[{"data":1,"prerenderedAt":3320},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":100,"navbar-resource-highlight":174,"blog/why-you-cant-vibecode-an-ai-driven-threat-hunting-pipeline":220},[4],{"enabled":5,"name":6},false,"maintenanceMode",[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"7ec0c6aa90q",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":5,"query":41,"data":42,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":23,"createdBy":92,"lastUpdatedBy":93,"folders":94,"meta":95,"rev":99},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"url":29,"ctaText":43,"text":44,"blocks":45,"state":85},"ewrererw","testrfesssssssssss",[46,73],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Is your stack covered? 51 browser & identity attacks, mapped.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">See the matrix →\u003C/strong>\u003C/p>\n","https://pushsecurity.com/resources/browser-identity-attacks-matrix/",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":74,"@type":47,"tagName":75,"properties":76,"responsiveStyles":80},"builder-pixel-ea963hyr71","img",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":81},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},"block","hidden","none",{"deviceSize":86,"location":87},"large",{"path":29,"query":88},{},{},1778612252607,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"kind":96,"hasLinks":5,"breakpoints":97,"lastPreviewUrl":98,"hasAutosaves":34,"hasErrors":5},"component",{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","nvvs606wpyf",[101,137],{"createdDate":102,"id":103,"name":104,"modelId":105,"published":13,"stageModifiedSincePublish":5,"query":106,"data":107,"variations":130,"lastUpdated":131,"firstPublished":132,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":133,"meta":134,"rev":136},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":108,"type":109,"testimonialLink":110,"testimonial":111},{},"testimonial","/customer-stories/inductive-automation",{"@type":112,"id":113,"model":109,"value":114},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":115,"folders":116,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":120,"variations":124,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":127,"rev":129},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":121,"jobTitle":122,"quote":118,"image":123},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":128,"hasAutosaves":34},{"small":32,"medium":33},"p5cq5iu5ttn",{},1776247404986,1776247404973,[],{"breakpoints":135,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},"14m5qhc3fj8",{"createdDate":138,"id":139,"name":140,"modelId":105,"published":13,"meta":141,"stageModifiedSincePublish":5,"query":143,"data":144,"variations":170,"lastUpdated":171,"firstPublished":172,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":173,"rev":136},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":142,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":145,"link":164,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":147},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":148,"folders":149,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":152,"variations":158,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":161,"rev":163},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":162,"hasAutosaves":34},{"small":32,"medium":33},"a3qf9jq159n",{"text":165,"url":166},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[175,198],{"createdDate":176,"id":177,"name":140,"modelId":178,"published":13,"meta":179,"stageModifiedSincePublish":5,"query":181,"data":182,"variations":193,"lastUpdated":194,"firstPublished":195,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":196,"rev":197},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":180,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":183,"link":192,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":184},{"query":185,"folders":186,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":187,"variations":188,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":189,"rev":191},[],[],{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":190,"hasAutosaves":34},{"small":32,"medium":33},"ja9ru9mmnw",{"text":165,"url":166},{},1776256937553,1776256937540,[],"wyr0vaut6s",{"createdDate":199,"id":200,"name":201,"modelId":178,"published":13,"stageModifiedSincePublish":5,"query":202,"data":203,"variations":214,"lastUpdated":215,"firstPublished":216,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":217,"meta":218,"rev":197},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":204,"type":109,"testimonial":205,"testimonialLink":110},{},{"@type":112,"id":113,"model":109,"value":206},{"query":207,"folders":208,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":209,"variations":210,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":211,"rev":213},[],[],{"author":121,"jobTitle":122,"quote":118,"image":123},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":212,"hasAutosaves":34},{"small":32,"medium":33},"cys0ljv4vru",{},1776256974140,1776256974130,[],{"breakpoints":219,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},{"id":221,"title":222,"authorsCollection":223,"content":231,"extension":876,"featured":5,"hashTags":62,"meta":877,"metaTitle":222,"ogImage":62,"publishedDate":878,"relatedBlogPostsCollection":879,"slug":3297,"stem":3298,"subtitle":62,"summary":3299,"synopsis":3309,"sys":3310,"tagsCollection":3313,"__hash__":3319},"blog/blog/why-you-cant-vibecode-an-ai-driven-threat-hunting-pipeline.json","Why you can’t vibecode an AI-driven threat hunting pipeline",{"items":224},[225],{"fullName":226,"firstName":227,"jobTitle":228,"profilePicture":229},"Kelly Davenport","Kelly","Product Team",{"url":230},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"json":232,"links":807},{"data":233,"content":234,"nodeType":806},{},[235,244,251,273,282,289,297,301,309,316,335,342,350,357,364,371,378,387,390,397,404,411,430,437,444,452,459,466,473,480,487,506,513,520,527,530,537,544,551,558,564,571,578,585,592,598,605,612,619,626,655,662,669,676,683,699,706,713,720,727,733,740,747,754,760,763,770,788],{"data":236,"content":237,"nodeType":243},{},[238],{"data":239,"marks":240,"value":241,"nodeType":242},{},[],"What would it take to vibecode your own AI-driven threat hunting pipeline? ","text","paragraph",{"data":245,"content":246,"nodeType":243},{},[247],{"data":248,"marks":249,"value":250,"nodeType":242},{},[],"The commercial models are right there. You’ve probably got a spare weekend coming up, a really nice espresso machine, and a few bucks for tokens. (Is there already an HGTV series on