AI is accelerating the collapse of indicator-based threat detection. Technique-level detection is the only layer that holds, and requires both the right vantage point and the research capability to stay ahead.
Back in 2024, we wrote about how the Pyramid of Pain shapes Push's detection philosophy — detections targeting indicators that are easy for attackers to change deliver diminishing returns, while detections targeting attacker techniques impose a cost that's hard to absorb. Two years on, every force that made IoC-based detection fragile has intensified.

AI hasn't introduced a new problem so much as it's compressed the timelines on an existing one — attackers can generate infrastructure, iterate on tooling, and industrialize newly discovered techniques faster than before. The bottom layers of the Pyramid are collapsing under the weight of machine-speed operations, and the middle layers are starting to buckle too.
These changes mean that technique-level detection is more important than ever. In this article, we’ll dig into how the Pyramid is changing, and what this means for our detection philosophy at Push (TL;DR — it reinforces the path we’re already on: building detections at the top of the Pyramid by harnessing browser visibility).
The bottom of the Pyramid was already crumbling
The case against indicator-based detection didn't need AI to be compelling. 89% of phishing domains are active for fewer than two days, with just 6.5% surviving past 15 days — by the time a domain makes it onto a blocklist, the campaign has moved on.
We've written before about how this makes every phishing attack effectively a zero-day for organizations relying on known-bad detection. The phishing kit's behavior — its page structure, script signatures, malicious payload mechanics — is the only detection target that outlasts a single campaign.
When we blogged about the Pyramid of Pain for modern attacks that happen predominantly over the internet, with minimal (or zero) endpoint contact, it first looked like this:

Now, it looks more like this:

Let’s explore why.
AI is accelerating phishing rotation and delivery
Attackers are harnessing AI at every stage, speeding up the creation, rotation, and replacement of phishing infrastructure, as well as capitalizing on AI adoption itself to enhance their lures. The operational signature is more domains, shorter lifespans, more variation, and fewer of the reuse patterns that blocklists depend on.
Attackers can vibe-code entire phishing pages in minutes — not just cloning legitimate login pages but vibe-cloning them, feeding an AI a screenshot and having it rebuild a convincing frontend with a completely unique backend.
We've seen attackers clone free SaaS tools like background removers and PDF converters, then inject phishing components or ClickFix payloads into what looks like a functional utility. We’ve even seen attackers distributing malware using AI-generated pages shared using LLM tool sharing functionality, resulting in phishing delivery pages hosted on real claude.ai and chatgpt.com. And legitimate cloud platforms like Railway, Cloudflare Workers, and Vercel host and dynamically rotate attack infrastructure, so the domains feeding into blocklists often belong to reputable services that can't simply be blocked.

The kit ecosystem is fragmenting faster than anyone can track
What we see across our install base is a huge and growing variation in phishing kits — new kits, derivative kits of known platforms, derivatives of those derivatives — appearing on a weekly basis.
As we reported in our Browser Attacks Report, the most common AiTM kits we detected over the last year were Tycoon 2FA (59% of detections), followed by Sneaky 2FA, FlowerStorm, Evilginx (nominally a red team tool, but widely abused by attackers), NakedPages, Gabagool, and dozens more — but those established names are just the visible layer.
Code is forked, modified, and redeployed across kits in a pattern that resembles open-source development more than traditional criminal enterprise, and the rate at which new variants appear is accelerating. The Venom kit reuses Sneaky 2FA's AiTM infrastructure but carries different branding and adds device code phishing — whether it's the same developers, stolen code, or a deliberate fork is unclear.
Tycoon 2FA illustrates the scale of the evolution. The kit evolves continuously, adding new capabilities and new evasion techniques, and hybridizing with other platforms. Even when Sekoia and Microsoft seized 330+ Tycoon domains in March 2026, the techniques it popularized were already embedded across competitors, and the slack was taken up by rival platforms within days. And in any case, Tycoon was back to normal levels of operation shortly after. It has also been observed pivoting to add new device code phishing capabilities (more on that below).
Tear one down and there are many more to take its place — and meanwhile the original is already evolving into something new.
New techniques are being industrialized faster than ever
As well as the fragmentation of existing kits, we’re seeing new techniques added at an accelerating rate.
Device code phishing is the clearest case study. From early nation state adoption in 2024, it took until 2026 for criminal adoption to really take off, but the take-up this year is unprecedented. The EvilTokens kit packaged device code phishing into a PhaaS offering with GPT-powered spear-phishing and adaptive landing pages, hitting 340+ organizations across five countries in March 2026.
Now, device code functionality is a core phish kit component. We’re tracking 18+ kits with device code phishing capabilities and a 37.5x increase in device code phishing detections this year alone, with the technique moving from state-sponsored exclusivity to something any PhaaS customer can rent.
Similarly, when we infiltrated Doko's Panel — a real-time vishing and AiTM platform used by ShinyHunters and affiliated groups — the codebase was full of LLM-generated artifacts. Multiple groups were using the templated vishing panel and spinning up their own variants, but the AI-generated indicators persisted throughout. This approach to real-time vishing + browser payload has been a mainstay of the Com affiliates like ShinyHunters this year.

The broader ClickFix family shows the same acceleration: first reported in early 2024 and adopted by four nation-state groups within a single quarter. Fast forward and CrowdStrike's data shows a 563% increase in fake CAPTCHA incidents (one of the more common ClickFix lure types), while Microsoft reported it as making up 47% of observed attacks according to their Digital Defense Report.
And ConsentFix — a combination of ClickFix and OAuth consent phishing techniques — suggests the next compression is already underway. Push researchers discovered the technique in December 2025 — a browser-native ClickFix variant hijacking OAuth consent grants via Azure CLI's localhost redirect. It was later confirmed to be tied to APT29. By January 2026, a criminal ConsentFix v3 toolkit had appeared on the XSS forum with Cloudflare Workers, ZoomInfo targeting, and automated exfiltration via Pipedream.
Six weeks is all it took for ConsentFix to go from nation-state technique to commoditized criminal toolkit — a compression that took device code phishing and ClickFix roughly a year.
Why technique-level detection is the only layer that holds
The middle of the Pyramid — tool signatures and artifacts — used to offer much more durable detection than infrastructure indicators. Fingerprinting a specific phishing kit by its JavaScript structure or HTML patterns provided a detection target that survived across dozens or hundreds of campaigns, even as the underlying domains rotated. Tool-level detections are still better, but not by quite the same margin.

When the kit landscape was dominated by a handful of platforms, you could write signatures for Tycoon, Sneaky2FA, EvilProxy, and so on, and cover the lion's share of attacks. With the ecosystem now producing new variants and entirely new kits on a weekly basis, detecting by kit fingerprint starts to look uncomfortably similar to detecting by domain.
But many of these proliferating kits do share behavioral patterns at a deeper level than their code signatures. For example, every device code phishing kit implements fundamentally the same flow: present a lure, generate a device code via the OAuth Device Authorization endpoint, get the user to enter it on the legitimate authorization page, and poll for the resulting tokens. The frontends vary, the infrastructure varies, but the behavioral pattern doesn't.
If you build detections around a specific kit's JavaScript patterns, then you're in an arms race with the kit's developer. Build detections around the behavioral mechanics of the technique itself — how the page interacts with the authorization endpoint, the sequence of user actions it orchestrates, the redirect patterns — and you’re tracking something that changes at a much slower rate.
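The device code pattern described above, as an added example (not Push's detection code) over constructed browser-session telemetry: it ignores the lure's domain and kit entirely and alerts only on the behavioral sequence, a user code rendered by an untrusted page and then typed into a legitimate device-login page shortly after. The event schema, the allowlist of device-login pages and the code shape are assumptions.

```python
"""Kit-agnostic detection of device code phishing from browser telemetry. Constructed example, not Push's code:
flag when an untrusted page renders a user code that is then typed into a legitimate device-login page."""
import re

# Assumed allowlist of legitimate device-login pages as (origin, path).
DEVICE_LOGIN_PAGES = {("https://microsoft.com", "/devicelogin"),
                      ("https://github.com", "/login/device")}
# Assumed user-code shape: 8-12 upper-case alphanumerics, optional hyphen.
CODE_RE = re.compile(r"\b[A-Z0-9]{4}-?[A-Z0-9]{4,8}\b")

def normalize(code):
    return code.replace("-", "").replace(" ", "").upper()

def extract_codes(text):
    """Candidate codes in rendered page text; require both a letter and a digit."""
    codes = {normalize(m) for m in CODE_RE.findall(text)}
    return {c for c in codes if any(ch.isdigit() for ch in c)
            and any(ch.isalpha() for ch in c)}

def is_device_login_page(ev):
    return (ev["origin"], ev.get("path", "")) in DEVICE_LOGIN_PAGES

def detect_device_code_phishing(events, window_s=300):
    """Correlate a code shown on an untrusted origin with its entry on a
    trusted device-login page within window_s seconds. One alert per entry."""
    alerts, renders = [], []  # renders: (time, lure origin, codes shown)
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "page_render" and not is_device_login_page(ev):
            codes = extract_codes(ev["text"])
            if codes:
                renders.append((ev["t"], ev["origin"], codes))
        elif ev["type"] == "form_input" and is_device_login_page(ev):
            typed = normalize(ev["value"])
            for t0, lure, codes in renders:
                if typed in codes and 0 <= ev["t"] - t0 <= window_s:
                    alerts.append({"technique": "device_code_phishing",
                                   "lure_origin": lure, "code": typed,
                                   "seconds_to_entry": ev["t"] - t0})
    return alerts

# Constructed telemetry: lure on a throwaway domain, then the real login page; the last entry is benign.
SAMPLE_EVENTS = [
    {"t": 0, "type": "page_render", "origin": "https://docs-share.example",
     "text": "To open the shared file, go to microsoft.com/devicelogin and enter BXL9-QW4KT"},
    {"t": 31, "type": "form_input", "origin": "https://microsoft.com", "path": "/devicelogin",
     "value": "BXL9QW4KT"},
    {"t": 900, "type": "form_input", "origin": "https://github.com", "path": "/login/device",
     "value": "7HT2-MK9P"},
]
```

Swapping the lure domain, the page template or the kit that generated it changes nothing here; only the order of user-visible events matters.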
Genuinely new attack techniques still require human creativity — an attacker has to identify a gap in how a legitimate protocol or feature can be subverted. That kind of innovation hasn't been automated. But the window to discover a technique, build a detection, and then deploy it before it is adopted by criminals at scale is compressing with each generation.
Organizations that detect at the technique level and deploy before commoditization have a structural advantage that increases over time. Waiting for indicators — even tool-level indicators — means chasing a curve that's accelerating away from you. This is the challenge we grapple with every day as we strive for the most resilient detections possible.
As our CPO Jacques Louw put it on Risky Business: "There's no list of bad domains anywhere in the product. It's a crutch — a false cheat code that stops you from doing the detection in the way that actually is resilient, because the next time you see it, it will be on a different domain."
What it takes to detect at the top of the Pyramid
If technique-level detection is the only layer that holds, two things have to be true about your detection capability: you need the right vantage point, and you need the research velocity to stay ahead.
You need the right vantage point
Technique-level behaviors in browser-based identity attacks — how a phishing page orchestrates credential entry, how a device code flow presents its authorization prompt, how a ClickFix variant manipulates the clipboard — are visible in the browser session and nowhere else.
Network proxies see encrypted traffic and can attempt to reconstruct page behavior from metadata, but DOM manipulation, user interaction sequences, and script execution aren't visible from that vantage point. Email gateways see the delivery mechanism (or nothing at all in the increasing number of social media and search engine based attacks) but not the payload.
As we disclosed in our browser attacks report, 95% of in-browser attacks we detect use some form of bot protection, often combined with conditional loading techniques like referrer and browser checks, reliably defeating automated analysis techniques.
Behavioral detection at the technique level requires observing what happens on the page at the moment the user interacts with it — analyzing pages, not links. When you see the entire browsing flow — ad click, redirect chain, page render, credential prompt — an attack stands out immediately. Without that context, any detection system is forced to fill in gaps, and the gaps are where attacks hide.

Push sits inside the browser session, observing this in real time. Its detections target the behavioral mechanics of techniques rather than the surface characteristics of individual kits or infrastructure.
You need the research expertise
When the window between technique discovery and industrialized exploitation is measured in weeks rather than years, the detection pipeline needs to operate on that same compressed timescale.
This is where our agentic threat hunting pipeline fits. It's tripled our monthly detection output — not by generating bigger blocklists, but by scaling the process of discovering behavioral patterns across the telemetry generated by 3+ million browser deployments.
The detections it produces are technique-class by design, targeting how attacks work rather than the infrastructure or specific tool that implements them. The goal is curation, not accumulation — hundreds of high-fidelity behavioral detections rather than the billions of signatures and domain entries that traditional approaches require.
When we detected the first in-the-wild InstallFix attack through the pipeline — a user had searched for NotebookLM, clicked a paid Google ad, and was redirected to a fake page with a WebAssembly C2 connector — the detection shipped to all customers within minutes. It didn't depend on knowing the domain, the ad creative, or the specific kit. It depended on recognizing the technique itself.
Technique-level detection is now the only option
As a framework for detection durability, the Pyramid of Pain is more relevant than ever.
AI has made infrastructure indicators essentially disposable. The tools tier is compressing as criminal vendors vibe-code, fork, and clone tooling at machine speed. Technique-level detection is the layer that holds over the long term, making it possible to proactively detect and block net-new attacks and the kits that power them.
Novel attack techniques still require human creativity to discover, and detections built around how those techniques work can survive infrastructure rotation, tool proliferation, and kit fragmentation. Defending that layer requires a vantage point inside the browser session and a research pipeline fast enough to stay ahead of the accelerating path from discovery to industrialization.
Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.
Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.
Book a live demo to learn more.
