ClickFix and non-email delivery channels",[4384],{"type":1320},{},{"nodeType":1286,"data":4387,"content":4388},{},[4389,4393,4401,4405,4413],{"nodeType":1290,"value":4390,"marks":4391,"data":4392},"ClickFix — where a malicious page silently writes a PowerShell or mshta command into the victim's clipboard and instructs them to paste it — was",[],{},{"nodeType":1680,"data":4394,"content":4396},{"uri":4395},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf",[4397],{"nodeType":1290,"value":4398,"marks":4399,"data":4400}," the most common initial access vector observed by Microsoft in 2025",[],{},{"nodeType":1290,"value":4402,"marks":4403,"data":4404},", and CrowdStrike reported a",[],{},{"nodeType":1680,"data":4406,"content":4408},{"uri":4407},"https://www.crowdstrike.com/explore/2026-global-threat-report",[4409],{"nodeType":1290,"value":4410,"marks":4411,"data":4412}," 563% increase in fake CAPTCHA lures",[],{},{"nodeType":1290,"value":4414,"marks":4415,"data":4416}," (one of the most common ClickFix styles in which the user has to \"verify they're human\" by running a command on their machine). ",[],{},{"nodeType":1286,"data":4418,"content":4419},{},[4420],{"nodeType":1290,"value":4421,"marks":4422,"data":4423},"What makes this particularly relevant for risk quantification is the delivery channel: 4 in 5 ClickFix payloads intercepted by Push arrive via search engines, not email. A risk model that estimates threat event frequency from email-based phishing telemetry alone is structurally blind to an entire category of attack that has become one of the most prevalent initial access methods in the landscape.",[],{},{"nodeType":1525,"data":4425,"content":4426},{},[4427],{"nodeType":1290,"value":4428,"marks":4429,"data":4431},"Authorization attacks",[4430],{"type":1320},{},{"nodeType":1286,"data":4433,"content":4434},{},[4435],{"nodeType":1290,"value":4436,"marks":4437,"data":4438},"Device code phishing and OAuth consent abuse represent a slightly separate category of identity attack that most risk models don't account for because they operate after the authentication flow has already completed — meaning password strength, MFA coverage, and SSO adoption are irrelevant to whether the attack succeeds. ",[],{},{"nodeType":1277,"data":4440,"content":4444},{"target":4441},{"sys":4442},{"id":4443,"type":1282,"linkType":1283},"7qtHmxCzBm5664jD6HsCwN",[],{"nodeType":1309,"data":4446,"content":4447},{},[],{"nodeType":1313,"data":4449,"content":4450},{},[4451],{"nodeType":1290,"value":4452,"marks":4453,"data":4455},"The key lesson for CISOs",[4454],{"type":1320},{},{"nodeType":1286,"data":4457,"content":4458},{},[4459],{"nodeType":1290,"value":4460,"marks":4461,"data":4462},"A risk model that measures identity vulnerability purely in terms of authentication hygiene at the IdP layer — how many accounts have MFA, how many use SSO — will correctly quantify one dimension of exposure while completely missing another that is growing faster and is structurally immune to the controls being measured.",[],{},{"nodeType":1286,"data":4464,"content":4465},{},[4466],{"nodeType":1290,"value":4467,"marks":4468,"data":4470},"For a CISO building a risk model, these aren't edge cases. They represent a real attack surface that doesn't show up in models built on conventional network, endpoint, and cloud telemetry. We aren't just talking about better inputs to risk modeling — we're talking about entirely new risk scenarios that aren't being modeled at all, supported by live data.",[4469],{"type":1320},{},{"nodeType":1277,"data":4472,"content":4476},{"target":4473},{"sys":4474},{"id":4475,"type":1282,"linkType":1283},"2ObEcO1gqz8lrOLCZzfpNw",[],{"nodeType":1309,"data":4478,"content":4479},{},[],{"nodeType":1525,"data":4481,"content":4482},{},[4483],{"nodeType":1290,"value":4484,"marks":4485,"data":4487},"Browser telemetry makes a CISO's life easier",[4486],{"type":1320},{},{"nodeType":1286,"data":4489,"content":4490},{},[4491],{"nodeType":1290,"value":4492,"marks":4493,"data":4494},"Browser-based telemetry changes the conversation a CISO can have with a CFO or board. Instead of \"industry benchmarks suggest our expected annual loss from account compromise is somewhere in this range,\" the answer is, \"We can see how often these attacks are attempted against our users, and we can measure what percentage of our accounts have the controls in place to stop them,\" or \"We know how many shadow AI apps our users self-provision and share data with each month.