this?)",{"data":252,"content":253,"nodeType":243},{},[254,258,269],{"data":255,"marks":256,"value":257,"nodeType":242},{},[],"We recently published a ",{"data":259,"content":261,"nodeType":268},{"uri":260},"https://pushsecurity.com/blog/agentic-threat-hunting-engine/",[262],{"data":263,"marks":264,"value":267,"nodeType":242},{},[265],{"type":266},"underline","detailed look","hyperlink",{"data":270,"marks":271,"value":272,"nodeType":242},{},[]," at how we use AI agents as a force multiplier for Push’s threat hunting and detection engineering capabilities.One intriguing detail you might have noticed in that article is that at Push, we treat commercial AI models as commoditized infrastructure, akin to cloud computing.",{"data":274,"content":275,"nodeType":243},{},[276],{"data":277,"marks":278,"value":281,"nodeType":242},{},[279],{"type":280},"bold","So it’s a cheeky question, but a fair one, because if Push is using commercial models, what exactly are you paying for?",{"data":283,"content":284,"nodeType":243},{},[285],{"data":286,"marks":287,"value":288,"nodeType":242},{},[],"It turns out that the models are the easiest things to replace, and in fact we swap out different models with little impact on detection performance. What’s much harder to build is the expertise: the technical knowledge of various attack techniques, the instrumentation in the browser that produces the structured telemetry, and the enforcement layer that turns detections into real-time protection.",{"data":290,"content":291,"nodeType":243},{},[292],{"data":293,"marks":294,"value":296,"nodeType":242},{},[295],{"type":280},"Let’s break it down.",{"data":298,"content":299,"nodeType":300},{},[],"hr",{"data":302,"content":303,"nodeType":308},{},[304],{"data":305,"marks":306,"value":307,"nodeType":242},{},[],"The promise and the perils of threat hunting (and where agentic capabilities fit in)","heading-1",{"data":310,"content":311,"nodeType":243},{},[312],{"data":313,"marks":314,"value":315,"nodeType":242},{},[],"Threat hunting — the practice of proactively searching for threats that haven’t been seen before — is one of the most effective practices in security and one of the least accessible.",{"data":317,"content":318,"nodeType":243},{},[319,323,331],{"data":320,"marks":321,"value":322,"nodeType":242},{},[],"The ",{"data":324,"content":326,"nodeType":268},{"uri":325},"https://www.sans.org/white-papers/sans-2025-threat-hunting-survey-advancements-threat-hunting-amid-ai-cloud-challenges",[327],{"data":328,"marks":329,"value":330,"nodeType":242},{},[],"SANS 2025 Threat Hunting Survey",{"data":332,"marks":333,"value":334,"nodeType":242},{},[]," found that 61% of organizations cite staffing shortages as the top barrier to running a hunting program. A single manual hunt takes 10 to 20 hours of sustained analyst focus — forming hypotheses about what an attacker might be doing, querying data sources sequentially, correlating results by hand, documenting findings. Many organizations hunt infrequently or not at all.",{"data":336,"content":337,"nodeType":243},{},[338],{"data":339,"marks":340,"value":341,"nodeType":242},{},[],"Threat hunting in the browser poses specific challenges: The stakes are high as AI-enabled attacks accelerate, and the availability of training and knowledge is low. ",{"data":343,"content":344,"nodeType":243},{},[345],{"data":346,"marks":347,"value":349,"nodeType":242},{},[348],{"type":280},"AiTM phishing kits that manipulate DOM elements in real time, ClickFix variants that inject malicious payloads through clipboard manipulation, ConsentFix attacks that abuse OAuth consent flows, credential harvesting on pages that rotate infrastructure hourly — these techniques don't map cleanly onto the endpoint-focused threat models most SOC teams were built around, or the data sources they’re used to interrogating. ",{"data":351,"content":352,"nodeType":243},{},[353],{"data":354,"marks":355,"value":356,"nodeType":242},{},[],"Even well-staffed security organizations tend to have a blind spot in the browser layer because the expertise required to hunt there is specialized and the telemetry to support it hasn't historically been available.",{"data":358,"content":359,"nodeType":243},{},[360],{"data":361,"marks":362,"value":363,"nodeType":242},{},[],"Using AI agents to hunt for browser-based threats promises a net-new capability for smaller teams without dedicated threat hunting staff. For larger enterprises, the value of an agentic threat hunting capability lies in its ability to provide (or augment) expertise on emerging attack methods.",{"data":365,"content":366,"nodeType":243},{},[367],{"data":368,"marks":369,"value":370,"nodeType":242},{},[],"Most SOC teams have deep expertise at the endpoint, IdP, cloud, and network layers, built over years of working with those systems’ telemetry and workflows. But browser-based attacks operate in a different domain with different telemetry, different TTPs, and a different evasion model.",{"data":372,"content":373,"nodeType":243},{},[374],{"data":375,"marks":376,"value":377,"nodeType":242},{},[],"A capability like Push’s provides an answer to these three hurdles: providing expertise, without any additional burden on staff, and at a speed that matches the acceleration we’re currently witnessing in browser-based attack techniques.",{"data":379,"content":385,"nodeType":386},{"target":380},{"sys":381},{"id":382,"type":383,"linkType":384},"1uw9eFMPDdrevj26fyix5f","Link","Entry",[],"embedded-entry-block",{"data":388,"content":389,"nodeType":300},{},[],{"data":391,"content":392,"nodeType":308},{},[393],{"data":394,"marks":395,"value":396,"nodeType":242},{},[],"This isn’t chatbot log analysis",{"data":398,"content":399,"nodeType":243},{},[400],{"data":401,"marks":402,"value":403,"nodeType":242},{},[],"When you hear “AI-powered threat hunting,” you might imagine an AI copilot sitting on top of your SIEM, summarizing alerts and correlating log entries faster than a human analyst could. It’s a fair assumption because many products use this kind of implementation, and tools like those are useful.",{"data":405,"content":406,"nodeType":243},{},[407],{"data":408,"marks":409,"value":410,"nodeType":242},{},[],"That’s not what we built at Push.",{"data":412,"content":413,"nodeType":243},{},[414,418,426],{"data":415,"marks":416,"value":417,"nodeType":242},{},[],"If you’re not familiar with Push, it’s a browser security platform deployed as an extension that detects and stops advanced browser-based attacks while also providing visibility and control over shadow apps and identities, including AI usage. You can use the same telemetry Push provides for these use cases to ",{"data":419,"content":421,"nodeType":268},{"uri":420},"https://pushsecurity.com/blog/why-you-cant-control-ai-without-being-in-the-browser/",[422],{"data":423,"marks":424,"value":425,"nodeType":242},{},[],"perform data loss and insider risk investigations",{"data":427,"marks":428,"value":429,"nodeType":242},{},[],", too.",{"data":431,"content":432,"nodeType":243},{},[433],{"data":434,"marks":435,"value":436,"nodeType":242},{},[],"What we built is an agentic threat hunting and detection pipeline where AI agents collaborate with in-house threat researchers to continuously hunt for emerging browser-based attack techniques across our customer base, and then automatically write and deploy new detections.",{"data":438,"content":439,"nodeType":243},{},[440],{"data":441,"marks":442,"value":443,"nodeType":242},{},[],"Our pipeline differs from AI-enabled log analysis in three key ways:",{"data":445,"content":446,"nodeType":451},{},[447],{"data":448,"marks":449,"value":450,"nodeType":242},{},[],"A new telemetry source is the foundation","heading-2",{"data":453,"content":454,"nodeType":243},{},[455],{"data":456,"marks":457,"value":458,"nodeType":242},{},[],"First, the Push platform generates its own telemetry. The Push browser extension operates as a flight recorder, locally collecting browser session metadata that doesn’t exist anywhere else in the security stack — details like DOM structure, script execution contexts, redirect chains, credential entry behavior, OAuth consent flows, and network requests observed from inside the session. ",{"data":460,"content":461,"nodeType":243},{},[462],{"data":463,"marks":464,"value":465,"nodeType":242},{},[],"This metadata is stored locally and only queried during targeted threat hunts, preserving user and customer privacy.",{"data":467,"content":468,"nodeType":451},{},[469],{"data":470,"marks":471,"value":472,"nodeType":242},{},[],"Proactive hunting, not just reactive triage",{"data":474,"content":475,"nodeType":243},{},[476],{"data":477,"marks":478,"value":479,"nodeType":242},{},[],"The pipeline also hunts proactively rather than triaging reactively, as with log analysis agents.",{"data":481,"content":482,"nodeType":243},{},[483],{"data":484,"marks":485,"value":486,"nodeType":242},{},[],"Push agents generate hypotheses, craft queries against the telemetry corpus, run them across millions of browsers, and triage the results — searching for techniques that haven't triggered any existing alert or rule. ",{"data":488,"content":489,"nodeType":243},{},[490,493,502],{"data":491,"marks":492,"value":322,"nodeType":242},{},[],{"data":494,"content":496,"nodeType":268},{"uri":495},"https://pushsecurity.com/blog/installfix/",[497],{"data":498,"marks":499,"value":501,"nodeType":242},{},[500],{"type":266},"InstallFix discovery",{"data":503,"marks":504,"value":505,"nodeType":242},{},[]," described in the original agentic threat hunting article is the clearest example: The Push pipeline surfaced 12 meaningful results from trillions of browser events, and one of them was a novel attack technique. That's threat hunting at machine scale, not just alert triage.",{"data":507,"content":508,"nodeType":451},{},[509],{"data":510,"marks":511,"value":512,"nodeType":242},{},[],"Not just analysis, but new detections, too",{"data":514,"content":515,"nodeType":243},{},[516],{"data":517,"marks":518,"value":519,"nodeType":242},{},[],"Finally, the output isn’t (only) a natural-language summary of what the agents found. It’s a production detection rule that ships to every Push customer and wires into real-time enforcement controls defined by Push admins. ",{"data":521,"content":522,"nodeType":243},{},[523],{"data":524,"marks":525,"value":526,"nodeType":242},{},[],"The pipeline's job isn’t to help you understand an alert faster. Rather, it’s producing detection rules that didn't exist before at a speed that enables those detections to address emerging attack techniques and organization-specific campaigns within minutes.",{"data":528,"content":529,"nodeType":300},{},[],{"data":531,"content":532,"nodeType":308},{},[533],{"data":534,"marks":535,"value":536,"nodeType":242},{},[],"Agentic threat hunting as core product infrastructure",{"data":538,"content":539,"nodeType":243},{},[540],{"data":541,"marks":542,"value":543,"nodeType":242},{},[],"The nice thing about commercially available AI models is that they’re really good at understanding web code. That arcane Javascript function you’d have to look up in the docs? They recognize it immediately. That makes them perfectly suited to provide domain knowledge that can be harnessed with the right security expertise.",{"data":545,"content":546,"nodeType":243},{},[547],{"data":548,"marks":549,"value":550,"nodeType":242},{},[],"Using commercial models in our agentic detection pipeline then becomes a force multiplier for our research team’s understanding of TTPs — not a security engine in and of itself.",{"data":552,"content":553,"nodeType":243},{},[554],{"data":555,"marks":556,"value":557,"nodeType":242},{},[],"The four core components of our agentic pipeline can’t be replaced by using the same models we do, because the value is not in the models, but in the product infrastructure, product telemetry, and research expertise those models capitalize on.",{"data":559,"content":563,"nodeType":386},{"target":560},{"sys":561},{"id":562,"type":383,"linkType":384},"7oif7PEEC3UMoTqVfRz3ZJ",[],{"data":565,"content":566,"nodeType":451},{},[567],{"data":568,"marks":569,"value":570,"nodeType":242},{},[],"Component 1: The flight recorder",{"data":572,"content":573,"nodeType":243},{},[574],{"data":575,"marks":576,"value":577,"nodeType":242},{},[],"We deploy as a browser extension — not a separate browser, a proxy or an endpoint agent — which means we sit inside the browser session itself, seeing what the user sees. ",{"data":579,"content":580,"nodeType":243},{},[581],{"data":582,"marks":583,"value":584,"nodeType":242},{},[],"A component of the extension acts as a flight recorder, collecting and locally storing browser-level metadata: DOM elements, tab context, script execution, network traffic, user actions, credential entry, and more. This body of structured browser event metadata is the searchable landscape for every hunt.",{"data":586,"content":587,"nodeType":243},{},[588],{"data":589,"marks":590,"value":591,"nodeType":242},{},[],"That's a data source most security teams have never had access to. You can't get it from an endpoint agent, a network proxy, or a cloud access log, because it doesn't exist outside the browser session. Turns out, it matters more than the model itself: When the model has this full browser context — the DOM, redirect chains, user behavior — it can reason about what