[{"data":1,"prerenderedAt":4153},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":100,"navbar-resource-highlight":174,"blog/making-the-business-case-for-a-browser-security-solution":220},[4],{"enabled":5,"name":6},false,"maintenanceMode",[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"sq5m7hrtt1",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":5,"query":41,"data":42,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":23,"createdBy":92,"lastUpdatedBy":93,"folders":94,"meta":95,"rev":99},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"url":29,"ctaText":43,"text":44,"blocks":45,"state":85},"ewrererw","testrfesssssssssss",[46,73],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Is your stack covered? 51 browser & identity attacks, mapped.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">See the matrix →\u003C/strong>\u003C/p>\n","https://pushsecurity.com/resources/browser-identity-attacks-matrix/",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":74,"@type":47,"tagName":75,"properties":76,"responsiveStyles":80},"builder-pixel-6qjv2xx1o93","img",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":81},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},"block","hidden","none",{"deviceSize":86,"location":87},"large",{"path":29,"query":88},{},{},1778612252607,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"kind":96,"hasLinks":5,"breakpoints":97,"lastPreviewUrl":98,"hasAutosaves":34,"hasErrors":5},"component",{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","e6y99wzygj4",[101,137],{"createdDate":102,"id":103,"name":104,"modelId":105,"published":13,"stageModifiedSincePublish":5,"query":106,"data":107,"variations":130,"lastUpdated":131,"firstPublished":132,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":133,"meta":134,"rev":136},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":108,"type":109,"testimonialLink":110,"testimonial":111},{},"testimonial","/customer-stories/inductive-automation",{"@type":112,"id":113,"model":109,"value":114},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":115,"folders":116,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":120,"variations":124,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":127,"rev":129},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":121,"jobTitle":122,"quote":118,"image":123},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":128,"hasAutosaves":34},{"small":32,"medium":33},"ejb4610smqd",{},1776247404986,1776247404973,[],{"breakpoints":135,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},"qmd9dqqccme",{"createdDate":138,"id":139,"name":140,"modelId":105,"published":13,"meta":141,"stageModifiedSincePublish":5,"query":143,"data":144,"variations":170,"lastUpdated":171,"firstPublished":172,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":173,"rev":136},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":142,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":145,"link":164,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":147},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":148,"folders":149,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":152,"variations":158,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":161,"rev":163},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":162,"hasAutosaves":34},{"small":32,"medium":33},"8ke3s17c50t",{"text":165,"url":166},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[175,198],{"createdDate":176,"id":177,"name":140,"modelId":178,"published":13,"meta":179,"stageModifiedSincePublish":5,"query":181,"data":182,"variations":193,"lastUpdated":194,"firstPublished":195,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":196,"rev":197},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":180,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":183,"link":192,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":184},{"query":185,"folders":186,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":187,"variations":188,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":189,"rev":191},[],[],{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":190,"hasAutosaves":34},{"small":32,"medium":33},"r2hfsxeegak",{"text":165,"url":166},{},1776256937553,1776256937540,[],"ruwk571l1sp",{"createdDate":199,"id":200,"name":201,"modelId":178,"published":13,"stageModifiedSincePublish":5,"query":202,"data":203,"variations":214,"lastUpdated":215,"firstPublished":216,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":217,"meta":218,"rev":197},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":204,"type":109,"testimonial":205,"testimonialLink":110},{},{"@type":112,"id":113,"model":109,"value":206},{"query":207,"folders":208,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":209,"variations":210,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":211,"rev":213},[],[],{"author":121,"jobTitle":122,"quote":118,"image":123},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":212,"hasAutosaves":34},{"small":32,"medium":33},"ifd0kiul0a8",{},1776256974140,1776256974130,[],{"breakpoints":219,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},{"id":221,"title":222,"authorsCollection":223,"content":231,"extension":1607,"featured":5,"hashTags":62,"meta":1608,"metaTitle":1609,"ogImage":62,"publishedDate":1610,"relatedBlogPostsCollection":1611,"slug":4129,"stem":4130,"subtitle":62,"summary":4131,"synopsis":4142,"sys":4143,"tagsCollection":4146,"__hash__":4152},"blog/blog/making-the-business-case-for-a-browser-security-solution.json","How to make the business case for a browser security solution",{"items":224},[225],{"fullName":226,"firstName":227,"jobTitle":228,"profilePicture":229},"Alex Henshall","Alex","Product Team",{"url":230},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"json":232,"links":1464},{"data":233,"content":234,"nodeType":1463},{},[235,258,265,272,279,286,295,299,309,316,324,343,362,369,376,383,426,433,504,516,519,527,534,540,547,554,573,580,611,644,651,657,664,671,678,769,776,783,789,796,803,827,846,869,888,907,914,921,927,934,941,972,991,997,1004,1023,1030,1037,1082,1089,1092,1100,1107,1114,1133,1140,1182,1201,1204,1212,1219,1361,1369,1388,1395,1402,1405,1413,1420,1427,1430,1437,1444],{"data":236,"content":237,"nodeType":257},{},[238,242,253],{"data":239,"marks":240,"value":29,"nodeType":241},{},[],"text",{"data":243,"content":245,"nodeType":252},{"uri":244},"https://pushsecurity.com/blog/7-things-omdias-latest-report-tells-us-about-the-secure-enterprise-browser-market/",[246],{"data":247,"marks":248,"value":251,"nodeType":241},{},[249],{"type":250},"underline","Omdia's 2026 research","hyperlink",{"data":254,"marks":255,"value":256,"nodeType":241},{},[]," found that 86% of organizations have already increased browser security spending in response to emerging threats, and 85% expect to spend more over the next 12–24 months. ","paragraph",{"data":259,"content":260,"nodeType":257},{},[261],{"data":262,"marks":263,"value":264,"nodeType":241},{},[],"But finding budget for browser security solutions can be harder than it is for other security tools. Both Gartner and Omdia independently confirm that browser security is predominantly additive; Gartner states explicitly that secure enterprise browsers augment rather than replace existing security controls, and Omdia found that 80% of organizations expect to deploy browser security alongside their current stack.",{"data":266,"content":267,"nodeType":257},{},[268],{"data":269,"marks":270,"value":271,"nodeType":241},{},[],"In practice, that means there's typically no legacy line item to redirect or renewal to swap out. Instead, security leaders are left needing to build a business case from scratch, creating more work on top of an already demanding role. Having a proven framework that other security leaders are already using successfully makes that process significantly faster.",{"data":273,"content":274,"nodeType":257},{},[275],{"data":276,"marks":277,"value":278,"nodeType":241},{},[],"Push helps security leaders build these business cases every day and we've seen firsthand what works and where the budget comes from. ",{"data":280,"content":281,"nodeType":257},{},[282],{"data":283,"marks":284,"value":285,"nodeType":241},{},[],"This article distills those patterns into a practical framework you can use to build your own investment case, as well as provides real-world examples of how Push's customers have found budget to make their own investments in browser security tooling:",{"data":287,"content":293,"nodeType":294},{"target":288},{"sys":289},{"id":290,"type":291,"linkType":292},"3qR5t9Y5wgRfzGqcRNXfNa","Link","Entry",[],"embedded-entry-block",{"data":296,"content":297,"nodeType":298},{},[],"hr",{"data":300,"content":301,"nodeType":308},{},[302],{"data":303,"marks":304,"value":307,"nodeType":241},{},[305],{"type":306},"bold","The strategic imperatives that resonate with non-security executives","heading-1",{"data":310,"content":311,"nodeType":257},{},[312],{"data":313,"marks":314,"value":315,"nodeType":241},{},[],"Two distinct strategic initiatives consistently prove to be effective in unlocking browser security budget. They come from different directions; one is driven by the board down to security, the other is driven by security up to the board. But both lead to the same investment and can be used in conjunction with one another.",{"data":317,"content":318,"nodeType":323},{},[319],{"data":320,"marks":321,"value":322,"nodeType":241},{},[],"Option A | AI visibility and control: the mandate security teams are responding to","heading-2",{"data":325,"content":326,"nodeType":257},{},[327,331,339],{"data":328,"marks":329,"value":330,"nodeType":241},{},[],"AI adoption isn't a security initiative; it's a business strategy decision that executives and boards are driving. They know the organization needs to harness AI to remain competitive, and most have already committed to accelerating its use. But they also know that",{"data":332,"content":334,"nodeType":252},{"uri":333},"https://pushsecurity.com/blog/what-push-data-reveals-about-the-state-of-shadow-ai/",[335],{"data":336,"marks":337,"value":338,"nodeType":241},{},[]," adoption without visibility creates risks they can't quantify or manage",{"data":340,"marks":341,"value":342,"nodeType":241},{},[],", and they expect security to have the visibility and controls to close that gap.",{"data":344,"content":345,"nodeType":257},{},[346,350,358],{"data":347,"marks":348,"value":349,"nodeType":241},{},[],"The browser is the most practical place for security teams to get that visibility and control over AI usage. All AI tool usage — whether that's web apps, extensions, OAuth consent flows, data uploads — traverses the browser. A browser security platform like Push can",{"data":351,"content":353,"nodeType":252},{"uri":352},"https://pushsecurity.com/solution/achieve-security-outcomes/secure-ai",[354],{"data":355,"marks":356,"value":357,"nodeType":241},{},[]," discover which AI tools employees are actually using",{"data":359,"marks":360,"value":361,"nodeType":241},{},[],", monitor how they're being used, track which AI services have been granted access to corporate systems, and enforce policy in real time.",{"data":363,"content":364,"nodeType":257},{},[365],{"data":366,"marks":367,"value":368,"nodeType":241},{},[],"What makes this particularly effective in a budget conversation is that security teams don’t need to explain or sell a new security risk or initiative, instead they're responding to one their executive team has already identified. When security can demonstrate a concrete plan to deliver AI visibility and control, the funding conversation is significantly shorter. The investment addresses the executive mandate while simultaneously providing additional capabilities for the security team like threat protection, identity and shadow IT security, and investigation support.",{"data":370,"content":371,"nodeType":323},{},[372],{"data":373,"marks":374,"value":375,"nodeType":241},{},[],"Option B | Modern breaches that originate in the browser: the gap the existing stack wasn't designed to cover",{"data":377,"content":378,"nodeType":257},{},[379],{"data":380,"marks":381,"value":382,"nodeType":241},{},[],"The second strategic imperative requires more educating on the part of the security leader.",{"data":384,"content":385,"nodeType":257},{},[386,390,398,402,410,414,422],{"data":387,"marks":388,"value":389,"nodeType":241},{},[],"The highest-profile breaches in recent years — MGM, Caesars, Ticketmaster, M&S, Jaguar Land Rover — were all carried out by threat groups like",{"data":391,"content":393,"nodeType":252},{"uri":392},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[394],{"data":395,"marks":396,"value":397,"nodeType":241},{},[]," Scattered Spider",{"data":399,"marks":400,"value":401,"nodeType":241},{},[]," using cloud-native,",{"data":403,"content":405,"nodeType":252},{"uri":404},"https://pushsecurity.com/blog/introducing-the-browser-and-identity-attacks-matrix/",[406],{"data":407,"marks":408,"value":409,"nodeType":241},{},[]," identity-based attack techniques",{"data":411,"marks":412,"value":413,"nodeType":241},{},[],". They didn't compromise endpoints or exploit zero-day vulnerabilities. Instead, they compromised employees' cloud app accounts by targeting them with techniques that",{"data":415,"content":417,"nodeType":252},{"uri":416},"https://pushsecurity.com/thank-you/browser-attacks-report",[418],{"data":419,"marks":420,"value":421,"nodeType":241},{},[]," play out inside browser sessions",{"data":423,"marks":424,"value":425,"nodeType":241},{},[]," where existing endpoint, network, and email controls have no visibility.",{"data":427,"content":428,"nodeType":257},{},[429],{"data":430,"marks":431,"value":432,"nodeType":241},{},[],"That doesn't mean your existing security investments are failing. Endpoint, network, and email controls have become effective enough that threat groups are now actively avoiding them by rerouting their attacks via the browser.",{"data":434,"content":435,"nodeType":503},{},[436,459,481],{"data":437,"content":438,"nodeType":458},{},[439],{"data":440,"content":441,"nodeType":257},{},[442,445,454],{"data":443,"marks":444,"value":29,"nodeType":241},{},[],{"data":446,"content":448,"nodeType":252},{"uri":447},"https://www.crowdstrike.com/en-us/global-threat-report/",[449],{"data":450,"marks":451,"value":453,"nodeType":241},{},[452],{"type":250},"CrowdStrike's 2026 data",{"data":455,"marks":456,"value":457,"nodeType":241},{},[]," shows 82% of attack detections are now malware-free. A new capability is needed to address this new playbook, and browser security closes that gap by detecting attacker behavior inside the session, where these attacks actually execute.","list-item",{"data":460,"content":461,"nodeType":458},{},[462],{"data":463,"content":464,"nodeType":257},{},[465,468,477],{"data":466,"marks":467,"value":29,"nodeType":241},{},[],{"data":469,"content":471,"nodeType":252},{"uri":470},"https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/",[472],{"data":473,"marks":474,"value":476,"nodeType":241},{},[475],{"type":250},"Unit 42",{"data":478,"marks":479,"value":480,"nodeType":241},{},[]," found that identity weaknesses played a material role in almost 90% of their investigations, and across more than 750 incident response engagements, 48% involved browser-based activity.",{"data":482,"content":483,"nodeType":458},{},[484],{"data":485,"content":486,"nodeType":257},{},[487,490,499],{"data":488,"marks":489,"value":29,"nodeType":241},{},[],{"data":491,"content":493,"nodeType":252},{"uri":492},"https://services.google.com/fh/files/misc/m-trends-2025-en.pdf",[494],{"data":495,"marks":496,"value":498,"nodeType":241},{},[497],{"type":250},"Mandiant's data",{"data":500,"marks":501,"value":502,"nodeType":241},{},[]," tells a similar story: threat actors exploited identity issues to gain initial access in 83% of incidents involving cloud and SaaS environments.","unordered-list",{"data":505,"content":506,"nodeType":257},{},[507,512],{"data":508,"marks":509,"value":511,"nodeType":241},{},[510],{"type":306},"Identity-based attacks executed via the browser are now the dominant attack pattern.",{"data":513,"marks":514,"value":515,"nodeType":241},{},[]," That framing works in a budget conversation because it identifies a gap rather than asking to improve something that's already covered by an existing solution. It's also reinforced by the fact that the breaches and groups behind them like Scattered Spider were all reported on by the mainstream media, meaning non-security stakeholders are likely to already be somewhat aware of the risks and potential implications of them being realized.",{"data":517,"content":518,"nodeType":298},{},[],{"data":520,"content":521,"nodeType":308},{},[522],{"data":523,"marks":524,"value":526,"nodeType":241},{},[525],{"type":306},"The economic case: five value drivers",{"data":528,"content":529,"nodeType":257},{},[530],{"data":531,"marks":532,"value":533,"nodeType":241},{},[],"Those strategic imperatives establish why something needs to be done, but they don't quantify the cost of inaction or demonstrate how the investment pays for itself. A CFO wants to see where the money comes from, what existing spend it offsets, and what measurable return it delivers. The economic investment case draws on five distinct value drivers, each grounded in capabilities specific to operating inside the browser session.",{"data":535,"content":539,"nodeType":294},{"target":536},{"sys":537},{"id":538,"type":291,"linkType":292},"2W1G5GZWXLbo2hi6bTxAVs",[],{"data":541,"content":542,"nodeType":323},{},[543],{"data":544,"marks":545,"value":546,"nodeType":241},{},[],"1. Avoided breach costs",{"data":548,"content":549,"nodeType":257},{},[550],{"data":551,"marks":552,"value":553,"nodeType":241},{},[],"This is the largest single value driver, but it's also the hardest to measure because the return is defined by the absence of an event rather than the presence of a saving. That said, the methodology is well-established in risk management, and CFOs already accept this logic for insurance and business continuity investments.",{"data":555,"content":556,"nodeType":257},{},[557,561,569],{"data":558,"marks":559,"value":560,"nodeType":241},{},[],"The detection gap described above has a direct financial consequence: every attack that slips through undetected is a potential breach incurring significant direct and indirect costs. Push helps you avoid these costs by detecting",{"data":562,"content":564,"nodeType":252},{"uri":563},"https://pushsecurity.com/solution/achieve-security-outcomes/stop-account-takeover",[565],{"data":566,"marks":567,"value":568,"nodeType":241},{},[]," browser-native attack TTPs",{"data":570,"marks":571,"value":572,"nodeType":241},{},[]," and blocking them in real-time to prevent breaches at the earliest opportunity.",{"data":574,"content":575,"nodeType":257},{},[576],{"data":577,"marks":578,"value":579,"nodeType":241},{},[],"Even though the breach itself is unrealized, there are tangible leading indicators of success: reduced MTTD/MTTR, and fewer attacks progressing to account takeover or endpoint