\" ",[],{},{"nodeType":1286,"data":4496,"content":4497},{},[4498],{"nodeType":1290,"value":4499,"marks":4500,"data":4501},"Identity risk is only a piece of the quantification problem. Loss magnitude, regulatory exposure, and reputational impact are still extremely hard to estimate regardless of how good your frequency inputs are. ",[],{},{"nodeType":1286,"data":4503,"content":4504},{},[4505],{"nodeType":1290,"value":4506,"marks":4507,"data":4508},"But the identity attack surface is one of the few areas in security where measurement is genuinely achievable right now, and the gap between what most organizations are modeling and what's actually observable is significant. Shadow SaaS integrations, unapproved AI connections, browser extensions with excessive privileges — these are enumerable risks that don't appear in models built on network, endpoint, and cloud access telemetry alone. ",[],{},{"nodeType":1286,"data":4510,"content":4511},{},[4512,4517],{"nodeType":1290,"value":4513,"marks":4514,"data":4516},"The lesson for CISOs serious about quantitative risk management is this: the frameworks exist, the talent is available, and the bottleneck is almost always data quality. ",[4515],{"type":1320},{},{"nodeType":1290,"value":4518,"marks":4519,"data":4520},"Browser telemetry is a good example of the kind of high-fidelity, environment-specific measurement that closes that gap.",[],{},{"nodeType":1309,"data":4522,"content":4523},{},[],{"nodeType":1286,"data":4525,"content":4526},{},[4527],{"nodeType":1290,"value":3701,"marks":4528,"data":4529},[],{},{"nodeType":1286,"data":4531,"content":4532},{},[4533,4536,4544],{"nodeType":1290,"value":3100,"marks":4534,"data":4535},[],{},{"nodeType":1680,"data":4537,"content":4539},{"uri":4538},"https://pushsecurity.com/book-demo/",[4540],{"nodeType":1290,"value":4541,"marks":4542,"data":4543}," Book a live demo",[],{},{"nodeType":1290,"value":3119,"marks":4545,"data":4546},[],{},"The CISO's data problem (and how browser telemetry can help)","How CISOs can use browser telemetry to support cyber risk quantification in areas where traditional data points fall short. ","2026-05-11T00:00:00.000Z","the-cisos-data-problem-and-how-browser-telemetry-can-help",{"items":4552},[4553,4557],{"sys":4554,"name":4556},{"id":4555},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":4558,"name":3135},{"id":3134},{"items":4560},[4561],{"fullName":4562,"firstName":4563,"jobTitle":4564,"profilePicture":4565},"Mark Orlando","Mark","Field CTO",{"url":4566},"https://images.ctfassets.net/y1cdw1ablpvd/592PMwIQQFaa24k5SKBEKF/a33090d0ad95d1e3081f5d16a46ba826/image__68_.png","how-to-avoid-the-browser-security-buyers-trap","blog/how-to-avoid-the-browser-security-buyers-trap",{"json":4570},{"data":4571,"content":4572,"nodeType":1273},{},[4573],{"data":4574,"content":4575,"nodeType":1286},{},[4576],{"data":4577,"marks":4578,"value":4579,"nodeType":1290},{},[],"Securing the browser vs. securing the organization via the browser — what's the difference? Most browser security solutions defend against the browser being hacked, but these aren't the attacks that are actually leading to major breaches. ","Securing the browser vs. securing the organization via the browser — what's the difference?",{"id":4582,"publishedAt":4583},"2V130uMePtxAaefYQAKInb","2026-05-13T12:55:18.074Z",{"items":4585},[4586,4588],{"sys":4587,"name":3131},{"id":3130},{"sys":4589,"name":4556},{"id":4555},"ScLVtmuX1LFbQLmXscLL25t5f_pEaVPsL03NTmfFjEU",1778682547032]