happened. When it has to start guessing at those details, it starts hallucinating.",{"data":593,"content":597,"nodeType":386},{"target":594},{"sys":595},{"id":596,"type":383,"linkType":384},"6qs9xZvmKlVXOLVhFfMVFx",[],{"data":599,"content":600,"nodeType":451},{},[601],{"data":602,"marks":603,"value":604,"nodeType":242},{},[],"Component 2: The internal knowledge base",{"data":606,"content":607,"nodeType":243},{},[608],{"data":609,"marks":610,"value":611,"nodeType":242},{},[],"As we mentioned earlier, commercial LLMs understand web code exceedingly well. What they don’t know is which patterns in that code indicate a credential-harvesting AiTM kit versus a legitimate login page, or which redirect behavior signals an InstallFix lure versus a normal marketing funnel.",{"data":613,"content":614,"nodeType":243},{},[615],{"data":616,"marks":617,"value":618,"nodeType":242},{},[],"That distinction comes from our internal knowledge base — years of TTP analysis, curated libraries of traces from real phishing kits encountered in the wild, and hunt parameters refined through hundreds of investigations led by our experienced human research team. ",{"data":620,"content":621,"nodeType":243},{},[622],{"data":623,"marks":624,"value":625,"nodeType":242},{},[],"This knowledge base also reflects a deliberate architectural choice. ",{"data":627,"content":628,"nodeType":654},{},[629],{"data":630,"content":631,"nodeType":243},{},[632,636,644,648],{"data":633,"marks":634,"value":635,"nodeType":242},{},[],"As our CPO Jacques Louw put it on ",{"data":637,"content":639,"nodeType":268},{"uri":638},"https://risky.biz/RBNEWSSI128/",[640],{"data":641,"marks":642,"value":643,"nodeType":242},{},[],"Risky Business",{"data":645,"marks":646,"value":647,"nodeType":242},{},[],": ",{"data":649,"marks":650,"value":653,"nodeType":242},{},[651],{"type":652},"italic","\"There's no list of bad domains anywhere in the product. It's a crutch — a false cheat code that stops you from doing the detection in the way that actually is resilient, because the next time you see it, it will be on a different domain.\"","blockquote",{"data":656,"content":657,"nodeType":243},{},[658],{"data":659,"marks":660,"value":661,"nodeType":242},{},[],"Our knowledge base encodes behavioral patterns and TTP signatures instead, which means detections remain effective even as infrastructure rotates underneath them.",{"data":663,"content":664,"nodeType":243},{},[665],{"data":666,"marks":667,"value":668,"nodeType":242},{},[],"We've also learned that even high-quality security data isn’t AI-ready out of the box. Structuring data and knowledge for agent consumption requires dedicated engineering. ",{"data":670,"content":671,"nodeType":243},{},[672],{"data":673,"marks":674,"value":675,"nodeType":242},{},[],"Our researchers have spent that time identifying, naming, and documenting browser-based attack techniques and encoding that knowledge into a format that agents can operationalize and extend.",{"data":677,"content":678,"nodeType":451},{},[679],{"data":680,"marks":681,"value":682,"nodeType":242},{},[],"Component 3: The thoughtfully organized agents",{"data":684,"content":685,"nodeType":243},{},[686,690,695],{"data":687,"marks":688,"value":689,"nodeType":242},{},[],"The engineering challenge isn't getting a model to analyze one browser event — it's keeping it reliable across thousands of events. If you fill a context window with too much data and the model loses the ability to discern signal from noise, you get something called ",{"data":691,"marks":692,"value":694,"nodeType":242},{},[693],{"type":280},"context rot",{"data":696,"marks":697,"value":698,"nodeType":242},{},[],". That's been our primary engineering focus over the last quarter: not making agents objectively smarter, but keeping them focused to improve their outputs.",{"data":700,"content":701,"nodeType":243},{},[702],{"data":703,"marks":704,"value":705,"nodeType":242},{},[],"Our solution is hierarchy. A hunting agent oversees the overall hunt — it understands the query and knows what it's looking for. It dispatches an army of analysis agents, each picking up a single result trace, the term we use for a series of events in a session or tab context. ",{"data":707,"content":708,"nodeType":243},{},[709],{"data":710,"marks":711,"value":712,"nodeType":242},{},[],"But even a single trace can contain thousands of events, so each analysis agent breaks it down into blocks, analyzes and summarizes each one, looks for connections between them, and then bubbles up only the interesting signal. Layer by layer, the context narrows until what reaches the top is workable.",{"data":714,"content":715,"nodeType":243},{},[716],{"data":717,"marks":718,"value":719,"nodeType":242},{},[],"Different agents handle hypothesis generation, query crafting, triage, deep investigation, detection authoring, and meta-analysis for quality control. We back-test detections against real data before they ship. This segmentation and hierarchy took significant trial and error — you can swap out almost any individual model in the chain, but the hierarchy itself is the thing that ultimately makes it work.",{"data":721,"content":722,"nodeType":243},{},[723],{"data":724,"marks":725,"value":726,"nodeType":242},{},[],"The consensus coming out of RSAC this year reinforces this approach. The industry's focus has shifted from “which model is the best?” to “how do we build reliable systems around these models?” ",{"data":728,"content":732,"nodeType":386},{"target":729},{"sys":730},{"id":731,"type":383,"linkType":384},"4cXhgVflbtxiKs604aemSt",[],{"data":734,"content":735,"nodeType":451},{},[736],{"data":737,"marks":738,"value":739,"nodeType":242},{},[],"Component 4: The response engine",{"data":741,"content":742,"nodeType":243},{},[743],{"data":744,"marks":745,"value":746,"nodeType":242},{},[],"Finally, a hunt without a response you can operationalize is just a report. When our agents identify a new technique, the detection they write feeds directly into the same platform that enforces real-time controls in the browser: blocking credential entry on phishing pages, intercepting clipboard injection attacks, warning users during suspicious OAuth consent flows, etc.",{"data":748,"content":749,"nodeType":243},{},[750],{"data":751,"marks":752,"value":753,"nodeType":242},{},[],"Detection and response share the same infrastructure, which means a new technique can go seamlessly from hunt analysis to production enforcement.",{"data":755,"content":759,"nodeType":386},{"target":756},{"sys":757},{"id":758,"type":383,"linkType":384},"vIrkHJ4ec1I41nXeRHfT2",[],{"data":761,"content":762,"nodeType":300},{},[],{"data":764,"content":765,"nodeType":308},{},[766],{"data":767,"marks":768,"value":769,"nodeType":242},{},[],"Learn