compromise; the stages at which incidents become more expensive to clean up.",{"data":581,"content":582,"nodeType":257},{},[583,587,595,599,607],{"data":584,"marks":585,"value":586,"nodeType":241},{},[],"Quantifying the savings generated by avoiding breaches requires an",{"data":588,"content":590,"nodeType":252},{"uri":589},"https://pushsecurity.com/blog/the-cisos-data-problem-and-how-browser-telemetry-can-help/",[591],{"data":592,"marks":593,"value":594,"nodeType":241},{},[]," estimation of your organization's breach probability and likely cost",{"data":596,"marks":597,"value":598,"nodeType":241},{},[],".",{"data":600,"content":602,"nodeType":252},{"uri":601},"https://www.ibm.com/reports/data-breach",[603],{"data":604,"marks":605,"value":606,"nodeType":241},{},[]," IBM's cost of a data breach report",{"data":608,"marks":609,"value":610,"nodeType":241},{},[]," provides industry-specific benchmarks, though a more grounded alternative is to look at the disclosed costs of the breaches mentioned above and assess your exposure to the same techniques:",{"data":612,"content":613,"nodeType":503},{},[614,624,634],{"data":615,"content":616,"nodeType":458},{},[617],{"data":618,"content":619,"nodeType":257},{},[620],{"data":621,"marks":622,"value":623,"nodeType":241},{},[],"MGM reported over $100M in direct impact plus a $45M class-action settlement.",{"data":625,"content":626,"nodeType":458},{},[627],{"data":628,"content":629,"nodeType":257},{},[630],{"data":631,"marks":632,"value":633,"nodeType":241},{},[],"M&S lost £300M in profits with almost £1B wiped off its market valuation.",{"data":635,"content":636,"nodeType":458},{},[637],{"data":638,"content":639,"nodeType":257},{},[640],{"data":641,"marks":642,"value":643,"nodeType":241},{},[],"The JLR breach was severe enough for the UK government to underwrite a $1.5B loan to mitigate supply chain damage.",{"data":645,"content":646,"nodeType":257},{},[647],{"data":648,"marks":649,"value":650,"nodeType":241},{},[],"Your own incident data, red team results, or phishing simulation outcomes will increase accuracy further.",{"data":652,"content":656,"nodeType":294},{"target":653},{"sys":654},{"id":655,"type":291,"linkType":292},"3SgrdUcQnQsnNLIR9UgBB",[],{"data":658,"content":659,"nodeType":323},{},[660],{"data":661,"marks":662,"value":663,"nodeType":241},{},[],"2. Accelerated and safe AI adoption",{"data":665,"content":666,"nodeType":257},{},[667],{"data":668,"marks":669,"value":670,"nodeType":241},{},[],"Without effective AI visibility and control tooling, your security team becomes either the bottleneck for AI adoption or allows the risks to go unchecked. Every month that adoption is restricted or ungoverned has a productivity cost that compounds.",{"data":672,"content":673,"nodeType":257},{},[674],{"data":675,"marks":676,"value":677,"nodeType":241},{},[],"There's been plenty of research into the productivity impact of AI:",{"data":679,"content":680,"nodeType":503},{},[681,703,725,747],{"data":682,"content":683,"nodeType":458},{},[684],{"data":685,"content":686,"nodeType":257},{},[687,690,699],{"data":688,"marks":689,"value":29,"nodeType":241},{},[],{"data":691,"content":693,"nodeType":252},{"uri":692},"https://www.nber.org/system/files/working_papers/w31161/w31161.pdf",[694],{"data":695,"marks":696,"value":698,"nodeType":241},{},[697],{"type":250},"Stanford and MIT research",{"data":700,"marks":701,"value":702,"nodeType":241},{},[]," found that workers with access to a generative AI assistant were 14% more productive on average, with novice workers seeing a 34% improvement.",{"data":704,"content":705,"nodeType":458},{},[706],{"data":707,"content":708,"nodeType":257},{},[709,712,721],{"data":710,"marks":711,"value":29,"nodeType":241},{},[],{"data":713,"content":715,"nodeType":252},{"uri":714},"https://www.accenture.com/us-en/insights/strategy/productivity-payoff",[716],{"data":717,"marks":718,"value":720,"nodeType":241},{},[719],{"type":250},"Accenture's research",{"data":722,"marks":723,"value":724,"nodeType":241},{},[]," estimates approximately $7,800 per employee per year in productivity value from generative AI for knowledge workers.",{"data":726,"content":727,"nodeType":458},{},[728],{"data":729,"content":730,"nodeType":257},{},[731,734,743],{"data":732,"marks":733,"value":29,"nodeType":241},{},[],{"data":735,"content":737,"nodeType":252},{"uri":736},"https://www.stlouisfed.org/on-the-economy/2025/feb/impact-generative-ai-work-productivity",[738],{"data":739,"marks":740,"value":742,"nodeType":241},{},[741],{"type":250},"The Federal Reserve",{"data":744,"marks":745,"value":746,"nodeType":241},{},[]," independently quantified it at 5.4% of work hours saved, roughly one full working day reclaimed per month.",{"data":748,"content":749,"nodeType":458},{},[750],{"data":751,"content":752,"nodeType":257},{},[753,756,765],{"data":754,"marks":755,"value":29,"nodeType":241},{},[],{"data":757,"content":759,"nodeType":252},{"uri":758},"https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai",[760],{"data":761,"marks":762,"value":764,"nodeType":241},{},[763],{"type":250},"McKinsey's 2025 data",{"data":766,"marks":767,"value":768,"nodeType":241},{},[]," shows organizations leading on AI adoption report 5.8x average ROI within 14 months, and they outperform laggards in both profitability and revenue growth.",{"data":770,"content":771,"nodeType":257},{},[772],{"data":773,"marks":774,"value":775,"nodeType":241},{},[],"A browser security platform like Push removes the governance blocker. When you can see which AI tools employees are using, what data they're sharing, and what permissions they've granted, and enforce policy in real time, the answer to \"can our people use this?\" shifts from \"not yet, we need to assess the risk\" to \"yes, with our sensible guardrails.\"",{"data":777,"content":778,"nodeType":257},{},[779],{"data":780,"marks":781,"value":782,"nodeType":241},{},[],"Push delivers this by discovering every AI web app, browser, browser extension, and OAuth integration in use. It monitors data sharing through file uploads and clipboard activity, tracks OAuth consent flows where AI services request access to corporate tenants, and enforces policy at the point of action. This allows your team to very quickly get a handle on AI usage, mitigate risks and guide the business on how to best drive safe adoption.",{"data":784,"content":788,"nodeType":294},{"target":785},{"sys":786},{"id":787,"type":291,"linkType":292},"6i7Z6jwFaztuoUCynXfrVH",[],{"data":790,"content":791,"nodeType":323},{},[792],{"data":793,"marks":794,"value":795,"nodeType":241},{},[],"3. Greater return from existing security investments",{"data":797,"content":798,"nodeType":257},{},[799],{"data":800,"marks":801,"value":802,"nodeType":241},{},[],"Push generates direct labor savings in two ways that other tools can't replicate.",{"data":804,"content":805,"nodeType":257},{},[806,811,815,823],{"data":807,"marks":808,"value":810,"nodeType":241},{},[809],{"type":306},"First, identity hygiene remediation at scale.",{"data":812,"marks":813,"value":814,"nodeType":241},{},[]," Push's customer data shows that for every 1,000 employees, an organization will typically have just over",{"data":816,"content":818,"nodeType":252},{"uri":817},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[819],{"data":820,"marks":821,"value":822,"nodeType":241},{},[]," 2,500 identity security vulnerabilities",{"data":824,"marks":825,"value":826,"nodeType":241},{},[]," (missing MFA or weak, breached, reused passwords, etc).",{"data":828,"content":829,"nodeType":257},{},[830,834,842],{"data":831,"marks":832,"value":833,"nodeType":241},{},[],"Without Push, you could conservatively estimate that each vulnerability takes 5–10 minutes to resolve manually (inclusive of project management and reporting time) which translates to between 26 and 52 FTE days per thousand employees.",{"data":835,"content":837,"nodeType":252},{"uri":836},"https://pushsecurity.com/solution/achieve-security-outcomes/harden-unmanaged-identities",[838],{"data":839,"marks":840,"value":841,"nodeType":241},{},[]," Push automates this through in-browser guardrails",{"data":843,"marks":844,"value":845,"nodeType":241},{},[]," that prompt users to fix issues at the point of login. That's thousands of identity vulnerabilities resolved without a single ticket being filed, and weeks of analyst time recovered annually at fully burdened rates.",{"data":847,"content":848,"nodeType":257},{},[849,854,858,866],{"data":850,"marks":851,"value":853,"nodeType":241},{},[852],{"type":306},"Second, investigation efficiency.",{"data":855,"marks":856,"value":857,"nodeType":241},{},[]," Push detects attacks at the earliest and safest opportunity, as the attacker is attempting to gain initial access via the browser. The telemetry Push provides analysts with",{"data":859,"content":861,"nodeType":252},{"uri":860},"https://pushsecurity.com/solution/achieve-security-outcomes/investigate-browser-related-incidents",[862],{"data":863,"marks":864,"value":865,"nodeType":241},{},[]," accelerates their investigations across both external and insider threats",{"data":867,"marks":868,"value":598,"nodeType":241},{},[],{"data":870,"content":871,"nodeType":257},{},[872,876,884],{"data":873,"marks":874,"value":875,"nodeType":241},{},[],"Here’s one example of that in action: Push eliminates",{"data":877,"content":879,"nodeType":252},{"uri":878},"https://pushsecurity.com/blog/verified-stolen-credential-detection/",[880],{"data":881,"marks":882,"value":883,"nodeType":241},{},[]," over 99% of compromised credential false positives",{"data":885,"marks":886,"value":887,"nodeType":241},{},[]," in common TI feeds by only surfacing credentials actively being used and observed in the browser. Much like the first direct labour saving, Push saves your team weeks of effort confirming false positives and investigating complex account compromise incidents. It also reduces the likelihood of an incident progressing to the stage where a (costly) external incident response provider is needed. ",{"data":889,"content":890,"nodeType":257},{},[891,895,903],{"data":892,"marks":893,"value":894,"nodeType":241},{},[],"By automatically remediating identity security issues at scale, and accelerating investigations, Push eliminates much of the work that analysts typically find tedious and frustrating: manually chasing password resets, triaging false positives,",{"data":896,"content":898,"nodeType":252},{"uri":897},"https://pushsecurity.com/blog/fixing-secops-alert-fatigue-with-browser-telemetry/",[899],{"data":900,"marks":901,"value":902,"nodeType":241},{},[]," trawling through web proxy logs",{"data":904,"marks":905,"value":906,"nodeType":241},{},[],". Removing that work means they can spend more time on the interesting, high-value aspects of their roles, which directly improves morale and retention.",{"data":908,"content":909,"nodeType":257},{},[910],{"data":911,"marks":912,"value":913,"nodeType":241},{},[],"In a market where replacing a fully ramped security analyst costs 80–150% of their annual salary and the new hire takes months to reach the same productivity, reduced attrition generates its own measurable saving in avoided recruitment, training, and lost productivity during the ramp-up period.",{"data":915,"content":916,"nodeType":257},{},[917],{"data":918,"marks":919,"value":920,"nodeType":241},{},[],"In addition to direct labor savings, Push improves the return on every other security investment in your stack. Browser-layer telemetry feeds into SIEM and SOAR platforms, enriching correlation rules and enabling custom detections that weren't previously possible, a multiplier on the value you're already getting from your existing security investments.",{"data":922,"content":926,"nodeType":294},{"target":923},{"sys":924},{"id":925,"type":291,"linkType":292},"7EwWz1orX6QQtm5MHnaXDQ",[],{"data":928,"content":929,"nodeType":323},{},[930],{"data":931,"marks":932,"value":933,"nodeType":241},{},[],"4. Reduced compliance and audit exposure",{"data":935,"content":936,"nodeType":257},{},[937],{"data":938,"marks":939,"value":940,"nodeType":241},{},[],"Every major security compliance framework — SOC 2, ISO 27001, HIPAA, PCI DSS, NIST, GDPR — requires MFA on accounts, strong and unique passwords, and visibility into which third-party applications are being entrusted with corporate data. These are foundational requirements and they apply across every application employees use, not just the ones IT has provisioned. Self-adopted Shadow IT and unmanaged identities create compliance gaps against these requirements that most organizations don't know they have until an auditor finds them.",{"data":942,"content":943,"nodeType":257},{},[944,947,956,960,968],{"data":945,"marks":946,"value":29,"nodeType":241},{},[],{"data":948,"content":950,"nodeType":252},{"uri":949},"https://pushsecurity.com/resources/mfa-regulation-compliance",[951],{"data":952,"marks":953,"value":955,"nodeType":241},{},[954],{"type":250},"The consequences of gaps in these controls are increasingly financial.",{"data":957,"marks":958,"value":959,"nodeType":241},{},[]," The City of Hamilton had its $18.3M cyber insurance claim denied after a ransomware attack because MFA wasn't fully implemented. The insurer ruled that incomplete MFA coverage voided the policy.",{"data":961,"content":963,"nodeType":252},{"uri":962},"https://pushsecurity.com/blog/what-the-expansion-of-nydfs-nycrr-part-500-means-for-mfa-compliance/",[964],{"data":965,"marks":966,"value":967,"nodeType":241},{},[]," NYDFS has levied $14 million in fines",{"data":969,"marks":970,"value":971,"nodeType":241},{},[]," from companies with inadequate MFA. These aren't hypothetical risks, and they apply to requirements that Push can help you meet continuously rather than scrambling to find evidence during an audit or after an incident.",{"data":973,"content":974,"nodeType":257},{},[975,979,987],{"data":976,"marks":977,"value":978,"nodeType":241},{},[],"Push addresses these compliance requirements directly. It",{"data":980,"content":982,"nodeType":252},{"uri":981},"https://pushsecurity.com/solution/achieve-security-outcomes/secure-shadow-saas",[983],{"data":984,"marks":985,"value":986,"nodeType":241},{},[]," discovers every application employees actually use",{"data":988,"marks":989,"value":990,"nodeType":241},{},[]," — directly from the login event in the browser, not from network traffic patterns. It also observes the authentication method, password strength, and MFA status for each account. The inventory provided by Push replaces weeks of manual spreadsheet work during audit preparation and gives your GRC team continuous evidence rather than a point-in-time snapshot assembled under pressure.",{"data":992,"content":996,"nodeType":294},{"target":993},{"sys":994},{"id":995,"type":291,"linkType":292},"36lm2TMvlpEPrFfM8KEUqB",[],{"data":998,"content":999,"nodeType":323},{},[1000],{"data":1001,"marks":1002,"value":1003,"nodeType":241},{},[],"5. Consolidated capability and reallocated spend",{"data":1005,"content":1006,"nodeType":257},{},[1007,1011,1019],{"data":1008,"marks":1009,"value":1010,"nodeType":241},{},[],"Push delivers against a",{"data":1012,"content":1014,"nodeType":252},{"uri":1013},"https://pushsecurity.com/blog/the-top-10-security-problems-you-can-solve-in-the-browser-ranked-by-value/",[1015],{"data":1016,"marks":1017,"value":1018,"nodeType":241},{},[]," wide range of use cases",{"data":1020,"marks":1021,"value":1022,"nodeType":241},{},[]," — threat detection, AI governance, identity security, investigation support — that would otherwise require separate point solutions to address. That breadth of coverage from a single platform and deployment creates natural opportunities to consolidate spend.",{"data":1024,"content":1025,"nodeType":257},{},[1026],{"data":1027,"marks":1028,"value":1029,"nodeType":241},{},[],"AI governance is the most immediate example. Nearly every enterprise is evaluating standalone AI monitoring tools right now, and the price tags are significant. If your browser security platform already delivers the AI visibility and control capabilities like Push's described above — app discovery, data sharing monitoring, OAuth consent tracking, real-time policy enforcement — the case for a separate AI governance purchase weakens considerably. Paying separately for a tool that only does AI governance, when your browser security platform delivers it alongside detection, identity security, and investigation capability, is a hard spend to justify.",{"data":1031,"content":1032,"nodeType":257},{},[1033],{"data":1034,"marks":1035,"value":1036,"nodeType":241},{},[],"There's also a broader resource reallocation opportunity. Platforms like Push represent a new generation of security tooling that addresses the challenges posed by modern work and cyber attacks. The ROI they provide is high now and is likely to increase as the platform evolves alongside the threats and risks it addresses. Meanwhile, much of the legacy stack is moving in the opposite direction.",{"data":1038,"content":1039,"nodeType":503},{},[1040,1062,1072],{"data":1041,"content":1042,"nodeType":458},{},[1043],{"data":1044,"content":1045,"nodeType":257},{},[1046,1050,1058],{"data":1047,"marks":1048,"value":1049,"nodeType":241},{},[],"Network-centric tools like",{"data":1051,"content":1053,"nodeType":252},{"uri":1052},"https://pushsecurity.com/blog/push-plus-network-security/",[1054],{"data":1055,"marks":1056,"value":1057,"nodeType":241},{},[]," SWGs and CASBs are becoming increasingly legacy",{"data":1059,"marks":1060,"value":1061,"nodeType":241},{},[]," as more activity moves off the traditional network and into the browser.",{"data":1063,"content":1064,"nodeType":458},{},[1065],{"data":1066,"content":1067,"nodeType":257},{},[1068],{"data":1069,"marks":1070,"value":1071,"nodeType":241},{},[],"RBI deployments are difficult to justify when a browser extension achieves better security outcomes without the user experience penalty.",{"data":1073,"content":1074,"nodeType":458},{},[1075],{"data":1076,"content":1077,"nodeType":257},{},[1078],{"data":1079,"marks":1080,"value":1081,"nodeType":241},{},[],"Phishing simulation programs — whose ROI has long been questioned by practitioners — are harder to justify when attackers are using AI to craft lures and pages that are indistinguishable from the real thing for even the most trained employees. If your browser security platform is already blocking real phishing attempts and delivering contextual security guidance at the actual point of risk, the marginal value of a simulation exercise weeks later diminishes considerably.",{"data":1083,"content":1084,"nodeType":257},{},[1085],{"data":1086,"marks":1087,"value":1088,"nodeType":241},{},[],"As legacy tooling becomes less relevant and more commoditized, you should expect to spend less on it. What you save can then be reallocated towards capabilities like Push that address the current threat landscape rather than the previous one legacy tools were designed for.",{"data":1090,"content":1091,"nodeType":298},{},[],{"data":1093,"content":1094,"nodeType":308},{},[1095],{"data":1096,"marks":1097,"value":1099,"nodeType":241},{},[1098],{"type":306},"Investment