[{"data":1,"prerenderedAt":4084},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":100,"navbar-resource-highlight":174,"blog/what-push-data-reveals-about-the-state-of-shadow-ai":220},[4],{"enabled":5,"name":6},false,"maintenanceMode",[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"7pi17qxi28l",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":5,"query":41,"data":42,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":23,"createdBy":92,"lastUpdatedBy":93,"folders":94,"meta":95,"rev":99},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"url":29,"ctaText":43,"text":44,"blocks":45,"state":85},"ewrererw","testrfesssssssssss",[46,73],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Is your 
stack covered? 51 browser &amp; identity attacks, mapped.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">See the matrix →\u003C/strong>\u003C/p>\n","https://pushsecurity.com/resources/browser-identity-attacks-matrix/",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":74,"@type":47,"tagName":75,"properties":76,"responsiveStyles":80},"builder-pixel-9kxq2yb91mj","img",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":81},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},"block","hidden","none",{"deviceSize":86,"location":87},"large",{"path":29,"query":88},{},{},1778612252607,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"kind":96,"hasLinks":5,"breakpoints":97,"lastPreviewUrl":98,"hasAutosaves":34,"hasErrors":5},"component",{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","x
jiujb2vo9k",[101,137],{"createdDate":102,"id":103,"name":104,"modelId":105,"published":13,"stageModifiedSincePublish":5,"query":106,"data":107,"variations":130,"lastUpdated":131,"firstPublished":132,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":133,"meta":134,"rev":136},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":108,"type":109,"testimonialLink":110,"testimonial":111},{},"testimonial","/customer-stories/inductive-automation",{"@type":112,"id":113,"model":109,"value":114},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":115,"folders":116,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":120,"variations":124,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":127,"rev":129},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":121,"jobTitle":122,"quote":118,"image":123},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":128,"hasAutosaves":34},{"small":32,"medium":33},"sf9fjf65phq",{},1776247404986,1776247404973,[],{"breakpoints":135,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},"jkhn7p13hds",{"createdDate":138,"id":139,"name":140,"modelId":105,"published":13,"meta":141,"stageModifiedSincePublish":5,"query":143,"data":144,"variations":170,"lastUpdated":171,"firstPublished":172,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":173,"rev":136},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack 
Techniques",{"breakpoints":142,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":145,"link":164,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":147},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":148,"folders":149,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":152,"variations":158,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":161,"rev":163},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":162,"hasAutosaves":34},{"small":32,"medium":33},"raaccy8q8y",{"text":165,"url":166},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the 
wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[175,198],{"createdDate":176,"id":177,"name":140,"modelId":178,"published":13,"meta":179,"stageModifiedSincePublish":5,"query":181,"data":182,"variations":193,"lastUpdated":194,"firstPublished":195,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":196,"rev":197},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":180,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":183,"link":192,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":184},{"query":185,"folders":186,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":187,"variations":188,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":189,"rev":191},[],[],{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":190,"hasAutosaves":34},{"small":32,"medium":33},"pmrmfrb50bn",{"text":165,"url":166},{},1776256937553,1776256937540,[],"l9i490dxrf",{"createdDate":199,"id":200,"name":201,"modelId":178,"published":13,"stageModifiedSincePublish":5,"query":202,"data":203,"variations":214,"lastUpdated":215,"firstPublished":216,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":217,"meta":218,"rev":197},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":204,"type":109,"testimonial":205,"testimonialLink":110},{},{"@type":112,"id":113,"model":109,"value":206},{"query":207,"folders":208,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":209,"variations":210,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":211,"rev":213},[],[],{"author":121,"jobTitle":122,"quote":118,"image":123},{},{"kind":2
8,"lastPreviewUrl":29,"breakpoints":212,"hasAutosaves":34},{"small":32,"medium":33},"wzjvgq9f64f",{},1776256974140,1776256974130,[],{"breakpoints":219,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},{"id":221,"title":222,"authorsCollection":223,"content":231,"extension":1055,"featured":5,"hashTags":62,"meta":1056,"metaTitle":222,"ogImage":62,"publishedDate":1057,"relatedBlogPostsCollection":1058,"slug":4060,"stem":4061,"subtitle":62,"summary":4062,"synopsis":4073,"sys":4074,"tagsCollection":4077,"__hash__":4083},"blog/blog/what-push-data-reveals-about-the-state-of-shadow-ai.json","What Push data reveals about the state of shadow AI",{"items":224},[225],{"fullName":226,"firstName":227,"jobTitle":228,"profilePicture":229},"Dan Green","Dan","Threat Research",{"url":230},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":232,"links":852},{"nodeType":233,"data":234,"content":235},"document",{},[236,245,252,259,268,312,316,325,332,340,384,390,397,403,406,414,421,430,437,444,460,468,493,500,506,513,521,536,564,570,588,594,602,609,634,641,648,655,661,664,672,679,686,705,713,720,728,751,763,766,774,781,788,795,815,818,825,832],{"nodeType":237,"data":238,"content":239},"paragraph",{},[240],{"nodeType":241,"value":242,"marks":243,"data":244},"text","Employees have been self-adopting apps, creating unmanaged accounts, and introducing third-party software dependencies into their organizations for years, and the core problem hasn't changed: unmanaged software expanding your attack surface without your knowledge.",[],{},{"nodeType":237,"data":246,"content":247},{},[248],{"nodeType":241,"value":249,"marks":250,"data":251},"But the rate at which employees are signing up for AI tools is unprecedented, and the depth of interconnectivity those tools demand is fundamentally different from traditional shadow SaaS. 
",[],{},{"nodeType":237,"data":253,"content":254},{},[255],{"nodeType":241,"value":256,"marks":257,"data":258},"AI tools aren't just standalone apps that employees sign into. Increasingly they act as agents that drive other applications, pulling data from one platform and acting on another, so they are becoming a hub that other apps integrate with and that users wire into their wider SaaS stack. That makes them a focal integration point for app access and functionality, more comparable to an enterprise cloud platform than to a typical SaaS tool. ",[],{},{"nodeType":260,"data":261,"content":267},"embedded-entry-block",{"target":262},{"sys":263},{"id":264,"type":265,"linkType":266},"4jsomkKmK7Vjijo8UkCQkf","Link","Entry",[],{"nodeType":237,"data":269,"content":270},{},[271,275,284,288,294,298,308],{"nodeType":241,"value":272,"marks":273,"data":274},"The industry data backs this up. The",[],{},{"nodeType":276,"data":277,"content":279},"hyperlink",{"uri":278},"https://www.verizon.com/business/resources/reports/dbir/",[280],{"nodeType":241,"value":281,"marks":282,"data":283}," Verizon DBIR 2026",[],{},{"nodeType":241,"value":285,"marks":286,"data":287}," reports that ",[],{},{"nodeType":241,"value":289,"marks":290,"data":293},"45% of employees are now regular AI users on corporate devices",[291],{"type":292},"bold",{},{"nodeType":241,"value":295,"marks":296,"data":297},", up from 15% the year before. ",[],{},{"nodeType":276,"data":299,"content":301},{"uri":300},"https://omdia.tech.informa.com/",[302],{"nodeType":241,"value":303,"marks":304,"data":307},"Omdia's 2026 browser security research",[305],{"type":306},"underline",{},{"nodeType":241,"value":309,"marks":310,"data":311}," paints an even starker picture, finding that 92% of organizations allow employees to use public GenAI applications. Given that the typical company policy sanctions only a small number of approved tools, everything else employees are using is unsanctioned by default. 
In other words, practically every organization in the survey has unsanctioned AI usage by default.",[],{},{"nodeType":313,"data":314,"content":315},"hr",{},[],{"nodeType":317,"data":318,"content":319},"heading-1",{},[320],{"nodeType":241,"value":321,"marks":322,"data":324},"The state of shadow AI, using Push data",[323],{"type":292},{},{"nodeType":237,"data":326,"content":327},{},[328],{"nodeType":241,"value":329,"marks":330,"data":331},"We analyzed a snapshot of AI activity across Push customers during a typical week in April 2026, chosen so that it captured actual activity rather than historical records of apps that were added once and are no longer used.",[],{},{"nodeType":237,"data":333,"content":334},{},[335],{"nodeType":241,"value":336,"marks":337,"data":339},"The numbers paint a picture that most security teams will find uncomfortable.",[338],{"type":292},{},{"nodeType":237,"data":341,"content":342},{},[343,347,352,356,361,365,370,374,380],{"nodeType":241,"value":344,"marks":345,"data":346},"The average organization has ",[],{},{"nodeType":241,"value":348,"marks":349,"data":351},"16 unique AI apps",[350],{"type":292},{},{"nodeType":241,"value":353,"marks":354,"data":355}," in active use, ",[],{},{"nodeType":241,"value":357,"marks":358,"data":360},"17 unique AI browser extensions",[359],{"type":292},{},{"nodeType":241,"value":362,"marks":363,"data":364},", and ",[],{},{"nodeType":241,"value":366,"marks":367,"data":369},"17 unique AI OAuth integrations",[368],{"type":292},{},{"nodeType":241,"value":371,"marks":372,"data":373}," connected into just Google Workspace and Microsoft 365 — with some organizations reaching as high as 40 unique AI apps, 163 AI extensions, and 55 OAuth connections to AI apps respectively. Even the organization with the ",[],{},{"nodeType":241,"value":375,"marks":376,"data":379},"lowest",[377],{"type":378},"italic",{},{"nodeType":241,"value":381,"marks":382,"data":383}," adoption level is actively using two. 
",[],{},{"nodeType":260,"data":385,"content":389},{"target":386},{"sys":387},{"id":388,"type":265,"linkType":266},"2AfeiHub5kyZN8wuf6CJch",[],{"nodeType":237,"data":391,"content":392},{},[393],{"nodeType":241,"value":394,"marks":395,"data":396},"If most organizations have sanctioned one or two core AI assistants/platforms for business use, the gap between what's approved and what's actually happening is significant.",[],{},{"nodeType":260,"data":398,"content":402},{"target":399},{"sys":400},{"id":401,"type":265,"linkType":266},"2hsKQ9DEspflhmtR0bE7QY",[],{"nodeType":313,"data":404,"content":405},{},[],{"nodeType":317,"data":407,"content":408},{},[409],{"nodeType":241,"value":410,"marks":411,"data":413},"Understanding the four categories of shadow AI",[412],{"type":292},{},{"nodeType":237,"data":415,"content":416},{},[417],{"nodeType":241,"value":418,"marks":419,"data":420},"Shadow SaaS has always been a problem, but in the context of AI apps there are four categories of shadow IT that security teams need to understand, because each one introduces a different kind of risk and requires a different approach to tackling it.",[],{},{"nodeType":422,"data":423,"content":424},"heading-2",{},[425],{"nodeType":241,"value":426,"marks":427,"data":429},"Shadow AI apps",[428],{"type":292},{},{"nodeType":237,"data":431,"content":432},{},[433],{"nodeType":241,"value":434,"marks":435,"data":436},"Shadow apps are AI tools that employees have signed up to and are using for business purposes without approval. 
This is the most visible dimension of the problem, and the one most people think of when they hear \"shadow AI\" — an employee pastes sensitive internal documents into ChatGPT, uploads confidential files to an AI assistant, or uses an unapproved coding tool to generate production code.",[],{},{"nodeType":237,"data":438,"content":439},{},[440],{"nodeType":241,"value":441,"marks":442,"data":443},"All of that is sensitive data leaving the organization through channels the security team can't see - and often accessible using personal accounts that can be compromised on personal devices or workstations. ",[],{},{"nodeType":237,"data":445,"content":446},{},[447,451,456],{"nodeType":241,"value":448,"marks":449,"data":450},"The 2026 DBIR's data loss prevention analysis underscores the scale — shadow AI is now the ",[],{},{"nodeType":241,"value":452,"marks":453,"data":455},"third most common non-malicious insider action",[454],{"type":292},{},{"nodeType":241,"value":457,"marks":458,"data":459}," in DLP data, a 4x increase year-over-year. Across 858,000+ DLP events targeting GenAI tools, the most common data types being submitted were source code (28%), images (16%), structured data (14%), documents (13%), and PDFs (10%). That's not employees asking ChatGPT to fix their grammar — it's core intellectual property, production code, and internal documentation flowing into platforms the security team has no visibility into. 
But shadow apps themselves are only the most obvious part of the problem.",[],{},{"nodeType":422,"data":461,"content":462},{},[463],{"nodeType":241,"value":464,"marks":465,"data":467},"Shadow tenants",[466],{"type":292},{},{"nodeType":237,"data":469,"content":470},{},[471,475,480,484,489],{"nodeType":241,"value":472,"marks":473,"data":474},"Even when an organization has approved an AI tool — say, an enterprise ChatGPT deployment — employees frequently access the same app with personal accounts, creating shadow tenants that sit entirely outside organizational control. The DBIR found that ",[],{},{"nodeType":241,"value":476,"marks":477,"data":479},"67% of GenAI users on corporate devices are using non-corporate accounts",[478],{"type":292},{},{"nodeType":241,"value":481,"marks":482,"data":483},", and our own data shows that ",[],{},{"nodeType":241,"value":485,"marks":486,"data":488},"37% of file uploads to AI tools are made from shadow accounts",[487],{"type":292},{},{"nodeType":241,"value":490,"marks":491,"data":492}," rather than approved organizational ones.",[],{},{"nodeType":237,"data":494,"content":495},{},[496],{"nodeType":241,"value":497,"marks":498,"data":499},"When an organization approves Claude, ChatGPT, or another core AI platform, it typically also approves that vendor's OAuth integration and browser extension for core apps (e.g. M365, Google Workspace, and so on). That approval attaches to the vendor's OAuth application, not to your tenant of the AI tool, so it applies to every tenant: a user who connects a personal account through the same integration receives the same access to your data as a corporate one. 
",[],{},{"nodeType":260,"data":501,"content":505},{"target":502},{"sys":503},{"id":504,"type":265,"linkType":266},"3Rvw0n28AYIM3FQXtHyafD",[],{"nodeType":237,"data":507,"content":508},{},[509],{"nodeType":241,"value":510,"marks":511,"data":512},"This means that even if you've deployed enterprise controls around your sanctioned AI tools — DLP policies, retention settings, admin oversight — more than a third of the file uploads hitting AI tools are bypassing those controls entirely because they're happening through personal accounts on corporate devices.",[],{},{"nodeType":422,"data":514,"content":515},{},[516],{"nodeType":241,"value":517,"marks":518,"data":520},"Shadow extensions",[519],{"type":292},{},{"nodeType":237,"data":522,"content":523},{},[524,528,532],{"nodeType":241,"value":525,"marks":526,"data":527},"Many AI tools come with a browser extension counterpart, and there's a large ecosystem of third-party AI extensions that offer everything from writing assistance to automated data extraction. The average organization in our dataset has ",[],{},{"nodeType":241,"value":357,"marks":529,"data":531},[530],{"type":292},{},{"nodeType":241,"value":533,"marks":534,"data":535}," deployed across its workforce, with the highest we observed reaching 163 — and since each of those 17 distinct extensions may be installed by multiple employees, the actual number of individual extension installs across the organization is much higher still.",[],{},{"nodeType":237,"data":537,"content":538},{},[539,543,551,555,560],{"nodeType":241,"value":540,"marks":541,"data":542},"The extension dimension is particularly concerning because extensions operate with significant privilege inside the browser: granted broad host permissions plus the cookies or scripting permission, an extension can read and modify page content, lift cookies and session tokens, and interact with virtually every web application an employee uses. 
As we detailed in our recent analysis of",[],{},{"nodeType":276,"data":544,"content":546},{"uri":545},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[547],{"nodeType":241,"value":548,"marks":549,"data":550}," browser extension risk scoring",[],{},{"nodeType":241,"value":552,"marks":553,"data":554},", at least ",[],{},{"nodeType":241,"value":556,"marks":557,"data":559},"46.76% of all extensions across Push customers have the permission combinations needed to perform account takeover with no user interaction",[558],{"type":292},{},{"nodeType":241,"value":561,"marks":562,"data":563},", and the extensions involved in every major supply chain breach of the past 18 months scored as normal or low-risk beforehand.",[],{},{"nodeType":260,"data":565,"content":569},{"target":566},{"sys":567},{"id":568,"type":265,"linkType":266},"3z4JOMALI52xoOXZkzPHLD",[],{"nodeType":237,"data":571,"content":572},{},[573,577,584],{"nodeType":241,"value":574,"marks":575,"data":576},"AI extensions add a specific wrinkle to this problem: many are branded to look like official companions to well-known AI tools but are actually third-party creations with no affiliation to the original vendor. 
They're not necessarily malicious at the point of installation, but they're exactly the kind of extension that's likely to be",[],{},{"nodeType":276,"data":578,"content":579},{"uri":545},[580],{"nodeType":241,"value":581,"marks":582,"data":583}," acquired and weaponized",[],{},{"nodeType":241,"value":585,"marks":586,"data":587}," down the line — and in the meantime, they're collecting data that their permissions entitle them to (which, in most cases, means everything the user can see in their browser).",[],{},{"nodeType":260,"data":589,"content":593},{"target":590},{"sys":591},{"id":592,"type":265,"linkType":266},"6K3z67rohss6H3lCsSn12B",[],{"nodeType":422,"data":595,"content":596},{},[597],{"nodeType":241,"value":598,"marks":599,"data":601},"Shadow integrations",[600],{"type":292},{},{"nodeType":237,"data":603,"content":604},{},[605],{"nodeType":241,"value":606,"marks":607,"data":608},"The fourth dimension — and arguably the most dangerous — is shadow integrations: OAuth connections between AI tools and core enterprise apps that aren't known or approved by the security team. 
Even if an organization has approved an AI tool for standalone use, plugging that tool directly into Google Workspace, Microsoft 365, Salesforce, or any other one of the dozen or so SaaS apps in a typical user’s work stack is a fundamentally different risk decision, because it creates a persistent, programmatic bridge between your environment and a third party.",[],{},{"nodeType":237,"data":610,"content":611},{},[612,616,621,625,630],{"nodeType":241,"value":613,"marks":614,"data":615},"On average, we see ",[],{},{"nodeType":241,"value":617,"marks":618,"data":620},"17 unique AI app OAuth integrations per organization",[619],{"type":292},{},{"nodeType":241,"value":622,"marks":623,"data":624}," in ",[],{},{"nodeType":241,"value":626,"marks":627,"data":629},"just",[628],{"type":378},{},{"nodeType":241,"value":631,"marks":632,"data":633}," Google Workspace and Microsoft 365 (to be clear: this number excludes the dozens of downstream apps the AI assistants are integrated with as well), with the highest reaching 55. 
Each of those represents a unique AI product that has been granted OAuth access — the total number of individual consent grants across users is larger, because popular integrations get authorized by multiple employees independently.",[],{},{"nodeType":237,"data":635,"content":636},{},[637],{"nodeType":241,"value":638,"marks":639,"data":640},"The actual number of AI-related OAuth connections across the full SaaS estate is considerably higher again, because AI tools that automate workflows need to be connected to be useful — pulling data from one app, analyzing it in another, presenting results in a third.",[],{},{"nodeType":237,"data":642,"content":643},{},[644],{"nodeType":241,"value":645,"marks":646,"data":647},"MCP connections use OAuth to achieve this interconnectivity in the same way, and AI coding agents create a particularly concentrated version of the risk. A single agent configuration can hold OAuth tokens for Jira, Confluence, Salesforce, GitHub, and more, so compromising one agent (through prompt injection, a malicious repository config, or a supply chain attack on an MCP server) yields persistent, broadly scoped tokens for every service it was connected to. Those tokens survive session restarts, and the API calls made with them are logged under the user's own identity; in most platforms only the OAuth client or app ID in the audit record separates them from the user's interactive activity, so any detection has to key on that field.",[],{},{"nodeType":237,"data":649,"content":650},{},[651],{"nodeType":241,"value":652,"marks":653,"data":654},"It's also worth noting that OAuth blast radius is almost always larger than organizations expect. A single well-permissioned user can expose secrets, dashboards, and internal tooling without tenant-wide admin access. 
And every new AI tool an employee connects makes the web of abusable permissions a little wider.",[],{},{"nodeType":260,"data":656,"content":660},{"target":657},{"sys":658},{"id":659,"type":265,"linkType":266},"4SnzJ9T93gHzFIUASx7Yb3",[],{"nodeType":313,"data":662,"content":663},{},[],{"nodeType":317,"data":665,"content":666},{},[667],{"nodeType":241,"value":668,"marks":669,"data":671},"Why shadow AI needs a different solution to shadow SaaS",[670],{"type":292},{},{"nodeType":237,"data":673,"content":674},{},[675],{"nodeType":241,"value":676,"marks":677,"data":678},"The reason it's worth distinguishing between these four dimensions isn't academic. Each one requires a different control, and addressing one doesn't solve the others.",[],{},{"nodeType":237,"data":680,"content":681},{},[682],{"nodeType":241,"value":683,"marks":684,"data":685},"Blocking unsanctioned AI apps does nothing for the personal accounts accessing approved ones, and neither addresses the average 17 different AI extensions running with broad browser permissions, let alone the dozens of OAuth integrations that have already been granted persistent access to core enterprise apps — and even auditing OAuth in Google Workspace and Microsoft 365, where the controls are relatively mature, leaves the broader SaaS estate unaddressed, where admin tooling is inconsistent and visibility is limited.",[],{},{"nodeType":237,"data":687,"content":688},{},[689,693,701],{"nodeType":241,"value":690,"marks":691,"data":692},"The tooling gap compounds the policy gap.",[],{},{"nodeType":276,"data":694,"content":696},{"uri":695},"https://pushsecurity.com/blog/7-things-omdias-latest-report-tells-us-about-the-secure-enterprise-browser-market/",[697],{"nodeType":241,"value":698,"marks":699,"data":700}," Omdia found",[],{},{"nodeType":241,"value":702,"marks":703,"data":704}," that 58% of organizations rely on secure web gateways to secure GenAI usage — but an SWG can tell you that a user visited ChatGPT, not whether they 
pasted your source code into the prompt. That gap between knowing where a user went and knowing what they actually did there is the fundamental visibility gap that makes GenAI policies unenforceable without browser-layer tooling.",[],{},{"nodeType":422,"data":706,"content":707},{},[708],{"nodeType":241,"value":709,"marks":710,"data":712},"Advice for security teams",[711],{"type":292},{},{"nodeType":237,"data":714,"content":715},{},[716],{"nodeType":241,"value":717,"marks":718,"data":719},"The principles behind managing shadow AI are the same ones that have governed shadow SaaS and software supply chain management for years: default-deny where feasible, comprehensive inventory where it isn't, and continuous monitoring for changes that signal increased risk. But it's vital that teams act fast to stop the snowball.",[],{},{"nodeType":237,"data":721,"content":722},{},[723],{"nodeType":241,"value":724,"marks":725,"data":727},"That starts with visibility into which AI tools employees are actually using and which accounts they're using to access them — without that baseline, every other control is built on assumptions.",[726],{"type":292},{},{"nodeType":237,"data":729,"content":730},{},[731,736,740,747],{"nodeType":241,"value":732,"marks":733,"data":735},"Extensions",[734],{"type":292},{},{"nodeType":241,"value":737,"marks":738,"data":739}," need the same",[],{},{"nodeType":276,"data":741,"content":742},{"uri":545},[743],{"nodeType":241,"value":744,"marks":745,"data":746}," default-deny allowlisting approach",[],{},{"nodeType":241,"value":748,"marks":749,"data":750}," that has been best practice for software management elsewhere: build a complete inventory, allowlist what's vetted, block everything else, and monitor the approved set for the changes that precede weaponization, such as a change of ownership or new permissions requested on update.",[],{},{"nodeType":237,"data":752,"content":753},{},[754,759],{"nodeType":241,"value":755,"marks":756,"data":758},"OAuth",[757],{"type":292},{},{"nodeType":241,"value":760,"marks":761,"data":762}," demands 
the most urgency, because each unmanaged integration is a persistent trust relationship that survives password resets and MFA changes — adopt default-deny for consent grants in your primary enterprise apps, routinely audit what's already connected, and critically extend that visibility beyond Google and Microsoft to the broader SaaS estate where the controls are weaker and the sprawl is harder to track.",[],{},{"nodeType":313,"data":764,"content":765},{},[],{"nodeType":317,"data":767,"content":768},{},[769],{"nodeType":241,"value":770,"marks":771,"data":773},"Browser visibility and control is key to de-risking AI adoption",[772],{"type":292},{},{"nodeType":237,"data":775,"content":776},{},[777],{"nodeType":241,"value":778,"marks":779,"data":780},"AI usage is fundamentally browser-based activity — every LLM interaction, every prompt containing sensitive data, every AI agent authorization, every OAuth consent grant happens inside a browser session — which makes the browser the natural control point for AI governance across the workforce. ",[],{},{"nodeType":237,"data":782,"content":783},{},[784],{"nodeType":241,"value":785,"marks":786,"data":787},"Push tracks AI app usage and login security across the workforce, inventories and controls AI browser extensions, monitors and blocks OAuth consent flows across any app (not just the primary enterprise platforms), and gives security teams a single view of the full shadow AI picture across all four dimensions.",[],{},{"nodeType":237,"data":789,"content":790},{},[791],{"nodeType":241,"value":792,"marks":793,"data":794},"Shadow AI isn't a problem that will age well if ignored. 
Every week that passes without visibility adds more apps, more extensions, more integrations, and more potential breach paths into the environment — and as the Vercel breach demonstrated, it only takes one forgotten OAuth grant to turn an employee's idle curiosity into an organization-wide incident.",[],{},{"nodeType":237,"data":796,"content":797},{},[798,802,811],{"nodeType":241,"value":799,"marks":800,"data":801},"Learn more about how you can tackle ",[],{},{"nodeType":276,"data":803,"content":805},{"uri":804},"https://pushsecurity.com/uc/shadow-ai",[806],{"nodeType":241,"value":807,"marks":808,"data":810},"Shadow AI",[809],{"type":306},{},{"nodeType":241,"value":812,"marks":813,"data":814}," with Push. ",[],{},{"nodeType":313,"data":816,"content":817},{},[],{"nodeType":237,"data":819,"content":820},{},[821],{"nodeType":241,"value":822,"marks":823,"data":824},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.",[],{},{"nodeType":237,"data":826,"content":827},{},[828],{"nodeType":241,"value":829,"marks":830,"data":831},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":237,"data":833,"content":834},{},[835,839,848],{"nodeType":241,"value":836,"marks":837,"data":838},"Book a ",[],{},{"nodeType":276,"data":840,"content":842},{"uri":841},"https://pushsecurity.com/demo",[843],{"nodeType":241,"value":844,"marks":845,"data":847},"live demo",[846],{"type":306},{},{"nodeType":241,"value":849,"marks":850,"data":851}," to learn 
more.",[],{},{"entries":853},{"hyperlink":854,"inline":855,"block":856},[],[],[857,872,886,895,938,990,998],{"sys":858,"__typename":859,"content":860,"name":871,"title":62},{"id":264},"InsightTextBlockComponent",{"json":861},{"nodeType":233,"data":862,"content":863},{},[864],{"nodeType":237,"data":865,"content":866},{},[867],{"nodeType":241,"value":868,"marks":869,"data":870},"Every app connection an employee grants turns that AI tool into a node in a web of interconnected services, which means the more you hook in, the larger the attack surface across all the connected apps — and the greater the blast radius if the account used to access the AI tool is compromised.",[],{},"Shadow ai ib5",{"sys":873,"__typename":859,"content":874,"name":885,"title":62},{"id":388},{"json":875},{"data":876,"content":877,"nodeType":233},{},[878],{"data":879,"content":880,"nodeType":237},{},[881],{"data":882,"marks":883,"value":884,"nodeType":241},{},[],"These are counts of unique products observed in one week, not total installs or connections across the workforce — each unique app, extension, or integration represents a separate AI tool that at least one employee has adopted, so the actual number of individual installs and active sessions across the organization is considerably larger. When the average organization has 17 unique AI extensions deployed, for instance, and many of those are popular tools adopted independently by multiple employees, the per-user footprint adds up quickly.","Shadow ai ib1",{"sys":887,"__typename":888,"title":889,"caption":890,"layoutMode":62,"file":891},{"id":401},"Image","ai-sprawl-infographic","AI sprawl is worse than most organizations realize. 
",{"url":892,"width":893,"height":894},"https://images.ctfassets.net/y1cdw1ablpvd/7vCbQdyRkjLs5EmsjBBAQp/3bfb13e7ec19be76325cdc69297c48c3/ai-sprawl-infographic_2x__3_.png",1800,1192,{"sys":896,"__typename":859,"content":897,"name":937,"title":62},{"id":504},{"json":898},{"nodeType":233,"data":899,"content":900},{},[901,931],{"nodeType":237,"data":902,"content":903},{},[904,908,913,923,927],{"nodeType":241,"value":905,"marks":906,"data":907},"This is a perfect example of where",[],{},{"nodeType":241,"value":909,"marks":910,"data":912}," ",[911],{"type":292},{},{"nodeType":276,"data":914,"content":916},{"uri":915},"https://pushsecurity.com/resources/browser-identity-attacks-matrix/evil-twin-integrations",[917],{"nodeType":241,"value":918,"marks":919,"data":922},"Evil Twin",[920,921],{"type":306},{"type":292},{},{"nodeType":241,"value":909,"marks":924,"data":926},[925],{"type":292},{},{"nodeType":241,"value":928,"marks":929,"data":930},"opportunities are likely to be abused by attackers. If you’re not familiar, this is where an attacker can effectively hide a malicious integration where an existing connection for that app is already approved, blending in with normal activity. 
But while historically maybe 1 out of 100 users had an automation tool like Zapier integrated already, the modern equivalent is that a much higher proportion of users already have Claude or ChatGPT integrated.",[],{},{"nodeType":237,"data":932,"content":933},{},[934],{"nodeType":241,"value":29,"marks":935,"data":936},[],{},"Shadow ai ib4",{"sys":939,"__typename":859,"content":940,"name":989,"title":62},{"id":568},{"json":941},{"nodeType":233,"data":942,"content":943},{},[944],{"nodeType":237,"data":945,"content":946},{},[947,951,962,966,977,980,985],{"nodeType":241,"value":948,"marks":949,"data":950},"This isn't just a Push observation —",[],{},{"nodeType":276,"data":952,"content":953},{"uri":695},[954,957],{"nodeType":241,"value":909,"marks":955,"data":956},[],{},{"nodeType":241,"value":958,"marks":959,"data":961},"Omdia found that malicious browser extensions were cited by 34% of organizations",[960],{"type":306},{},{"nodeType":241,"value":963,"marks":964,"data":965}," that experienced a browser-based attack, making them the third most common attack type after phishing and data leakage. The",[],{},{"nodeType":276,"data":967,"content":968},{"uri":278},[969,972],{"nodeType":241,"value":909,"marks":970,"data":971},[],{},{"nodeType":241,"value":973,"marks":974,"data":976},"Verizon DBIR 2026",[975],{"type":306},{},{"nodeType":241,"value":285,"marks":978,"data":979},[],{},{"nodeType":241,"value":981,"marks":982,"data":984},"more than 15% of corporate users had unauthorized AI browser extensions installed",[983],{"type":292},{},{"nodeType":241,"value":986,"marks":987,"data":988}," — meaning a material share of the workforce is running AI-powered code with broad permissions that no one in security approved or is monitoring. ",[],{},"Shadow ai ib2",{"sys":991,"__typename":888,"title":992,"caption":993,"layoutMode":62,"file":994},{"id":592},"Examples of AI imitation apps","Examples of imitation AI apps observed in active use by Push. 
Scammy and misleading, and not necessarily malicious (yet), but probably not something you want employees using.",{"url":995,"width":996,"height":997},"https://images.ctfassets.net/y1cdw1ablpvd/73PW50LMkqoFWmsbxP7pIU/a29ed68622aeb453f618fc1eb9a1a55c/image1.png",1999,1189,{"sys":999,"__typename":859,"content":1000,"name":1054,"title":62},{"id":659},{"json":1001},{"nodeType":233,"data":1002,"content":1003},{},[1004,1023],{"nodeType":237,"data":1005,"content":1006},{},[1007,1011,1019],{"nodeType":241,"value":1008,"marks":1009,"data":1010},"The Vercel breach is a textbook illustration of integration risk. A Vercel employee had connected a consumer-grade AI app from Context.ai into their Google Workspace tenant — most likely a self-service trial that was lightly used and forgotten about. Vercel",[],{},{"nodeType":276,"data":1012,"content":1014},{"uri":1013},"https://pushsecurity.com/blog/unpacking-the-vercel-breach/",[1015],{"nodeType":241,"value":1016,"marks":1017,"data":1018}," wasn't even a registered customer",[],{},{"nodeType":241,"value":1020,"marks":1021,"data":1022}," of Context.ai. When Context.ai was subsequently compromised via an infostealer infection, the attacker leveraged stored OAuth tokens to pivot into the Vercel employee's Google Workspace account, accessing internal dashboards, API keys, NPM tokens, and GitHub tokens.",[],{},{"nodeType":237,"data":1024,"content":1025},{},[1026,1030,1038,1042,1050],{"nodeType":241,"value":1027,"marks":1028,"data":1029},"Vercel is far from an isolated case. 
In 2025,",[],{},{"nodeType":276,"data":1031,"content":1033},{"uri":1032},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[1034],{"nodeType":241,"value":1035,"marks":1036,"data":1037}," Scattered Lapsus$ Hunters",[],{},{"nodeType":241,"value":1039,"marks":1040,"data":1041}," launched OAuth-driven supply chain attacks against Salesforce and Google Workspace tenants after breaching Salesloft Drift and Gainsight, impacting over 1,000 organizations and stealing over 1.5 billion records. More recently, Snowflake customers were impacted after a",[],{},{"nodeType":276,"data":1043,"content":1045},{"uri":1044},"https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/",[1046],{"nodeType":241,"value":1047,"marks":1048,"data":1049}," breach at data anomaly detection company Anodot",[],{},{"nodeType":241,"value":1051,"marks":1052,"data":1053},", where attackers attempted to leverage stolen authentication tokens to access downstream environments.",[],{},"Shadow ai ib3","json",{},"2026-05-28T00:00:00.000Z",{"items":1059},[1060,1840,3103],{"__typename":1061,"sys":1062,"publishedDate":1064,"content":1065,"title":1823,"synopsis":1824,"hashTags":62,"slug":1825,"tagsCollection":1826,"authorsCollection":1836},"BlogPosts",{"id":1063},"Lq2AFQ8VG2rMEe4h2CYuH","2026-04-23T00:00:00.000Z",{"json":1066},{"nodeType":233,"data":1067,"content":1068},{},[1069,1097,1130,1137,1143,1146,1154,1161,1167,1186,1193,1201,1221,1237,1244,1251,1254,1262,1269,1276,1341,1348,1356,1368,1375,1382,1388,1396,1403,1410,1417,1424,1430,1438,1445,1531,1537,1540,1548,1555,1571,1578,1585,1591,1611,1614,1621,1628,1634,1653,1660,1667,1673,1676,1684,1691,1698,1704,1711,1717,1723,1748,1754,1766,1773,1780],{"nodeType":237,"data":1070,"content":1071},{},[1072,1076,1084,1088,1093],{"nodeType":241,"value":1073,"marks":1074,"data":1075},"This week, a user going by the name of “ShinyHunters” (though allegedly not 
",[],{},{"nodeType":276,"data":1077,"content":1078},{"uri":1032},[1079],{"nodeType":241,"value":1080,"marks":1081,"data":1083},"actual ShinyHunters",[1082],{"type":306},{},{"nodeType":241,"value":1085,"marks":1086,"data":1087},", but someone imitating them in an attempt to trade off their credibility) posted on a breach forum claiming access keys, source code, and database data stolen from cloud development platform provider ",[],{},{"nodeType":241,"value":1089,"marks":1090,"data":1092},"Vercel",[1091],{"type":292},{},{"nodeType":241,"value":1094,"marks":1095,"data":1096},". ",[],{},{"nodeType":237,"data":1098,"content":1099},{},[1100,1104,1113,1117,1126],{"nodeType":241,"value":1101,"marks":1102,"data":1103},"This happened because a Vercel employee had connected an AI app, Context.ai, into their Google Workspace tenant. When Context.ai was compromised — ",[],{},{"nodeType":276,"data":1105,"content":1107},{"uri":1106},"https://www.infostealers.com/article/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai/",[1108],{"nodeType":241,"value":1109,"marks":1110,"data":1112},"allegedly the result of an infostealer infection from an employee searching for Roblox cheats",[1111],{"type":306},{},{"nodeType":241,"value":1114,"marks":1115,"data":1116}," — the attacker was able to leverage OAuth tokens stored in Context.ai’s Supabase platform to access downstream customer accounts (pointing to a heavily permissioned victim, probably a developer, possibly even a ",[],{},{"nodeType":276,"data":1118,"content":1120},{"uri":1119},"https://pushsecurity.com/blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches/",[1121],{"nodeType":241,"value":1122,"marks":1123,"data":1125},"personal device with access to corp credentials",[1124],{"type":306},{},{"nodeType":241,"value":1127,"marks":1128,"data":1129},"). 
",[],{},{"nodeType":237,"data":1131,"content":1132},{},[1133],{"nodeType":241,"value":1134,"marks":1135,"data":1136},"This access included a Vercel employee’s Google Workspace account. This particular user had significant access to data and secrets in Vercel’s systems, including internal dashboards, employee records, API keys, NPM tokens, and GitHub tokens, which the attacker was able to exfiltrate, holding Vercel to ransom for $2 million. ",[],{},{"nodeType":260,"data":1138,"content":1142},{"target":1139},{"sys":1140},{"id":1141,"type":265,"linkType":266},"6Ft8aSnzfYVZ7j57mYeXgQ",[],{"nodeType":313,"data":1144,"content":1145},{},[],{"nodeType":317,"data":1147,"content":1148},{},[1149],{"nodeType":241,"value":1150,"marks":1151,"data":1153},"How did this happen, and what could have stopped it?",[1152],{"type":292},{},{"nodeType":237,"data":1155,"content":1156},{},[1157],{"nodeType":241,"value":1158,"marks":1159,"data":1160},"From Vercel’s perspective, this attack could have been avoided had their employees been blocked from adding new OAuth integrations without admin approval (a toggle in their Google admin panel, and an essential control in a well-configured environment). Or, if the integration had been flagged in a routine audit and removed. ",[],{},{"nodeType":260,"data":1162,"content":1166},{"target":1163},{"sys":1164},{"id":1165,"type":265,"linkType":266},"b5HFvY1m6RnuXL3a95jVt",[],{"nodeType":237,"data":1168,"content":1169},{},[1170,1174,1182],{"nodeType":241,"value":1171,"marks":1172,"data":1173},"It probably should have been removed, too. The particular OAuth app that was connected into the environment was a deprecated “AI Office Suite” product intended for consumer use. 
",[],{},{"nodeType":276,"data":1175,"content":1177},{"uri":1176},"https://context.ai/security-update",[1178],{"nodeType":241,"value":1179,"marks":1180,"data":1181},"According to Context.ai",[],{},{"nodeType":241,"value":1183,"marks":1184,"data":1185},", Vercel aren’t even a registered customer — adding more evidence that this was probably the result of a self-service trial that was subsequently forgotten about. That consumer product has also since been replaced by an enterprise product. But for whatever reason, the access hadn’t been revoked (from either side). ",[],{},{"nodeType":237,"data":1187,"content":1188},{},[1189],{"nodeType":241,"value":1190,"marks":1191,"data":1192},"The elephant in the room is that Context.ai is an AI app. Most organizations are rightly nervous about employees adding unapproved AI SaaS into their environment. Having employees use shadow AI in the form of LLMs is one thing — users uploading sensitive data to unapproved apps or external tenants being the key concern. But OAuth grants are even more dangerous. Because if that app or vendor is compromised, the apps and accounts you’ve integrated it with are also at risk — which is what was exploited here. ",[],{},{"nodeType":422,"data":1194,"content":1195},{},[1196],{"nodeType":241,"value":1197,"marks":1198,"data":1200},"Where’s the fault?",[1199],{"type":292},{},{"nodeType":237,"data":1202,"content":1203},{},[1204,1208,1217],{"nodeType":241,"value":1205,"marks":1206,"data":1207},"It’s easy to point fingers here. There are multiple control gaps and failures for both parties. Vercel should have disabled OAuth grants without admin approval, and regularly audited the connections in their environment. 
From the vendor side, Vercel could also have applied by default a control that ",[],{},{"nodeType":276,"data":1209,"content":1211},{"uri":1210},"https://vercel.com/kb/bulletin/vercel-april-2026-security-incident",[1212],{"nodeType":241,"value":1213,"marks":1214,"data":1216},"prevents secret environment variables from being read",[1215],{"type":306},{},{"nodeType":241,"value":1218,"marks":1219,"data":1220}," — which would have significantly reduced the impact to Vercel customers from the data breach. ",[],{},{"nodeType":237,"data":1222,"content":1223},{},[1224,1228,1233],{"nodeType":241,"value":1225,"marks":1226,"data":1227},"Context.ai comes off worse. They could and should have had better separation of accounts and privileges — and if true, their users really shouldn’t be downloading Roblox scripts on devices they use for work access. It’s important to say ",[],{},{"nodeType":241,"value":1229,"marks":1230,"data":1232},"if true",[1231],{"type":378},{},{"nodeType":241,"value":1234,"marks":1235,"data":1236}," here, but the prospect of third parties accessing your environment from insecure devices that they use for gaming is the stuff of nightmares for enterprise security and compliance teams.",[],{},{"nodeType":237,"data":1238,"content":1239},{},[1240],{"nodeType":241,"value":1241,"marks":1242,"data":1243},"You definitely don’t want to be Context.ai in this scenario. The reputational harm could be pretty significant, and it is a wake-up call for other SaaS vendors to check that their house is in order. But although Vercel have responded quickly and transparently to the incident, this could only really have happened as a result of technical and procedural control gaps on their end.",[],{},{"nodeType":237,"data":1245,"content":1246},{},[1247],{"nodeType":241,"value":1248,"marks":1249,"data":1250},"It’s worth taking a step back and looking at the bigger picture here — and how these issues might impact your organization too. 
",[],{},{"nodeType":313,"data":1252,"content":1253},{},[],{"nodeType":317,"data":1255,"content":1256},{},[1257],{"nodeType":241,"value":1258,"marks":1259,"data":1261},"Shadow AI is still just shadow SaaS – but the AI scramble is a force multiplier",[1260],{"type":292},{},{"nodeType":237,"data":1263,"content":1264},{},[1265],{"nodeType":241,"value":1266,"marks":1267,"data":1268},"Shadow IT, and in particular shadow SaaS, is not a new problem. Most organizations run heavily (or exclusively) on SaaS, accessed in the browser, with hundreds of apps per enterprise. Unmanaged, self-adopted apps have been a thorn in the side of security teams for some time. ",[],{},{"nodeType":237,"data":1270,"content":1271},{},[1272],{"nodeType":241,"value":1273,"marks":1274,"data":1275},"There are essentially four kinds of shadow IT to be wary of in the context of AI apps:",[],{},{"nodeType":1277,"data":1278,"content":1279},"unordered-list",{},[1280,1296,1311,1326],{"nodeType":1281,"data":1282,"content":1283},"list-item",{},[1284],{"nodeType":237,"data":1285,"content":1286},{},[1287,1292],{"nodeType":241,"value":1288,"marks":1289,"data":1291},"Shadow apps:",[1290],{"type":292},{},{"nodeType":241,"value":1293,"marks":1294,"data":1295}," Apps that employees have signed up to and are using for business purposes without business approval. This includes apps signed up to with a corporate account or personal account. 
",[],{},{"nodeType":1281,"data":1297,"content":1298},{},[1299],{"nodeType":237,"data":1300,"content":1301},{},[1302,1307],{"nodeType":241,"value":1303,"marks":1304,"data":1306},"Shadow tenants:",[1305],{"type":292},{},{"nodeType":241,"value":1308,"marks":1309,"data":1310}," Apps that employees are accessing with personal accounts, essentially creating shadow tenants outside of your organization’s control — even if you’ve approved the app itself.",[],{},{"nodeType":1281,"data":1312,"content":1313},{},[1314],{"nodeType":237,"data":1315,"content":1316},{},[1317,1322],{"nodeType":241,"value":1318,"marks":1319,"data":1321},"Shadow extensions:",[1320],{"type":292},{},{"nodeType":241,"value":1323,"marks":1324,"data":1325}," Many AI apps come with an extension counterpart, along with countless third-party extensions that are either untrustworthy or downright malicious. Browser extensions add another angle: an extension sees browser activity well beyond the app it accompanies, so it carries visibility (and risk) that the app alone does not. ",[],{},{"nodeType":1281,"data":1327,"content":1328},{},[1329],{"nodeType":237,"data":1330,"content":1331},{},[1332,1337],{"nodeType":241,"value":1333,"marks":1334,"data":1336},"Shadow integrations:",[1335],{"type":292},{},{"nodeType":241,"value":1338,"marks":1339,"data":1340}," OAuth connections across apps that aren’t known or approved. Even if an app itself is approved, plugging that app directly into your primary enterprise apps — with all the sensitive data and functionality therein — isn't necessarily also approved.  ",[],{},{"nodeType":237,"data":1342,"content":1343},{},[1344],{"nodeType":241,"value":1345,"marks":1346,"data":1347},"In the Vercel case, we’re talking specifically about shadow integrations. But all of these present a key risk to your organization. 
",[],{},{"nodeType":422,"data":1349,"content":1350},{},[1351],{"nodeType":241,"value":1352,"marks":1353,"data":1355},"The web of OAuth sprawl spans way beyond Google and Microsoft ",[1354],{"type":292},{},{"nodeType":237,"data":1357,"content":1358},{},[1359,1364],{"nodeType":241,"value":1360,"marks":1361,"data":1363},"On average we see 17 unique AI app integrations per organization in Microsoft and Google alone",[1362],{"type":292},{},{"nodeType":241,"value":1365,"marks":1366,"data":1367},". If you consider that most organizations have probably approved 1 or 2 max for business use, and may have approved none at all for app-to-app OAuth connectivity, that’s quite a significant difference. ",[],{},{"nodeType":237,"data":1369,"content":1370},{},[1371],{"nodeType":241,"value":1372,"marks":1373,"data":1374},"The number of connections outside of these core platforms is significantly higher. Just think how the typical AI app operates. If you want it to be able to effectively automate workflows — pull data from one app, aggregate and analyze it in another, present that information in a report, dashboard, or presentation, and then distribute it — that’s a fair few integrations in just one workflow. MCP connections use OAuth to achieve this interconnectivity in the same way as any other SaaS app.",[],{},{"nodeType":237,"data":1376,"content":1377},{},[1378],{"nodeType":241,"value":1379,"marks":1380,"data":1381},"We used to talk about automation apps like Zapier as being a goldmine for attackers. Well, AI apps are on their way to being even more interconnected, more frequently used, and more flexible in terms of how attackers can abuse them. 
",[],{},{"nodeType":260,"data":1383,"content":1387},{"target":1384},{"sys":1385},{"id":1386,"type":265,"linkType":266},"4FiWyVw7mpVBA5uBVJoOKL",[],{"nodeType":422,"data":1389,"content":1390},{},[1391],{"nodeType":241,"value":1392,"marks":1393,"data":1395},"A note on OAuth configuration complexity",[1394],{"type":292},{},{"nodeType":237,"data":1397,"content":1398},{},[1399],{"nodeType":241,"value":1400,"marks":1401,"data":1402},"A common misconception is that when a regular user consents to an OAuth app (let's use Google Workspace as the example) the app only gets access to the things they can directly access. Technically that's true — the access is scoped to that user's permissions. But in practice, the blast radius is almost always bigger than people think.",[],{},{"nodeType":237,"data":1404,"content":1405},{},[1406],{"nodeType":241,"value":1407,"marks":1408,"data":1409},"The scope includes shared drives, shared calendars, documents shared with them, and any other collaborative resources. A single well-permissioned user (think: developer with access to secrets, dashboards, and internal tooling) is more than enough to cause serious damage through a single OAuth grant. ",[],{},{"nodeType":237,"data":1411,"content":1412},{},[1413],{"nodeType":241,"value":1414,"marks":1415,"data":1416},"The scopes themselves are often deceptively broad. An app requesting https://www.googleapis.com/auth/drive gets full read/write access to everything the user can see in Drive — not just their personal files. And the blast radius is further contingent on the data and user permission hygiene in these broader environments. ",[],{},{"nodeType":237,"data":1418,"content":1419},{},[1420],{"nodeType":241,"value":1421,"marks":1422,"data":1423},"So if your environment hasn't got cleanly separated access and permissions for different users and groups, an attacker compromising a \"normal\" user account can end up with extensive access. 
You don't need tenant-wide admin access when a normal user's access already spans the crown jewels.",[],{},{"nodeType":260,"data":1425,"content":1429},{"target":1426},{"sys":1427},{"id":1428,"type":265,"linkType":266},"2t81AnAHx2On3fBynM4vVe",[],{"nodeType":422,"data":1431,"content":1432},{},[1433],{"nodeType":241,"value":1434,"marks":1435,"data":1437},"Unsurprisingly, OAuth breaches are stacking up",[1436],{"type":292},{},{"nodeType":237,"data":1439,"content":1440},{},[1441],{"nodeType":241,"value":1442,"marks":1443,"data":1444},"Widespread OAuth interconnectedness isn’t just an AI app problem. Attackers have been exploiting this for some time:",[],{},{"nodeType":1277,"data":1446,"content":1447},{},[1448,1496],{"nodeType":1281,"data":1449,"content":1450},{},[1451],{"nodeType":237,"data":1452,"content":1453},{},[1454,1458,1466,1470,1479,1483,1492],{"nodeType":241,"value":1455,"marks":1456,"data":1457},"In 2025, ",[],{},{"nodeType":276,"data":1459,"content":1460},{"uri":1032},[1461],{"nodeType":241,"value":1462,"marks":1463,"data":1465},"Scattered Lapsus$ Hunters",[1464],{"type":306},{},{"nodeType":241,"value":1467,"marks":1468,"data":1469}," launched OAuth-driven supply chain attacks against Salesforce and Google Workspace tenants after breaching Salesloft (specifically the ",[],{},{"nodeType":276,"data":1471,"content":1473},{"uri":1472},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[1474],{"nodeType":241,"value":1475,"marks":1476,"data":1478},"Salesloft Drift",[1477],{"type":306},{},{"nodeType":241,"value":1480,"marks":1481,"data":1482}," platform) and ",[],{},{"nodeType":276,"data":1484,"content":1486},{"uri":1485},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[1487],{"nodeType":241,"value":1488,"marks":1489,"data":1491},"Gainsight",[1490],{"type":306},{},{"nodeType":241,"value":1493,"marks":1494,"data":1495},". 
In total, over 1000 organizations were impacted, including Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, Qualys, and many more, with over 1.5B records stolen. ",[],{},{"nodeType":1281,"data":1497,"content":1498},{},[1499],{"nodeType":237,"data":1500,"content":1501},{},[1502,1506,1514,1518,1527],{"nodeType":241,"value":1503,"marks":1504,"data":1505},"More recently, Snowflake customers were impacted after a ",[],{},{"nodeType":276,"data":1507,"content":1508},{"uri":1044},[1509],{"nodeType":241,"value":1510,"marks":1511,"data":1513},"breach at data anomaly detection company Anodot",[1512],{"type":306},{},{"nodeType":241,"value":1515,"marks":1516,"data":1517}," where the attacker attempted to leverage the stolen authentication tokens to access Salesforce data, with ",[],{},{"nodeType":276,"data":1519,"content":1521},{"uri":1520},"https://www.bleepingcomputer.com/news/security/stolen-rockstar-games-analytics-data-leaked-by-extortion-gang/",[1522],{"nodeType":241,"value":1523,"marks":1524,"data":1526},"Rockstar",[1525],{"type":306},{},{"nodeType":241,"value":1528,"marks":1529,"data":1530}," a high-profile victim of the breach (again linked to Scattered Lapsus$ Hunters). ",[],{},{"nodeType":260,"data":1532,"content":1536},{"target":1533},{"sys":1534},{"id":1535,"type":265,"linkType":266},"3oqoL9L3fxetFcIhnfQhMQ",[],{"nodeType":313,"data":1538,"content":1539},{},[],{"nodeType":317,"data":1541,"content":1542},{},[1543],{"nodeType":241,"value":1544,"marks":1545,"data":1547},"Infostealers continue to drive corporate breaches",[1546],{"type":292},{},{"nodeType":237,"data":1549,"content":1550},{},[1551],{"nodeType":241,"value":1552,"marks":1553,"data":1554},"While unverified, Hudson Rock’s case for an infostealer breach being the root cause of the Context.ai breach seems believable. 
Infostealer infections have been one of the leading security threats for some time, fuelling breaches powered by stolen credentials and session tokens.",[],{},{"nodeType":237,"data":1556,"content":1557},{},[1558,1562,1567],{"nodeType":241,"value":1559,"marks":1560,"data":1561},"With the assumed rise in MFA coverage, it’s often surprising to security teams that stolen credentials are still a problem. ",[],{},{"nodeType":241,"value":1563,"marks":1564,"data":1566},"But of the last million logins we saw, 1 in 4 were password logins (not SSO), 2 in 5 were not protected by MFA, and 1 in 5 used a weak, breached, or reused password. ",[1565],{"type":292},{},{"nodeType":241,"value":1568,"marks":1569,"data":1570},"Plenty of scope for abuse. ",[],{},{"nodeType":237,"data":1572,"content":1573},{},[1574],{"nodeType":241,"value":1575,"marks":1576,"data":1577},"Stolen session tokens are even more valuable to attackers, enabling them to bypass authentication controls by replaying the token in their own browser. In theory, they should only be valid for a limited timeframe, but in practice this can be as long as 90 days, and sometimes indefinite. ",[],{},{"nodeType":237,"data":1579,"content":1580},{},[1581],{"nodeType":241,"value":1582,"marks":1583,"data":1584},"In this case, it seems likely that the compromised device was a developer machine (given the access to Supabase), or potentially even a personal device (given they were installing Roblox cheats…). 
This is relevant because these personal, developer, and BYOD machines are often less secure — developer machines are often exempt from EDR monitoring, or run with EDR significantly tuned down (too noisy), while personal devices naturally lack enterprise security software.",[],{},{"nodeType":260,"data":1586,"content":1590},{"target":1587},{"sys":1588},{"id":1589,"type":265,"linkType":266},"139oaGgwRKZbwJzyex9LA5",[],{"nodeType":237,"data":1592,"content":1593},{},[1594,1598,1607],{"nodeType":241,"value":1595,"marks":1596,"data":1597},"We’ve also seen an uptick in developer-oriented phishing and malvertising campaigns. The ",[],{},{"nodeType":276,"data":1599,"content":1601},{"uri":1600},"https://pushsecurity.com/blog/installfix/",[1602],{"nodeType":241,"value":1603,"marks":1604,"data":1606},"InstallFix campaign",[1605],{"type":306},{},{"nodeType":241,"value":1608,"marks":1609,"data":1610}," we identified, intercepting users as they attempt to install AI tools like Claude Code and NotebookLM, is an example of this — and also another way that attackers are capitalizing on AI hype. ",[],{},{"nodeType":313,"data":1612,"content":1613},{},[],{"nodeType":317,"data":1615,"content":1616},{},[1617],{"nodeType":241,"value":709,"marks":1618,"data":1620},[1619],{"type":292},{},{"nodeType":237,"data":1622,"content":1623},{},[1624],{"nodeType":241,"value":1625,"marks":1626,"data":1627},"There are some immediate next steps that we’ll quickly summarize here, as they've already been covered in wider reporting. If you’re a Vercel customer, you should urgently rotate every credential stored as a non-sensitive variable that could have been exposed, enable the sensitive variable feature toggle, and monitor your account for anomalous activity. And if you’re using the specific Context.ai integration, you need to revoke it ASAP and begin a full audit of the connected accounts, both inside Workspace and broader connected apps (this isn’t that easy, as we’ll highlight in a moment). 
",[],{},{"nodeType":260,"data":1629,"content":1633},{"target":1630},{"sys":1631},{"id":1632,"type":265,"linkType":266},"76HViirkH2R4QAzWg605sv",[],{"nodeType":237,"data":1635,"content":1636},{},[1637,1641,1650],{"nodeType":241,"value":1638,"marks":1639,"data":1640},"Taking a step back, organizations really need to get their arms around OAuth integrations in their environment. A default-deny approach to allowing users to consent to new integrations, and routinely auditing the ones already in your environment to ensure they’re still definitely required, is essential. Each integration expands your attack surface and could potentially grant an attacker extensive access to your environment. This default-deny approach isn't exactly a new concept for security teams and is the same in principle as what we recently advised for ",[],{},{"nodeType":276,"data":1642,"content":1644},{"uri":1643},"https://pushsecurity.com/blog/browser-extension-management-guide/",[1645],{"nodeType":241,"value":1646,"marks":1647,"data":1649},"browser extension management",[1648],{"type":306},{},{"nodeType":241,"value":1094,"marks":1651,"data":1652},[],{},{"nodeType":237,"data":1654,"content":1655},{},[1656],{"nodeType":241,"value":1657,"marks":1658,"data":1659},"This is fairly straightforward in your main enterprise cloud environment (think M365 or Google Workspace). But doing it across every SaaS app that allows some level of OAuth integration with another (i.e. every SaaS app) is somewhat harder. Not only do you need to have a comprehensive and up-to-date inventory, you need to be an app admin for every app (not always the case for self-adopted apps) and the particular app needs to give you the control to restrict and remove OAuth grants on behalf of users in your tenant. 
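As an added example of what the audit step in the advice above looks like in practice for the Google Workspace case (it also covers the earlier points about deceptively broad scopes and Evil Twin integrations), the following Python triages OAuth grants offline. It is not Push code and not Google's; it assumes you have already exported grants by calling the Admin SDK Directory API tokens.list for each user, and the sample records below are constructed to follow that response shape (clientId, displayText, scopes, userKey, anonymous, nativeApp). The allowlist, the client IDs, and the list of "broad" scopes are hypothetical. Note that tokens.list carries no last-used timestamp, so staleness (the forgotten trial that bit Vercel) has to come from the token audit log instead and is not scored here.

```python
"""Offline triage of Google Workspace OAuth grants exported from tokens.list.

Added example, not Push's or Google's code. Sample data is constructed; its shape
follows the Admin SDK Directory API tokens.list response. Allowlist, client IDs
and the BROAD_SCOPES set are hypothetical and illustrative only.
"""
from collections import defaultdict

# Scopes that hand an app read/write over everything the user can see, not just
# their own files. Assumption: illustrative subset, not an exhaustive list.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/calendar",
}

# Hypothetical allowlist: display name -> the single client ID the org vetted.
ALLOWLIST = {
    "Claude": "111111111111-claude.apps.googleusercontent.com",
    "ChatGPT": "222222222222-chatgpt.apps.googleusercontent.com",
}

# Constructed sample: tokens.list output for several users, merged into one list.
SAMPLE_GRANTS = [
    {"userKey": "dev@example.com", "clientId": "111111111111-claude.apps.googleusercontent.com",
     "displayText": "Claude", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    # Same display name as the vetted app, different client ID: an Evil Twin.
    {"userKey": "dev@example.com", "clientId": "333333333333-evil.apps.googleusercontent.com",
     "displayText": "Claude", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
    # Unvetted consumer trial with full Drive and Calendar access.
    {"userKey": "ops@example.com", "clientId": "444444444444-context.apps.googleusercontent.com",
     "displayText": "Context AI Office Suite", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/calendar"]},
    {"userKey": "pm@example.com", "clientId": "222222222222-chatgpt.apps.googleusercontent.com",
     "displayText": "ChatGPT", "anonymous": False, "nativeApp": False,
     "scopes": ["openid", "email"]},
]


def classify_grant(grant, allowlist=ALLOWLIST, broad=BROAD_SCOPES):
    """Return finding tags for one grant; an empty list means vetted and narrowly scoped."""
    findings = []
    vetted_id = allowlist.get(grant["displayText"])
    if vetted_id is None:
        findings.append("not_allowlisted")
    elif vetted_id != grant["clientId"]:
        findings.append("evil_twin")
    if broad & set(grant["scopes"]):
        findings.append("broad_scopes")
    return findings


def triage(grants, allowlist=ALLOWLIST, broad=BROAD_SCOPES):
    """Group findings per client ID so each offending app is handled once across all users."""
    report = defaultdict(lambda: {"users": set(), "findings": set(), "displayText": ""})
    for g in grants:
        tags = classify_grant(g, allowlist, broad)
        if not tags:
            continue
        entry = report[g["clientId"]]
        entry["users"].add(g["userKey"])
        entry["findings"].update(tags)
        entry["displayText"] = g["displayText"]
    return dict(report)


def revoke_plan(report):
    """Ordered (userKey, clientId) pairs, one per tokens.delete call; Evil Twins first."""
    priority = {"evil_twin": 0, "broad_scopes": 1, "not_allowlisted": 2}
    plan = []
    for client_id, entry in report.items():
        rank = min(priority[t] for t in entry["findings"])
        for user in sorted(entry["users"]):
            plan.append((rank, user, client_id))
    return [(user, cid) for _, user, cid in sorted(plan)]


if __name__ == "__main__":
    rep = triage(SAMPLE_GRANTS)
    for cid, e in rep.items():
        print(f"{e['displayText']:<25} {cid:<50} {sorted(e['findings'])} users={sorted(e['users'])}")
    print("revoke order:", revoke_plan(rep))
```

The Evil Twin check is deliberately keyed on display name rather than client ID, because the display name is what a user (and a casual admin review) sees; the client ID is the only thing that reliably distinguishes the vetted app from an impostor. The same pattern generalizes to Microsoft Entra service principals, but the field names there differ and are not shown here.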
",[],{},{"nodeType":237,"data":1661,"content":1662},{},[1663],{"nodeType":241,"value":1664,"marks":1665,"data":1666},"Again, this is not exclusively a Shadow AI problem, even if AI adoption is contributing significantly to the sprawl. ",[],{},{"nodeType":260,"data":1668,"content":1672},{"target":1669},{"sys":1670},{"id":1671,"type":265,"linkType":266},"XKKHUiz56G82uwYhbv2Qv",[],{"nodeType":313,"data":1674,"content":1675},{},[],{"nodeType":317,"data":1677,"content":1678},{},[1679],{"nodeType":241,"value":1680,"marks":1681,"data":1683},"How Push can help",[1682],{"type":292},{},{"nodeType":237,"data":1685,"content":1686},{},[1687],{"nodeType":241,"value":1688,"marks":1689,"data":1690},"As we’ve established, there are quite a few pieces to this puzzle. Push can help with all of them. ",[],{},{"nodeType":237,"data":1692,"content":1693},{},[1694],{"nodeType":241,"value":1695,"marks":1696,"data":1697},"Push observes every app login your employees make in their browser, building a comprehensive picture of SaaS and AI use across your organization. This includes how they’re logging in and how secure the login is: did it have MFA, what kind of MFA, was it using a weak or compromised password, did they use SSO, and so on. ",[],{},{"nodeType":260,"data":1699,"content":1703},{"target":1700},{"sys":1701},{"id":1702,"type":265,"linkType":266},"2B205bUaLm6vG8mIQ0rJvA",[],{"nodeType":237,"data":1705,"content":1706},{},[1707],{"nodeType":241,"value":1708,"marks":1709,"data":1710},"Push also tracks OAuth integrations in your environment and gives you the ability to manage and remove them in core environments like M365 and Google Workspace, providing a single platform for you to view, manage, and secure app use across your organization. 
",[],{},{"nodeType":260,"data":1712,"content":1716},{"target":1713},{"sys":1714},{"id":1715,"type":265,"linkType":266},"eEbdBUfyzZsdIOjFOXHpM",[],{"nodeType":260,"data":1718,"content":1722},{"target":1719},{"sys":1720},{"id":1721,"type":265,"linkType":266},"1MTFxfROuGKxnkHQwWHe8K",[],{"nodeType":237,"data":1724,"content":1725},{},[1726,1730,1735,1739,1744],{"nodeType":241,"value":1727,"marks":1728,"data":1729},"This makes it easy to surface both vulnerabilities and possible control gaps, and do something about them. But where Push really excels is in the ability to observe and block OAuth connection requests ",[],{},{"nodeType":241,"value":1731,"marks":1732,"data":1734},"even outside of your primary enterprise apps.",[1733],{"type":292},{},{"nodeType":241,"value":1736,"marks":1737,"data":1738}," Using Push, you can detect and block OAuth integration requests as they traverse the browser. This ",[],{},{"nodeType":241,"value":1740,"marks":1741,"data":1743},"app-agnostic",[1742],{"type":292},{},{"nodeType":241,"value":1745,"marks":1746,"data":1747}," level of control is absolutely critical to halting OAuth integration sprawl. ",[],{},{"nodeType":260,"data":1749,"content":1753},{"target":1750},{"sys":1751},{"id":1752,"type":265,"linkType":266},"2VZ4uw6MXslXME2ueydGuT",[],{"nodeType":422,"data":1755,"content":1756},{},[1757,1761],{"nodeType":241,"value":1758,"marks":1759,"data":1760},"And t",[],{},{"nodeType":241,"value":1762,"marks":1763,"data":1765},"hat’s not all …",[1764],{"type":292},{},{"nodeType":237,"data":1767,"content":1768},{},[1769],{"nodeType":241,"value":1770,"marks":1771,"data":1772},"Push’s browser-based security platform also detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, device code phishing, ClickFix, and session hijacking in real time. This includes the most prominent infostealer delivery vectors in terms of malvertising and *Fix-style attacks. 
Push analyzes every web page in every browser session and tab for threats, in real time, with no latency. ",[],{},{"nodeType":237,"data":1774,"content":1775},{},[1776],{"nodeType":241,"value":1777,"marks":1778,"data":1779},"But as we've established, you don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your attack surface.",[],{},{"nodeType":237,"data":1781,"content":1782},{},[1783,1787,1795,1799,1808,1812,1819],{"nodeType":241,"value":1784,"marks":1785,"data":1786},"To learn more about Push, ",[],{},{"nodeType":276,"data":1788,"content":1790},{"uri":1789},"https://pushsecurity.com/resources/product-brochure",[1791],{"nodeType":241,"value":1792,"marks":1793,"data":1794},"check out our latest product overview",[],{},{"nodeType":241,"value":1796,"marks":1797,"data":1798},", ",[],{},{"nodeType":276,"data":1800,"content":1802},{"uri":1801},"https://pushsecurity.com/product-demo/",[1803],{"nodeType":241,"value":1804,"marks":1805,"data":1807},"view our demo library",[1806],{"type":306},{},{"nodeType":241,"value":1809,"marks":1810,"data":1811},", or ",[],{},{"nodeType":276,"data":1813,"content":1814},{"uri":841},[1815],{"nodeType":241,"value":1816,"marks":1817,"data":1818},"book some time with one of our team for a live demo",[],{},{"nodeType":241,"value":1820,"marks":1821,"data":1822},".",[],{},"Unpacking the Vercel breach: A cautionary tale for Shadow AI and OAuth sprawl","In April 2026, Vercel was compromised via an OAuth app integrated into their Google Workspace tenant stemming from a compromised third-party AI SaaS provider.","unpacking-the-vercel-breach",{"items":1827},[1828,1832],{"sys":1829,"name":1831},{"id":1830},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1833,"name":1835},{"id":1834},"4ksQNCFeBf8H4QIORqpRLw","Detection & 
response",{"items":1837},[1838],{"fullName":226,"firstName":227,"jobTitle":228,"profilePicture":1839},{"url":230},{"__typename":1061,"sys":1841,"publishedDate":1843,"content":1844,"title":3082,"synopsis":3083,"hashTags":62,"slug":3084,"tagsCollection":3085,"authorsCollection":3095},{"id":1842},"6MoHWfQlVildcFYKSbfMcE","2026-05-14T00:00:00.000Z",{"json":1845},{"nodeType":233,"data":1846,"content":1847},{},[1848,1864,1870,1877,1884,1890,1893,1901,1909,1928,1975,1981,1996,1999,2007,2014,2042,2083,2090,2093,2101,2109,2116,2122,2129,2132,2140,2147,2190,2226,2233,2236,2244,2251,2276,2283,2328,2335,2338,2346,2354,2400,2407,2413,2416,2424,2432,2464,2471,2477,2484,2487,2495,2503,2532,2539,2546,2553,2556,2564,2572,2579,2585,2592,2615,2644,2647,2655,2663,2670,2677,2680,2688,2751,2754,2762,2769,3063,3066],{"nodeType":237,"data":1849,"content":1850},{},[1851,1855,1860],{"nodeType":241,"value":1852,"marks":1853,"data":1854},"Browser security solutions are one of the most significant additions to the enterprise security stack in recent years — and the data shows it. The browser is where ",[],{},{"nodeType":241,"value":1856,"marks":1857,"data":1859},"85% of work now happens",[1858],{"type":292},{},{"nodeType":241,"value":1861,"marks":1862,"data":1863},", where AI tools are accessed, and where attackers increasingly choose to strike.",[],{},{"nodeType":260,"data":1865,"content":1869},{"target":1866},{"sys":1867},{"id":1868,"type":265,"linkType":266},"5P6PyFbn4EakRNlIWtNzyL",[],{"nodeType":237,"data":1871,"content":1872},{},[1873],{"nodeType":241,"value":1874,"marks":1875,"data":1876},"But browser security is a nascent category. Getting a clear picture of which solution is right for your team, and how to get the most out of it, isn't straightforward. Current solutions on the market serve a wide range of IT and security use cases, with varying degrees of depth and differentiation across them. 
Not all use cases are equal in terms of their security value, and not all of them are best addressed in the browser.",[],{},{"nodeType":237,"data":1878,"content":1879},{},[1880],{"nodeType":241,"value":1881,"marks":1882,"data":1883},"This article ranks the security problems that browser security solutions can address by the value they deliver: a combination of the risk reduction on offer, and the degree to which the browser is genuinely the best (or only) layer to solve the problem. ",[],{},{"nodeType":260,"data":1885,"content":1889},{"target":1886},{"sys":1887},{"id":1888,"type":265,"linkType":266},"6SJPvEHizSYk29lEvVVNj",[],{"nodeType":313,"data":1891,"content":1892},{},[],{"nodeType":317,"data":1894,"content":1895},{},[1896],{"nodeType":241,"value":1897,"marks":1898,"data":1900},"#1 — Account takeover prevention: detecting credential attacks across all vectors",[1899],{"type":292},{},{"nodeType":237,"data":1902,"content":1903},{},[1904],{"nodeType":241,"value":1905,"marks":1906,"data":1908},"Security value: Very high | Browser fit: Uniquely suited",[1907],{"type":292},{},{"nodeType":237,"data":1910,"content":1911},{},[1912,1916,1924],{"nodeType":241,"value":1913,"marks":1914,"data":1915},"Account takeover (ATO) is the dominant entry point for enterprise breaches:",[],{},{"nodeType":276,"data":1917,"content":1919},{"uri":1918},"https://www.crowdstrike.com/en-gb/resources/infographics/identity-security-risk-review/",[1920],{"nodeType":241,"value":1921,"marks":1922,"data":1923}," 80% of all modern breaches involve compromised or stolen identities",[],{},{"nodeType":241,"value":1925,"marks":1926,"data":1927},". 
The attack surface is far wider than most identity tooling can see: credential stuffing, password spraying, ghost logins (password-based fallback authentication that persists after SSO is configured), weak or reused credentials on shadow SaaS apps, and accounts where MFA was never enforced.",[],{},{"nodeType":237,"data":1929,"content":1930},{},[1931,1935,1943,1946,1951,1954,1959,1963,1971],{"nodeType":241,"value":1932,"marks":1933,"data":1934},"According to",[],{},{"nodeType":276,"data":1936,"content":1938},{"uri":1937},"https://cf-assets.www.cloudflare.com/slt3lc6tev37/sWDBUMNVtEJB9ZFLt1dUU/8d69e92de2edfb3bf59e7d21d57e7e1a/Cloudflare-2026-threat-report.pdf",[1939],{"nodeType":241,"value":1940,"marks":1941,"data":1942}," Cloudflare's 2026 Threat Report",[],{},{"nodeType":241,"value":1796,"marks":1944,"data":1945},[],{},{"nodeType":241,"value":1947,"marks":1948,"data":1950},"63% of all human logins involve credentials already compromised elsewhere",[1949],{"type":292},{},{"nodeType":241,"value":362,"marks":1952,"data":1953},[],{},{"nodeType":241,"value":1955,"marks":1956,"data":1958},"94% of all login attempts originate from bots",[1957],{"type":292},{},{"nodeType":241,"value":1960,"marks":1961,"data":1962},". The",[],{},{"nodeType":276,"data":1964,"content":1966},{"uri":1965},"https://pushsecurity.com/blog/snowflake-retro/",[1967],{"nodeType":241,"value":1968,"marks":1969,"data":1970}," Snowflake breach",[],{},{"nodeType":241,"value":1972,"marks":1973,"data":1974}," — 165+ organizations compromised, 1 billion+ records stolen — was powered almost entirely by ghost logins: accounts missing MFA that were susceptible to credential stuffing. 
It's particularly telling that 80% of the accounts impacted had prior breach exposure.",[],{},{"nodeType":260,"data":1976,"content":1980},{"target":1977},{"sys":1978},{"id":1979,"type":265,"linkType":266},"HbZ66kp5DiAZtwNGFJK7d",[],{"nodeType":237,"data":1982,"content":1983},{},[1984,1988,1993],{"nodeType":241,"value":1985,"marks":1986,"data":1987},"For organizations with contractors and BYOD users, the browser extension is also the only enterprise control deployable on devices that can't be MDM-enrolled — extending ATO detection to exactly the place where, per Verizon DBIR 2025, ",[],{},{"nodeType":241,"value":1989,"marks":1990,"data":1992},"46% of infostealer infections originate",[1991],{"type":292},{},{"nodeType":241,"value":1820,"marks":1994,"data":1995},[],{},{"nodeType":313,"data":1997,"content":1998},{},[],{"nodeType":317,"data":2000,"content":2001},{},[2002],{"nodeType":241,"value":2003,"marks":2004,"data":2006},"#2 — Detecting and stopping advanced phishing: AiTM, multi-channel delivery, and zero-day lures",[2005],{"type":292},{},{"nodeType":237,"data":2008,"content":2009},{},[2010],{"nodeType":241,"value":1905,"marks":2011,"data":2013},[2012],{"type":292},{},{"nodeType":237,"data":2015,"content":2016},{},[2017,2021,2029,2033,2038],{"nodeType":241,"value":2018,"marks":2019,"data":2020},"Adversary-in-the-Middle (AiTM) phishing — where an attacker's reverse proxy intercepts credentials and session tokens in real time — has become the standard technique for bypassing MFA at scale.",[],{},{"nodeType":276,"data":2022,"content":2024},{"uri":2023},"https://www.esentire.com/resources/library/2026-threat-report",[2025],{"nodeType":241,"value":2026,"marks":2027,"data":2028}," eSentire's 2026 Threat Report",[],{},{"nodeType":241,"value":2030,"marks":2031,"data":2032}," attributes ",[],{},{"nodeType":241,"value":2034,"marks":2035,"data":2037},"63% of account compromise incidents to PhaaS 
kits",[2036],{"type":292},{},{"nodeType":241,"value":2039,"marks":2040,"data":2041},", with account compromise surging 389% year-over-year.",[],{},{"nodeType":237,"data":2043,"content":2044},{},[2045,2049,2057,2061,2066,2070,2079],{"nodeType":241,"value":2046,"marks":2047,"data":2048},"Traditional phishing controls are also no longer in the right place to intercept these attacks. The delivery channel has shifted decisively away from email:",[],{},{"nodeType":276,"data":2050,"content":2052},{"uri":2051},"https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026",[2053],{"nodeType":241,"value":2054,"marks":2055,"data":2056}," Mandiant M-Trends 2026",[],{},{"nodeType":241,"value":2058,"marks":2059,"data":2060}," found email phishing dropped from 14% to 6% as an infection vector, and Push data shows ",[],{},{"nodeType":241,"value":2062,"marks":2063,"data":2065},"roughly 1 in 3 phishing payloads intercepted were delivered outside email entirely",[2064],{"type":292},{},{"nodeType":241,"value":2067,"marks":2068,"data":2069}," — via search engine malvertising, social platforms, and compromised websites. Meanwhile, ",[],{},{"nodeType":276,"data":2071,"content":2073},{"uri":2072},"https://www.spamhaus.com/resource-center/supporting-researchers-with-passive-dns/",[2074],{"nodeType":241,"value":2075,"marks":2076,"data":2078},"89% of phishing domains are active for less than two days",[2077],{"type":292},{},{"nodeType":241,"value":2080,"marks":2081,"data":2082},", making blocklist-based detection structurally too slow — attackers can spin up, tear down, and move on before blocklists can catch up.",[],{},{"nodeType":237,"data":2084,"content":2085},{},[2086],{"nodeType":241,"value":2087,"marks":2088,"data":2089},"Modern phishing plays out entirely inside the browser session. The only detection layer that can see the phishing page structure, the credential entry, and the anomalous token context is the browser itself. 
Browser-native detection analyses page behavior rather than matching known-bad domains, which means it fires on zero-day kits regardless of how recently the infrastructure was stood up. Controls like credential entry guardrails add an additional layer — blocking corporate passwords from being submitted to unauthorized domains independently of content and behavior-based detections.",[],{},{"nodeType":313,"data":2091,"content":2092},{},[],{"nodeType":317,"data":2094,"content":2095},{},[2096],{"nodeType":241,"value":2097,"marks":2098,"data":2100},"#3 — Identity posture hardening: enforcing security across the apps your IdP doesn't manage",[2099],{"type":292},{},{"nodeType":237,"data":2102,"content":2103},{},[2104],{"nodeType":241,"value":2105,"marks":2106,"data":2108},"Security value: High | Browser fit: Uniquely suited",[2107],{"type":292},{},{"nodeType":237,"data":2110,"content":2111},{},[2112],{"nodeType":241,"value":2113,"marks":2114,"data":2115},"The first challenge is knowing what you're protecting. Every identity an employee creates — every app they sign up to, every password they set, every login that bypasses SSO — is an authentication event that happens inside a browser session. The browser is the only layer that observes all of these events regardless of whether the app is sanctioned, managed, or even known to IT. Solutions that rely on API-level integrations with known apps, network traffic inspection, or email sign-up notifications can only ever build a partial picture, because they can only see apps they already know about. 
The browser sees the login itself, which means it discovers the identity at the moment it's created or used — authentication method, password strength, MFA status, and all.",[],{},{"nodeType":260,"data":2117,"content":2121},{"target":2118},{"sys":2119},{"id":2120,"type":265,"linkType":266},"HETvBCPsKGkqLVtaasXH0",[],{"nodeType":237,"data":2123,"content":2124},{},[2125],{"nodeType":241,"value":2126,"marks":2127,"data":2128},"But discovery without enforcement is just an inventory problem. Being in the browser means that you're in a great position to act on what it finds at the moment of authentication. Browser-native guardrails that prompt MFA enrollment, guide users toward stronger credentials, and redirect to SSO login paths close the gap at scale, on every app, including those the IdP has never seen. They also produce the continuous, auditable evidence of MFA coverage and credential hygiene across the full application estate that regulators, insurers, and auditors increasingly require — evidence that no IdP-centric tool can provide for apps outside its scope.",[],{},{"nodeType":313,"data":2130,"content":2131},{},[],{"nodeType":317,"data":2133,"content":2134},{},[2135],{"nodeType":241,"value":2136,"marks":2137,"data":2139},"#4 — Browser extension security",[2138],{"type":292},{},{"nodeType":237,"data":2141,"content":2142},{},[2143],{"nodeType":241,"value":2105,"marks":2144,"data":2146},[2145],{"type":292},{},{"nodeType":237,"data":2148,"content":2149},{},[2150,2154,2163,2167,2175,2178,2186],{"nodeType":241,"value":2151,"marks":2152,"data":2153},"Browser extensions have become one of the most talked-about attack surfaces in security over the past 18 months, and understandably so — a string of high-profile supply chain compromises have collectively impacted tens of millions of users since late 2024 
(",[],{},{"nodeType":276,"data":2155,"content":2157},{"uri":2156},"https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it",[2158],{"nodeType":241,"value":2159,"marks":2160,"data":2162},"Cyberhaven",[2161],{"type":306},{},{"nodeType":241,"value":2164,"marks":2165,"data":2166},",",[],{},{"nodeType":276,"data":2168,"content":2170},{"uri":2169},"https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html",[2171],{"nodeType":241,"value":2172,"marks":2173,"data":2174}," DarkSpectre",[],{},{"nodeType":241,"value":2164,"marks":2176,"data":2177},[],{},{"nodeType":276,"data":2179,"content":2181},{"uri":2180},"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html",[2182],{"nodeType":241,"value":2183,"marks":2184,"data":2185}," Trust Wallet",[],{},{"nodeType":241,"value":2187,"marks":2188,"data":2189},", among many others).",[],{},{"nodeType":237,"data":2191,"content":2192},{},[2193,2196,2204,2208,2213,2217,2222],{"nodeType":241,"value":29,"marks":2194,"data":2195},[],{},{"nodeType":276,"data":2197,"content":2198},{"uri":545},[2199],{"nodeType":241,"value":2200,"marks":2201,"data":2203},"Analysis of 20,000+ extensions across Push customers",[2202],{"type":306},{},{"nodeType":241,"value":2205,"marks":2206,"data":2207}," found ",[],{},{"nodeType":241,"value":2209,"marks":2210,"data":2212},"46.76% have the permission combinations needed to perform account takeover with no user interaction",[2211],{"type":292},{},{"nodeType":241,"value":2214,"marks":2215,"data":2216},", making permissions-based risk scoring effectively useless as a triage tool. The real threat model is not malicious extensions at install time — it's legitimate extensions that ",[],{},{"nodeType":241,"value":2218,"marks":2219,"data":2221},"become",[2220],{"type":378},{},{"nodeType":241,"value":2223,"marks":2224,"data":2225}," malicious after an ownership transfer, developer account compromise, or silent update push. 
Every major extension supply chain breach of the past 18 months scored as low-risk immediately before compromise.",[],{},{"nodeType":237,"data":2227,"content":2228},{},[2229],{"nodeType":241,"value":2230,"marks":2231,"data":2232},"SWGs and network tools are structurally blind to this attack surface: a malicious extension exfiltrating session tokens generates no anomalous network signal — its traffic is indistinguishable from normal browsing. Endpoint agents have no visibility into extension behavior at the session level. Extension inventory, supply chain change monitoring — ownership transfers, permission escalations, developer contact changes — and enforcement all require browser-layer access by definition.",[],{},{"nodeType":313,"data":2234,"content":2235},{},[],{"nodeType":317,"data":2237,"content":2238},{},[2239],{"nodeType":241,"value":2240,"marks":2241,"data":2243},"#5 — Shadow SaaS discovery and OAuth integration governance",[2242],{"type":292},{},{"nodeType":237,"data":2245,"content":2246},{},[2247],{"nodeType":241,"value":2105,"marks":2248,"data":2250},[2249],{"type":292},{},{"nodeType":237,"data":2252,"content":2253},{},[2254,2258,2263,2267,2272],{"nodeType":241,"value":2255,"marks":2256,"data":2257},"Shadow SaaS discovery shares DNA with identity posture hardening (#3) — both start with the same browser-native visibility into login events that no other layer can replicate. 
Where identity posture focuses on hardening ",[],{},{"nodeType":241,"value":2259,"marks":2260,"data":2262},"how",[2261],{"type":378},{},{"nodeType":241,"value":2264,"marks":2265,"data":2266}," employees authenticate, shadow SaaS discovery focuses on ",[],{},{"nodeType":241,"value":2268,"marks":2269,"data":2271},"what",[2270],{"type":378},{},{"nodeType":241,"value":2273,"marks":2274,"data":2275}," they authenticate to: surfacing the full estate of applications in use across the organization, including those that IT has never sanctioned or even heard of.",[],{},{"nodeType":237,"data":2277,"content":2278},{},[2279],{"nodeType":241,"value":2280,"marks":2281,"data":2282},"OAuth integration governance is the component of shadow SaaS that is both the most potentially damaging and the hardest to surface through other means. The SaaS-to-SaaS OAuth pivot is now an industrialized attack pattern.",[],{},{"nodeType":1277,"data":2284,"content":2285},{},[2286,2308],{"nodeType":1281,"data":2287,"content":2288},{},[2289],{"nodeType":237,"data":2290,"content":2291},{},[2292,2296,2304],{"nodeType":241,"value":2293,"marks":2294,"data":2295},"The",[],{},{"nodeType":276,"data":2297,"content":2299},{"uri":2298},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[2300],{"nodeType":241,"value":2301,"marks":2302,"data":2303}," ShinyHunters",[],{},{"nodeType":241,"value":2305,"marks":2306,"data":2307}," Salesforce campaign — which compromised 1,000+ organizations and 1.5 billion records — demonstrated the full chain: the attacker didn't stop at stealing customer data but harvested OAuth tokens, AWS access keys, and Snowflake tokens from breached tenants and pivoted through connected services like Salesloft, Drift, and Gainsight to reach hundreds more 
organizations.",[],{},{"nodeType":1281,"data":2309,"content":2310},{},[2311],{"nodeType":237,"data":2312,"content":2313},{},[2314,2317,2324],{"nodeType":241,"value":2293,"marks":2315,"data":2316},[],{},{"nodeType":276,"data":2318,"content":2319},{"uri":1013},[2320],{"nodeType":241,"value":2321,"marks":2322,"data":2323}," Context.ai → Vercel",[],{},{"nodeType":241,"value":2325,"marks":2326,"data":2327}," chain followed the same logic — stored OAuth tokens from a forgotten AI app trial provided the bridge into Google Workspace, internal dashboards, and API keys. These are not isolated incidents; they are the repeatable playbook for extracting maximum value from a single compromise through the trust relationships that OAuth connections encode.",[],{},{"nodeType":237,"data":2329,"content":2330},{},[2331],{"nodeType":241,"value":2332,"marks":2333,"data":2334},"Every OAuth consent grant transits the browser — the authorization prompt, the scope disclosure, the user's approval click, and the redirect that completes the grant all happen inside a browser session — which makes the browser the only layer where an unwanted grant can be intercepted before the token is issued and the persistent access path is created. Once a token exists, the damage is done: it survives password resets, MFA changes, and session revocations, and revoking it after the fact requires first knowing it was granted, which most organizations do not.",[],{},{"nodeType":313,"data":2336,"content":2337},{},[],{"nodeType":317,"data":2339,"content":2340},{},[2341],{"nodeType":241,"value":2342,"marks":2343,"data":2345},"#6 — Blocking ClickFix and social engineering-based malware delivery",[2344],{"type":292},{},{"nodeType":237,"data":2347,"content":2348},{},[2349],{"nodeType":241,"value":2350,"marks":2351,"data":2353},"Security value: High | Browser fit: Strong for interception — shared with endpoint security for execution. 
ConsentFix is a browser-native exception that is T1-aligned.",[2352],{"type":292},{},{"nodeType":237,"data":2355,"content":2356},{},[2357,2361,2366,2370,2378,2382,2387,2391,2396],{"nodeType":241,"value":2358,"marks":2359,"data":2360},"ClickFix was the most common initial access vector reported by Microsoft in 2025, accounting for ",[],{},{"nodeType":241,"value":2362,"marks":2363,"data":2365},"47% of observed attacks",[2364],{"type":292},{},{"nodeType":241,"value":2367,"marks":2368,"data":2369},". CrowdStrike's",[],{},{"nodeType":276,"data":2371,"content":2373},{"uri":2372},"https://www.crowdstrike.com/explore/2026-global-threat-report",[2374],{"nodeType":241,"value":2375,"marks":2376,"data":2377}," 2026 Global Threat Report",[],{},{"nodeType":241,"value":2379,"marks":2380,"data":2381}," identified fake CAPTCHA lures as the most common malware download type, increasing ",[],{},{"nodeType":241,"value":2383,"marks":2384,"data":2386},"563% year-over-year",[2385],{"type":292},{},{"nodeType":241,"value":2388,"marks":2389,"data":2390},". The technique writes a malicious command to the victim's clipboard and social-engineers them into executing it. It is fileless (bypassing download scanning), user-executed (bypassing endpoint behavioral detections), and ",[],{},{"nodeType":241,"value":2392,"marks":2393,"data":2395},"4 in 5 ClickFix payloads intercepted by Push arrived via search engines",[2394],{"type":292},{},{"nodeType":241,"value":2397,"marks":2398,"data":2399}," — not email (bypassing email anti-phishing controls).",[],{},{"nodeType":237,"data":2401,"content":2402},{},[2403],{"nodeType":241,"value":2404,"marks":2405,"data":2406},"The browser is the earliest and most effective intervention point — detecting the clipboard injection and social engineering lure before anything reaches the endpoint in executable form. 
But the problem doesn't end at the browser boundary: once the command has been pasted and run, detection and remediation become endpoint problems, and a mature defense requires both layers. The broader *Fix family — FileFix, InstallFix, and similar derivatives — follows the same pattern, with the browser providing the critical early-warning layer within a defense that spans browser and endpoint.",[],{},{"nodeType":260,"data":2408,"content":2412},{"target":2409},{"sys":2410},{"id":2411,"type":265,"linkType":266},"39alMHtw9FPHbQINqbAgBN",[],{"nodeType":313,"data":2414,"content":2415},{},[],{"nodeType":317,"data":2417,"content":2418},{},[2419],{"nodeType":241,"value":2420,"marks":2421,"data":2423},"#7 — AI visibility and control: enforcing which AI tools employees can use and how",[2422],{"type":292},{},{"nodeType":237,"data":2425,"content":2426},{},[2427],{"nodeType":241,"value":2428,"marks":2429,"data":2431},"Security value: High | Browser fit: Strong for access enforcement — but AI governance is not a new security problem so much as a force multiplier on existing ones",[2430],{"type":292},{},{"nodeType":237,"data":2433,"content":2434},{},[2435,2439,2447,2451,2460],{"nodeType":241,"value":2436,"marks":2437,"data":2438},"AI adoption is outpacing security governance at nearly every organization, and ",[],{},{"nodeType":276,"data":2440,"content":2441},{"uri":695},[2442],{"nodeType":241,"value":2443,"marks":2444,"data":2446},"71% of organizations are concerned about data leakage via unsanctioned AI apps",[2445],{"type":292},{},{"nodeType":241,"value":2448,"marks":2449,"data":2450},". But the security problems that AI creates are not, for the most part, novel — they are existing Tier 1 problems amplified by a new category of tooling. Shadow AI apps are shadow SaaS (#5). AI OAuth integrations are OAuth governance (#5). AI browser extensions are extension security (#4). 
The risk of employees using personal AI accounts — ",[],{},{"nodeType":276,"data":2452,"content":2454},{"uri":2453},"https://keepaware.com/blog/46-of-sensitive-data-bypasses-your-dlp",[2455],{"nodeType":241,"value":2456,"marks":2457,"data":2459},"46% of sensitive inputs to AI tools are sent via personal accounts",[2458],{"type":292},{},{"nodeType":241,"value":2461,"marks":2462,"data":2463}," — is an identity posture problem (#3).",[],{},{"nodeType":237,"data":2465,"content":2466},{},[2467],{"nodeType":241,"value":2468,"marks":2469,"data":2470},"The component parts that allow you to govern AI are individually Tier 1 capabilities, and the browser is the best single layer for gaining visibility and control over AI usage — it sees the apps, the OAuth grants, the extensions, and the account context. But a complete end-to-end solution also requires a presence on the endpoint layer (for local AI tools, IDE-integrated agents, and API-level usage that never touches the browser), and prompt-level DLP on sanctioned tools is better handled by platform-native controls than by browser-layer observation.",[],{},{"nodeType":260,"data":2472,"content":2476},{"target":2473},{"sys":2474},{"id":2475,"type":265,"linkType":266},"6Py3z9VgjhKrchmYvhmbsq",[],{"nodeType":237,"data":2478,"content":2479},{},[2480],{"nodeType":241,"value":2481,"marks":2482,"data":2483},"The browser is what makes platform controls effective — if employees are using personal accounts, there are no enterprise audit logs to inspect. 
And for the growing category of AI agents, agentic browsers, and MCP-connected tools that operate through OAuth grants rather than direct user interaction, the browser is where the consent decisions that authorize those agents are made.",[],{},{"nodeType":313,"data":2485,"content":2486},{},[],{"nodeType":317,"data":2488,"content":2489},{},[2490],{"nodeType":241,"value":2491,"marks":2492,"data":2494},"#8 — Investigation acceleration and incident response: closing the missing middle",[2493],{"type":292},{},{"nodeType":237,"data":2496,"content":2497},{},[2498],{"nodeType":241,"value":2499,"marks":2500,"data":2502},"Security value: High | Browser fit: Strong — fills a structural gap complementary to endpoint, network, and identity telemetry",[2501],{"type":292},{},{"nodeType":237,"data":2504,"content":2505},{},[2506,2510,2515,2519,2528],{"nodeType":241,"value":2507,"marks":2508,"data":2509},"Endpoint logs show what processes executed. Network logs show traffic destinations. IdP logs show authentication events. None of them show what happened ",[],{},{"nodeType":241,"value":2511,"marks":2512,"data":2514},"inside the browser session",[2513],{"type":378},{},{"nodeType":241,"value":2516,"marks":2517,"data":2518}," — the phishing page the user saw, the credentials they entered, the malicious OAuth consent grant, the data uploaded or pasted to an unsanctioned service. 
This is the missing middle of modern incident investigations, and for the ",[],{},{"nodeType":276,"data":2520,"content":2522},{"uri":2521},"https://www.paloaltonetworks.co.uk/resources/research/unit-42-incident-response-report",[2523],{"nodeType":241,"value":2524,"marks":2525,"data":2527},"48% of intrusions involving browser-based activity",[2526],{"type":292},{},{"nodeType":241,"value":2529,"marks":2530,"data":2531},", the absence of browser telemetry is a significant investigative gap.",[],{},{"nodeType":237,"data":2533,"content":2534},{},[2535],{"nodeType":241,"value":2536,"marks":2537,"data":2538},"Browser-layer telemetry fills that gap with a fundamentally different quality of signal: what users actually clicked, what pages loaded and how they behaved, what credentials were entered, what session activity followed — structured, high-fidelity data from inside the session where the attack played out. That's the difference between inferring what happened and seeing it directly, and it determines scope, drives containment decisions, and provides the direct evidential record that neither endpoint DLP nor network monitoring can supply for browser-native attacks.",[],{},{"nodeType":237,"data":2540,"content":2541},{},[2542],{"nodeType":241,"value":2543,"marks":2544,"data":2545},"Browser telemetry is a key addition to the investigative picture. 
Investigations are inherently multi-source — without browser data, reconstructing an incident from EDR, network, and IdP logs won't tell you the full picture (particularly when attacks are increasingly delivered outside of email, intercepting users as they browse the internet normally).",[],{},{"nodeType":237,"data":2547,"content":2548},{},[2549],{"nodeType":241,"value":2550,"marks":2551,"data":2552},"The browser provides the causal link that other sources miss: the bridge between \"a user visited a URL\" and \"credentials were submitted to a phishing page that issued a session token now being replayed from an attacker-controlled browser.\" Integrated with SIEM and SOAR platforms, that signal enables automated response workflows to execute on high-confidence detections without waiting for manual triage.",[],{},{"nodeType":313,"data":2554,"content":2555},{},[],{"nodeType":317,"data":2557,"content":2558},{},[2559],{"nodeType":241,"value":2560,"marks":2561,"data":2563},"#9 — Infostealer defense: detecting exposure and blocking delivery",[2562],{"type":292},{},{"nodeType":237,"data":2565,"content":2566},{},[2567],{"nodeType":241,"value":2568,"marks":2569,"data":2571},"Security value: High | Browser fit: Strong for delivery interception and stolen factor detection — complementary to endpoint security for execution",[2570],{"type":292},{},{"nodeType":237,"data":2573,"content":2574},{},[2575],{"nodeType":241,"value":2576,"marks":2577,"data":2578},"Infostealers are the upstream supply chain for a disproportionate share of the most damaging enterprise attacks — harvesting credentials, session cookies, and browser profile data en masse from infected devices, then selling the outputs on infostealer markets for use in credential stuffing, ATO, and ransomware 
campaigns.",[],{},{"nodeType":260,"data":2580,"content":2584},{"target":2581},{"sys":2582},{"id":2583,"type":265,"linkType":266},"5NF1afwu3zFGThZTtStVQA",[],{"nodeType":237,"data":2586,"content":2587},{},[2588],{"nodeType":241,"value":2589,"marks":2590,"data":2591},"The browser is relevant at two points in the infostealer kill chain. First, delivery interception: ClickFix (covered in #6) is now the primary infostealer delivery mechanism, and the browser is the only layer that can intercept it before execution. Second, detecting stolen factors when attackers attempt to use them — and infostealers produce two categories of stolen factor that the browser can guard against.",[],{},{"nodeType":1277,"data":2593,"content":2594},{},[2595,2605],{"nodeType":1281,"data":2596,"content":2597},{},[2598],{"nodeType":237,"data":2599,"content":2600},{},[2601],{"nodeType":241,"value":2602,"marks":2603,"data":2604},"Stolen credentials can be identified at the point of login: browser-layer detection flags credentials that appear in known breach datasets, catching infostealer-harvested passwords being replayed in credential stuffing campaigns before the account is compromised.",[],{},{"nodeType":1281,"data":2606,"content":2607},{},[2608],{"nodeType":237,"data":2609,"content":2610},{},[2611],{"nodeType":241,"value":2612,"marks":2613,"data":2614},"Stolen session tokens are caught through a different mechanism: sessions originating in instrumented browsers carry a marker, and when a token subsequently appears in an un-instrumented browser it is a confirmed stolen session — catching infostealer-harvested cookies being replayed regardless of how or where the token was originally harvested.",[],{},{"nodeType":237,"data":2616,"content":2617},{},[2618,2622,2631,2635,2640],{"nodeType":241,"value":2619,"marks":2620,"data":2621},"This is particularly critical for the 
",[],{},{"nodeType":276,"data":2623,"content":2625},{"uri":2624},"https://www.verizon.com/business/en-gb/resources/reports/dbir/",[2626],{"nodeType":241,"value":2627,"marks":2628,"data":2630},"46% of infected devices that are unmanaged",[2629],{"type":292},{},{"nodeType":241,"value":2632,"marks":2633,"data":2634}," where EDR is absent and the stolen credentials and session tokens will never be detected at the endpoint. Infostealer ",[],{},{"nodeType":241,"value":2636,"marks":2637,"data":2639},"execution",[2638],{"type":378},{},{"nodeType":241,"value":2641,"marks":2642,"data":2643}," remains an endpoint problem; the browser closes the delivery and replay gaps that endpoint tools miss.",[],{},{"nodeType":313,"data":2645,"content":2646},{},[],{"nodeType":317,"data":2648,"content":2649},{},[2650],{"nodeType":241,"value":2651,"marks":2652,"data":2654},"#10 — Data loss prevention: a key component of effective DLP, but not the full picture",[2653],{"type":292},{},{"nodeType":237,"data":2656,"content":2657},{},[2658],{"nodeType":241,"value":2659,"marks":2660,"data":2662},"Security value: Medium-high | Browser fit: Partial — complementary to dedicated DLP",[2661],{"type":292},{},{"nodeType":237,"data":2664,"content":2665},{},[2666],{"nodeType":241,"value":2667,"marks":2668,"data":2669},"File uploads to unsanctioned services, sensitive data pasted into AI tools, and exfiltration through personal accounts are genuine and growing risks that traditional email and endpoint-centric DLP tools were not designed to catch. Browser-layer controls provide real value here — particularly for BYOD users and contractors, where endpoint DLP agents cannot be deployed and the browser is the only available data loss visibility.",[],{},{"nodeType":237,"data":2671,"content":2672},{},[2673],{"nodeType":241,"value":2674,"marks":2675,"data":2676},"The honest scope: browser-layer DLP does not cover email-based loss, endpoint-to-endpoint transfers, or cloud API exfiltration. 
It closes specific and important gaps within a broader DLP strategy, not a replacement for one. A further distinction for organizations evaluating browser DLP for secure third-party access: full-stack enterprise browsers can enforce deeper output controls — watermarking, obfuscation, screenshot and print restrictions — at the OS rendering level that browser extensions cannot reliably replicate. Extension-based browser DLP is strongest for upload, input, and access control use cases rather than OS-level output restriction.",[],{},{"nodeType":313,"data":2678,"content":2679},{},[],{"nodeType":317,"data":2681,"content":2682},{},[2683],{"nodeType":241,"value":2684,"marks":2685,"data":2687},"Tier 3 — Lower Value: A problem best addressed outside of the browser",[2686],{"type":292},{},{"nodeType":1277,"data":2689,"content":2690},{},[2691,2706,2721,2736],{"nodeType":1281,"data":2692,"content":2693},{},[2694],{"nodeType":237,"data":2695,"content":2696},{},[2697,2702],{"nodeType":241,"value":2698,"marks":2699,"data":2701},"Browser exploit protection",[2700],{"type":292},{},{"nodeType":241,"value":2703,"marks":2704,"data":2705}," (narrow RCE/sandbox sense) ranks lower because browser zero-days represent just 9% of all zero-days reported to Google, and 82% of attack detections are now malware-free (CrowdStrike 2026). This is a problem for browser vendors to solve, and it's not a big enough problem to warrant enterprises investing in additional mitigating controls.",[],{},{"nodeType":1281,"data":2707,"content":2708},{},[2709],{"nodeType":237,"data":2710,"content":2711},{},[2712,2717],{"nodeType":241,"value":2713,"marks":2714,"data":2716},"Domain and URL category controls",[2715],{"type":292},{},{"nodeType":241,"value":2718,"marks":2719,"data":2720}," offer genuine browser-layer value but are commoditized by SWG and DNS filtering tools most organizations already operate. 
This can be provided in the browser, sure (and it's something we do at Push) but offers limited security value in terms of making a difference against modern attacks that quickly rotate these kinds of indicators and are designed to blend in.",[],{},{"nodeType":1281,"data":2722,"content":2723},{},[2724],{"nodeType":237,"data":2725,"content":2726},{},[2727,2732],{"nodeType":241,"value":2728,"marks":2729,"data":2731},"Access management",[2730],{"type":292},{},{"nodeType":241,"value":2733,"marks":2734,"data":2735}," — ZTNA, VPN replacement, PAM, BYOD access control — is an IT infrastructure and access architecture problem, not a security operations problem, and belongs to a different buyer with a different evaluation frame. There are numerous (typically full-stack) Enterprise Browser solutions on the market that address IT use cases like this well.",[],{},{"nodeType":1281,"data":2737,"content":2738},{},[2739],{"nodeType":237,"data":2740,"content":2741},{},[2742,2747],{"nodeType":241,"value":2743,"marks":2744,"data":2746},"Remote browser isolation",[2745],{"type":292},{},{"nodeType":241,"value":2748,"marks":2749,"data":2750}," addresses browser exploit risk rather than the identity-first attacks that represent the majority of current enterprise browser risk, and introduces UX friction that limits deployment at scale. 
When it triggers, it introduces latency but still fails to detect and stop browser-native attacks.",[],{},{"nodeType":313,"data":2752,"content":2753},{},[],{"nodeType":317,"data":2755,"content":2756},{},[2757],{"nodeType":241,"value":2758,"marks":2759,"data":2761},"How Push Security maps to the highest-value security use cases",[2760],{"type":292},{},{"nodeType":237,"data":2763,"content":2764},{},[2765],{"nodeType":241,"value":2766,"marks":2767,"data":2768},"Push is purpose-built to address all of these problems using a flexible browser extension — plug into any browser with no migration, no host agent deployment, and no IT overhead — that delivers telemetry and control from day one, and extends coverage to every enrolled browser regardless of device ownership.",[],{},{"nodeType":2770,"data":2771,"content":2772},"table",{},[2773,2800,2824,2848,2872,2896,2920,2944,2968,2992,3016,3040],{"nodeType":2774,"data":2775,"content":2776},"table-row",{},[2777,2789],{"nodeType":2778,"data":2779,"content":2780},"table-cell",{},[2781],{"nodeType":237,"data":2782,"content":2783},{},[2784],{"nodeType":241,"value":2785,"marks":2786,"data":2788},"Security use case",[2787],{"type":292},{},{"nodeType":2778,"data":2790,"content":2791},{},[2792],{"nodeType":237,"data":2793,"content":2794},{},[2795],{"nodeType":241,"value":2796,"marks":2797,"data":2799},"How Push addresses it",[2798],{"type":292},{},{"nodeType":2774,"data":2801,"content":2802},{},[2803,2814],{"nodeType":2778,"data":2804,"content":2805},{},[2806],{"nodeType":237,"data":2807,"content":2808},{},[2809],{"nodeType":241,"value":2810,"marks":2811,"data":2813},"Account takeover prevention",[2812],{"type":292},{},{"nodeType":2778,"data":2815,"content":2816},{},[2817],{"nodeType":237,"data":2818,"content":2819},{},[2820],{"nodeType":241,"value":2821,"marks":2822,"data":2823},"Surfaces and fixes ghost logins, weak and breached credentials and missing MFA controls across every app and device — including shadow SaaS and unmanaged 
devices invisible to the IdP. Push also detects and stops the attack techniques that typically lead to ATO early in the kill chain and before an account can be compromised.",[],{},{"nodeType":2774,"data":2825,"content":2826},{},[2827,2838],{"nodeType":2778,"data":2828,"content":2829},{},[2830],{"nodeType":237,"data":2831,"content":2832},{},[2833],{"nodeType":241,"value":2834,"marks":2835,"data":2837},"Advanced phishing detection",[2836],{"type":292},{},{"nodeType":2778,"data":2839,"content":2840},{},[2841],{"nodeType":237,"data":2842,"content":2843},{},[2844],{"nodeType":241,"value":2845,"marks":2846,"data":2847},"Behavioral page analysis detects phishing kits regardless of whether the domain is known-bad. Credential entry guardrails block corporate passwords from being submitted to unauthorized domains. TTP-based detection remains effective as attacker infrastructure rotates.",[],{},{"nodeType":2774,"data":2849,"content":2850},{},[2851,2862],{"nodeType":2778,"data":2852,"content":2853},{},[2854],{"nodeType":237,"data":2855,"content":2856},{},[2857],{"nodeType":241,"value":2858,"marks":2859,"data":2861},"Identity posture hardening",[2860],{"type":292},{},{"nodeType":2778,"data":2863,"content":2864},{},[2865],{"nodeType":237,"data":2866,"content":2867},{},[2868],{"nodeType":241,"value":2869,"marks":2870,"data":2871},"Enforces MFA, strong credentials, and SSO adoption across every app the IdP doesn't manage. 
Produces continuous, auditable MFA coverage and credential hygiene evidence across the full application and device estate.",[],{},{"nodeType":2774,"data":2873,"content":2874},{},[2875,2886],{"nodeType":2778,"data":2876,"content":2877},{},[2878],{"nodeType":237,"data":2879,"content":2880},{},[2881],{"nodeType":241,"value":2882,"marks":2883,"data":2885},"Browser extension security",[2884],{"type":292},{},{"nodeType":2778,"data":2887,"content":2888},{},[2889],{"nodeType":237,"data":2890,"content":2891},{},[2892],{"nodeType":241,"value":2893,"marks":2894,"data":2895},"Live extension inventory with supply chain change event monitoring — ownership transfers, permission escalations, developer contact changes — rather than static risk scoring. Supports default-deny allowlisting and remote extension removal. Blocks known-bad malicious extensions automatically.",[],{},{"nodeType":2774,"data":2897,"content":2898},{},[2899,2910],{"nodeType":2778,"data":2900,"content":2901},{},[2902],{"nodeType":237,"data":2903,"content":2904},{},[2905],{"nodeType":241,"value":2906,"marks":2907,"data":2909},"Shadow SaaS and OAuth governance",[2908],{"type":292},{},{"nodeType":2778,"data":2911,"content":2912},{},[2913],{"nodeType":237,"data":2914,"content":2915},{},[2916],{"nodeType":241,"value":2917,"marks":2918,"data":2919},"Discovers shadow SaaS from actual login events with full authentication context. 
Monitors and blocks OAuth consent flows — including AI and MCP integrations — in real time before persistent access paths are created.",[],{},{"nodeType":2774,"data":2921,"content":2922},{},[2923,2934],{"nodeType":2778,"data":2924,"content":2925},{},[2926],{"nodeType":237,"data":2927,"content":2928},{},[2929],{"nodeType":241,"value":2930,"marks":2931,"data":2933},"ClickFix and the *Fix family",[2932],{"type":292},{},{"nodeType":2778,"data":2935,"content":2936},{},[2937],{"nodeType":237,"data":2938,"content":2939},{},[2940],{"nodeType":241,"value":2941,"marks":2942,"data":2943},"Detects and blocks ClickFix lures, clipboard injection, and browser-native variants like ConsentFix in real time — before the payload executes or OAuth key material is captured.",[],{},{"nodeType":2774,"data":2945,"content":2946},{},[2947,2958],{"nodeType":2778,"data":2948,"content":2949},{},[2950],{"nodeType":237,"data":2951,"content":2952},{},[2953],{"nodeType":241,"value":2954,"marks":2955,"data":2957},"AI visibility & control",[2956],{"type":292},{},{"nodeType":2778,"data":2959,"content":2960},{},[2961],{"nodeType":237,"data":2962,"content":2963},{},[2964],{"nodeType":241,"value":2965,"marks":2966,"data":2967},"Enforces which AI tools employees can access and routes usage to corporate tenants. 
Governs AI browser extensions and blocks OAuth consent grants to unapproved AI applications — drawing on the same Tier 1 capabilities (OAuth governance, extension security, shadow SaaS discovery) that make this possible.",[],{},{"nodeType":2774,"data":2969,"content":2970},{},[2971,2982],{"nodeType":2778,"data":2972,"content":2973},{},[2974],{"nodeType":237,"data":2975,"content":2976},{},[2977],{"nodeType":241,"value":2978,"marks":2979,"data":2981},"Security investigations & incident response",[2980],{"type":292},{},{"nodeType":2778,"data":2983,"content":2984},{},[2985],{"nodeType":237,"data":2986,"content":2987},{},[2988],{"nodeType":241,"value":2989,"marks":2990,"data":2991},"High-fidelity session telemetry — page loads, credential entries, DOM changes, OAuth grants — fills the missing middle that endpoint, network, and IdP logs leave open. Feeds directly into SIEM and SOAR for automated response.",[],{},{"nodeType":2774,"data":2993,"content":2994},{},[2995,3006],{"nodeType":2778,"data":2996,"content":2997},{},[2998],{"nodeType":237,"data":2999,"content":3000},{},[3001],{"nodeType":241,"value":3002,"marks":3003,"data":3005},"Infostealer defense",[3004],{"type":292},{},{"nodeType":2778,"data":3007,"content":3008},{},[3009],{"nodeType":237,"data":3010,"content":3011},{},[3012],{"nodeType":241,"value":3013,"marks":3014,"data":3015},"Intercepts ClickFix-based infostealer delivery before execution. 
Detects token replay in unenrolled browser contexts — catching post-theft abuse from AiTM-sourced tokens and infostealer-harvested cookies, including from unmanaged devices.",[],{},{"nodeType":2774,"data":3017,"content":3018},{},[3019,3030],{"nodeType":2778,"data":3020,"content":3021},{},[3022],{"nodeType":237,"data":3023,"content":3024},{},[3025],{"nodeType":241,"value":3026,"marks":3027,"data":3029},"Data loss prevention",[3028],{"type":292},{},{"nodeType":2778,"data":3031,"content":3032},{},[3033],{"nodeType":237,"data":3034,"content":3035},{},[3036],{"nodeType":241,"value":3037,"marks":3038,"data":3039},"Observes file uploads, downloads, and sensitive data inputs across all applications. Extends data loss visibility to BYOD and contractor devices where endpoint DLP cannot reach.",[],{},{"nodeType":2774,"data":3041,"content":3042},{},[3043,3053],{"nodeType":2778,"data":3044,"content":3045},{},[3046],{"nodeType":237,"data":3047,"content":3048},{},[3049],{"nodeType":241,"value":2713,"marks":3050,"data":3052},[3051],{"type":292},{},{"nodeType":2778,"data":3054,"content":3055},{},[3056],{"nodeType":237,"data":3057,"content":3058},{},[3059],{"nodeType":241,"value":3060,"marks":3061,"data":3062},"Custom URL blocklists with wildcard support and REST API management for threat intelligence feed sync. Application category blocking restricts access to classes of apps (file-sharing, unsanctioned AI tools) configurable by user group. 
Domain categorization bringing SWG-style category blocking natively to the browser without a network proxy.",[],{},{"nodeType":313,"data":3064,"content":3065},{},[],{"nodeType":237,"data":3067,"content":3068},{},[3069,3072,3079],{"nodeType":241,"value":822,"marks":3070,"data":3071},[],{},{"nodeType":276,"data":3073,"content":3074},{"uri":841},[3075],{"nodeType":241,"value":3076,"marks":3077,"data":3078}," Book a live demo to learn more.",[],{},{"nodeType":241,"value":29,"marks":3080,"data":3081},[],{},"The top 10 security problems you can solve in the browser — ranked by value","Ranking the security problems you can solve in the browser by security value and browser fit.","the-top-10-security-problems-you-can-solve-in-the-browser-ranked-by-value",{"items":3086},[3087,3091],{"sys":3088,"name":3090},{"id":3089},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"sys":3092,"name":3094},{"id":3093},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"items":3096},[3097],{"fullName":3098,"firstName":3099,"jobTitle":3100,"profilePicture":3101},"Alex Henshall","Alex","Product 
Team",{"url":3102},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"__typename":1061,"sys":3104,"publishedDate":3106,"content":3107,"title":4044,"synopsis":4045,"hashTags":62,"slug":4046,"tagsCollection":4047,"authorsCollection":4053},{"id":3105},"1jfqiWQlL6qkn3i9yjNbFB","2026-05-12T00:00:00.000Z",{"json":3108},{"nodeType":233,"data":3109,"content":3110},{},[3111,3118,3140,3152,3159,3167,3174,3197,3204,3211,3218,3230,3236,3239,3247,3263,3284,3397,3403,3410,3416,3424,3431,3443,3450,3456,3463,3487,3494,3501,3504,3512,3519,3527,3534,3550,3557,3564,3572,3579,3586,3594,3601,3608,3611,3619,3626,3634,3641,3648,3655,3662,3670,3677,3709,3716,3723,3729,3736,3744,3751,3829,3835,3843,3859,3866,3872,3879,3895,3898,3906,3913,3920,3926,3933,3978,3985,3992,3999,4005,4008,4016,4022,4028],{"nodeType":237,"data":3112,"content":3113},{},[3114],{"nodeType":241,"value":3115,"marks":3116,"data":3117},"In March, our threat hunting engine flagged something it hadn’t seen before.",[],{},{"nodeType":237,"data":3119,"content":3120},{},[3121,3125,3136],{"nodeType":241,"value":3122,"marks":3123,"data":3124},"Our research team had already been tracking the growing use of ",[],{},{"nodeType":3126,"data":3127,"content":3131},"entry-hyperlink",{"target":3128},{"sys":3129},{"id":3130,"type":265,"linkType":266},"2U6QpQ9rkY8x5ES48okHZB",[3132],{"nodeType":241,"value":3133,"marks":3134,"data":3135},"malvertising",[],{},{"nodeType":241,"value":3137,"marks":3138,"data":3139}," tied to phishing campaigns. 
Malvertising frequently targets users via Google Search results, inserting malicious ads or redirects in place of legitimate ads, and using the familiar context of the search results page to trick users into clicking.",[],{},{"nodeType":237,"data":3141,"content":3142},{},[3143,3147],{"nodeType":241,"value":3144,"marks":3145,"data":3146},"To defend Push customers against this threat, we needed a way to spot malicious activity arising from clicking on Google ads. ",[],{},{"nodeType":241,"value":3148,"marks":3149,"data":3151},"But how to separate signal from noise?",[3150],{"type":378},{},{"nodeType":237,"data":3153,"content":3154},{},[3155],{"nodeType":241,"value":3156,"marks":3157,"data":3158},"Our hunt combined the skills of human researchers and AI agents to find 12 meaningful results from trillions of browser events visible to the Push extension across our install base.",[],{},{"nodeType":237,"data":3160,"content":3161},{},[3162],{"nodeType":241,"value":3163,"marks":3164,"data":3166},"Of those, one was novel. ",[3165],{"type":292},{},{"nodeType":237,"data":3168,"content":3169},{},[3170],{"nodeType":241,"value":3171,"marks":3172,"data":3173},"A user had searched for NotebookLM, clicked a paid Google ad, and gotten redirected to a page impersonating NotebookLM. The page itself was just a facade fronting a Cloudflare Pages-hosted phishing kit with a WebAssembly C2 connector. To the user, it looked like a completely on-brand NotebookLM page, and if they had run the fake install prompt, they would have installed malware. 
(Note: NotebookLM doesn’t even require a local install, but the page was convincing enough — and AI platforms are changing so quickly — that the lure was extremely believable.)",[],{},{"nodeType":237,"data":3175,"content":3176},{},[3177,3182,3193],{"nodeType":241,"value":3178,"marks":3179,"data":3181},"We had found our first in-the-wild ",[3180],{"type":292},{},{"nodeType":3126,"data":3183,"content":3187},{"target":3184},{"sys":3185},{"id":3186,"type":265,"linkType":266},"7bG71Eo43crbIHKzczooVS",[3188],{"nodeType":241,"value":3189,"marks":3190,"data":3192},"InstallFix attack",[3191],{"type":292},{},{"nodeType":241,"value":1820,"marks":3194,"data":3196},[3195],{"type":292},{},{"nodeType":237,"data":3198,"content":3199},{},[3200],{"nodeType":241,"value":3201,"marks":3202,"data":3203},"Within minutes, our analysis agents created detections, and researchers shipped a new detection to every Push customer. ",[],{},{"nodeType":237,"data":3205,"content":3206},{},[3207],{"nodeType":241,"value":3208,"marks":3209,"data":3210},"Eighteen months ago, it would have taken a human analyst days or even weeks to unpack the attack, comb through web requests, de-obfuscate web code, trace JavaScript execution, and extract signals of tactics, techniques, and procedures (TTPs) beyond short-lived single-use IOCs like domain name, then get their work coded up as a detection and deployed to customers. ",[],{},{"nodeType":237,"data":3212,"content":3213},{},[3214],{"nodeType":241,"value":3215,"marks":3216,"data":3217},"That was viable when new tools or techniques showed up once or twice a quarter. It doesn’t stand a chance when attack evolutions occur weekly or even daily. 
That’s the reality now with AI-generated adversary tools.",[],{},{"nodeType":237,"data":3219,"content":3220},{},[3221,3226],{"nodeType":241,"value":3222,"marks":3223,"data":3225},"So, can AI agents replace human threat researchers?",[3224],{"type":292},{},{"nodeType":241,"value":3227,"marks":3228,"data":3229}," That’s the wrong question. Can AI agents massively scale the expertise of a seasoned human threat hunter without getting bored of repetitive tasks, missing pertinent but easily overlooked details, or creating operational siloes dependent on one person’s knowledge — and do its work continuously across trillions of data points? Yes, absolutely.",[],{},{"nodeType":260,"data":3231,"content":3235},{"target":3232},{"sys":3233},{"id":3234,"type":265,"linkType":266},"3OiZ7BrViCTTMmHUAbloEt",[],{"nodeType":313,"data":3237,"content":3238},{},[],{"nodeType":317,"data":3240,"content":3241},{},[3242],{"nodeType":241,"value":3243,"marks":3244,"data":3246},"Why scaling browser threat detection requires more than more analysts",[3245],{"type":292},{},{"nodeType":237,"data":3248,"content":3249},{},[3250,3254,3259],{"nodeType":241,"value":3251,"marks":3252,"data":3253},"Already this year, we’ve ",[],{},{"nodeType":241,"value":3255,"marks":3256,"data":3258},"tripled",[3257],{"type":292},{},{"nodeType":241,"value":3260,"marks":3261,"data":3262}," the cumulative number of detections shipped to Push customers using this pipeline. That output points to the first problem we set out to solve by employing AI agents: Scaling our research team’s considerable expertise.",[],{},{"nodeType":237,"data":3264,"content":3265},{},[3266,3270,3280],{"nodeType":241,"value":3267,"marks":3268,"data":3269},"Push’s R&D team are experts at understanding and unpacking modern browser-based attacks. This is essential when you consider how quickly attacks themselves are evolving. 
When we created the ",[],{},{"nodeType":3126,"data":3271,"content":3275},{"target":3272},{"sys":3273},{"id":3274,"type":265,"linkType":266},"211Dd0EIrXPOFpvRgs0fEE",[3276],{"nodeType":241,"value":3277,"marks":3278,"data":3279},"Browser & Identity Attacks Matrix",[],{},{"nodeType":241,"value":3281,"marks":3282,"data":3283}," in 2023 (then called the SaaS Attacks Matrix), many of the ideas in it were theoretical. Not anymore. ",[],{},{"nodeType":1277,"data":3285,"content":3286},{},[3287,3297,3321],{"nodeType":1281,"data":3288,"content":3289},{},[3290],{"nodeType":237,"data":3291,"content":3292},{},[3293],{"nodeType":241,"value":3294,"marks":3295,"data":3296},"We’ve tracked the rise of AiTM phish kits from their status as MFA-bypassing novelties to the emergence of an entire criminal ecosystem built around increasingly sophisticated Phishing-as-a-Service tools. ",[],{},{"nodeType":1281,"data":3298,"content":3299},{},[3300],{"nodeType":237,"data":3301,"content":3302},{},[3303,3307,3317],{"nodeType":241,"value":3304,"marks":3305,"data":3306},"We imagined the simple but effective power of using device code authorization for phishing three years ago; in the last few months, we’ve detected a 37x increase in ",[],{},{"nodeType":3126,"data":3308,"content":3312},{"target":3309},{"sys":3310},{"id":3311,"type":265,"linkType":266},"5DmCqTU2Tg4adYScA5vT2x",[3313],{"nodeType":241,"value":3314,"marks":3315,"data":3316},"device code phishing attacks",[],{},{"nodeType":241,"value":3318,"marks":3319,"data":3320}," across our install base. 
",[],{},{"nodeType":1281,"data":3322,"content":3323},{},[3324],{"nodeType":237,"data":3325,"content":3326},{},[3327,3331,3341,3345,3354,3358,3368,3371,3380,3383,3393],{"nodeType":241,"value":3328,"marks":3329,"data":3330},"We were also the first to detect a novel post-authorization attack we dubbed ",[],{},{"nodeType":3126,"data":3332,"content":3336},{"target":3333},{"sys":3334},{"id":3335,"type":265,"linkType":266},"71EaaK7lfl6bQBbkAU0qjv",[3337],{"nodeType":241,"value":3338,"marks":3339,"data":3340},"ConsentFix",[],{},{"nodeType":241,"value":3342,"marks":3343,"data":3344}," that combines OAuth consent phishing and ClickFix-style user prompts; reported on the rise of the ridiculously simple yet effective ",[],{},{"nodeType":3126,"data":3346,"content":3349},{"target":3347},{"sys":3348},{"id":3186,"type":265,"linkType":266},[3350],{"nodeType":241,"value":3351,"marks":3352,"data":3353},"InstallFix technique",[],{},{"nodeType":241,"value":3355,"marks":3356,"data":3357}," described earlier; and detected an array of other ",[],{},{"nodeType":3126,"data":3359,"content":3363},{"target":3360},{"sys":3361},{"id":3362,"type":265,"linkType":266},"2YmiesBvJHGw4wiKEKzLUq",[3364],{"nodeType":241,"value":3365,"marks":3366,"data":3367},"creative",[],{},{"nodeType":241,"value":909,"marks":3369,"data":3370},[],{},{"nodeType":3126,"data":3372,"content":3375},{"target":3373},{"sys":3374},{"id":3130,"type":265,"linkType":266},[3376],{"nodeType":241,"value":3377,"marks":3378,"data":3379},"phishing",[],{},{"nodeType":241,"value":909,"marks":3381,"data":3382},[],{},{"nodeType":3126,"data":3384,"content":3388},{"target":3385},{"sys":3386},{"id":3387,"type":265,"linkType":266},"6Zosy4SU0LpjlaSWX75peb",[3389],{"nodeType":241,"value":3390,"marks":3391,"data":3392},"campaigns",[],{},{"nodeType":241,"value":3394,"marks":3395,"data":3396}," tied to malvertising 
scams.",[],{},{"nodeType":260,"data":3398,"content":3402},{"target":3399},{"sys":3400},{"id":3401,"type":265,"linkType":266},"53U3LHhhHFYnEpShdLmDqs",[],{"nodeType":237,"data":3404,"content":3405},{},[3406],{"nodeType":241,"value":3407,"marks":3408,"data":3409},"With an agentic approach, we could scale this expertise and reduce the time it takes to go from technique discovery to production-ready detection. This speed is critical now because adversaries are also using AI tools to do their work, exploding the number of trivial-to-rotate indicators of compromise and overwhelming existing detection workflows that lack an equivalent machine speed.",[],{},{"nodeType":260,"data":3411,"content":3415},{"target":3412},{"sys":3413},{"id":3414,"type":265,"linkType":266},"1u00uFbC4xsvP9lqahXbgD",[],{"nodeType":422,"data":3417,"content":3418},{},[3419],{"nodeType":241,"value":3420,"marks":3421,"data":3423},"Scaling behavioral detections, not just making bigger blocklists",[3422],{"type":292},{},{"nodeType":237,"data":3425,"content":3426},{},[3427],{"nodeType":241,"value":3428,"marks":3429,"data":3430},"But output numbers alone don’t tell the story of successful detections. That’s the other problem we set out to solve at scale: Most secure browser solutions rely on detection logic based on blocking known-bad indicators like domains, IPs, and URLs.",[],{},{"nodeType":237,"data":3432,"content":3433},{},[3434,3439],{"nodeType":241,"value":3435,"marks":3436,"data":3438},"If your solution offers 1,000 detections, and they’re all based on known-bad indicators that are easily rotated, then you’ve got 1,000 detections that worked once and will likely never fire again. ",[3437],{"type":292},{},{"nodeType":241,"value":3440,"marks":3441,"data":3442},"They certainly won’t catch subtle adaptations in adversary techniques that don’t rely on infrastructure changes, which are easy for attackers to swap anyway. 
",[],{},{"nodeType":237,"data":3444,"content":3445},{},[3446],{"nodeType":241,"value":3447,"marks":3448,"data":3449},"Push does it differently. Our detection engine is focused on hunting for tactics, techniques, and procedures: the behavioral fingerprints of an attack, not just the infrastructure it runs on. ",[],{},{"nodeType":260,"data":3451,"content":3455},{"target":3452},{"sys":3453},{"id":3454,"type":265,"linkType":266},"5jR3YVUiusHGnXDOyrgYpr",[],{"nodeType":237,"data":3457,"content":3458},{},[3459],{"nodeType":241,"value":3460,"marks":3461,"data":3462},"Instead of blocking based on known-bad domains, URLs, and IPs, our detections are built around user-level and page-level behaviors like what scripts load, how redirects behave, what events fire, what actions a user takes and what happens next, etc. (In fact, Push detections don’t even use any infrastructure-based IOCs, though customers can write their own custom detections if they have a specific IOC they’re keeping an eye on.)",[],{},{"nodeType":237,"data":3464,"content":3465},{},[3466,3471,3482],{"nodeType":241,"value":3467,"marks":3468,"data":3470},"All the detections we write would survive infrastructure rotation by adversaries, and many of our existing detections have caught never-before-seen evolutions in TTPs. That’s because we focus on the top of the ",[3469],{"type":292},{},{"nodeType":3126,"data":3472,"content":3476},{"target":3473},{"sys":3474},{"id":3475,"type":265,"linkType":266},"1qegIy4rMdm5XZXnIEoKpE",[3477],{"nodeType":241,"value":3478,"marks":3479,"data":3481},"Pyramid of Pain",[3480],{"type":292},{},{"nodeType":241,"value":3483,"marks":3484,"data":3486},", the indicators that are hardest for attackers to change.",[3485],{"type":292},{},{"nodeType":237,"data":3488,"content":3489},{},[3490],{"nodeType":241,"value":3491,"marks":3492,"data":3493},"This focus on detecting TTPs has always been our approach. 
But with the acceleration in both attack types and the ease with which adversaries rotate infrastructure, we needed to build capabilities that scaled our knowledge. ",[],{},{"nodeType":237,"data":3495,"content":3496},{},[3497],{"nodeType":241,"value":3498,"marks":3499,"data":3500},"We did this not by replacing researchers, but by continuously activating their expertise.",[],{},{"nodeType":313,"data":3502,"content":3503},{},[],{"nodeType":317,"data":3505,"content":3506},{},[3507],{"nodeType":241,"value":3508,"marks":3509,"data":3511},"Core principles for agentic threat hunting",[3510],{"type":292},{},{"nodeType":237,"data":3513,"content":3514},{},[3515],{"nodeType":241,"value":3516,"marks":3517,"data":3518},"Three principles make Push's agentic threat hunting and detection engineering pipeline work:",[],{},{"nodeType":422,"data":3520,"content":3521},{},[3522],{"nodeType":241,"value":3523,"marks":3524,"data":3526},"Context matters more than custom models",[3525],{"type":292},{},{"nodeType":237,"data":3528,"content":3529},{},[3530],{"nodeType":241,"value":3531,"marks":3532,"data":3533},"We’re not AI researchers; we’re security researchers — we aren't trying to compete in building the most intelligent models. And in our view, AI models are quickly becoming commoditized like cloud infrastructure, anyway. Luckily, the commercial models today already excel at understanding web code. We just need to harness their power with our expertise.",[],{},{"nodeType":237,"data":3535,"content":3536},{},[3537,3541,3546],{"nodeType":241,"value":3538,"marks":3539,"data":3540},"So at Push, we use a variety of commercial AI models and tools in complementary ways. 
What matters most is the telemetry they analyze, and that’s where Push’s existing product infrastructure shines: We’re already deployed into over ",[],{},{"nodeType":241,"value":3542,"marks":3543,"data":3545},"3 million browsers worldwide",[3544],{"type":292},{},{"nodeType":241,"value":3547,"marks":3548,"data":3549},", and the Push browser extension includes a component that operates as a flight recorder to locally record everything that matters inside a browser session.",[],{},{"nodeType":237,"data":3551,"content":3552},{},[3553],{"nodeType":241,"value":3554,"marks":3555,"data":3556},"This universe of metadata — DOM elements, tab context, script execution, network traffic, user actions, credential entry, etc. — becomes the searchable corpus for hunts. Metadata is stored locally in users’ browsers and only queried during targeted threat hunts. ",[],{},{"nodeType":237,"data":3558,"content":3559},{},[3560],{"nodeType":241,"value":3561,"marks":3562,"data":3563},"This approach avoids dragnet collection of sensitive data. Instead, we focus on collecting metadata and distilling that into patterns and insights that provide context for agents to perform their analysis. This means that Push also does not train or fine-tune models on customer data.",[],{},{"nodeType":422,"data":3565,"content":3566},{},[3567],{"nodeType":241,"value":3568,"marks":3569,"data":3571},"Agents are only as good as the context you give them. Good context is researcher-led",[3570],{"type":292},{},{"nodeType":237,"data":3573,"content":3574},{},[3575],{"nodeType":241,"value":3576,"marks":3577,"data":3578},"AI agents don’t know how to identify the TTPs of browser-based attacks until you give them the right context, and Push researchers have spent years unpacking these techniques and tools. Agents at Push consume our internal knowledge base of identified TTPs, and both humans and agents perform meta-analyses to check their work. 
The agents have access to large libraries of traces of human interactions with real phishing kits. This is a powerful dataset to build on.",[],{},{"nodeType":237,"data":3580,"content":3581},{},[3582],{"nodeType":241,"value":3583,"marks":3584,"data":3585},"When we don’t get the results we want from AI models, the question is “What context is it missing? What does our human team know that the agents don’t, and how can we give them that context — do they need data, tools, better workflows?” That closes the gap in performance and keeps quality high.",[],{},{"nodeType":422,"data":3587,"content":3588},{},[3589],{"nodeType":241,"value":3590,"marks":3591,"data":3593},"Integrated architecture that makes agentic AI the throughput layer, not a bolt-on",[3592],{"type":292},{},{"nodeType":237,"data":3595,"content":3596},{},[3597],{"nodeType":241,"value":3598,"marks":3599,"data":3600},"The constraint we’re trying to break by using AI isn’t knowledge, it’s throughput. Our researchers deeply understand the techniques and tools. An agentic pipeline can apply that understanding continuously across millions of browsers and trillions of events, ingest new external signals, generate hunt hypotheses, triage results, and return only the findings that warrant escalation.",[],{},{"nodeType":237,"data":3602,"content":3603},{},[3604],{"nodeType":241,"value":3605,"marks":3606,"data":3607},"This approach relies on tight integration of our product and our agentic workflows. We’ll take a closer look at that in the next section.",[],{},{"nodeType":313,"data":3609,"content":3610},{},[],{"nodeType":317,"data":3612,"content":3613},{},[3614],{"nodeType":241,"value":3615,"marks":3616,"data":3618},"How the agentic detection pipeline runs",[3617],{"type":292},{},{"nodeType":237,"data":3620,"content":3621},{},[3622],{"nodeType":241,"value":3623,"marks":3624,"data":3625},"Now let’s look at how agentic threat detection actually works, and some of the emerging best practices we’ve identified. 
We'll cover two example hunts, one initiated autonomously by the agents themselves, and one by our research team. ",[],{},{"nodeType":422,"data":3627,"content":3628},{},[3629],{"nodeType":241,"value":3630,"marks":3631,"data":3633},"Example 1: Autonomous threat hunt",[3632],{"type":292},{},{"nodeType":237,"data":3635,"content":3636},{},[3637],{"nodeType":241,"value":3638,"marks":3639,"data":3640},"Push’s threat hunting pipeline ingested context from research articles describing a new attack technique, and an agent developed hypotheses on what to hunt for across Push’s install base to identify instances of this attack. ",[],{},{"nodeType":237,"data":3642,"content":3643},{},[3644],{"nodeType":241,"value":3645,"marks":3646,"data":3647},"The agent crafted detection queries and then refined them to reduce false positives. The successful query ran across stored metadata and returned results, validating that there were zero false positives. ",[],{},{"nodeType":237,"data":3649,"content":3650},{},[3651],{"nodeType":241,"value":3652,"marks":3653,"data":3654},"The validated query became a scheduled job that runs on a regular cadence to monitor for potentially malicious signals. A triage agent then received any matches, did an initial analysis, and passed anything that looked suspicious to another agent to perform deeper analysis. This deep analysis agent wields the full investigative toolkit that a human researcher would — using Push’s internal knowledge base, domain age and registration analysis, URLScan and whois lookups, DOM image analysis, and contextual analysis of page-level and user-level behaviors, etc.",[],{},{"nodeType":237,"data":3656,"content":3657},{},[3658],{"nodeType":241,"value":3659,"marks":3660,"data":3661},"Within a few minutes, it can filter a thousand or more signals in a hunt trace down to a handful with meaning and provide an actionable assessment. 
Then, once the TTP was well-understood, other agents wrote and refined detections that can raise alerts for customers when an event of this type is seen. The Push platform immediately applies the customer’s configured security controls, such as blocking users from interacting with malicious pages.",[],{},{"nodeType":422,"data":3663,"content":3664},{},[3665],{"nodeType":241,"value":3666,"marks":3667,"data":3669},"Example 2: Human-initiated threat hunt",[3668],{"type":292},{},{"nodeType":237,"data":3671,"content":3672},{},[3673],{"nodeType":241,"value":3674,"marks":3675,"data":3676},"Now, going back to the example from the beginning of the article: InstallFix. This hunt started with a thorny problem our research team needed to solve: How to detect bad things downstream of a user interacting with a Google ad? We needed a way to pinpoint the bad links from the good ones.",[],{},{"nodeType":237,"data":3678,"content":3679},{},[3680,3684,3689,3692,3697,3700,3705],{"nodeType":241,"value":3681,"marks":3682,"data":3683},"Our researchers collaborated with agents to formulate the right parameters for hunt queries, taking into account that good ads are normally bought by companies with marketing budgets, so therefore ads will be expected to redirect to pages hosted on custom domains, not shared domains like ",[],{},{"nodeType":241,"value":3685,"marks":3686,"data":3688},"*pages.dev",[3687],{"type":292},{},{"nodeType":241,"value":1796,"marks":3690,"data":3691},[],{},{"nodeType":241,"value":3693,"marks":3694,"data":3696},"*workers.dev",[3695],{"type":292},{},{"nodeType":241,"value":1796,"marks":3698,"data":3699},[],{},{"nodeType":241,"value":3701,"marks":3702,"data":3704},"*squarespace.com",[3703],{"type":292},{},{"nodeType":241,"value":3706,"marks":3707,"data":3708},", etc.",[],{},{"nodeType":237,"data":3710,"content":3711},{},[3712],{"nodeType":241,"value":3713,"marks":3714,"data":3715},"Our AI agents already understood key TTPs that indicated potential maliciousness on a page: 
password prompts, file downloads, OAuth integrations, clipboard copies, and similar user prompts that are frequently abused.",[],{},{"nodeType":237,"data":3717,"content":3718},{},[3719],{"nodeType":241,"value":3720,"marks":3721,"data":3722},"The agent ran several queries that returned matching browsing traces — the term we use for sequences of events in a session or tab context — where the user clicked a Google ad, was redirected to a page on a shared hosting domain, and then clicked a button to copy content to their clipboard.",[],{},{"nodeType":260,"data":3724,"content":3728},{"target":3725},{"sys":3726},{"id":3727,"type":265,"linkType":266},"4IWOrWuvbwzWRJUkINiwKH",[],{"nodeType":237,"data":3730,"content":3731},{},[3732],{"nodeType":241,"value":3733,"marks":3734,"data":3735},"We got back high-fidelity findings and then tuned the query into a continuous detection that leveraged existing detection logic around related techniques. This process also effectively back-tests new detections, so we know we’re not going to generate a lot of false positives. Result: A new detection against a new technique, plus several improvements to existing detections.",[],{},{"nodeType":422,"data":3737,"content":3738},{},[3739],{"nodeType":241,"value":3740,"marks":3741,"data":3743},"What infrastructure is needed for agentic threat hunting?",[3742],{"type":292},{},{"nodeType":237,"data":3745,"content":3746},{},[3747],{"nodeType":241,"value":3748,"marks":3749,"data":3750},"Both of these examples illustrate the end-to-end workflows supported by this pipeline. 
From an infrastructure perspective, you can think about the pipeline as composed of:",[],{},{"nodeType":1277,"data":3752,"content":3753},{},[3754,3769,3784,3799,3814],{"nodeType":1281,"data":3755,"content":3756},{},[3757],{"nodeType":237,"data":3758,"content":3759},{},[3760,3765],{"nodeType":241,"value":3761,"marks":3762,"data":3764},"A flight recorder: ",[3763],{"type":292},{},{"nodeType":241,"value":3766,"marks":3767,"data":3768},"The Push extension-powered capability that collects and locally stores browser event metadata from users’ browsers.",[],{},{"nodeType":1281,"data":3770,"content":3771},{},[3772],{"nodeType":237,"data":3773,"content":3774},{},[3775,3780],{"nodeType":241,"value":3776,"marks":3777,"data":3779},"A knowledge base:",[3778],{"type":292},{},{"nodeType":241,"value":3781,"marks":3782,"data":3783}," Structured knowledge about what Push knows about TTPs and its existing body of detection logic, as well as externally sourced signals of new attack trends.",[],{},{"nodeType":1281,"data":3785,"content":3786},{},[3787],{"nodeType":237,"data":3788,"content":3789},{},[3790,3795],{"nodeType":241,"value":3791,"marks":3792,"data":3794},"Agents as tools: ",[3793],{"type":292},{},{"nodeType":241,"value":3796,"marks":3797,"data":3798},"Role-segmented agents that work as a team to triage, investigate, develop hunt queries, return analyses, write detections, and review each other’s work for completeness and accuracy.",[],{},{"nodeType":1281,"data":3800,"content":3801},{},[3802],{"nodeType":237,"data":3803,"content":3804},{},[3805,3810],{"nodeType":241,"value":3806,"marks":3807,"data":3809},"Humans in the loop: ",[3808],{"type":292},{},{"nodeType":241,"value":3811,"marks":3812,"data":3813},"Human researchers who collaborate with agents to initiate hunts and tune detections.",[],{},{"nodeType":1281,"data":3815,"content":3816},{},[3817],{"nodeType":237,"data":3818,"content":3819},{},[3820,3825],{"nodeType":241,"value":3821,"marks":3822,"data":3824},"Platform 
controls: ",[3823],{"type":292},{},{"nodeType":241,"value":3826,"marks":3827,"data":3828},"The Push administrator-configured controls that specify how to respond to detected events like AiTM phishing, tuneable by scope, user groups, browser profiles, apps, etc.",[],{},{"nodeType":260,"data":3830,"content":3834},{"target":3831},{"sys":3832},{"id":3833,"type":265,"linkType":266},"7FY0vCBUXOt4vnudFuKALC",[],{"nodeType":422,"data":3836,"content":3837},{},[3838],{"nodeType":241,"value":3839,"marks":3840,"data":3842},"What are the best practices for agentic threat detection?",[3841],{"type":292},{},{"nodeType":237,"data":3844,"content":3845},{},[3846,3850,3855],{"nodeType":241,"value":3847,"marks":3848,"data":3849},"To be effective, agents must specialize and focus. This is the ",[],{},{"nodeType":241,"value":3851,"marks":3852,"data":3854},"agents as tools",[3853],{"type":292},{},{"nodeType":241,"value":3856,"marks":3857,"data":3858}," concept. When we’re asking AI agents to take massive amounts of data and make a high-level decision about a signal in observed browser events, they must work as a team, finding intelligent ways to condense information without losing important context or hallucinating.",[],{},{"nodeType":237,"data":3860,"content":3861},{},[3862],{"nodeType":241,"value":3863,"marks":3864,"data":3865},"Creating a hierarchy of agent jobs — including agents to perform meta-analyses to catch mistakes and verify conclusions — makes the agents effective by giving them a manageable focus that controls the size of context windows.",[],{},{"nodeType":260,"data":3867,"content":3871},{"target":3868},{"sys":3869},{"id":3870,"type":265,"linkType":266},"3fzJCknMUmh4Z7YnhBSbsT",[],{"nodeType":237,"data":3873,"content":3874},{},[3875],{"nodeType":241,"value":3876,"marks":3877,"data":3878},"Creating an agentic workflow requires operationalizing your internal knowledge in a repeatable and trustworthy way. 
Sharing rich context from human discoveries is the key to getting the best results out of agents. ",[],{},{"nodeType":237,"data":3880,"content":3881},{},[3882,3886,3891],{"nodeType":241,"value":3883,"marks":3884,"data":3885},"It's vital too that the agent uses ",[],{},{"nodeType":241,"value":3887,"marks":3888,"data":3890},"privacy-preserving methods and infrastructure.",[3889],{"type":292},{},{"nodeType":241,"value":3892,"marks":3893,"data":3894}," The Push agent is designed to respect customer and user privacy while enabling high-fidelity detections. We do this by collecting broad browser metadata but storing it locally in users’ browsers and only querying that metadata during active threat hunting investigations.",[],{},{"nodeType":313,"data":3896,"content":3897},{},[],{"nodeType":317,"data":3899,"content":3900},{},[3901],{"nodeType":241,"value":3902,"marks":3903,"data":3905},"The compounding effect and how it benefits Push customers",[3904],{"type":292},{},{"nodeType":237,"data":3907,"content":3908},{},[3909],{"nodeType":241,"value":3910,"marks":3911,"data":3912},"At Push, we think about our detection capability as two learning loops with a compounding effect: An inner loop that serves as our real-time detection and response engine for known attacker techniques, and an outer loop that is the continuous learning our agents do as they hunt for new threats, analyze emerging behaviors, and create new detections. 
",[],{},{"nodeType":237,"data":3914,"content":3915},{},[3916],{"nodeType":241,"value":3917,"marks":3918,"data":3919},"The outer loop feeds the inner loop, and vice versa.",[],{},{"nodeType":260,"data":3921,"content":3925},{"target":3922},{"sys":3923},{"id":3924,"type":265,"linkType":266},"1Jjqll7IIX2QRxN37gjFMH",[],{"nodeType":237,"data":3927,"content":3928},{},[3929],{"nodeType":241,"value":3930,"marks":3931,"data":3932},"Customers benefit from this approach because it means they:",[],{},{"nodeType":1277,"data":3934,"content":3935},{},[3936,3958,3968],{"nodeType":1281,"data":3937,"content":3938},{},[3939],{"nodeType":237,"data":3940,"content":3941},{},[3942,3946,3954],{"nodeType":241,"value":3943,"marks":3944,"data":3945},"Regularly receive ready-made detections against both known and emerging browser-based threats, without having to write their own detections. (Push also provides the ability to write your own ",[],{},{"nodeType":276,"data":3947,"content":3949},{"uri":3948},"/help/audience/engineering/resources/custom-detections",[3950],{"nodeType":241,"value":3951,"marks":3952,"data":3953},"custom detections",[],{},{"nodeType":241,"value":3955,"marks":3956,"data":3957},", too, for environment-specific use cases.)",[],{},{"nodeType":1281,"data":3959,"content":3960},{},[3961],{"nodeType":237,"data":3962,"content":3963},{},[3964],{"nodeType":241,"value":3965,"marks":3966,"data":3967},"Can configure Push’s response actions based on their security goals and environment. Agents act as the threat-hunting and detection engineering team; Push customers set the thresholds for how they want to respond. 
For example, customers can use Push controls to block all AiTM phishing attacks (or even carve out exceptions for their own incident responders to be able to visit malicious pages with just a warning), and agents continually feed new indicators into detection logic for that class of attack.",[],{},{"nodeType":1281,"data":3969,"content":3970},{},[3971],{"nodeType":237,"data":3972,"content":3973},{},[3974],{"nodeType":241,"value":3975,"marks":3976,"data":3977},"Get pre-digested and actionable intelligence from every detection, with extremely high fidelity.",[],{},{"nodeType":237,"data":3979,"content":3980},{},[3981],{"nodeType":241,"value":3982,"marks":3983,"data":3984},"This all equates to your own advanced browser threat protection, without requiring the specialized in-house expertise we’ve spent years building.",[],{},{"nodeType":237,"data":3986,"content":3987},{},[3988],{"nodeType":241,"value":3989,"marks":3990,"data":3991},"If you’re a Push customer, you already know that we regularly collaborate with security teams to identify and refine detection use cases, and assist with investigations. In the past few months alone, we’ve worked closely with teams targeted by device code phishing, and InstallFix and ClickFix campaigns, among others. 
",[],{},{"nodeType":237,"data":3993,"content":3994},{},[3995],{"nodeType":241,"value":3996,"marks":3997,"data":3998},"If you’re not a customer and are curious about how Push’s agentic threat hunting and detection engineering capabilities can address your use cases, please get in touch.",[],{},{"nodeType":260,"data":4000,"content":4004},{"target":4001},{"sys":4002},{"id":4003,"type":265,"linkType":266},"607jrBjlD1vtcbkDfD04DE",[],{"nodeType":313,"data":4006,"content":4007},{},[],{"nodeType":317,"data":4009,"content":4010},{},[4011],{"nodeType":241,"value":4012,"marks":4013,"data":4015},"Learn more",[4014],{"type":292},{},{"nodeType":237,"data":4017,"content":4018},{},[4019],{"nodeType":241,"value":822,"marks":4020,"data":4021},[],{},{"nodeType":237,"data":4023,"content":4024},{},[4025],{"nodeType":241,"value":829,"marks":4026,"data":4027},[],{},{"nodeType":237,"data":4029,"content":4030},{},[4031,4034,4041],{"nodeType":241,"value":836,"marks":4032,"data":4033},[],{},{"nodeType":276,"data":4035,"content":4037},{"uri":4036},"/demo",[4038],{"nodeType":241,"value":844,"marks":4039,"data":4040},[],{},{"nodeType":241,"value":849,"marks":4042,"data":4043},[],{},"Can AI replace a threat researcher? 
What we learned building an agentic threat hunting pipeline","How we built an end-to-end threat hunting and detection engineering capability at Push that uses AI agents as a force multiplier.","can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline",{"items":4048},[4049,4051],{"sys":4050,"name":1831},{"id":1830},{"sys":4052,"name":1835},{"id":1834},{"items":4054},[4055],{"fullName":4056,"firstName":4057,"jobTitle":3100,"profilePicture":4058},"Kelly Davenport","Kelly",{"url":4059},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg","what-push-data-reveals-about-the-state-of-shadow-ai","blog/what-push-data-reveals-about-the-state-of-shadow-ai",{"json":4063},{"data":4064,"content":4065,"nodeType":233},{},[4066],{"data":4067,"content":4068,"nodeType":237},{},[4069],{"data":4070,"marks":4071,"value":4072,"nodeType":241},{},[],"Push telemetry shows that the average organization has 16 unique AI apps, 17 AI browser extensions, and 17 AI OAuth integrations in active use — most of them unapproved. Shadow AI isn't a new category of risk, it's shadow SaaS with better marketing. But AI adoption has been a genuine force multiplier for the problem.","Shadow AI isn't a new category of risk, it's shadow SaaS with better marketing. But AI adoption has been a genuine force multiplier for the problem.",{"id":4075,"publishedAt":4076},"4NY2NbkAPucFOJY45yrrrE","2026-05-28T10:51:55.597Z",{"items":4078},[4079,4081],{"sys":4080,"name":3094},{"id":3093},{"sys":4082,"name":3090},{"id":3089},"4FLml2Nfro5uJYyJTamdKxu6Kl9xu2pfFyjrr778oFE",1779968392548]