more about Push and how we develop new detections",{"data":771,"content":772,"nodeType":243},{},[773,777,784],{"data":774,"marks":775,"value":776,"nodeType":242},{},[],"For a deeper look at how the pipeline works in practice, including a step-by-step walkthrough of how we discovered a novel InstallFix attack targeting NotebookLM users, the two-loop detection architecture that creates a compounding effect for customers, and the emerging best practices we've identified for using AI agents in security operations, check out our companion article: ",{"data":778,"content":779,"nodeType":268},{"uri":260},[780],{"data":781,"marks":782,"value":783,"nodeType":242},{},[],"Can AI replace a threat researcher? What we learned building an agentic threat hunting pipeline at Push",{"data":785,"marks":786,"value":787,"nodeType":242},{},[],".",{"data":789,"content":790,"nodeType":243},{},[791,795,803],{"data":792,"marks":793,"value":794,"nodeType":242},{},[],"If you'd like to see how our agentic detection capabilities apply to your environment, ",{"data":796,"content":798,"nodeType":268},{"uri":797},"https://pushsecurity.com/demo",[799],{"data":800,"marks":801,"value":802,"nodeType":242},{},[],"book a demo",{"data":804,"marks":805,"value":787,"nodeType":242},{},[],"document",{"entries":808},{"hyperlink":809,"inline":810,"block":811},[],[],[812,820,828,843,862],{"sys":813,"__typename":814,"type":815,"ctaText":816,"buttonLabel":817,"buttonColour":818,"buttonUrl":819},{"id":382},"CtaWidget","Custom","Learn how AI-enabled attacks are making infrastructure-based detection increasingly ineffective in our update on the Pyramid of Pain concept for 2026.","Read the blog","sunny orange","https://pushsecurity.com/blog/the-pyramid-of-pain-in-the-ai-era/",{"sys":821,"__typename":822,"title":823,"caption":823,"layoutMode":62,"file":824},{"id":562},"Image","High-level view of our agentic threat hunting pipeline.",{"url":825,"width":826,"height":827},"https://images.ctfassets.net/y1cdw1ablpvd/vsZeU4aJ54AUHwTqmB9rQ/95612df4929512599c26f5727af8e420/image1_10.png",2268,1164,{"sys":829,"__typename":830,"content":831,"name":842,"title":62},{"id":596},"InsightTextBlockComponent",{"json":832},{"data":833,"content":834,"nodeType":806},{},[835],{"data":836,"content":837,"nodeType":243},{},[838],{"data":839,"marks":840,"value":841,"nodeType":242},{},[],"The Push extension, the telemetry it collects, and the scale (3 million browsers and counting) at which it operates is the underlying capability that makes our agentic threat hunting possible.","Vibecode threat hunting pipeline IB1",{"sys":844,"__typename":830,"content":845,"name":861,"title":62},{"id":731},{"json":846},{"data":847,"content":848,"nodeType":806},{},[849],{"data":850,"content":851,"nodeType":243},{},[852,857],{"data":853,"marks":854,"value":856,"nodeType":242},{},[855],{"type":280},"What matters is what goes into the model — the telemetry, the domain knowledge, the structured context — and what happens around it: the orchestration, quality control, and feedback loops.",{"data":858,"marks":859,"value":860,"nodeType":242},{},[]," That's where production reliability comes from, and it's where you’ll find the need for significant engineering effort.","Vibecode threat hunting pipeline IB2",{"sys":863,"__typename":830,"content":864,"name":875,"title":62},{"id":758},{"json":865},{"nodeType":806,"data":866,"content":867},{},[868],{"nodeType":243,"data":869,"content":870},{},[871],{"nodeType":242,"value":872,"marks":873,"data":874},"Without a browser-layer enforcement tool, any knowledge of emerging attack methods can only be addressed by revoking sessions, resetting passwords, adding (short-lived) domains to a blocklist, wiping compromised machines, and other after-the-fact response actions that keep security teams on the back foot against these kinds of incidents. ",[],{},"Vibecode threat hunting pipeline IB3","json",{},"2026-06-02T00:00:00.000Z",{"items":880},[881,1855,2482],{"__typename":882,"sys":883,"publishedDate":885,"content":886,"title":1838,"synopsis":1839,"hashTags":62,"slug":1840,"tagsCollection":1841,"authorsCollection":1851},"BlogPosts",{"id":884},"1jfqiWQlL6qkn3i9yjNbFB","2026-05-12T00:00:00.000Z",{"json":887},{"nodeType":806,"data":888,"content":889},{},[890,897,919,931,938,946,953,976,983,990,997,1009,1015,1018,1026,1042,1063,1179,1185,1192,1198,1206,1213,1225,1232,1238,1245,1269,1276,1283,1289,1292,1300,1307,1315,1322,1338,1345,1352,1360,1367,1374,1382,1389,1396,1399,1407,1414,1422,1429,1436,1443,1450,1458,1465,1498,1505,1512,1518,1525,1533,1540,1618,1624,1632,1648,1655,1661,1668,1684,1687,1695,1702,1709,1715,1722,1767,1774,1781,1788,1794,1797,1805,1812,1819],{"nodeType":243,"data":891,"content":892},{},[893],{"nodeType":242,"value":894,"marks":895,"data":896},"In March, our threat hunting engine flagged something it hadn’t seen before.",[],{},{"nodeType":243,"data":898,"content":899},{},[900,904,915],{"nodeType":242,"value":901,"marks":902,"data":903},"Our research team had already been tracking the growing use of ",[],{},{"nodeType":905,"data":906,"content":910},"entry-hyperlink",{"target":907},{"sys":908},{"id":909,"type":383,"linkType":384},"2U6QpQ9rkY8x5ES48okHZB",[911],{"nodeType":242,"value":912,"marks":913,"data":914},"malvertising",[],{},{"nodeType":242,"value":916,"marks":917,"data":918}," tied to phishing campaigns. Malvertising frequently targets users via Google Search results, inserting malicious ads or redirects in place of legitimate ads, and using the familiar context of the search results page to trick users into clicking.",[],{},{"nodeType":243,"data":920,"content":921},{},[922,926],{"nodeType":242,"value":923,"marks":924,"data":925},"To defend Push customers against this threat, we needed a way to spot malicious activity arising from clicking on Google ads. ",[],{},{"nodeType":242,"value":927,"marks":928,"data":930},"But how to separate signal from noise?",[929],{"type":652},{},{"nodeType":243,"data":932,"content":933},{},[934],{"nodeType":242,"value":935,"marks":936,"data":937},"Our hunt combined the skills of human researchers and AI agents to find 12 meaningful results from trillions of browser events visible to the Push extension across our install base.",[],{},{"nodeType":243,"data":939,"content":940},{},[941],{"nodeType":242,"value":942,"marks":943,"data":945},"Of those, one was novel. ",[944],{"type":280},{},{"nodeType":243,"data":947,"content":948},{},[949],{"nodeType":242,"value":950,"marks":951,"data":952},"A user had searched for NotebookLM, clicked a paid Google ad, and gotten redirected to a page impersonating NotebookLM. The