risk management",{"data":1101,"content":1102,"nodeType":257},{},[1103],{"data":1104,"marks":1105,"value":1106,"nodeType":241},{},[],"The final component of the business case is assessing the investment risk. Given that browser security solutions are typically a new capability, and therefore a new form of investment, there will naturally be questions about how safe an investment it is.",{"data":1108,"content":1109,"nodeType":257},{},[1110],{"data":1111,"marks":1112,"value":1113,"nodeType":241},{},[],"Browser security takes many forms and approaches, so this section speaks specifically to Push and why it represents a low-risk investment to make.",{"data":1115,"content":1116,"nodeType":257},{},[1117,1121,1129],{"data":1118,"marks":1119,"value":1120,"nodeType":241},{},[],"Push is simple to deploy. It installs as a browser extension via existing MDM tooling — it works on the browsers employees already use, with no migration to a new browser, no user retraining, and no change to workflows.",{"data":1122,"content":1124,"nodeType":252},{"uri":1123},"https://pushsecurity.com/customer-stories",[1125],{"data":1126,"marks":1127,"value":1128,"nodeType":241},{},[]," Customers have rolled Push out to over 100,000 users in under an hour",{"data":1130,"marks":1131,"value":1132,"nodeType":241},{},[]," during normal office hours with zero downtime.",{"data":1134,"content":1135,"nodeType":257},{},[1136],{"data":1137,"marks":1138,"value":1139,"nodeType":241},{},[],"You start seeing findings and detections from day one, not after a months-long implementation project. That compresses time-to-value to a matter of hours, which directly de-risks the investment from a finance perspective. Push's high-fidelity telemetry results in a negligible false positive rate, minimizing the operational cost of running the platform. Push integrates into your existing security workflows and tools, like your SIEM, SOAR, and IdP, and doesn't require a dedicated team to manage, so you gain a new capability without taking on a new operational burden.",{"data":1141,"content":1142,"nodeType":257},{},[1143,1147,1155,1159,1167,1170,1178],{"data":1144,"marks":1145,"value":1146,"nodeType":241},{},[],"Push supports advanced security teams in highly targeted and regulated industries, with over 3 million browsers deployed worldwide. As one of the first browser security extensions, launched in 2022, Push has one of the longest track records in the space, and its research team regularly discovers novel attack techniques, including",{"data":1148,"content":1150,"nodeType":252},{"uri":1149},"https://pushsecurity.com/blog/consentfix/",[1151],{"data":1152,"marks":1153,"value":1154,"nodeType":241},{},[]," ConsentFix",{"data":1156,"marks":1157,"value":1158,"nodeType":241},{},[],",",{"data":1160,"content":1162,"nodeType":252},{"uri":1161},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[1163],{"data":1164,"marks":1165,"value":1166,"nodeType":241},{},[]," ghost logins",{"data":1168,"marks":1169,"value":1158,"nodeType":241},{},[],{"data":1171,"content":1173,"nodeType":252},{"uri":1172},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[1174],{"data":1175,"marks":1176,"value":1177,"nodeType":241},{},[]," SAMLjacking",{"data":1179,"marks":1180,"value":1181,"nodeType":241},{},[],", and regularly publishes campaign analysis referenced across the security community.",{"data":1183,"content":1184,"nodeType":257},{},[1185,1189,1197],{"data":1186,"marks":1187,"value":1188,"nodeType":241},{},[],"Finally, Push actively hunts for new and novel threats across your estate using its research and",{"data":1190,"content":1192,"nodeType":252},{"uri":1191},"https://pushsecurity.com/blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline/",[1193],{"data":1194,"marks":1195,"value":1196,"nodeType":241},{},[]," agentic detection pipeline",{"data":1198,"marks":1199,"value":1200,"nodeType":241},{},[],", with no customer input required. That means you remain protected as the threat landscape evolves, and the capability continues to advance and deliver recurring value over the full contract period without additional effort from your team.",{"data":1202,"content":1203,"nodeType":298},{},[],{"data":1205,"content":1206,"nodeType":308},{},[1207],{"data":1208,"marks":1209,"value":1211,"nodeType":241},{},[1210],{"type":306},"Where has the budget actually come from for Push’s customers?",{"data":1213,"content":1214,"nodeType":257},{},[1215],{"data":1216,"marks":1217,"value":1218,"nodeType":241},{},[],"Push's customers have funded their browser security investment through several well-established routes:",{"data":1220,"content":1221,"nodeType":503},{},[1222,1243,1278,1324,1346],{"data":1223,"content":1224,"nodeType":458},{},[1225],{"data":1226,"content":1227,"nodeType":257},{},[1228,1232,1239],{"data":1229,"marks":1230,"value":1231,"nodeType":241},{},[],"Many teams had funded projects to increase their",{"data":1233,"content":1234,"nodeType":252},{"uri":352},[1235],{"data":1236,"marks":1237,"value":1238,"nodeType":241},{},[]," visibility and control over AI use",{"data":1240,"marks":1241,"value":1242,"nodeType":241},{},[]," in their organizations. Push gave them the instrumentation they needed to address their needs while also allowing them to address other valuable security use cases.",{"data":1244,"content":1245,"nodeType":458},{},[1246],{"data":1247,"content":1248,"nodeType":257},{},[1249,1253,1261,1265,1274],{"data":1250,"marks":1251,"value":1252,"nodeType":241},{},[],"Push is frequently purchased following a security incident such as an",{"data":1254,"content":1256,"nodeType":252},{"uri":1255},"https://pushsecurity.com/solution/stop-browser-based-attacks/adversary-in-the-middle-attacks",[1257],{"data":1258,"marks":1259,"value":1260,"nodeType":241},{},[]," AitM phishing breach",{"data":1262,"marks":1263,"value":1264,"nodeType":241},{},[]," or a ",{"data":1266,"content":1268,"nodeType":252},{"uri":1267},"https://pushsecurity.com/solution/stop-browser-based-attacks/clickfix-fix-variants",[1269],{"data":1270,"marks":1271,"value":1273,"nodeType":241},{},[1272],{"type":250},"ClickFix breach",{"data":1275,"marks":1276,"value":1277,"nodeType":241},{},[]," that existing tools failed to detect and stop.",{"data":1279,"content":1280,"nodeType":458},{},[1281],{"data":1282,"content":1283,"nodeType":257},{},[1284,1288,1297,1300,1308,1312,1320],{"data":1285,"marks":1286,"value":1287,"nodeType":241},{},[],"Another leverage point has been ",{"data":1289,"content":1291,"nodeType":252},{"uri":1290},"https://pushsecurity.com/solution/tool-replacements/cloud-access-security-broker",[1292],{"data":1293,"marks":1294,"value":1296,"nodeType":241},{},[1295],{"type":250},"CASB",{"data":1298,"marks":1299,"value":1158,"nodeType":241},{},[],{"data":1301,"content":1303,"nodeType":252},{"uri":1302},"https://pushsecurity.com/solution/tool-replacements/secure-web-gateways",[1304],{"data":1305,"marks":1306,"value":1307,"nodeType":241},{},[]," SWG",{"data":1309,"marks":1310,"value":1311,"nodeType":241},{},[],", and",{"data":1313,"content":1315,"nodeType":252},{"uri":1314},"https://pushsecurity.com/solution/tool-replacements/remote-browser-isolation",[1316],{"data":1317,"marks":1318,"value":1319,"nodeType":241},{},[]," RBI",{"data":1321,"marks":1322,"value":1323,"nodeType":241},{},[]," renewals. The browser-native capabilities of a tool like Push let you either replace or reduce the scope — and cost — on those contracts without losing coverage.",{"data":1325,"content":1326,"nodeType":458},{},[1327],{"data":1328,"content":1329,"nodeType":257},{},[1330,1334,1342],{"data":1331,"marks":1332,"value":1333,"nodeType":241},{},[],"A number of Push customers rolled out",{"data":1335,"content":1337,"nodeType":252},{"uri":1336},"https://pushsecurity.com/solution/achieve-security-outcomes/secure-chromebooks",[1338],{"data":1339,"marks":1340,"value":1341,"nodeType":241},{},[]," Chromebooks",{"data":1343,"marks":1344,"value":1345,"nodeType":241},{},[]," to parts of their workforce and used the savings that generated to pay for Push. These devices fell outside of their standard EDR coverage and they found that Push provided all the visibility and protection they needed for Chromebook users.",{"data":1347,"content":1348,"nodeType":458},{},[1349],{"data":1350,"content":1351,"nodeType":257},{},[1352,1356],{"data":1353,"marks":1354,"value":1355,"nodeType":241},{},[],"But overall, most customers choose to build the net-new case using ROI projections alone. Push customers see direct savings that cover the cost of deploying Push and indirect savings that run into the millions of dollars. ",{"data":1357,"marks":1358,"value":1360,"nodeType":241},{},[1359],{"type":306},"For every $1 invested, Push generates a return of $5 - $15 through a mixture of direct and indirect savings aligned to the five economic value drivers.",{"data":1362,"content":1363,"nodeType":323},{},[1364],{"data":1365,"marks":1366,"value":1368,"nodeType":241},{},[1367],{"type":306},"Strengthening your case with PoV data",{"data":1370,"content":1371,"nodeType":257},{},[1372,1376,1384],{"data":1373,"marks":1374,"value":1375,"nodeType":241},{},[],"One practical step that strengthens any business case significantly is to",{"data":1377,"content":1379,"nodeType":252},{"uri":1378},"https://pushsecurity.com/blog/how-to-avoid-the-browser-security-buyers-trap/",[1380],{"data":1381,"marks":1382,"value":1383,"nodeType":241},{},[]," run a proof of value",{"data":1385,"marks":1386,"value":1387,"nodeType":241},{},[],". A PoV deployment generates findings specific to your organization: real instances of employees being targeted in their browsers, the actual scale of your identity attack surface, and concrete shadow SaaS and AI usage data.",{"data":1389,"content":1390,"nodeType":257},{},[1391],{"data":1392,"marks":1393,"value":1394,"nodeType":241},{},[],"That evidence can be far more compelling to a CFO than generic industry benchmarks, and it hones the projected value from the framework using real-world data taken from your own environment. ",{"data":1396,"content":1397,"nodeType":257},{},[1398],{"data":1399,"marks":1400,"value":1401,"nodeType":241},{},[],"The drawback is that the kind of PoV that generates this type of evidence requires more time and effort to run. Security teams typically opt for this approach when they know they'll encounter stronger resistance to budget being made available and they'll really need to evidence the need in absolutely concrete terms.",{"data":1403,"content":1404,"nodeType":298},{},[],{"data":1406,"content":1407,"nodeType":308},{},[1408],{"data":1409,"marks":1410,"value":1412,"nodeType":241},{},[1411],{"type":306},"Closing thoughts: “nothing worth having comes easy”",{"data":1414,"content":1415,"nodeType":257},{},[1416],{"data":1417,"marks":1418,"value":1419,"nodeType":241},{},[],"The budget conversation for browser security takes more work than it does for a like-for-like tool replacement — but the security leaders who've been through it consistently find that the economic case is stronger than they expected going in. ",{"data":1421,"content":1422,"nodeType":257},{},[1423],{"data":1424,"marks":1425,"value":1426,"nodeType":241},{},[],"Both strategic imperatives are grounded in data any CFO can verify independently, the financial impact is quantifiable across multiple dimensions, and the routes to funding are well-established across organizations that have already made this investment.",{"data":1428,"content":1429,"nodeType":298},{},[],{"data":1431,"content":1432,"nodeType":257},{},[1433],{"data":1434,"marks":1435,"value":1436,"nodeType":241},{},[],"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.",{"data":1438,"content":1439,"nodeType":257},{},[1440],{"data":1441,"marks":1442,"value":1443,"nodeType":241},{},[],"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",{"data":1445,"content":1446,"nodeType":257},{},[1447,1451,1459],{"data":1448,"marks":1449,"value":1450,"nodeType":241},{},[],"Book a ",{"data":1452,"content":1454,"nodeType":252},{"uri":1453},"https://pushsecurity.com/demo/",[1455],{"data":1456,"marks":1457,"value":1458,"nodeType":241},{},[],"live demo",{"data":1460,"marks":1461,"value":1462,"nodeType":241},{},[]," to learn more.","document",{"entries":1465},{"hyperlink":1466,"inline":1467,"block":1468},[],[],[1469,1477,1504,1528,1555,1581],{"sys":1470,"__typename":1471,"title":1472,"caption":62,"layoutMode":62,"file":1473},{"id":290},"Image","business case framework",{"url":1474,"width":1475,"height":1476},"https://images.ctfassets.net/y1cdw1ablpvd/1TIwUkTfu8uJkxpF3vS8jS/e93b6ddfa432874452812c2566b5e031/business_case_framework_2x__4_.png",3200,2302,{"sys":1478,"__typename":1479,"content":1480,"name":1503,"title":62},{"id":538},"InsightTextBlockComponent",{"json":1481},{"nodeType":1463,"data":1482,"content":1483},{},[1484,1491],{"nodeType":257,"data":1485,"content":1486},{},[1487],{"nodeType":241,"value":1488,"marks":1489,"data":1490},"To illustrate the potential economic impact, each value driver below includes an estimate for a hypothetical 1,000-employee US technology company called ACME. The assumptions used are conservative and the benchmarks are publicly available. And while your own numbers will differ, the methodology used is transferable. ",[],{},{"nodeType":257,"data":1492,"content":1493},{},[1494,1498],{"nodeType":241,"value":1495,"marks":1496,"data":1497},"Using these estimates, ACME can conservatively expect a return of ",[],{},{"nodeType":241,"value":1499,"marks":1500,"data":1502},"$435K–$925K in combined annual value from direct labor savings, risk-adjusted cost avoidance, and accelerated productivity gains.",[1501],{"type":306},{},"Browser business case IB1",{"sys":1505,"__typename":1479,"content":1506,"name":1527,"title":62},{"id":655},{"json":1507},{"nodeType":1463,"data":1508,"content":1509},{},[1510],{"nodeType":257,"data":1511,"content":1512},{},[1513,1518,1522],{"nodeType":241,"value":1514,"marks":1515,"data":1517},"ACME example: ",[1516],{"type":306},{},{"nodeType":241,"value":1519,"marks":1520,"data":1521},"IBM's data puts the average breach cost for a technology company at approximately $4.9M. Assuming a conservative 5–8% annual breach probability, and given that 80% of breaches are now identity-based and execute via the browser, the question is how much of that exposure Push eliminates. Push detects and blocks browser-native, identity-based attacks in real time. Even using a conservative 80% effectiveness estimate ",[],{},{"nodeType":241,"value":1523,"marks":1524,"data":1526},"the expected annual value is $150K–$250K.",[1525],{"type":306},{},"Browser business case IB2",{"sys":1529,"__typename":1479,"content":1530,"name":1554,"title":62},{"id":787},{"json":1531},{"nodeType":1463,"data":1532,"content":1533},{},[1534],{"nodeType":257,"data":1535,"content":1536},{},[1537,1541,1545,1550],{"nodeType":241,"value":1514,"marks":1538,"data":1540},[1539],{"type":306},{},{"nodeType":241,"value":1542,"marks":1543,"data":1544},"for a 1,000-employee technology company where 60% of the workforce are knowledge workers, accelerating safe AI adoption by three to six months for 25–40% of those workers captures ",[],{},{"nodeType":241,"value":1546,"marks":1547,"data":1549},"$150K–$400K",[1548],{"type":306},{},{"nodeType":241,"value":1551,"marks":1552,"data":1553}," in productivity value.",[],{},"Browser business case IB3",{"sys":1556,"__typename":1479,"content":1557,"name":1580,"title":62},{"id":925},{"json":1558},{"nodeType":1463,"data":1559,"content":1560},{},[1561],{"nodeType":257,"data":1562,"content":1563},{},[1564,1568,1572,1577],{"nodeType":241,"value":1514,"marks":1565,"data":1567},[1566],{"type":306},{},{"nodeType":241,"value":1569,"marks":1570,"data":1571},"Automated identity remediation across approximately 2,500 vulnerabilities recovers $25K–$35K in analyst time annually. Investigation efficiency gains from earlier detection and the elimination of compromised credential false positives save a further $45K–$65K. Reduced analyst attrition, driven by the removal of tedious manual work, avoids $15K–$25K in recruitment and ramp-up costs. Combined, this value driver represents ",[],{},{"nodeType":241,"value":1573,"marks":1574,"data":1576},"$85K–$125K annually",[1575],{"type":306},{},{"nodeType":241,"value":598,"marks":1578,"data":1579},[],{},"Browser business case IB4",{"sys":1582,"__typename":1479,"content":1583,"name":1606,"title":62},{"id":995},{"json":1584},{"nodeType":1463,"data":1585,"content":1586},{},[1587],{"nodeType":257,"data":1588,"content":1589},{},[1590,1594,1598,1603],{"nodeType":241,"value":1514,"marks":1591,"data":1593},[1592],{"type":306},{},{"nodeType":241,"value":1595,"marks":1596,"data":1597},"Push's automated inventory and continuous compliance evidence replaces approximately 1,000 hours of annual audit preparation effort, generating $8K–$25K in direct savings. The larger value is in risk avoidance: assuming a conservative 3–5% annual probability of a compliance-related financial event (e.g. a denied insurance claim or a regulatory fine) and an average impact of $5–8M, even a 30% reduction in that exposure represents $45K–$120K in expected annual value. ",[],{},{"nodeType":241,"value":1599,"marks":1600,"data":1602},"Combined: $50K–$150K",[1601],{"type":306},{},{"nodeType":241,"value":598,"marks":1604,"data":1605},[],{},"Browser business case IB5","json",{},"How to make the business case for browser security","2026-05-29T00:00:00.000Z",{"items":1612},[1613,2324,2873],{"__typename":1614,"sys":1615,"publishedDate":1617,"content":1618,"title":2307,"synopsis":2308,"hashTags":62,"slug":2309,"tagsCollection":2310,"authorsCollection":2320},"BlogPosts",{"id":1616},"1ThCW6Cx8Zcq2flramQdoj","2026-05-21T00:00:00.000Z",{"json":1619},{"nodeType":1463,"data":1620,"content":1621},{},[1622,1629,1636,1659,1666,1673,1680,1683,1691,1698,1718,1725,1732,1780,1787,1795,1802,1809,1816,1819,1827,1834,1846,1853,1861,1880,1886,1925,1931,1938,1950,1956,1963,1981,1989,1996,2015,2021,2029,2036,2191,2194,2202,2209,2216,2219,2227,2234,2246,2258,2270,2282,2289],{"nodeType":257,"data":1623,"content":1624},{},[1625],{"nodeType":241,"value":1626,"marks":1627,"data":1628},"At first, it may seem like an obvious choice, partly because the category name \"Secure Enterprise Browser\" implies the answer is a full-stack browser. Plus, the most visible vendors in the space have spent the past few years marketing that exact choice as the only one. ",[],{},{"nodeType":257,"data":1630,"content":1631},{},[1632],{"nodeType":241,"value":1633,"marks":1634,"data":1635},"But the market tells a different story. The majority of vendors Gartner places in the SEB category are now extensions rather than full browsers, and Gartner explicitly notes that extensions have become the preferred option. ",[],{},{"nodeType":1637,"data":1638,"content":1639},"blockquote",{},[1640],{"nodeType":257,"data":1641,"content":1642},{},[1643,1647,1655],{"nodeType":241,"value":1644,"marks":1645,"data":1646},"The buyer-side data tells the same story: In ",[],{},{"nodeType":252,"data":1648,"content":1649},{"uri":244},[1650],{"nodeType":241,"value":1651,"marks":1652,"data":1654},"Omdia's 2026 survey of 400 IT and security professionals",[1653],{"type":250},{},{"nodeType":241,"value":1656,"marks":1657,"data":1658},", 48% of organizations cited the ability to use their existing browsers as an important attribute in a secure browsing solution.",[],{},{"nodeType":257,"data":1660,"content":1661},{},[1662],{"nodeType":241,"value":1663,"marks":1664,"data":1665},"The truth is: Full-stack enterprise browsers and browser security extensions like Push aren’t competing products. They serve different needs for different teams, though they often get evaluated against each other.",[],{},{"nodeType":257,"data":1667,"content":1668},{},[1669],{"nodeType":241,"value":1670,"marks":1671,"data":1672},"Full-stack enterprise browsers serve the IT team's need to control the workspace. Browser security extensions like Push meet the security team's need to protect their users as they work in their browsers — a fundamentally different problem. ",[],{},{"nodeType":257,"data":1674,"content":1675},{},[1676],{"nodeType":241,"value":1677,"marks":1678,"data":1679},"In this article, we’ll cover why a feature-by-feature checklist is the wrong approach when selecting a secure browser platform, and what questions to consider instead. We’ll also discuss what each type of solution excels at, where Push fits in, and how to map your needs to the right solution.",[],{},{"nodeType":298,"data":1681,"content":1682},{},[],{"nodeType":308,"data":1684,"content":1685},{},[1686],{"nodeType":241,"value":1687,"marks":1688,"data":1690},"Full-stack enterprise browsers meet the IT team's need to control a workspace",[1689],{"type":306},{},{"nodeType":257,"data":1692,"content":1693},{},[1694],{"nodeType":241,"value":1695,"marks":1696,"data":1697},"Full-stack enterprise browsers like Island, Prisma Browser, and SURF Security are best understood as managed workspace platforms rather than browsers in the conventional sense. ",[],{},{"nodeType":1637,"data":1699,"content":1700},{},[1701],{"nodeType":257,"data":1702,"content":1703},{},[1704,1708,1714],{"nodeType":241,"value":1705,"marks":1706,"data":1707},"Island's own CEO Mike Fey has described the company's strategy as transforming the browser into ",[],{},{"nodeType":241,"value":1709,"marks":1710,"data":1713},"\"a centralized, enterprise-grade platform, eliminating layers of legacy IT infrastructure by building more functionality in the browser.\"",[1711],{"type":1712},"italic",{},{"nodeType":241,"value":1715,"marks":1716,"data":1717}," ",[],{},{"nodeType":257,"data":1719,"content":1720},{},[1721],{"nodeType":241,"value":1722,"marks":1723,"data":1724},"Chrome Enterprise and Edge for Business occupy a related space as productivity-suite browsers extended with native security controls, sold as part of the broader Google and Microsoft workplace stacks. Different products with different lineage, but all of them converge on the same owner: an IT organization solving for workspace control.",[],{},{"nodeType":257,"data":1726,"content":1727},{},[1728],{"nodeType":241,"value":1729,"marks":1730,"data":1731},"The IT team is trying to achieve workspace policy compliance and access governance. Their primary use case is typically reducing reliance on legacy IT tools like VDI, VPN, remote browser isolation, DaaS, web filtering, and CASBs. In this world, the use cases look like: ",[],{},{"nodeType":503,"data":1733,"content":1734},{},[1735,1750,1765],{"nodeType":458,"data":1736,"content":1737},{},[1738],{"nodeType":257,"data":1739,"content":1740},{},[1741,1746],{"nodeType":241,"value":1742,"marks":1743,"data":1745},"Securing third-party contractors or BYOD",[1744],{"type":306},{},{"nodeType":241,"value":1747,"marks":1748,"data":1749}," where the workspace itself is the access control. ",[],{},{"nodeType":458,"data":1751,"content":1752},{},[1753],{"nodeType":257,"data":1754,"content":1755},{},[1756,1761],{"nodeType":241,"value":1757,"marks":1758,"data":1760},"Regulated populations",[1759],{"type":306},{},{"nodeType":241,"value":1762,"marks":1763,"data":1764}," like call centers, BPO workforces, finance teams handling sensitive material, where output controls like watermarking, screenshot restriction, and print blocking need to be enforced at the OS rendering layer. ",[],{},{"nodeType":458,"data":1766,"content":1767},{},[1768],{"nodeType":257,"data":1769,"content":1770},{},[1771,1776],{"nodeType":241,"value":1772,"marks":1773,"data":1775},"Legacy app support",[1774],{"type":306},{},{"nodeType":241,"value":1777,"marks":1778,"data":1779}," including IE-mode rendering for applications that have never been modernized. ",[],{},{"nodeType":257,"data":1781,"content":1782},{},[1783],{"nodeType":241,"value":1784,"marks":1785,"data":1786},"For these use cases, the architecture is well-suited, and there are numerous full-stack SEB solutions that address them well. Where the full-stack approach runs into trouble is in getting users to migrate onto a new browser and in justifying the cost of doing so. Both problems scale with the size of the workforce. ",[],{},{"nodeType":323,"data":1788,"content":1789},{},[1790],{"nodeType":241,"value":1791,"marks":1792,"data":1794},"Cost of deployment is a significant blocker for full-stack browsers",[1793],{"type":306},{},{"nodeType":257,"data":1796,"content":1797},{},[1798],{"nodeType":241,"value":1799,"marks":1800,"data":1801},"The migration costs are easy to predict: deployment and configuration effort, help desk volume and — biggest of all — user resistance. But it’s the license cost that limits deployments in many organizations going from a free consumer browser to a paid replacement for the first time. ",[],{},{"nodeType":257,"data":1803,"content":1804},{},[1805],{"nodeType":241,"value":1806,"marks":1807,"data":1808},"In fact, Gartner notes that most buyers start with a single use case like covering contractors and rarely pursue organization-wide deployment for a full-stack enterprise browser. ",[],{},{"nodeType":257,"data":1810,"content":1811},{},[1812],{"nodeType":241,"value":1813,"marks":1814,"data":1815},"For organizations that do achieve a full-coverage deployment for these full-stack browsers, the need to manage drift in employee behavior over time gets harder. Agentic browsers like Comet, Atlas, and Dia are already starting to pull users toward AI-native workflows that consumer browsers don’t offer and full-stack enterprise browsers don’t currently match.",[],{},{"nodeType":298,"data":1817,"content":1818},{},[],{"nodeType":308,"data":1820,"content":1821},{},[1822],{"nodeType":241,"value":1823,"marks":1824,"data":1826},"What a browser security extension built for the security team looks like",[1825],{"type":306},{},{"nodeType":257,"data":1828,"content":1829},{},[1830],{"nodeType":241,"value":1831,"marks":1832,"data":1833},"Most browser security extensions on the market were built to address this migration hurdle. They attempt to take as many of the features of a full-stack browser as possible, but make it possible to deploy into users’ existing browsers, sidestepping a lot of the cost and rollout problems.",[],{},{"nodeType":257,"data":1835,"content":1836},{},[1837,1841],{"nodeType":241,"value":1838,"marks":1839,"data":1840},"LayerX, Seraphic, SquareX, and Keep Aware have all at some point echoed this approach in their product descriptions with the line ",[],{},{"nodeType":241,"value":1842,"marks":1843,"data":1845},"\"make any browser an enterprise browser.\"",[1844],{"type":1712},{},{"nodeType":257,"data":1847,"content":1848},{},[1849],{"nodeType":241,"value":1850,"marks":1851,"data":1852},"Ultimately, that approach is still aimed at solving problems for the IT team more than the security team.",[],{},{"nodeType":323,"data":1854,"content":1855},{},[1856],{"nodeType":241,"value":1857,"marks":1858,"data":1860},"Push is different — we built a browser extension to meet the security team's needs",[1859],{"type":306},{},{"nodeType":257,"data":1862,"content":1863},{},[1864,1868,1876],{"nodeType":241,"value":1865,"marks":1866,"data":1867},"Push set out to meet a different need. Our team's background has always been in defending organizations against advanced attacks. We spent our careers working in red and blue teams throughout the network and endpoint eras of cyber attacks. The mission we started with in 2022 was to defend organizations against the ",[],{},{"nodeType":252,"data":1869,"content":1870},{"uri":416},[1871],{"nodeType":241,"value":1872,"marks":1873,"data":1875},"new era of damaging cyber attacks that originate in the browser",[1874],{"type":250},{},{"nodeType":241,"value":1877,"marks":1878,"data":1879},". ",[],{},{"nodeType":294,"data":1881,"content":1885},{"target":1882},{"sys":1883},{"id":1884,"type":291,"linkType":292},"6BwJl8ZkiMore2o1BKx2w6",[],{"nodeType":257,"data":1887,"content":1888},{},[1889,1893,1901,1905,1910,1914,1922],{"nodeType":241,"value":1890,"marks":1891,"data":1892},"We chose a browser extension as the approach for our solution, not because we wanted to build an easier-to-deploy enterprise browser, but so we could use it as a security agent to collect high-fidelity telemetry for TTP-based detections, and apply real-time controls to stop attacks at the earliest opportunity in the modern  — ",[],{},{"nodeType":252,"data":1894,"content":1895},{"uri":61},[1896],{"nodeType":241,"value":1897,"marks":1898,"data":1900},"browser and identity native",[1899],{"type":250},{},{"nodeType":241,"value":1902,"marks":1903,"data":1904},"  — kill chain. ",[],{},{"nodeType":241,"value":1906,"marks":1907,"data":1909},"In effect, we created EDR, but for the browser. ",[1908],{"type":306},{},{"nodeType":241,"value":1911,"marks":1912,"data":1913},"This is what gives Push the edge compared to other Secure Enterprise Browser solutions when it comes to tackling the highest priority threats in the browser — ",[],{},{"nodeType":252,"data":1915,"content":1916},{"uri":1378},[1917],{"nodeType":241,"value":1918,"marks":1919,"data":1921},"we’re optimized for this problem area",[1920],{"type":250},{},{"nodeType":241,"value":1877,"marks":1923,"data":1924},[],{},{"nodeType":294,"data":1926,"content":1930},{"target":1927},{"sys":1928},{"id":1929,"type":291,"linkType":292},"4nGzT9cNG0Yid93uUCCuTt",[],{"nodeType":257,"data":1932,"content":1933},{},[1934],{"nodeType":241,"value":1935,"marks":1936,"data":1937},"For a security team using Push’s extension, this means attacks get stopped at the earliest opportunity in the kill chain and before they cause harm. ",[],{},{"nodeType":257,"data":1939,"content":1940},{},[1941,1945],{"nodeType":241,"value":1942,"marks":1943,"data":1944},"When a user lands on a phishing page built to harvest their credentials, Push sees the page rendering and the JavaScript executing inside the DOM, and can block the credential submission before the form posts. When a user is being walked through a ClickFix or ConsentFix social engineering flow, Push sees the clipboard writes and the OAuth consent flow parameters being prepared, and can intervene before the user completes the action. When a session token is stolen and replayed against a different device, Push sees the session activity and surfaces the compromise. ",[],{},{"nodeType":241,"value":1946,"marks":1947,"data":1949},"Push does all of this from a browser extension, without needing to replace the user's browser. ",[1948],{"type":306},{},{"nodeType":294,"data":1951,"content":1955},{"target":1952},{"sys":1953},{"id":1954,"type":291,"linkType":292},"1FZEbn0K80d1jHRRTk7kL7",[],{"nodeType":257,"data":1957,"content":1958},{},[1959],{"nodeType":241,"value":1960,"marks":1961,"data":1962},"The same underlying technology also addresses other high-value security use cases: Visibility and control over AI usage; hardening identities and surfacing shadow IT; and supporting insider investigations and preventing data loss. ",[],{},{"nodeType":257,"data":1964,"content":1965},{},[1966,1970,1977],{"nodeType":241,"value":1967,"marks":1968,"data":1969},"The",[],{},{"nodeType":252,"data":1971,"content":1972},{"uri":1013},[1973],{"nodeType":241,"value":1974,"marks":1975,"data":1976}," highest-value use cases",[],{},{"nodeType":241,"value":1978,"marks":1979,"data":1980}," the browser can address are all powered by the same underlying technical capability, which is why Push's single extension can address four major security use cases rather than four separate tools needing four separate deployments. The success metric for security teams using Push is attacks averted or stopped, cyber risk reduced, and security posture and resilience strengthened — not workspace policy compliance.",[],{},{"nodeType":323,"data":1982,"content":1983},{},[1984],{"nodeType":241,"value":1985,"marks":1986,"data":1988},"Proven at scale: What security leaders are saying",[1987],{"type":306},{},{"nodeType":257,"data":1990,"content":1991},{},[1992],{"nodeType":241,"value":1993,"marks":1994,"data":1995},"Push launched its browser extension in 2022, making it one of the first and longest-running browser security extensions in the category, and it is now deployed across more than three million browsers worldwide.",[],{},{"nodeType":257,"data":1997,"content":1998},{},[1999,2003,2011],{"nodeType":241,"value":2000,"marks":2001,"data":2002},"Many ",[],{},{"nodeType":252,"data":2004,"content":2005},{"uri":1123},[2006],{"nodeType":241,"value":2007,"marks":2008,"data":2010},"Push customers",[2009],{"type":250},{},{"nodeType":241,"value":2012,"marks":2013,"data":2014}," were initially considering full-stack enterprise browsers, but found that Push provided all the visibility and control they needed without the migration headache.",[],{},{"nodeType":294,"data":2016,"content":2020},{"target":2017},{"sys":2018},{"id":2019,"type":291,"linkType":292},"4RDIOAuVN10mZCtjltJCB4",[],{"nodeType":323,"data":2022,"content":2023},{},[2024],{"nodeType":241,"value":2025,"marks":2026,"data":2028},"The extension matters, but it's what we built around it that really counts",[2027],{"type":306},{},{"nodeType":257,"data":2030,"content":2031},{},[2032],{"nodeType":241,"value":2033,"marks":2034,"data":2035},"The extension is the most visible part of the Push platform, but what Push has built around it makes the solution the most powerful security tool in the browser:",[],{},{"nodeType":503,"data":2037,"content":2038},{},[2039,2086,2123,2161,2176],{"nodeType":458,"data":2040,"content":2041},{},[2042],{"nodeType":257,"data":2043,"content":2044},{},[2045,2050,2054,2060,2063,2071,2075,2082],{"nodeType":241,"value":2046,"marks":2047,"data":2049},"In-house threat research that discovers attack techniques as they emerge.",[2048],{"type":306},{},{"nodeType":241,"value":2051,"marks":2052,"data":2053}," Push researchers track real-world adversary activity and discover new techniques as they appear, including",[],{},{"nodeType":252,"data":2055,"content":2056},{"uri":1149},[2057],{"nodeType":241,"value":1154,"marks":2058,"data":2059},[],{},{"nodeType":241,"value":1158,"marks":2061,"data":2062},[],{},{"nodeType":252,"data":2064,"content":2066},{"uri":2065},"https://pushsecurity.com/blog/installfix/",[2067],{"nodeType":241,"value":2068,"marks":2069,"data":2070}," InstallFix",[],{},{"nodeType":241,"value":2072,"marks":2073,"data":2074},", and creating the",[],{},{"nodeType":252,"data":2076,"content":2077},{"uri":404},[2078],{"nodeType":241,"value":2079,"marks":2080,"data":2081}," Browser & Identity Attacks Matrix",[],{},{"nodeType":241,"value":2083,"marks":2084,"data":2085},". Detection is only as good as the threat understanding behind it, and research is what keeps that understanding ahead of what attackers are doing in the wild.",[],{},{"nodeType":458,"data":2087,"content":2088},{},[2089],{"nodeType":257,"data":2090,"content":2091},{},[2092,2097,2101,2107,2111,2119],{"nodeType":241,"value":2093,"marks":2094,"data":2096},"Agentic threat hunting and detection engineering at machine speed.",[2095],{"type":306},{},{"nodeType":241,"value":2098,"marks":2099,"data":2100}," Push's",[],{},{"nodeType":252,"data":2102,"content":2103},{"uri":1191},[2104],{"nodeType":241,"value":1196,"marks":2105,"data":2106},[],{},{"nodeType":241,"value":2108,"marks":2109,"data":2110}," operationalizes the research, generating new behavioral detections in minutes rather than quarterly releases — covering the",[],{},{"nodeType":252,"data":2112,"content":2114},{"uri":2113},"https://pushsecurity.com/blog/how-the-browser-became-the-main-cyber-battleground/",[2115],{"nodeType":241,"value":2116,"marks":2117,"data":2118}," techniques behind the Scattered Spider, Scattered Lapsus$ Hunters, and ShinyHunters breaches",[],{},{"nodeType":241,"value":2120,"marks":2121,"data":2122}," of the past three years. Attackers are using AI to accelerate the pace at which they generate new lures, kits, and infrastructure; Push keeps security teams in front by advancing the capability at machine speed and scale.",[],{},{"nodeType":458,"data":2124,"content":2125},{},[2126],{"nodeType":257,"data":2127,"content":2128},{},[2129,2134,2138,2145,2149,2157],{"nodeType":241,"value":2130,"marks":2131,"data":2133},"Collecting the right telemetry to surface both attacker behavior and risky user action.",[2132],{"type":306},{},{"nodeType":241,"value":2135,"marks":2136,"data":2137}," Telemetry by itself is just data — the value comes from knowing what to collect, why it matters, and how to turn it into detections and controls. Push combines deep instrumentation of the browser with the expertise to use what we collect: the same browser-layer telemetry that detects AiTM kits, ClickFix and ConsentFix lures, and session token replay also surfaces what users are pasting into AI tools, which",[],{},{"nodeType":252,"data":2139,"content":2140},{"uri":1161},[2141],{"nodeType":241,"value":2142,"marks":2143,"data":2144}," SaaS apps they're logging into outside the IdP",[],{},{"nodeType":241,"value":2146,"marks":2147,"data":2148},", which OAuth grants are being made, and which",[],{},{"nodeType":252,"data":2150,"content":2152},{"uri":2151},"https://pushsecurity.com/blog/browser-extension-management-guide/",[2153],{"nodeType":241,"value":2154,"marks":2155,"data":2156}," extensions are running in their browsers",[],{},{"nodeType":241,"value":2158,"marks":2159,"data":2160},". The threat detection and the identity, AI, and DLP use cases are not separate features — they are different applications of the same underlying telemetry, surfaced because Push knows what to look for.",[],{},{"nodeType":458,"data":2162,"content":2163},{},[2164],{"nodeType":257,"data":2165,"content":2166},{},[2167,2172],{"nodeType":241,"value":2168,"marks":2169,"data":2171},"Enforcing the right controls at the right place at the right moment.",[2170],{"type":306},{},{"nodeType":241,"value":2173,"marks":2174,"data":2175}," Visibility without actionability is only half a solution. Push turns the browser into a strong control point for stopping attacks and risky user behaviors in real time — reusing passwords, intercepting credential submission to non-IdP domains, blocking ClickFix clipboard payloads before paste-execute, prompting MFA enrollment at the point of login, warning on weak or breached passwords at credential entry, and surfacing app