page itself was just a facade fronting a Cloudflare Pages-hosted phishing kit with a WebAssembly C2 connector. To the user, it looked like a completely on-brand NotebookLM page, and if they had run the fake install prompt, they would have installed malware. (Note: NotebookLM doesn’t even require a local install, but the page was convincing enough — and AI platforms are changing so quickly — that the lure was extremely believable.)",[],{},{"nodeType":243,"data":954,"content":955},{},[956,961,972],{"nodeType":242,"value":957,"marks":958,"data":960},"We had found our first in-the-wild ",[959],{"type":280},{},{"nodeType":905,"data":962,"content":966},{"target":963},{"sys":964},{"id":965,"type":383,"linkType":384},"7bG71Eo43crbIHKzczooVS",[967],{"nodeType":242,"value":968,"marks":969,"data":971},"InstallFix attack",[970],{"type":280},{},{"nodeType":242,"value":787,"marks":973,"data":975},[974],{"type":280},{},{"nodeType":243,"data":977,"content":978},{},[979],{"nodeType":242,"value":980,"marks":981,"data":982},"Within minutes, our analysis agents created detections, and researchers shipped a new detection to every Push customer. ",[],{},{"nodeType":243,"data":984,"content":985},{},[986],{"nodeType":242,"value":987,"marks":988,"data":989},"Eighteen months ago, it would have taken a human analyst days or even weeks to unpack the attack, comb through web requests, de-obfuscate web code, trace JavaScript execution, and extract signals of tactics, techniques, and procedures (TTPs) beyond short-lived single-use IOCs like domain name, then get their work coded up as a detection and deployed to customers. ",[],{},{"nodeType":243,"data":991,"content":992},{},[993],{"nodeType":242,"value":994,"marks":995,"data":996},"That was viable when new tools or techniques showed up once or twice a quarter. It doesn’t stand a chance when attack evolutions occur weekly or even daily. That’s the reality now with AI-generated adversary tools.",[],{},{"nodeType":243,"data":998,"content":999},{},[1000,1005],{"nodeType":242,"value":1001,"marks":1002,"data":1004},"So, can AI agents replace human threat researchers?",[1003],{"type":280},{},{"nodeType":242,"value":1006,"marks":1007,"data":1008}," That’s the wrong question. Can AI agents massively scale the expertise of a seasoned human threat hunter without getting bored of repetitive tasks, missing pertinent but easily overlooked details, or creating operational siloes dependent on one person’s knowledge — and do its work continuously across trillions of data points? Yes, absolutely.",[],{},{"nodeType":386,"data":1010,"content":1014},{"target":1011},{"sys":1012},{"id":1013,"type":383,"linkType":384},"3OiZ7BrViCTTMmHUAbloEt",[],{"nodeType":300,"data":1016,"content":1017},{},[],{"nodeType":308,"data":1019,"content":1020},{},[1021],{"nodeType":242,"value":1022,"marks":1023,"data":1025},"Why scaling browser threat detection requires more than more analysts",[1024],{"type":280},{},{"nodeType":243,"data":1027,"content":1028},{},[1029,1033,1038],{"nodeType":242,"value":1030,"marks":1031,"data":1032},"Already this year, we’ve ",[],{},{"nodeType":242,"value":1034,"marks":1035,"data":1037},"tripled",[1036],{"type":280},{},{"nodeType":242,"value":1039,"marks":1040,"data":1041}," the cumulative number of detections shipped to Push customers using this pipeline. That output points to the first problem we set out to solve by employing AI agents: Scaling our research team’s considerable expertise.",[],{},{"nodeType":243,"data":1043,"content":1044},{},[1045,1049,1059],{"nodeType":242,"value":1046,"marks":1047,"data":1048},"Push’s R&D team are experts at understanding and unpacking modern browser-based attacks. This is essential when you consider how quickly attacks themselves are evolving. When we created the ",[],{},{"nodeType":905,"data":1050,"content":1054},{"target":1051},{"sys":1052},{"id":1053,"type":383,"linkType":384},"211Dd0EIrXPOFpvRgs0fEE",[1055],{"nodeType":242,"value":1056,"marks":1057,"data":1058},"Browser & Identity Attacks Matrix",[],{},{"nodeType":242,"value":1060,"marks":1061,"data":1062}," in 2023 (then called the SaaS Attacks Matrix), many of the ideas in it were theoretical. Not anymore. ",[],{},{"nodeType":1064,"data":1065,"content":1066},"unordered-list",{},[1067,1078,1102],{"nodeType":1068,"data":1069,"content":1070},"list-item",{},[1071],{"nodeType":243,"data":1072,"content":1073},{},[1074],{"nodeType":242,"value":1075,"marks":1076,"data":1077},"We’ve tracked the rise of AiTM phish kits from their status as MFA-bypassing novelties to the emergence of an entire criminal ecosystem built around increasingly sophisticated Phishing-as-a-Service tools. ",[],{},{"nodeType":1068,"data":1079,"content":1080},{},[1081],{"nodeType":243,"data":1082,"content":1083},{},[1084,1088,1098],{"nodeType":242,"value":1085,"marks":1086,"data":1087},"We imagined the simple but effective power of using device code authorization for phishing three years ago; in the last few months, we’ve detected a 37x increase in ",[],{},{"nodeType":905,"data":1089,"content":1093},{"target":1090},{"sys":1091},{"id":1092,"type":383,"linkType":384},"5DmCqTU2Tg4adYScA5vT2x",[1094],{"nodeType":242,"value":1095,"marks":1096,"data":1097},"device code phishing attacks",[],{},{"nodeType":242,"value":1099,"marks":1100,"data":1101}," across our install base. ",[],{},{"nodeType":1068,"data":1103,"content":1104},{},[1105],{"nodeType":243,"data":1106,"content":1107},{},[1108,1112,1122,1126,1135,1139,1149,1153,1162,1165,1175],{"nodeType":242,"value":1109,"marks":1110,"data":1111},"We were also the first to detect a novel post-authorization attack we dubbed ",[],{},{"nodeType":905,"data":1113,"content":1117},{"target":1114},{"sys":1115},{"id":1116,"type":383,"linkType":384},"71EaaK7lfl6bQBbkAU0qjv",[1118],{"nodeType":242,"value":1119,"marks":1120,"data":1121},"ConsentFix",[],{},{"nodeType":242,"value":1123,"marks":1124,"data":1125}," that combines OAuth consent phishing and ClickFix-style user prompts; reported on the rise of the ridiculously simple yet effective ",[],{},{"nodeType":905,"data":1127,"content":1130},{"target":1128},{"sys":1129},{"id":965,"type":383,"linkType":384},[1131],{"nodeType":242,"value":1132,"marks":1133,"data":1134},"InstallFix technique",[],{},{"nodeType":242,"value":1136,"marks":1137,"data":1138}," described earlier; and detected an array of other ",[],{},{"nodeType":905,"data":1140,"content":1144},{"target":1141},{"sys":1142},{"id":1143,"type":383,"linkType":384},"2YmiesBvJHGw4wiKEKzLUq",[1145],{"nodeType":242,"value":1146,"marks":1147,"data":1148},"creative",[],{},{"nodeType":242,"value":1150,"marks":1151,"data":1152}," ",[],{},{"nodeType":905,"data":1154,"content":1157},{"target":1155},{"sys":1156},{"id":909,"type":383,"linkType":384},[1158],{"nodeType":242,"value":1159,"marks":1160,"data":1161},"phishing",[],{},{"nodeType":242,"value":1150,"marks":1163,"data":1164},[],{},{"nodeType":905,"data":1166,"content":1170},{"target":1167},{"sys":1168},{"id":1169,"type":383,"linkType":384},"6Zosy4SU0LpjlaSWX75peb",[1171],{"nodeType":242,"value":1172,"marks":1173,"data":1174},"campaigns",[],{},{"nodeType":242,"value":1176,"marks":1177,"data":1178}," tied to malvertising scams.",[],{},{"nodeType":386,"data":1180,"content":1184},{"target":1181},{"sys":1182},{"id":1183,"type":383,"linkType":384},"53U3LHhhHFYnEpShdLmDqs",[],{"nodeType":243,"data":1186,"content":1187},{},[1188],{"nodeType":242,"value":1189,"marks":1190,"data":1191},"With an agentic approach, we could scale this expertise and reduce the time it takes to go from technique discovery to production-ready detection. This speed is critical now because adversaries are also using AI tools to do their work, exploding the number of trivial-to-rotate indicators of compromise and overwhelming existing detection workflows that lack an equivalent machine speed.",[],{},{"nodeType":386,"data":1193,"content":1197},{"target":1194},{"sys":1195},{"id":1196,"type":383,"linkType":384},"1u00uFbC4xsvP9lqahXbgD",[],{"nodeType":451,"data":1199,"content":1200},{},[1201],{"nodeType":242,"value":1202,"marks":1203,"data":1205},"Scaling behavioral detections, not just making bigger blocklists",[1204],{"type":280},{},{"nodeType":243,"data":1207,"content":1208},{},[1209],{"nodeType":242,"value":1210,"marks":1211,"data":1212},"But output numbers alone don’t tell the story of successful detections. That’s the other problem we set out to solve at scale: Most secure browser solutions rely on detection logic based on blocking known-bad indicators like domains, IPs, and URLs.",[],{},{"nodeType":243,"data":1214,"content":1215},{},[1216,1221],{"nodeType":242,"value":1217,"marks":1218,"data":1220},"If your solution offers 1,000 detections, and they’re all based on known-bad indicators that are easily rotated, then you’ve got 1,000 detections that worked once and will likely never fire again. ",[1219],{"type":280},{},{"nodeType":242,"value":1222,"marks":1223,"data":1224},"They certainly won’t catch subtle adaptations in adversary techniques that don’t rely on infrastructure changes, which are easy for attackers to swap anyway. ",[],{},{"nodeType":243,"data":1226,"content":1227},{},[1228],{"nodeType":242,"value":1229,"marks":1230,"data":1231},"Push does it differently. Our detection engine is focused on hunting for tactics, techniques, and procedures: the behavioral fingerprints of an attack, not just the infrastructure it runs on. ",[],{},{"nodeType":386,"data":1233,"content":1237},{"target":1234},{"sys":1235},{"id":1236,"type":383,"linkType":384},"5jR3YVUiusHGnXDOyrgYpr",[],{"nodeType":243,"data":1239,"content":1240},{},[1241],{"nodeType":242,"value":1242,"marks":1243,"data":1244},"Instead of blocking based on known-bad domains, URLs, and IPs, our detections are built around user-level and page-level behaviors like what scripts load, how redirects behave, what events fire, what actions a user takes and what happens next, etc. (In fact, Push detections don’t even use any infrastructure-based IOCs, though customers can write their own custom detections if they have a specific IOC they’re keeping an eye on.)",[],{},{"nodeType":243,"data":1246,"content":1247},{},[1248,1253,1264],{"nodeType":242,"value":1249,"marks":1250,"data":1252},"All the detections we write would survive infrastructure rotation by adversaries, and many of our existing detections have caught never-before-seen evolutions in TTPs. That’s because we focus on the top of the ",[1251],{"type":280},{},{"nodeType":905,"data":1254,"content":1258},{"target":1255},{"sys":1256},{"id":1257,"type":383,"linkType":384},"1qegIy4rMdm5XZXnIEoKpE",[1259],{"nodeType":242,"value":1260,"marks":1261,"data":1263},"Pyramid of Pain",[1262],{"type":280},{},{"nodeType":242,"value":1265,"marks":1266,"data":1268},", the indicators that are hardest for attackers to change.",[1267],{"type":280},{},{"nodeType":243,"data":1270,"content":1271},{},[1272],{"nodeType":242,"value":1273,"marks":1274,"data":1275},"This focus on detecting TTPs has always been our approach. But with the acceleration in both attack types and the ease with which adversaries rotate infrastructure, we needed to build capabilities that scaled our knowledge. ",[],{},{"nodeType":243,"data":1277,"content":1278},{},[1279],{"nodeType":242,"value":1280,"marks":1281,"data":1282},"We did this not by replacing researchers, but by continuously activating their expertise. You can hear what our CEO and Co-founder Adam had to say about this below. ",[],{},{"nodeType":386,"data":1284,"content":1288},{"target":1285},{"sys":1286},{"id":1287,"type":383,"linkType":384},"C9gr4nF3f6CW45Aol9xij",[],{"nodeType":300,"data":1290,"content":1291},{},[],{"nodeType":308,"data":1293,"content":1294},{},[1295],{"nodeType":242,"value":1296,"marks":1297,"data":1299},"Core principles for agentic threat hunting",[1298],{"type":280},{},{"nodeType":243,"data":1301,"content":1302},{},[1303],{"nodeType":242,"value":1304,"marks":1305,"data":1306},"Three principles make Push's agentic threat hunting and detection engineering pipeline work:",[],{},{"nodeType":451,"data":1308,"content":1309},{},[1310],{"nodeType":242,"value":1311,"marks":1312,"data":1314},"Context matters more than custom models",[1313],{"type":280},{},{"nodeType":243,"data":1316,"content":1317},{},[1318],{"nodeType":242,"value":1319,"marks":1320,"data":1321},"We’re not AI researchers; we’re security researchers — we aren't trying to compete in building the most intelligent models. And in our view, AI models are quickly becoming commoditized like cloud infrastructure, anyway. Luckily, the commercial models today already excel at understanding web code. We just need to harness their power with our expertise.",[],{},{"nodeType":243,"data":1323,"content":1324},{},[1325,1329,1334],{"nodeType":242,"value":1326,"marks":1327,"data":1328},"So at Push, we use a variety of commercial AI models and tools in complementary ways. What matters most is the telemetry they analyze, and that’s where Push’s existing product infrastructure shines: We’re already deployed into over ",[],{},{"nodeType":242,"value":1330,"marks":1331,"data":1333},"3 million browsers worldwide",[1332],{"type":280},{},{"nodeType":242,"value":1335,"marks":1336,"data":1337},", and the Push browser extension includes a component that operates as a flight recorder to locally record everything that matters inside a browser