banners that communicate policy at the moment of use. The same control surface that stops attackers stops the user's mistakes that lead to the next breach.",[],{},{"nodeType":458,"data":2177,"content":2178},{},[2179],{"nodeType":257,"data":2180,"content":2181},{},[2182,2187],{"nodeType":241,"value":2183,"marks":2184,"data":2186},"Balancing security and privacy.",[2185],{"type":306},{},{"nodeType":241,"value":2188,"marks":2189,"data":2190}," Push is designed to give security teams the telemetry they need without monitoring personal browsing. By default, only logins to configured corporate domains are observed; personal browsing is not collected. (Though administrators have the option to observe personal account logins to work apps, and identify where browsers are being synced to personal accounts, which can result in password loss.) Plaintext passwords and form inputs are never transmitted — passwords are analyzed locally using salted partial hashes. Broader browser metadata is stored on the device and only transmitted when it matches a detection rule. Push does not train AI models on customer telemetry.",[],{},{"nodeType":298,"data":2192,"content":2193},{},[],{"nodeType":308,"data":2195,"content":2196},{},[2197],{"nodeType":241,"value":2198,"marks":2199,"data":2201},"Full-stack enterprise browsers and Push’s browser extension are not mutually exclusive",[2200],{"type":306},{},{"nodeType":257,"data":2203,"content":2204},{},[2205],{"nodeType":241,"value":2206,"marks":2207,"data":2208},"It’s worth pausing on a point that often gets lost in the way the market discusses this choice. Full-stack enterprise browsers and Push’s extension-based solution are not mutually exclusive. They do different things for different teams, and they run together. ",[],{},{"nodeType":257,"data":2210,"content":2211},{},[2212],{"nodeType":241,"value":2213,"marks":2214,"data":2215},"Push supports enterprise browsers like Island and Prisma Browser. Many of Push’s customers use a full-stack browser for the contractor population or regulated workload where the IT team needs workspace controls, and Push across the rest of the workforce to provide the deep security capabilities that the IT team is not measured on but the security team is. The right framing for many enterprises is not whether to choose full-stack or extension. It is full-stack for the IT use cases that need it, and Push everywhere else.",[],{},{"nodeType":298,"data":2217,"content":2218},{},[],{"nodeType":308,"data":2220,"content":2221},{},[2222],{"nodeType":241,"value":2223,"marks":2224,"data":2226},"Which one is right for your security team?",[2225],{"type":306},{},{"nodeType":257,"data":2228,"content":2229},{},[2230],{"nodeType":241,"value":2231,"marks":2232,"data":2233},"The answer follows from the need you are trying to meet. The scenarios below cover the most common real-world situations and the approach that fits each.",[],{},{"nodeType":257,"data":2235,"content":2236},{},[2237,2242],{"nodeType":241,"value":2238,"marks":2239,"data":2241},"Is your priority detecting and stopping attacks in the browser?",[2240],{"type":306},{},{"nodeType":241,"value":2243,"marks":2244,"data":2245}," Go with Push. Push detects and stops the threats actually breaching enterprises — AiTM phishing, ClickFix, OAuth abuse, malicious browser extensions. It also provides valuable additional insight during investigations to understand incidents better and decide how to respond to them. ",[],{},{"nodeType":257,"data":2247,"content":2248},{},[2249,2254],{"nodeType":241,"value":2250,"marks":2251,"data":2253},"Do you have a large contractor or third-party population needing locked-down workspace controls?",[2252],{"type":306},{},{"nodeType":241,"value":2255,"marks":2256,"data":2257}," Use a full-stack enterprise browser for that population and Push for everyone else. Watermarking, screenshot blocking and print restriction are OS-level controls that extensions cannot reliably replicate.",[],{},{"nodeType":257,"data":2259,"content":2260},{},[2261,2266],{"nodeType":241,"value":2262,"marks":2263,"data":2265},"Do you have a multi-browser estate including a mix of consumer and agentic browsers?",[2264],{"type":306},{},{"nodeType":241,"value":2267,"marks":2268,"data":2269}," Push will provide the coverage you need to secure users. The browser options are growing, and locking your workforce into a single corporate browser becomes harder every time a new productivity-shaping browser ships. Push regularly adds support for emerging browsers.",[],{},{"nodeType":257,"data":2271,"content":2272},{},[2273,2278],{"nodeType":241,"value":2274,"marks":2275,"data":2277},"Is significant BYOD or unmanaged-device coverage required.",[2276],{"type":306},{},{"nodeType":241,"value":2279,"marks":2280,"data":2281}," Push is a great option, particularly if you also have Chromebooks that fall outside of your EDR coverage. The extension can easily be installed via email or landing page self-enrollment, with options to enforce coverage through conditional access policies. This provides full threat detection and policy enforcement on devices the organization does not own.",[],{},{"nodeType":257,"data":2283,"content":2284},{},[2285],{"nodeType":241,"value":2286,"marks":2287,"data":2288},"In short, if you are solving for workspace control, the right tool is a full-stack enterprise browser. If you’re solving for protecting users as they work in their browsers, Push is the tool built specifically for that need — with the research depth, detection engineering, and operational scale to do the job.",[],{},{"nodeType":257,"data":2290,"content":2291},{},[2292,2295,2304],{"nodeType":241,"value":29,"marks":2293,"data":2294},[],{},{"nodeType":252,"data":2296,"content":2298},{"uri":2297},"https://pushsecurity.com/demo",[2299],{"nodeType":241,"value":2300,"marks":2301,"data":2303},"Book a live demo to learn more",[2302],{"type":250},{},{"nodeType":241,"value":598,"marks":2305,"data":2306},[],{},"Enterprise browser vs. browser extension: Which should your security team choose?","If you're building a shortlist of browser security vendors, do you need a full-stack enterprise browser, or browser security extension? ","enterprise-browser-vs-browser-extension-which-should-your-security-team-choose",{"items":2311},[2312,2316],{"sys":2313,"name":2315},{"id":2314},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"sys":2317,"name":2319},{"id":2318},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"items":2321},[2322],{"fullName":226,"firstName":227,"jobTitle":228,"profilePicture":2323},{"url":230},{"__typename":1614,"sys":2325,"publishedDate":2327,"content":2328,"title":2854,"synopsis":2855,"hashTags":62,"slug":2856,"tagsCollection":2857,"authorsCollection":2865},{"id":2326},"7sZs2lHCTN8oYc2OIGCIQG","2026-05-20T00:00:00.000Z",{"json":2329},{"nodeType":1463,"data":2330,"content":2331},{},[2332,2339,2342,2350,2366,2373,2380,2386,2394,2401,2408,2414,2431,2447,2455,2471,2478,2485,2488,2496,2512,2518,2536,2542,2550,2574,2581,2584,2592,2599,2605,2612,2630,2638,2654,2657,2665,2681,2688,2695,2714,2717,2725,2732,2739,2746,2752,2760,2776,2783,2800,2803,2811,2818,2825,2831,2837],{"nodeType":257,"data":2333,"content":2334},{},[2335],{"nodeType":241,"value":2336,"marks":2337,"data":2338},"The headline finding getting the most airtime in 2026 is that vulnerability exploitation has overtaken credential abuse as the top single initial access vector, jumping to 31% from 20% the year before. The vulnerability management crisis driving this statistic is one of the most important stories in this year's data. But reading it as evidence that identity threats are receding would be a mistake, because the DBIR's own data tells a more complicated and more useful story when you look at the full picture.",[],{},{"nodeType":298,"data":2340,"content":2341},{},[],{"nodeType":308,"data":2343,"content":2344},{},[2345],{"nodeType":241,"value":2346,"marks":2347,"data":2349},"Vulnerability exploitation has caught up with identity — not replaced it",[2348],{"type":306},{},{"nodeType":257,"data":2351,"content":2352},{},[2353,2357,2362],{"nodeType":241,"value":2354,"marks":2355,"data":2356},"The DBIR's headline comparison pits vulnerability exploitation (31%) against credential abuse (13%) as individual vectors. That comparison is accurate but incomplete, because the DBIR tracks identity-related initial access across ",[],{},{"nodeType":241,"value":2358,"marks":2359,"data":2361},"three",[2360],{"type":306},{},{"nodeType":241,"value":2363,"marks":2364,"data":2365}," separate categories: phishing (16%), credential abuse (13%), and pretexting (6%). Before interpreting those numbers, there's a methodological wrinkle worth understanding.",[],{},{"nodeType":257,"data":2367,"content":2368},{},[2369],{"nodeType":241,"value":2370,"marks":2371,"data":2372},"This year's report added pretexting as a newly tracked initial access vector, reclassifying some incidents previously counted as credential abuse. The DBIR is transparent about the effect: without that change, credential abuse would have been 16% rather than 13%. On an apples-to-apples basis, identity-related initial access (phishing 16% + credential abuse 16%) comes to 32% — versus 31% for vulnerability exploitation.",[],{},{"nodeType":257,"data":2374,"content":2375},{},[2376],{"nodeType":241,"value":2377,"marks":2378,"data":2379},"To be precise about what moved: phishing held roughly flat year over year, but credential abuse saw a modest decline even on the adjusted basis (from 22% to 16%). Overall, the identity picture is broadly stable. The reason the two categories have converged is that vulnerability exploitation surged 55%, not that identity attacks meaningfully receded.",[],{},{"nodeType":294,"data":2381,"content":2385},{"target":2382},{"sys":2383},{"id":2384,"type":291,"linkType":292},"5GvSsSY4R6X34ZBMidZ54X",[],{"nodeType":323,"data":2387,"content":2388},{},[2389],{"nodeType":241,"value":2390,"marks":2391,"data":2393},"The taxonomy gap",[2392],{"type":306},{},{"nodeType":257,"data":2395,"content":2396},{},[2397],{"nodeType":241,"value":2398,"marks":2399,"data":2400},"It's also worth asking how much the DBIR's initial access taxonomy can tell us. The figure that everyone is citing — Figure 10 — is labelled \"select enumerations,\" and the four tracked vectors (vulnerability exploitation, phishing, credential abuse, pretexting) add up to only 66% of initial access. A third of the picture isn't represented in the headline breakdown at all.",[],{},{"nodeType":257,"data":2402,"content":2403},{},[2404],{"nodeType":241,"value":2405,"marks":2406,"data":2407},"The cluster boundaries and where you draw them also changes the story. The DBIR classifies ClickFix under \"baiting\" — a category that covers malicious downloads and SEO poisoning — rather than phishing, even though the end goal is often the same: getting a user to execute something they shouldn't. Pretexting absorbed incidents that were previously credential abuse, shifting the numbers between categories. These are useful analytical clusters, but they aren't clean divisions of a neatly partitioned attack surface.",[],{},{"nodeType":294,"data":2409,"content":2413},{"target":2410},{"sys":2411},{"id":2412,"type":291,"linkType":292},"7t6ZcHDycaPOyLstX4r8zl",[],{"nodeType":257,"data":2415,"content":2416},{},[2417,2421,2428],{"nodeType":241,"value":2418,"marks":2419,"data":2420},"These are identity attacks at scale, and it isn't clear where — or whether — they show up in the DBIR's initial access vectors. This lack of depth in identity and in-browser attack vectors is common in many defensive models, which is why we've created our own",[],{},{"nodeType":252,"data":2422,"content":2423},{"uri":61},[2424],{"nodeType":241,"value":2425,"marks":2426,"data":2427}," Browser and Identity Attacks Matrix",[],{},{"nodeType":241,"value":598,"marks":2429,"data":2430},[],{},{"nodeType":257,"data":2432,"content":2433},{},[2434,2438,2443],{"nodeType":241,"value":2435,"marks":2436,"data":2437},"That convergence at initial access also understates the role credentials play across full breach chains. The DBIR states plainly that credential abuse at any point in the breach progression — not just as the first action — appears in ",[],{},{"nodeType":241,"value":2439,"marks":2440,"data":2442},"39% of all breaches",[2441],{"type":306},{},{"nodeType":241,"value":2444,"marks":2445,"data":2446},", making it the single most pervasive technique in the dataset. Credentials don't just open the front door; they unlock lateral movement, privilege escalation, and persistence throughout the attack chain.",[],{},{"nodeType":323,"data":2448,"content":2449},{},[2450],{"nodeType":241,"value":2451,"marks":2452,"data":2454},"The vulnerability treadmill",[2453],{"type":306},{},{"nodeType":257,"data":2456,"content":2457},{},[2458,2462,2467],{"nodeType":241,"value":2459,"marks":2460,"data":2461},"The vulnerability exploitation surge itself is driven by a structural capacity crisis rather than a shift in attacker preference. Edge devices and VPNs now account for 22% of vulnerability-exploitation breaches, up from 3% the prior year — a ",[],{},{"nodeType":241,"value":2463,"marks":2464,"data":2466},"sevenfold",[2465],{"type":1712},{},{"nodeType":241,"value":2468,"marks":2469,"data":2470}," increase. Organizations face 50% more CISA KEV vulnerabilities to remediate than a year ago, median remediation time has increased from 32 to 43 days, and the volume of vulnerability records in the dataset has grown roughly eightfold.",[],{},{"nodeType":257,"data":2472,"content":2473},{},[2474],{"nodeType":241,"value":2475,"marks":2476,"data":2477},"This trend was already visible in last year's DBIR, when vulnerability exploitation jumped from 15% to 20%. AI-assisted exploit development may be compounding the problem — the DBIR's own data shows 32% of AI-assisted initial access targeting vulnerability exploitation — but the structural capacity crisis was accelerating well before AI became a meaningful factor in the attacker toolkit.",[],{},{"nodeType":257,"data":2479,"content":2480},{},[2481],{"nodeType":241,"value":2482,"marks":2483,"data":2484},"The vulnerability treadmill is accelerating, and the DBIR's remediation data shows defenders losing ground. But this is an additive problem, not a substitution. Both attack surfaces are growing. ",[],{},{"nodeType":298,"data":2486,"content":2487},{},[],{"nodeType":308,"data":2489,"content":2490},{},[2491],{"nodeType":241,"value":2492,"marks":2493,"data":2495},"Phishing has left the inbox",[2494],{"type":306},{},{"nodeType":257,"data":2497,"content":2498},{},[2499,2503,2508],{"nodeType":241,"value":2500,"marks":2501,"data":2502},"41% percent of social engineering breaches now involve vectors other than email, with approximately a quarter coming from social media or phone-based channels. Voice phishing simulations show a ",[],{},{"nodeType":241,"value":2504,"marks":2505,"data":2507},"40% higher success rate",[2506],{"type":306},{},{"nodeType":241,"value":2509,"marks":2510,"data":2511}," than email phishing — a median click rate of 2% versus 1.4%.",[],{},{"nodeType":294,"data":2513,"content":2517},{"target":2514},{"sys":2515},{"id":2516,"type":291,"linkType":292},"7pK8qqIDDNmHmJmlcybNoe",[],{"nodeType":257,"data":2519,"content":2520},{},[2521,2525,2532],{"nodeType":241,"value":2522,"marks":2523,"data":2524},"Even within the email channel, the data confirms what",[],{},{"nodeType":252,"data":2526,"content":2527},{"uri":1013},[2528],{"nodeType":241,"value":2529,"marks":2530,"data":2531}," browser-level detection data has been showing",[],{},{"nodeType":241,"value":2533,"marks":2534,"data":2535},": credential harvesting dominates. The DBIR's email security gateway breakdown shows 80% of blocked attacks are credential or session phishing, with only 10% involving malware delivery, 5% callback phishing, and 3% BEC. If you're running an email security gateway, the vast majority of what it catches is credential phishing — and 41% of social engineering is arriving through channels it can't see at all.",[],{},{"nodeType":294,"data":2537,"content":2541},{"target":2538},{"sys":2539},{"id":2540,"type":291,"linkType":292},"6CvwzQA3gJ8B3RFzLrH7Kp",[],{"nodeType":323,"data":2543,"content":2544},{},[2545],{"nodeType":241,"value":2546,"marks":2547,"data":2549},"The ClickFix detection gap",[2548],{"type":306},{},{"nodeType":257,"data":2551,"content":2552},{},[2553,2557,2565,2569],{"nodeType":241,"value":2554,"marks":2555,"data":2556},"The DBIR reports ClickFix at only 2.7% of attacks detected at the browser level. For context,",[],{},{"nodeType":252,"data":2558,"content":2560},{"uri":2559},"https://pushsecurity.com/blog/introducing-malicious-copy-paste-detection/",[2561],{"nodeType":241,"value":2562,"marks":2563,"data":2564}," CrowdStrike reported a 563% increase in ClickFix lures",[],{},{"nodeType":241,"value":2566,"marks":2567,"data":2568}," over the same period and Microsoft identified it as the most common initial access point at 47% of observed attacks. Push's own data shows ClickFix at a significantly higher proportion of browser-level detections, ",[],{},{"nodeType":241,"value":2570,"marks":2571,"data":2573},"with 4 in 5 delivered via search engines specifically.",[2572],{"type":306},{},{"nodeType":257,"data":2575,"content":2576},{},[2577],{"nodeType":241,"value":2578,"marks":2579,"data":2580},"The gap is striking, and the most likely explanation is a visibility one. ClickFix attacks result in a malware download or script execution on the endpoint — and without browser-layer context, that execution looks like any other malware delivery. If a contributing organization doesn't have visibility into the browser session that preceded the payload, they'd attribute the incident to \"malware download\" or \"user execution\" rather than ClickFix specifically. The DBIR's 2.7% probably reflects how often contributors could trace the chain back to a ClickFix page, not how often ClickFix was actually the delivery mechanism.",[],{},{"nodeType":298,"data":2582,"content":2583},{},[],{"nodeType":308,"data":2585,"content":2586},{},[2587],{"nodeType":241,"value":2588,"marks":2589,"data":2591},"Stolen credentials are the ransomware on-ramp",[2590],{"type":306},{},{"nodeType":257,"data":2593,"content":2594},{},[2595],{"nodeType":241,"value":2596,"marks":2597,"data":2598},"One of the most powerful findings in this year's DBIR is the quantification of the relationship between credential compromise and ransomware outcomes. Fifty percent of ransomware victims had a credential or infostealer event occur within 95 days prior to the ransomware attack, drawing a causal line from credential theft to ransomware deployment.",[],{},{"nodeType":294,"data":2600,"content":2604},{"target":2601},{"sys":2602},{"id":2603,"type":291,"linkType":292},"3ZwG5UiweFR4fYiDaxJJDm",[],{"nodeType":257,"data":2606,"content":2607},{},[2608],{"nodeType":241,"value":2609,"marks":2610,"data":2611},"The infostealer supply chain data reinforces the picture. Infostealers are surfacing an average of 2,362 breached corporate credentials per month from organizational email domains in stealer log datasets, and 54% of devices in Initial Access Broker logs had at least one infostealer installed. The 95-day median window is consistent with the known timeline from credential harvest to ransomware deployment.",[],{},{"nodeType":257,"data":2613,"content":2614},{},[2615,2619,2626],{"nodeType":241,"value":2616,"marks":2617,"data":2618},"That timeline reinforces an argument we've been making about",[],{},{"nodeType":252,"data":2620,"content":2621},{"uri":589},[2622],{"nodeType":241,"value":2623,"marks":2624,"data":2625}," where the intervention point needs to be",[],{},{"nodeType":241,"value":2627,"marks":2628,"data":2629},": detecting credential compromise upstream — at the point of credential entry, session creation, or stolen credential reuse — rather than waiting for the ransomware deployment that follows weeks or months later.",[],{},{"nodeType":323,"data":2631,"content":2632},{},[2633],{"nodeType":241,"value":2634,"marks":2635,"data":2637},"Post-compromise tradecraft is shifting",[2636],{"type":306},{},{"nodeType":257,"data":2639,"content":2640},{},[2641,2645,2650],{"nodeType":241,"value":2642,"marks":2643,"data":2644},"The DBIR's post-compromise data adds another dimension. RMM tool abuse by threat actors showed a ",[],{},{"nodeType":241,"value":2646,"marks":2647,"data":2649},"240% increase",[2648],{"type":306},{},{"nodeType":241,"value":2651,"marks":2652,"data":2653}," over the prior year, while traditional backdoor and C2 malware usage fell 27%. Attackers are increasingly living off the land with the same remote access tools IT teams use. Post-compromise detection is getting harder, which makes catching the initial credential compromise upstream that much more valuable.",[],{},{"nodeType":298,"data":2655,"content":2656},{},[],{"nodeType":308,"data":2658,"content":2659},{},[2660],{"nodeType":241,"value":2661,"marks":2662,"data":2664},"Your vendors are half the problem",[2663],{"type":306},{},{"nodeType":257,"data":2666,"content":2667},{},[2668,2672,2677],{"nodeType":241,"value":2669,"marks":2670,"data":2671},"Third-party involvement in breaches reached ",[],{},{"nodeType":241,"value":2673,"marks":2674,"data":2676},"48%",[2675],{"type":306},{},{"nodeType":241,"value":2678,"marks":2679,"data":2680}," this year, up from 30% — a 60% increase that follows a prior year where the figure had already doubled.",[],{},{"nodeType":257,"data":2682,"content":2683},{},[2684],{"nodeType":241,"value":2685,"marks":2686,"data":2687},"The DBIR's root cause analysis maps directly to identity security: insecure authentication — absent MFA, improper credential rotation — and lack of least privilege enforcement account for a substantial share of cloud-based third-party incidents. Only 23% of third-party organizations fully remediated missing or improperly secured MFA on cloud accounts, and weak password and permission misconfigurations took a median of 8 months to resolve 50% of findings.",[],{},{"nodeType":257,"data":2689,"content":2690},{},[2691],{"nodeType":241,"value":2692,"marks":2693,"data":2694},"Eight months. That's the median timeline for third-party vendors to resolve the identity hygiene issues that create the attack surface in their environments — environments that your data lives in.",[],{},{"nodeType":257,"data":2696,"content":2697},{},[2698,2702,2710],{"nodeType":241,"value":2699,"marks":2700,"data":2701},"Extend that posture gap across every vendor and third-party integration, and you start to see why the third-party breach figure keeps climbing. Visibility into",[],{},{"nodeType":252,"data":2703,"content":2705},{"uri":2704},"https://pushsecurity.com/blog/unpacking-the-vercel-breach/",[2706],{"nodeType":241,"value":2707,"marks":2708,"data":2709}," OAuth consent flows and third-party integration sprawl",[],{},{"nodeType":241,"value":2711,"marks":2712,"data":2713}," is the starting point for getting ahead of a supply chain problem that is structurally getting worse.",[],{},{"nodeType":298,"data":2715,"content":2716},{},[],{"nodeType":308,"data":2718,"content":2719},{},[2720],{"nodeType":241,"value":2721,"marks":2722,"data":2724},"AI is scaling known techniques — and creating new blind spots from the inside",[2723],{"type":306},{},{"nodeType":257,"data":2726,"content":2727},{},[2728],{"nodeType":241,"value":2729,"marks":2730,"data":2731},"The DBIR's AI analysis this year is grounded in a collaboration with Anthropic covering 793 threat actors who received enforcement action for violating acceptable use policy between March 2025 and February 2026. The findings are measured rather than alarmist: in the median case, actors sought AI assistance across about 15 distinct ATT&CK techniques, 44% of AI-assisted initial access was phishing-related, and less than 2.5% of techniques observed were classified as rare.",[],{},{"nodeType":257,"data":2733,"content":2734},{},[2735],{"nodeType":241,"value":2736,"marks":2737,"data":2738},"AI is currently an operational tool for attackers — automating and scaling known techniques rather than unlocking novel ones. Despite heavy AI-assisted focus on phishing, the DBIR's own incident dataset shows phishing as an initial access vector has barely changed year over year — suggesting AI may be uplifting less-experienced attackers to a higher baseline of lure quality without meaningfully increasing success rates against organizations that already have detection in place.",[],{},{"nodeType":257,"data":2740,"content":2741},{},[2742],{"nodeType":241,"value":2743,"marks":2744,"data":2745},"The more concerning number is the 32% of AI-assisted initial access targeting vulnerability exploitation — compounding the patching capacity crisis discussed earlier in a trend that was already accelerating before AI entered the picture.",[],{},{"nodeType":294,"data":2747,"content":2751},{"target":2748},{"sys":2749},{"id":2750,"type":291,"linkType":292},"4bFTnVx1SXMQzZSaICCJOn",[],{"nodeType":323,"data":2753,"content":2754},{},[2755],{"nodeType":241,"value":2756,"marks":2757,"data":2759},"Shadow AI is the bigger problem",[2758],{"type":306},{},{"nodeType":257,"data":2761,"content":2762},{},[2763,2767,2772],{"nodeType":241,"value":2764,"marks":2765,"data":2766},"The sharper AI risk for most organizations, though, is internal. Forty-five percent of employees are now regular AI users on corporate devices — up from 15%, a threefold increase — and ",[],{},{"nodeType":241,"value":2768,"marks":2769,"data":2771},"67% of them use non-corporate accounts",[2770],{"type":306},{},{"nodeType":241,"value":2773,"marks":2774,"data":2775},". Shadow AI has become the third most common non-malicious insider action in DLP data, a fourfold increase over the prior year, with source code as the leading data type submitted to unauthorized AI platforms by a wide margin.",[],{},{"nodeType":257,"data":2777,"content":2778},{},[2779],{"nodeType":241,"value":2780,"marks":2781,"data":2782},"The browser extension angle is particularly relevant. More than 15% of users had unauthorized AI browser extensions installed, and the DBIR specifically notes that these extensions collect and retain browsing context from internal sites — creating a data exfiltration pathway that operates independently of traditional DLP controls.",[],{},{"nodeType":257,"data":2784,"content":2785},{},[2786,2790,2797],{"nodeType":241,"value":2787,"marks":2788,"data":2789},"This is moving faster than any previous shadow IT wave, and the data loss vector is the browser — where users interact with AI tools, where extensions collect context, and where OAuth consent grants connect AI services to corporate data. Visibility and control at that layer isn't a nice-to-have for AI governance;",[],{},{"nodeType":252,"data":2791,"content":2792},{"uri":2151},[2793],{"nodeType":241,"value":2794,"marks":2795,"data":2796}," it's the minimum viable starting point",[],{},{"nodeType":241,"value":598,"marks":2798,"data":2799},[],{},{"nodeType":298,"data":2801,"content":2802},{},[],{"nodeType":308,"data":2804,"content":2805},{},[2806],{"nodeType":241,"value":2807,"marks":2808,"data":2810},"What this means for defenders",[2809],{"type":306},{},{"nodeType":257,"data":2812,"content":2813},{},[2814],{"nodeType":241,"value":2815,"marks":2816,"data":2817},"The DBIR's 2026 data paints a picture of converging pressures rather than shifting priorities. Vulnerability exploitation surged, but identity-related initial access is broadly stable and credential abuse at 39% across full breach chains remains the single most pervasive technique in the dataset. Phishing is arriving through channels that email gateways can't see. The infostealer-to-ransomware pipeline now has longitudinal data behind it. Third-party involvement keeps climbing because vendor identity hygiene takes months to remediate. And shadow AI is creating data exposure pathways that most security stacks weren't designed to see.",[],{},{"nodeType":257,"data":2819,"content":2820},{},[2821],{"nodeType":241,"value":2822,"marks":2823,"data":2824},"The common thread across all of these findings is that the browser — where credentials are entered, sessions are created, OAuth consent is granted, AI tools are accessed, and extensions collect data — is the layer where these risks converge and where defenders need visibility and control if they're going to address them at the point of risk rather than after the fact.",[],{},{"nodeType":257,"data":2826,"content":2827},{},[2828],{"nodeType":241,"value":1436,"marks":2829,"data":2830},[],{},{"nodeType":257,"data":2832,"content":2833},{},[2834],{"nodeType":241,"value":1443,"marks":2835,"data":2836},[],{},{"nodeType":257,"data":2838,"content":2839},{},[2840,2843,2851],{"nodeType":241,"value":29,"marks":2841,"data":2842},[],{},{"nodeType":252,"data":2844,"content":2845},{"uri":2297},[2846],{"nodeType":241,"value":2847,"marks":2848,"data":2850},"Book a live demo to learn more.",[2849],{"type":250},{},{"nodeType":241,"value":29,"marks":2852,"data":2853},[],{},"What the Verizon DBIR tells us about how breaches happen in 2026","What we can learn from 2026's installment of the Verizon Data Breach Investigations Report.","verizon-dbir-2026-review",{"items":2858},[2859,2861],{"sys":2860,"name":2315},{"id":2314},{"sys":2862,"name":2864},{"id":2863},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":2866},[2867],{"fullName":2868,"firstName":2869,"jobTitle":2870,"profilePicture":2871},"Mark Orlando","Mark","Field CTO",{"url":2872},"https://images.ctfassets.net/y1cdw1ablpvd/592PMwIQQFaa24k5SKBEKF/a33090d0ad95d1e3081f5d16a46ba826/image__68_.png",{"__typename":1614,"sys":2874,"publishedDate":2876,"content":2877,"title":4116,"synopsis":4117,"hashTags":62,"slug":4118,"tagsCollection":4119,"authorsCollection":4125},{"id":2875},"6MoHWfQlVildcFYKSbfMcE","2026-05-14T00:00:00.000Z",{"json":2878},{"nodeType":1463,"data":2879,"content":2880},{},[2881,2897,2903,2910,2917,2923,2926,2934,2942,2961,3010,3016,3031,3034,3042,3049,3077,3118,3125,3128,3136,3144,3151,3157,3164,3167,3175,3182,3224,3261,3268,3271,3279,3286,3311,3318,3362,3369,3372,3380,3388,3434,3441,3447,3450,3458,3466,3498,3505,3511,3518,3521,3529,3537,3566,3573,3580,3587,3590,3598,3606,3613,3619,3626,3649,3678,3681,3689,3697,3704,3711,3714,3722,3785,3788,3796,3803,4097,4100],{"nodeType":257,"data":2882,"content":2883},{},[2884,2888,2893],{"nodeType":241,"value":2885,"marks":2886,"data":2887},"Browser security solutions are one of the most significant additions to the enterprise security stack in recent years — and the data shows it. The browser is where ",[],{},{"nodeType":241,"value":2889,"marks":2890,"data":2892},"85% of work now happens",[2891],{"type":306},{},{"nodeType":241,"value":2894,"marks":2895,"data":2896},", where AI tools are accessed, and where attackers increasingly choose to strike.",[],{},{"nodeType":294,"data":2898,"content":2902},{"target":2899},{"sys":2900},{"id":2901,"type":291,"linkType":292},"5P6PyFbn4EakRNlIWtNzyL",[],{"nodeType":257,"data":2904,"content":2905},{},[2906],{"nodeType":241,"value":2907,"marks":2908,"data":2909},"But browser security is a nascent category. Getting a clear picture of which solution is right for your team, and how to get the most out of it, isn't straightforward. Current solutions on the market serve a wide range of IT and security use cases, with varying degrees of depth and differentiation across them. Not all use cases are equal in terms of their security value, and not all of them are best addressed in the browser.",[],{},{"nodeType":257,"data":2911,"content":2912},{},[2913],{"nodeType":241,"value":2914,"marks":2915,"data":2916},"This article ranks the security problems that browser security solutions can address by the value they deliver: a combination of the risk reduction on offer, and the degree to which the browser is genuinely the best (or only) layer to solve the problem. ",[],{},{"nodeType":294,"data":2918,"content":2922},{"target":2919},{"sys":2920},{"id":2921,"type":291,"linkType":292},"6SJPvEHizSYk29lEvVVNj",[],{"nodeType":298,"data":2924,"content":2925},{},[],{"nodeType":308,"data":2927,"content":2928},{},[2929],{"nodeType":241,"value":2930,"marks":2931,"data":2933},"#1 — Account takeover prevention: detecting credential attacks across all vectors",[2932],{"type":306},{},{"nodeType":257,"data":2935,"content":2936},{},[2937],{"nodeType":241,"value":2938,"marks":2939,"data":2941},"Security value: Very high | Browser fit: Uniquely suited",[2940],{"type":306},{},{"nodeType":257,"data":2943,"content":2944},{},[2945,2949,2957],{"nodeType":241,"value":2946,"marks":2947,"data":2948},"Account takeover (ATO) is the dominant entry point for enterprise breaches:",[],{},{"nodeType":252,"data":2950,"content":2952},{"uri":2951},"https://www.crowdstrike.com/en-gb/resources/infographics/identity-security-risk-review/",[2953],{"nodeType":241,"value":2954,"marks":2955,"data":2956}," 80% of all modern breaches involve compromised or stolen identities",[],{},{"nodeType":241,"value":2958,"marks":2959,"data":2960},". The attack surface is far wider than most identity tooling can see: credential stuffing, password spraying, ghost logins (password-based fallback authentication that persists after SSO is configured), weak or reused credentials on shadow SaaS apps, and accounts where MFA was never enforced.",[],{},{"nodeType":257,"data":2962,"content":2963},{},[2964,2968,2976,2980,2985,2989,2994,2998,3006],{"nodeType":241,"value":2965,"marks":2966,"data":2967},"According to",[],{},{"nodeType":252,"data":2969,"content":2971},{"uri":2970},"https://cf-assets.www.cloudflare.com/slt3lc6tev37/sWDBUMNVtEJB9ZFLt1dUU/8d69e92de2edfb3bf59e7d21d57e7e1a/Cloudflare-2026-threat-report.pdf",[2972],{"nodeType":241,"value":2973,"marks":2974,"data":2975}," Cloudflare's 2026 Threat Report",[],{},{"nodeType":241,"value":2977,"marks":2978,"data":2979},", ",[],{},{"nodeType":241,"value":2981,"marks":2982,"data":2984},"63% of all human logins involve credentials already compromised elsewhere",[2983],{"type":306},{},{"nodeType":241,"value":2986,"marks":2987,"data":2988},", and ",[],{},{"nodeType":241,"value":2990,"marks":2991,"data":2993},"94% of all login attempts originate from bots",[2992],{"type":306},{},{"nodeType":241,"value":2995,"marks":2996,"data":2997},". The",[],{},{"nodeType":252,"data":2999,"content":3001},{"uri":3000},"https://pushsecurity.com/blog/snowflake-retro/",[3002],{"nodeType":241,"value":3003,"marks":3004,"data":3005}," Snowflake breach",[],{},{"nodeType":241,"value":3007,"marks":3008,"data":3009}," — 165+ organizations compromised, 1 billion+ records stolen — was powered almost entirely by ghost logins: accounts missing MFA that were susceptible to credential stuffing. It's particularly telling that 80% of the accounts impacted had prior breach exposure.",[],{},{"nodeType":294,"data":3011,"content":3015},{"target":3012},{"sys":3013},{"id":3014,"type":291,"linkType":292},"HbZ66kp5DiAZtwNGFJK7d",[],{"nodeType":257,"data":3017,"content":3018},{},[3019,3023,3028],{"nodeType":241,"value":3020,"marks":3021,"data":3022},"For organizations with contractors and BYOD users, the browser extension is also the only enterprise control deployable on devices that can't be MDM-enrolled — extending ATO detection to exactly the place where, per Verizon DBIR 2025, ",[],{},{"nodeType":241,"value":3024,"marks":3025,"data":3027},"46% of infostealer infections originate",[3026],{"type":306},{},{"nodeType":241,"value":598,"marks":3029,"data":3030},[],{},{"nodeType":298,"data":3032,"content":3033},{},[],{"nodeType":308,"data":3035,"content":3036},{},[3037],{"nodeType":241,"value":3038,"marks":3039,"data":3041},"#2 — Detecting and stopping advanced phishing: AiTM, multi-channel delivery, and zero-day lures",[3040],{"type":306},{},{"nodeType":257,"data":3043,"content":3044},{},[3045],{"nodeType":241,"value":2938,"marks":3046,"data":3048},[3047],{"type":306},{},{"nodeType":257,"data":3050,"content":3051},{},[3052,3056,3064,3068,3073],{"nodeType":241,"value":3053,"marks":3054,"data":3055},"Adversary-in-the-Middle (AiTM) phishing — where an attacker's reverse proxy intercepts credentials and session tokens in real time — has become the standard technique for bypassing MFA at scale.",[],{},{"nodeType":252,"data":3057,"content":3059},{"uri":3058},"https://www.esentire.com/resources/library/2026-threat-report",[3060],{"nodeType":241,"value":3061,"marks":3062,"data":3063}," eSentire's 2026 Threat Report",[],{},{"nodeType":241,"value":3065,"marks":3066,"data":3067}," attributes ",[],{},{"nodeType":241,"value":3069,"marks":3070,"data":3072},"63% of account compromise incidents to PhaaS kits",[3071],{"type":306},{},{"nodeType":241,"value":3074,"marks":3075,"data":3076},", with account compromise surging 389% year-over-year.",[],{},{"nodeType":257,"data":3078,"content":3079},{},[3080,3084,3092,3096,3101,3105,3114],{"nodeType":241,"value":3081,"marks":3082,"data":3083},"Traditional phishing controls are also no longer in the right place to intercept these attacks. The delivery channel has shifted decisively away from email:",[],{},{"nodeType":252,"data":3085,"content":3087},{"uri":3086},"https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026",[3088],{"nodeType":241,"value":3089,"marks":3090,"data":3091}," Mandiant M-Trends 2026",[],{},{"nodeType":241,"value":3093,"marks":3094,"data":3095}," found email phishing dropped from 14% to 6% as an infection vector, and Push data shows ",[],{},{"nodeType":241,"value":3097,"marks":3098,"data":3100},"roughly 1 in 3 phishing payloads intercepted were delivered outside email entirely",[3099],{"type":306},{},{"nodeType":241,"value":3102,"marks":3103,"data":3104}," — via search engine malvertising, social platforms, and compromised websites. Meanwhile, ",[],{},{"nodeType":252,"data":3106,"content":3108},{"uri":3107},"https://www.spamhaus.com/resource-center/supporting-researchers-with-passive-dns/",[3109],{"nodeType":241,"value":3110,"marks":3111,"data":3113},"89% of phishing domains are active for less than two days",[3112],{"type":306},{},{"nodeType":241,"value":3115,"marks":3116,"data":3117},", making blocklist-based detection structurally too slow — attackers can spin up, tear down, and move on before blocklists can catch up.",[],{},{"nodeType":257,"data":3119,"content":3120},{},[3121],{"nodeType":241,"value":3122,"marks":3123,"data":3124},"Modern phishing plays out entirely inside the browser session. The only detection layer that can see the phishing page structure, the credential entry, and the anomalous token context is the browser itself. Browser-native detection analyses page behavior rather than matching known-bad domains, which means it fires on zero-day kits regardless of how recently the infrastructure was stood up. Controls like credential entry guardrails add an additional layer — blocking corporate passwords from being submitted to unauthorized domains independently of content and behavior-based detections.",[],{},{"nodeType":298,"data":3126,"content":3127},{},[],{"nodeType":308,"data":3129,"content":3130},{},[3131],{"nodeType":241,"value":3132,"marks":3133,"data":3135},"#3 — Identity posture hardening: enforcing security across the apps your IdP doesn't manage",[3134],{"type":306},{},{"nodeType":257,"data":3137,"content":3138},{},[3139],{"nodeType":241,"value":3140,"marks":3141,"data":3143},"Security value: High | Browser fit: Uniquely suited",[3142],{"type":306},{},{"nodeType":257,"data":3145,"content":3146},{},[3147],{"nodeType":241,"value":3148,"marks":3149,"data":3150},"The first challenge is knowing what you're protecting. Every identity an employee creates — every app they sign up to, every password they set, every login that bypasses SSO — is an authentication event that happens inside a browser session. The browser is the only layer that observes all of these events regardless of whether the app is sanctioned, managed, or even known to IT. Solutions that rely on API-level integrations with known apps, network traffic inspection, or email sign-up notifications can only ever build a partial picture, because they can only see apps they already know about. The browser sees the login itself, which means it discovers the identity at the moment it's created or used — authentication method, password strength, MFA status, and all.",[],{},{"nodeType":294,"data":3152,"content":3156},{"target":3153},{"sys":3154},{"id":3155,"type":291,"linkType":292},"HETvBCPsKGkqLVtaasXH0",[],{"nodeType":257,"data":3158,"content":3159},{},[3160],{"nodeType":241,"value":3161,"marks":3162,"data":3163},"But discovery without enforcement is just an inventory problem. Being in the browser means that you're in a great position to act on what it finds at the moment of authentication. Browser-native guardrails that prompt MFA enrollment, guide users toward stronger credentials, and redirect to SSO login paths close the gap at scale, on every app, including those the IdP has never seen. They also produce the continuous, auditable evidence of MFA coverage and credential hygiene across the full application estate that regulators, insurers, and auditors increasingly require — evidence that no IdP-centric tool can provide for apps outside its scope.",[],{},{"nodeType":298,"data":3165,"content":3166},{},[],{"nodeType":308,"data":3168,"content":3169},{},[3170],{"nodeType":241,"value":3171,"marks":3172,"data":3174},"#4 — Browser extension security",[3173],{"type":306},{},{"nodeType":257,"data":3176,"content":3177},{},[3178],{"nodeType":241,"value":3140,"marks":3179,"data":3181},[3180],{"type":306},{},{"nodeType":257,"data":3183,"content":3184},{},[3185,3189,3198,3201,3209,3212,3220],{"nodeType":241,"value":3186,"marks":3187,"data":3188},"Browser extensions have become one of the most talked-about attack surfaces in security over the past 18 months, and understandably so — a string of high-profile supply chain compromises have collectively impacted tens of millions of users since late 2024 (",[],{},{"nodeType":252,"data":3190,"content":3192},{"uri":3191},"https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it",[3193],{"nodeType":241,"value":3194,"marks":3195,"data":3197},"Cyberhaven",[3196],{"type":250},{},{"nodeType":241,"value":1158,"marks":3199,"data":3200},[],{},{"nodeType":252,"data":3202,"content":3204},{"uri":3203},"https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html",[3205],{"nodeType":241,"value":3206,"marks":3207,"data":3208}," DarkSpectre",[],{},{"nodeType":241,"value":1158,"marks":3210,"data":3211},[],{},{"nodeType":252,"data":3213,"content":3215},{"uri":3214},"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html",[3216],{"nodeType":241,"value":3217,"marks":3218,"data":3219}," Trust Wallet",[],{},{"nodeType":241,"value":3221,"marks":3222,"data":3223},", among many others).",[],{},{"nodeType":257,"data":3225,"content":3226},{},[3227,3230,3239,3243,3248,3252,3257],{"nodeType":241,"value":29,"marks":3228,"data":3229},[],{},{"nodeType":252,"data":3231,"content":3233},{"uri":3232},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[3234],{"nodeType":241,"value":3235,"marks":3236,"data":3238},"Analysis of 20,000+ extensions across Push customers",[3237],{"type":250},{},{"nodeType":241,"value":3240,"marks":3241,"data":3242}," found ",[],{},{"nodeType":241,"value":3244,"marks":3245,"data":3247},"46.76% have the permission combinations needed to perform account takeover with no user interaction",[3246],{"type":306},{},{"nodeType":241,"value":3249,"marks":3250,"data":3251},", making permissions-based risk scoring effectively useless as a triage tool. The real threat model is not malicious extensions at install time — it's legitimate extensions that ",[],{},{"nodeType":241,"value":3253,"marks":3254,"data":3256},"become",[3255],{"type":1712},{},{"nodeType":241,"value":3258,"marks":3259,"data":3260}," malicious after an ownership transfer, developer account compromise, or silent update push. Every major extension supply chain breach of the past 18 months scored as low-risk immediately before compromise.",[],{},{"nodeType":257,"data":3262,"content":3263},{},[3264],{"nodeType":241,"value":3265,"marks":3266,"data":3267},"SWGs and network tools are structurally blind to this attack surface: a malicious extension exfiltrating session tokens generates no anomalous network signal — its traffic is indistinguishable from normal browsing. Endpoint agents have no visibility into extension behavior at the session level. Extension inventory, supply chain change monitoring — ownership transfers, permission escalations, developer contact changes — and enforcement all require browser-layer access by definition.",[],{},{"nodeType":298,"data":3269,"content":3270},{},[],{"nodeType":308,"data":3272,"content":3273},{},[3274],{"nodeType":241,"value":3275,"marks":3276,"data":3278},"#5 — Shadow SaaS discovery and OAuth integration governance",[3277],{"type":306},{},{"nodeType":257,"data":3280,"content":3281},{},[3282],{"nodeType":241,"value":3140,"marks":3283,"data":3285},[3284],{"type":306},{},{"nodeType":257,"data":3287,"content":3288},{},[3289,3293,3298,3302,3307],{"nodeType":241,"value":3290,"marks":3291,"data":3292},"Shadow SaaS discovery shares DNA with identity posture hardening (#3) — both start with the same browser-native visibility into login events that no other layer can replicate. Where identity posture focuses on hardening ",[],{},{"nodeType":241,"value":3294,"marks":3295,"data":3297},"how",[3296],{"type":1712},{},{"nodeType":241,"value":3299,"marks":3300,"data":3301}," employees authenticate, shadow SaaS discovery focuses on ",[],{},{"nodeType":241,"value":3303,"marks":3304,"data":3306},"what",[3305],{"type":1712},{},{"nodeType":241,"value":3308,"marks":3309,"data":3310}," they authenticate to: surfacing the full estate of applications in use across the organization, including those that IT has never sanctioned or even heard of.",[],{},{"nodeType":257,"data":3312,"content":3313},{},[3314],{"nodeType":241,"value":3315,"marks":3316,"data":3317},"OAuth integration governance is the component of shadow SaaS that is both the most potentially damaging and the hardest to surface through other means. The SaaS-to-SaaS OAuth pivot is now an industrialized attack pattern.",[],{},{"nodeType":503,"data":3319,"content":3320},{},[3321,3342],{"nodeType":458,"data":3322,"content":3323},{},[3324],{"nodeType":257,"data":3325,"content":3326},{},[3327,3330,3338],{"nodeType":241,"value":1967,"marks":3328,"data":3329},[],{},{"nodeType":252,"data":3331,"content":3333},{"uri":3332},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[3334],{"nodeType":241,"value":3335,"marks":3336,"data":3337}," ShinyHunters",[],{},{"nodeType":241,"value":3339,"marks":3340,"data":3341}," Salesforce campaign — which compromised 1,000+ organizations and 1.5 billion records — demonstrated the full chain: the attacker didn't stop at stealing customer data but harvested OAuth tokens, AWS access keys, and Snowflake tokens from breached tenants and pivoted through connected services like Salesloft, Drift, and Gainsight to reach hundreds more organizations.",[],{},{"nodeType":458,"data":3343,"content":3344},{},[3345],{"nodeType":257,"data":3346,"content":3347},{},[3348,3351,3358],{"nodeType":241,"value":1967,"marks":3349,"data":3350},[],{},{"nodeType":252,"data":3352,"content":3353},{"uri":2704},[3354],{"nodeType":241,"value":3355,"marks":3356,"data":3357}," Context.ai → Vercel",[],{},{"nodeType":241,"value":3359,"marks":3360,"data":3361}," chain followed the same logic — stored OAuth tokens from a forgotten AI app trial provided the bridge into Google Workspace, internal dashboards, and API keys. These are not isolated incidents; they are the repeatable playbook for extracting maximum value from a single compromise through the trust relationships that OAuth connections encode.",[],{},{"nodeType":257,"data":3363,"content":3364},{},[3365],{"nodeType":241,"value":3366,"marks":3367,"data":3368},"Every OAuth consent grant transits the browser — the authorization prompt, the scope disclosure, the user's approval click, and the redirect that completes the grant all happen inside a browser session — which makes the browser the only layer where an unwanted grant can be intercepted before the token is issued and the persistent access path is created. Once a token exists, the damage is done: it survives password resets, MFA changes, and session revocations, and revoking it after the fact requires first knowing it was granted, which most organizations do not.",[],{},{"nodeType":298,"data":3370,"content":3371},{},[],{"nodeType":308,"data":3373,"content":3374},{},[3375],{"nodeType":241,"value":3376,"marks":3377,"data":3379},"#6 — Blocking ClickFix and social engineering-based malware delivery",[3378],{"type":306},{},{"nodeType":257,"data":3381,"content":3382},{},[3383],{"nodeType":241,"value":3384,"marks":3385,"data":3387},"Security value: High | Browser fit: Strong for interception — shared with endpoint security for execution. ConsentFix is a browser-native exception that is T1-aligned.",[3386],{"type":306},{},{"nodeType":257,"data":3389,"content":3390},{},[3391,3395,3400,3404,3412,3416,3421,3425,3430],{"nodeType":241,"value":3392,"marks":3393,"data":3394},"ClickFix was the most common initial access vector reported by Microsoft in 2025, accounting for ",[],{},{"nodeType":241,"value":3396,"marks":3397,"data":3399},"47% of observed attacks",[3398],{"type":306},{},{"nodeType":241,"value":3401,"marks":3402,"data":3403},". CrowdStrike's",[],{},{"nodeType":252,"data":3405,"content":3407},{"uri":3406},"https://www.crowdstrike.com/explore/2026-global-threat-report",[3408],{"nodeType":241,"value":3409,"marks":3410,"data":3411}," 2026 Global Threat Report",[],{},{"nodeType":241,"value":3413,"marks":3414,"data":3415}," identified fake CAPTCHA lures as the most common malware download type, increasing ",[],{},{"nodeType":241,"value":3417,"marks":3418,"data":3420},"563% year-over-year",[3419],{"type":306},{},{"nodeType":241,"value":3422,"marks":3423,"data":3424},". The technique writes a malicious command to the victim's clipboard and social-engineers them into executing it. It is fileless (bypassing download scanning), user-executed (bypassing endpoint behavioral detections), and ",[],{},{"nodeType":241,"value":3426,"marks":3427,"data":3429},"4 in 5 ClickFix payloads intercepted by Push arrived via search engines",[3428],{"type":306},{},{"nodeType":241,"value":3431,"marks":3432,"data":3433}," — not email (bypassing email anti-phishing controls).",[],{},{"nodeType":257,"data":3435,"content":3436},{},[3437],{"nodeType":241,"value":3438,"marks":3439,"data":3440},"The browser is the earliest and most effective intervention point — detecting the clipboard injection and social engineering lure before anything reaches the endpoint in executable form. But the problem doesn't end at the browser boundary: once the command has been pasted and run, detection and remediation become endpoint problems, and a mature defense requires both layers. The broader *Fix family — FileFix, InstallFix, and similar derivatives — follows the same pattern, with the browser providing the critical early-warning layer within a defense that spans browser and endpoint.",[],{},{"nodeType":294,"data":3442,"content":3446},{"target":3443},{"sys":3444},{"id":3445,"type":291,"linkType":292},"39alMHtw9FPHbQINqbAgBN",[],{"nodeType":298,"data":3448,"content":3449},{},[],{"nodeType":308,"data":3451,"content":3452},{},[3453],{"nodeType":241,"value":3454,"marks":3455,"data":3457},"#7 — AI visibility and control: enforcing which AI tools employees can use and how",[3456],{"type":306},{},{"nodeType":257,"data":3459,"content":3460},{},[3461],{"nodeType":241,"value":3462,"marks":3463,"data":3465},"Security value: High | Browser fit: Strong for access enforcement — but AI governance is not a new security problem so much as a force multiplier on existing ones",[3464],{"type":306},{},{"nodeType":257,"data":3467,"content":3468},{},[3469,3473,3481,3485,3494],{"nodeType":241,"value":3470,"marks":3471,"data":3472},"AI adoption is outpacing security governance at nearly every organization, and ",[],{},{"nodeType":252,"data":3474,"content":3475},{"uri":244},[3476],{"nodeType":241,"value":3477,"marks":3478,"data":3480},"71% of organizations are concerned about data leakage via unsanctioned AI apps",[3479],{"type":306},{},{"nodeType":241,"value":3482,"marks":3483,"data":3484},". But the security problems that AI creates are not, for the most part, novel — they are existing Tier 1 problems amplified by a new category of tooling. Shadow AI apps are shadow SaaS (#5). AI OAuth integrations are OAuth governance (#5). AI browser extensions are extension security (#4). The risk of employees using personal AI accounts — ",[],{},{"nodeType":252,"data":3486,"content":3488},{"uri":3487},"https://keepaware.com/blog/46-of-sensitive-data-bypasses-your-dlp",[3489],{"nodeType":241,"value":3490,"marks":3491,"data":3493},"46% of sensitive inputs to AI tools are sent via personal accounts",[3492],{"type":306},{},{"nodeType":241,"value":3495,"marks":3496,"data":3497}," — is an identity posture problem (#3).",[],{},{"nodeType":257,"data":3499,"content":3500},{},[3501],{"nodeType":241,"value":3502,"marks":3503,"data":3504},"The component parts that allow you to govern AI are individually Tier 1 capabilities, and the browser is the best single layer for gaining visibility and control over AI usage — it sees the apps, the OAuth grants, the extensions, and the account context. But a complete end-to-end solution also requires a presence on the endpoint layer (for local AI tools, IDE-integrated agents, and API-level usage that never touches the browser), and prompt-level DLP on sanctioned tools is better handled by platform-native controls than by browser-layer observation.",[],{},{"nodeType":294,"data":3506,"content":3510},{"target":3507},{"sys":3508},{"id":3509,"type":291,"linkType":292},"6Py3z9VgjhKrchmYvhmbsq",[],{"nodeType":257,"data":3512,"content":3513},{},[3514],{"nodeType":241,"value":3515,"marks":3516,"data":3517},"The browser is what makes platform controls effective — if employees are using personal accounts, there are no enterprise audit logs to inspect. And for the growing category of AI agents, agentic browsers, and MCP-connected tools that operate through OAuth grants rather than direct user interaction, the browser is where the consent decisions that authorize those agents are made.",[],{},{"nodeType":298,"data":3519,"content":3520},{},[],{"nodeType":308,"data":3522,"content":3523},{},[3524],{"nodeType":241,"value":3525,"marks":3526,"data":3528},"#8 — Investigation acceleration and incident response: closing the missing middle",[3527],{"type":306},{},{"nodeType":257,"data":3530,"content":3531},{},[3532],{"nodeType":241,"value":3533,"marks":3534,"data":3536},"Security value: High | Browser fit: Strong — fills a structural gap complementary to endpoint, network, and identity telemetry",[3535],{"type":306},{},{"nodeType":257,"data":3538,"content":3539},{},[3540,3544,3549,3553,3562],{"nodeType":241,"value":3541,"marks":3542,"data":3543},"Endpoint logs show what processes executed. Network logs show traffic destinations. IdP logs show authentication events. None of them show what happened ",[],{},{"nodeType":241,"value":3545,"marks":3546,"data":3548},"inside the browser session",[3547],{"type":1712},{},{"nodeType":241,"value":3550,"marks":3551,"data":3552}," — the phishing page the user saw, the credentials they entered, the malicious OAuth consent grant, the data uploaded or pasted to an unsanctioned service. This is the missing middle of modern incident investigations, and for the ",[],{},{"nodeType":252,"data":3554,"content":3556},{"uri":3555},"https://www.paloaltonetworks.co.uk/resources/research/unit-42-incident-response-report",[3557],{"nodeType":241,"value":3558,"marks":3559,"data":3561},"48% of intrusions involving browser-based activity",[3560],{"type":306},{},{"nodeType":241,"value":3563,"marks":3564,"data":3565},", the absence of browser telemetry is a significant investigative gap.",[],{},{"nodeType":257,"data":3567,"content":3568},{},[3569],{"nodeType":241,"value":3570,"marks":3571,"data":3572},"Browser-layer telemetry fills that gap with a fundamentally different quality of signal: what users actually clicked, what pages loaded and how they behaved, what credentials were entered, what session activity followed — structured, high-fidelity data from inside the session where the attack played out. That's the difference between inferring what happened and seeing it directly, and it determines scope, drives containment decisions, and provides the direct evidential record that neither endpoint DLP nor network monitoring can supply for browser-native attacks.",[],{},{"nodeType":257,"data":3574,"content":3575},{},[3576],{"nodeType":241,"value":3577,"marks":3578,"data":3579},"Browser telemetry is a key addition to the investigative picture. Investigations are inherently multi-source — without browser data, reconstructing an incident from EDR, network, and IdP logs won't tell you the full picture (particularly when attacks are increasingly delivered outside of email, intercepting users as they browse the internet normally).",[],{},{"nodeType":257,"data":3581,"content":3582},{},[3583],{"nodeType":241,"value":3584,"marks":3585,"data":3586},"The browser provides the causal link that other sources miss: the bridge between \"a user visited a URL\" and \"credentials were submitted to a phishing page that issued a session token now being replayed from an attacker-controlled browser.\" Integrated with SIEM and SOAR platforms, that signal enables automated response workflows to execute on high-confidence detections without waiting for manual triage.",[],{},{"nodeType":298,"data":3588,"content":3589},{},[],{"nodeType":308,"data":3591,"content":3592},{},[3593],{"nodeType":241,"value":3594,"marks":3595,"data":3597},"#9 — Infostealer defense: detecting exposure and blocking delivery",[3596],{"type":306},{},{"nodeType":257,"data":3599,"content":3600},{},[3601],{"nodeType":241,"value":3602,"marks":3603,"data":3605},"Security value: High | Browser fit: Strong for delivery interception and stolen factor detection — complementary to endpoint security for execution",[3604],{"type":306},{},{"nodeType":257,"data":3607,"content":3608},{},[3609],{"nodeType":241,"value":3610,"marks":3611,"data":3612},"Infostealers are the upstream supply chain for a disproportionate share of the most damaging enterprise attacks — harvesting credentials, session cookies, and browser profile data en masse from infected devices, then selling the outputs on infostealer markets for use in credential stuffing, ATO, and ransomware campaigns.",[],{},{"nodeType":294,"data":3614,"content":3618},{"target":3615},{"sys":3616},{"id":3617,"type":291,"linkType":292},"5NF1afwu3zFGThZTtStVQA",[],{"nodeType":257,"data":3620,"content":3621},{},[3622],{"nodeType":241,"value":3623,"marks":3624,"data":3625},"The browser is relevant at two points in the infostealer kill chain. First, delivery interception: ClickFix (covered in #6) is now the primary infostealer delivery mechanism, and the browser is the only layer that can intercept it before execution. Second, detecting stolen factors when attackers attempt to use them — and infostealers produce two categories of stolen factor that the browser can guard against.",[],{},{"nodeType":503,"data":3627,"content":3628},{},[3629,3639],{"nodeType":458,"data":3630,"content":3631},{},[3632],{"nodeType":257,"data":3633,"content":3634},{},[3635],{"nodeType":241,"value":3636,"marks":3637,"data":3638},"Stolen credentials can be identified at the point of login: browser-layer detection flags credentials that appear in known breach datasets, catching infostealer-harvested passwords being replayed in credential stuffing campaigns before the account is compromised.",[],{},{"nodeType":458,"data":3640,"content":3641},{},[3642],{"nodeType":257,"data":3643,"content":3644},{},[3645],{"nodeType":241,"value":3646,"marks":3647,"data":3648},"Stolen session tokens are caught through a different mechanism: sessions originating in instrumented browsers carry a marker, and when a token subsequently appears in an un-instrumented browser it is a confirmed stolen session — catching infostealer-harvested cookies being replayed regardless of how or where the token was originally harvested.",[],{},{"nodeType":257,"data":3650,"content":3651},{},[3652,3656,3665,3669,3674],{"nodeType":241,"value":3653,"marks":3654,"data":3655},"This is particularly critical for the ",[],{},{"nodeType":252,"data":3657,"content":3659},{"uri":3658},"https://www.verizon.com/business/en-gb/resources/reports/dbir/",[3660],{"nodeType":241,"value":3661,"marks":3662,"data":3664},"46% of infected devices that are unmanaged",[3663],{"type":306},{},{"nodeType":241,"value":3666,"marks":3667,"data":3668}," where EDR is absent and the stolen credentials and session tokens will never be detected at the endpoint. Infostealer ",[],{},{"nodeType":241,"value":3670,"marks":3671,"data":3673},"execution",[3672],{"type":1712},{},{"nodeType":241,"value":3675,"marks":3676,"data":3677}," remains an endpoint problem; the browser closes the delivery and replay gaps that endpoint tools miss.",[],{},{"nodeType":298,"data":3679,"content":3680},{},[],{"nodeType":308,"data":3682,"content":3683},{},[3684],{"nodeType":241,"value":3685,"marks":3686,"data":3688},"#10 — Data loss prevention: a key component of effective DLP, but not the full picture",[3687],{"type":306},{},{"nodeType":257,"data":3690,"content":3691},{},[3692],{"nodeType":241,"value":3693,"marks":3694,"data":3696},"Security value: Medium-high | Browser fit: Partial — complementary to dedicated DLP",[3695],{"type":306},{},{"nodeType":257,"data":3698,"content":3699},{},[3700],{"nodeType":241,"value":3701,"marks":3702,"data":3703},"File uploads to unsanctioned services, sensitive data pasted into AI tools, and exfiltration through personal accounts are genuine and growing risks that traditional email and endpoint-centric DLP tools were not designed to catch. Browser-layer controls provide real value here — particularly for BYOD users and contractors, where endpoint DLP agents cannot be deployed and the browser is the only available data loss visibility.",[],{},{"nodeType":257,"data":3705,"content":3706},{},[3707],{"nodeType":241,"value":3708,"marks":3709,"data":3710},"The honest scope: browser-layer DLP does not cover email-based loss, endpoint-to-endpoint transfers, or cloud API exfiltration. It closes specific and important gaps within a broader DLP strategy, not a replacement for one. A further distinction for organizations evaluating browser DLP for secure third-party access: full-stack enterprise browsers can enforce deeper output controls — watermarking, obfuscation, screenshot and print restrictions — at the OS rendering level that browser extensions cannot reliably replicate. Extension-based browser DLP is strongest for upload, input, and access control use cases rather than OS-level output restriction.",[],{},{"nodeType":298,"data":3712,"content":3713},{},[],{"nodeType":308,"data":3715,"content":3716},{},[3717],{"nodeType":241,"value":3718,"marks":3719,"data":3721},"Tier 3 — Lower Value: A problem best addressed outside of the browser",[3720],{"type":306},{},{"nodeType":503,"data":3723,"content":3724},{},[3725,3740,3755,3770],{"nodeType":458,"data":3726,"content":3727},{},[3728],{"nodeType":257,"data":3729,"content":3730},{},[3731,3736],{"nodeType":241,"value":3732,"marks":3733,"data":3735},"Browser exploit protection",[3734],{"type":306},{},{"nodeType":241,"value":3737,"marks":3738,"data":3739}," (narrow RCE/sandbox sense) ranks lower because browser zero-days represent just 9% of all zero-days reported to Google, and 82% of attack detections are now malware-free (CrowdStrike 2026). This is a problem for browser vendors to solve, and it's not a big enough problem to warrant enterprises investing in additional mitigating controls.",[],{},{"nodeType":458,"data":3741,"content":3742},{},[3743],{"nodeType":257,"data":3744,"content":3745},{},[3746,3751],{"nodeType":241,"value":3747,"marks":3748,"data":3750},"Domain and URL category controls",[3749],{"type":306},{},{"nodeType":241,"value":3752,"marks":3753,"data":3754}," offer genuine browser-layer value but are commoditized by SWG and DNS filtering tools most organizations already operate. This can be provided in the browser, sure (and it's something we do at Push) but offers limited security value in terms of making a difference against modern attacks that quickly rotate these kinds of indicators and are designed to blend in.",[],{},{"nodeType":458,"data":3756,"content":3757},{},[3758],{"nodeType":257,"data":3759,"content":3760},{},[3761,3766],{"nodeType":241,"value":3762,"marks":3763,"data":3765},"Access management",[3764],{"type":306},{},{"nodeType":241,"value":3767,"marks":3768,"data":3769}," — ZTNA, VPN replacement, PAM, BYOD access control — is an IT infrastructure and access architecture problem, not a security operations problem, and belongs to a different buyer with a different evaluation frame. There are numerous (typically full-stack) Enterprise Browser solutions on the market that address IT use cases like this well.",[],{},{"nodeType":458,"data":3771,"content":3772},{},[3773],{"nodeType":257,"data":3774,"content":3775},{},[3776,3781],{"nodeType":241,"value":3777,"marks":3778,"data":3780},"Remote browser isolation",[3779],{"type":306},{},{"nodeType":241,"value":3782,"marks":3783,"data":3784}," addresses browser exploit risk rather than the identity-first attacks that represent the majority of current enterprise browser risk, and introduces UX friction that limits deployment at scale. When it triggers, it introduces latency but still fails to detect and stop browser-native attacks.",[],{},{"nodeType":298,"data":3786,"content":3787},{},[],{"nodeType":308,"data":3789,"content":3790},{},[3791],{"nodeType":241,"value":3792,"marks":3793,"data":3795},"How Push Security maps to the highest-value security use cases",[3794],{"type":306},{},{"nodeType":257,"data":3797,"content":3798},{},[3799],{"nodeType":241,"value":3800,"marks":3801,"data":3802},"Push is purpose-built to address all of these problems using a flexible browser extension — plug into any browser with no migration, no host agent deployment, and no IT overhead — that delivers telemetry and control from day one, and extends coverage to every enrolled browser regardless of device ownership.",[],{},{"nodeType":3804,"data":3805,"content":3806},"table",{},[3807,3834,3858,3882,3906,3930,3954,3978,4002,4026,4050,4074],{"nodeType":3808,"data":3809,"content":3810},"table-row",{},[3811,3823],{"nodeType":3812,"data":3813,"content":3814},"table-cell",{},[3815],{"nodeType":257,"data":3816,"content":3817},{},[3818],{"nodeType":241,"value":3819,"marks":3820,"data":3822},"Security use case",[3821],{"type":306},{},{"nodeType":3812,"data":3824,"content":3825},{},[3826],{"nodeType":257,"data":3827,"content":3828},{},[3829],{"nodeType":241,"value":3830,"marks":3831,"data":3833},"How Push addresses it",[3832],{"type":306},{},{"nodeType":3808,"data":3835,"content":3836},{},[3837,3848],{"nodeType":3812,"data":3838,"content":3839},{},[3840],{"nodeType":257,"data":3841,"content":3842},{},[3843],{"nodeType":241,"value":3844,"marks":3845,"data":3847},"Account takeover prevention",[3846],{"type":306},{},{"nodeType":3812,"data":3849,"content":3850},{},[3851],{"nodeType":257,"data":3852,"content":3853},{},[3854],{"nodeType":241,"value":3855,"marks":3856,"data":3857},"Surfaces and fixes ghost logins, weak and breached credentials and missing MFA controls across every app and device — including shadow SaaS and unmanaged devices invisible to the IdP. Push also detects and stops the attack techniques that typically lead to ATO early in the kill chain and before an account can be compromised.",[],{},{"nodeType":3808,"data":3859,"content":3860},{},[3861,3872],{"nodeType":3812,"data":3862,"content":3863},{},[3864],{"nodeType":257,"data":3865,"content":3866},{},[3867],{"nodeType":241,"value":3868,"marks":3869,"data":3871},"Advanced phishing detection",[3870],{"type":306},{},{"nodeType":3812,"data":3873,"content":3874},{},[3875],{"nodeType":257,"data":3876,"content":3877},{},[3878],{"nodeType":241,"value":3879,"marks":3880,"data":3881},"Behavioral page analysis detects phishing kits regardless of whether the domain is known-bad. Credential entry guardrails block corporate passwords from being submitted to unauthorized domains. TTP-based detection remains effective as attacker infrastructure rotates.",[],{},{"nodeType":3808,"data":3883,"content":3884},{},[3885,3896],{"nodeType":3812,"data":3886,"content":3887},{},[3888],{"nodeType":257,"data":3889,"content":3890},{},[3891],{"nodeType":241,"value":3892,"marks":3893,"data":3895},"Identity posture hardening",[3894],{"type":306},{},{"nodeType":3812,"data":3897,"content":3898},{},[3899],{"nodeType":257,"data":3900,"content":3901},{},[3902],{"nodeType":241,"value":3903,"marks":3904,"data":3905},"Enforces MFA, strong credentials, and SSO adoption across every app the IdP doesn't manage. Produces continuous, auditable MFA coverage and credential hygiene evidence across the full application and device estate.",[],{},{"nodeType":3808,"data":3907,"content":3908},{},[3909,3920],{"nodeType":3812,"data":3910,"content":3911},{},[3912],{"nodeType":257,"data":3913,"content":3914},{},[3915],{"nodeType":241,"value":3916,"marks":3917,"data":3919},"Browser extension security",[3918],{"type":306},{},{"nodeType":3812,"data":3921,"content":3922},{},[3923],{"nodeType":257,"data":3924,"content":3925},{},[3926],{"nodeType":241,"value":3927,"marks":3928,"data":3929},"Live extension inventory with supply chain change event monitoring — ownership transfers, permission escalations, developer contact changes — rather than static risk scoring. Supports default-deny allowlisting and remote extension removal. Blocks known-bad malicious extensions automatically.",[],{},{"nodeType":3808,"data":3931,"content":3932},{},[3933,3944],{"nodeType":3812,"data":3934,"content":3935},{},[3936],{"nodeType":257,"data":3937,"content":3938},{},[3939],{"nodeType":241,"value":3940,"marks":3941,"data":3943},"Shadow SaaS and OAuth governance",[3942],{"type":306},{},{"nodeType":3812,"data":3945,"content":3946},{},[3947],{"nodeType":257,"data":3948,"content":3949},{},[3950],{"nodeType":241,"value":3951,"marks":3952,"data":3953},"Discovers shadow SaaS from actual login events with full authentication context. Monitors and blocks OAuth consent flows — including AI and MCP integrations — in real time before persistent access paths are created.",[],{},{"nodeType":3808,"data":3955,"content":3956},{},[3957,3968],{"nodeType":3812,"data":3958,"content":3959},{},[3960],{"nodeType":257,"data":3961,"content":3962},{},[3963],{"nodeType":241,"value":3964,"marks":3965,"data":3967},"ClickFix and the *Fix family",[3966],{"type":306},{},{"nodeType":3812,"data":3969,"content":3970},{},[3971],{"nodeType":257,"data":3972,"content":3973},{},[3974],{"nodeType":241,"value":3975,"marks":3976,"data":3977},"Detects and blocks ClickFix lures, clipboard injection, and browser-native variants like ConsentFix in real time — before the payload executes or OAuth key material is captured.",[],{},{"nodeType":3808,"data":3979,"content":3980},{},[3981,3992],{"nodeType":3812,"data":3982,"content":3983},{},[3984],{"nodeType":257,"data":3985,"content":3986},{},[3987],{"nodeType":241,"value":3988,"marks":3989,"data":3991},"AI visibility & control",[3990],{"type":306},{},{"nodeType":3812,"data":3993,"content":3994},{},[3995],{"nodeType":257,"data":3996,"content":3997},{},[3998],{"nodeType":241,"value":3999,"marks":4000,"data":4001},"Enforces which AI tools employees can access and routes usage to corporate tenants. Governs AI browser extensions and blocks OAuth consent grants to unapproved AI applications — drawing on the same Tier 1 capabilities (OAuth governance, extension security, shadow SaaS discovery) that make this possible.",[],{},{"nodeType":3808,"data":4003,"content":4004},{},[4005,4016],{"nodeType":3812,"data":4006,"content":4007},{},[4008],{"nodeType":257,"data":4009,"content":4010},{},[4011],{"nodeType":241,"value":4012,"marks":4013,"data":4015},"Security investigations & incident response",[4014],{"type":306},{},{"nodeType":3812,"data":4017,"content":4018},{},[4019],{"nodeType":257,"data":4020,"content":4021},{},[4022],{"nodeType":241,"value":4023,"marks":4024,"data":4025},"High-fidelity session telemetry — page loads, credential entries, DOM changes, OAuth grants — fills the missing middle that endpoint, network, and IdP logs leave open. Feeds directly into SIEM and SOAR for automated response.",[],{},{"nodeType":3808,"data":4027,"content":4028},{},[4029,4040],{"nodeType":3812,"data":4030,"content":4031},{},[4032],{"nodeType":257,"data":4033,"content":4034},{},[4035],{"nodeType":241,"value":4036,"marks":4037,"data":4039},"Infostealer defense",[4038],{"type":306},{},{"nodeType":3812,"data":4041,"content":4042},{},[4043],{"nodeType":257,"data":4044,"content":4045},{},[4046],{"nodeType":241,"value":4047,"marks":4048,"data":4049},"Intercepts ClickFix-based infostealer delivery before execution. Detects token replay in unenrolled browser contexts — catching post-theft abuse from AiTM-sourced tokens and infostealer-harvested cookies, including from unmanaged devices.",[],{},{"nodeType":3808,"data":4051,"content":4052},{},[4053,4064],{"nodeType":3812,"data":4054,"content":4055},{},[4056],{"nodeType":257,"data":4057,"content":4058},{},[4059],{"nodeType":241,"value":4060,"marks":4061,"data":4063},"Data loss prevention",[4062],{"type":306},{},{"nodeType":3812,"data":4065,"content":4066},{},[4067],{"nodeType":257,"data":4068,"content":4069},{},[4070],{"nodeType":241,"value":4071,"marks":4072,"data":4073},"Observes file uploads, downloads, and sensitive data inputs across all applications. Extends data loss visibility to BYOD and contractor devices where endpoint DLP cannot reach.",[],{},{"nodeType":3808,"data":4075,"content":4076},{},[4077,4087],{"nodeType":3812,"data":4078,"content":4079},{},[4080],{"nodeType":257,"data":4081,"content":4082},{},[4083],{"nodeType":241,"value":3747,"marks":4084,"data":4086},[4085],{"type":306},{},{"nodeType":3812,"data":4088,"content":4089},{},[4090],{"nodeType":257,"data":4091,"content":4092},{},[4093],{"nodeType":241,"value":4094,"marks":4095,"data":4096},"Custom URL blocklists with wildcard support and REST API management for threat intelligence feed sync. Application category blocking restricts access to classes of apps (file-sharing, unsanctioned AI tools) configurable by user group. Domain categorization bringing SWG-style category blocking natively to the browser without a network proxy.",[],{},{"nodeType":298,"data":4098,"content":4099},{},[],{"nodeType":257,"data":4101,"content":4102},{},[4103,4106,4113],{"nodeType":241,"value":1436,"marks":4104,"data":4105},[],{},{"nodeType":252,"data":4107,"content":4108},{"uri":2297},[4109],{"nodeType":241,"value":4110,"marks":4111,"data":4112}," Book a live demo to learn more.",[],{},{"nodeType":241,"value":29,"marks":4114,"data":4115},[],{},"The top 10 security problems you can solve in the browser — ranked by value","Ranking the security problems you can solve in the browser by security value and browser fit.","the-top-10-security-problems-you-can-solve-in-the-browser-ranked-by-value",{"items":4120},[4121,4123],{"sys":4122,"name":2315},{"id":2314},{"sys":4124,"name":2319},{"id":2318},{"items":4126},[4127],{"fullName":226,"firstName":227,"jobTitle":228,"profilePicture":4128},{"url":230},"making-the-business-case-for-a-browser-security-solution","blog/making-the-business-case-for-a-browser-security-solution",{"json":4132},{"data":4133,"content":4134,"nodeType":1463},{},[4135],{"data":4136,"content":4137,"nodeType":257},{},[4138],{"data":4139,"marks":4140,"value":4141,"nodeType":241},{},[],"Browser security is one of the fastest-growing investment areas in enterprise security. It's clear that security teams need browser security solutions, but the challenge is often figuring out how to fund it.","Browser security is one of the fastest-growing investment areas in enterprise security. Here's our proven framework to create budget for browser security tools.",{"id":4144,"publishedAt":4145},"3u4XQlYOFzwY1nKVFaovos","2026-05-29T14:18:34.415Z",{"items":4147},[4148,4150],{"sys":4149,"name":2315},{"id":2314},{"sys":4151,"name":2319},{"id":2318},"1aWZtX_hS0I7_UY4NuszMcL3y_5TAE3KN2yPZUr43jo",1780064634531]