session.",[],{},{"nodeType":243,"data":1339,"content":1340},{},[1341],{"nodeType":242,"value":1342,"marks":1343,"data":1344},"This universe of metadata — DOM elements, tab context, script execution, network traffic, user actions, credential entry, etc. — becomes the searchable corpus for hunts. Metadata is stored locally in users’ browsers and only queried during targeted threat hunts. ",[],{},{"nodeType":243,"data":1346,"content":1347},{},[1348],{"nodeType":242,"value":1349,"marks":1350,"data":1351},"This approach avoids dragnet collection of sensitive data. Instead, we focus on collecting metadata and distilling that into patterns and insights that provide context for agents to perform their analysis. This means that Push also does not train or fine-tune models on customer data.",[],{},{"nodeType":451,"data":1353,"content":1354},{},[1355],{"nodeType":242,"value":1356,"marks":1357,"data":1359},"Agents are only as good as the context you give them. Good context is researcher-led",[1358],{"type":280},{},{"nodeType":243,"data":1361,"content":1362},{},[1363],{"nodeType":242,"value":1364,"marks":1365,"data":1366},"AI agents don’t know how to identify the TTPs of browser-based attacks until you give them the right context, and Push researchers have spent years unpacking these techniques and tools. Agents at Push consume our internal knowledge base of identified TTPs, and both humans and agents perform meta-analyses to check their work. The agents have access to large libraries of traces of human interactions with real phishing kits. This is a powerful dataset to build on.",[],{},{"nodeType":243,"data":1368,"content":1369},{},[1370],{"nodeType":242,"value":1371,"marks":1372,"data":1373},"When we don’t get the results we want from AI models, the question is “What context is it missing? What does our human team know that the agents don’t, and how can we give them that context — do they need data, tools, better workflows?” That closes the gap in performance and keeps quality high.",[],{},{"nodeType":451,"data":1375,"content":1376},{},[1377],{"nodeType":242,"value":1378,"marks":1379,"data":1381},"Integrated architecture that makes agentic AI the throughput layer, not a bolt-on",[1380],{"type":280},{},{"nodeType":243,"data":1383,"content":1384},{},[1385],{"nodeType":242,"value":1386,"marks":1387,"data":1388},"The constraint we’re trying to break by using AI isn’t knowledge, it’s throughput. Our researchers deeply understand the techniques and tools. An agentic pipeline can apply that understanding continuously across millions of browsers and trillions of events, ingest new external signals, generate hunt hypotheses, triage results, and return only the findings that warrant escalation.",[],{},{"nodeType":243,"data":1390,"content":1391},{},[1392],{"nodeType":242,"value":1393,"marks":1394,"data":1395},"This approach relies on tight integration of our product and our agentic workflows. We’ll take a closer look at that in the next section.",[],{},{"nodeType":300,"data":1397,"content":1398},{},[],{"nodeType":308,"data":1400,"content":1401},{},[1402],{"nodeType":242,"value":1403,"marks":1404,"data":1406},"How the agentic detection pipeline runs",[1405],{"type":280},{},{"nodeType":243,"data":1408,"content":1409},{},[1410],{"nodeType":242,"value":1411,"marks":1412,"data":1413},"Now let’s look at how agentic threat detection actually works, and some of the emerging best practices we’ve identified. We'll cover two example hunts, one initiated autonomously by the agents themselves, and one by our research team. ",[],{},{"nodeType":451,"data":1415,"content":1416},{},[1417],{"nodeType":242,"value":1418,"marks":1419,"data":1421},"Example 1: Autonomous threat hunt",[1420],{"type":280},{},{"nodeType":243,"data":1423,"content":1424},{},[1425],{"nodeType":242,"value":1426,"marks":1427,"data":1428},"Push’s threat hunting pipeline ingested context from research articles describing a new attack technique, and an agent developed hypotheses on what to hunt for across Push’s install base to identify instances of this attack. ",[],{},{"nodeType":243,"data":1430,"content":1431},{},[1432],{"nodeType":242,"value":1433,"marks":1434,"data":1435},"The agent crafted detection queries and then refined them to reduce false positives. The successful query ran across stored metadata and returned results, validating that there were zero false positives. ",[],{},{"nodeType":243,"data":1437,"content":1438},{},[1439],{"nodeType":242,"value":1440,"marks":1441,"data":1442},"The validated query became a scheduled job that runs on a regular cadence to monitor for potentially malicious signals. A triage agent then received any matches, did an initial analysis, and passed anything that looked suspicious to another agent to perform deeper analysis. This deep analysis agent wields the full investigative toolkit that a human researcher would — using Push’s internal knowledge base, domain age and registration analysis, URLScan and whois lookups, DOM image analysis, and contextual analysis of page-level and user-level behaviors, etc.",[],{},{"nodeType":243,"data":1444,"content":1445},{},[1446],{"nodeType":242,"value":1447,"marks":1448,"data":1449},"Within a few minutes, it can filter a thousand or more signals in a hunt trace down to a handful with meaning and provide an actionable assessment. Then, once the TTP was well-understood, other agents wrote and refined detections that can raise alerts for customers when an event of this type is seen. The Push platform immediately applies the customer’s configured security controls, such as blocking users from interacting with malicious pages.",[],{},{"nodeType":451,"data":1451,"content":1452},{},[1453],{"nodeType":242,"value":1454,"marks":1455,"data":1457},"Example 2: Human-initiated threat hunt",[1456],{"type":280},{},{"nodeType":243,"data":1459,"content":1460},{},[1461],{"nodeType":242,"value":1462,"marks":1463,"data":1464},"Now, going back to the example from the beginning of the article: InstallFix. This hunt started with a thorny problem our research team needed to solve: How to detect bad things downstream of a user interacting with a Google ad? We needed a way to pinpoint the bad links from the good ones.",[],{},{"nodeType":243,"data":1466,"content":1467},{},[1468,1472,1477,1481,1486,1489,1494],{"nodeType":242,"value":1469,"marks":1470,"data":1471},"Our researchers collaborated with agents to formulate the right parameters for hunt queries, taking into account that good ads are normally bought by companies with marketing budgets, so therefore ads will be expected to redirect to pages hosted on custom domains, not shared domains like ",[],{},{"nodeType":242,"value":1473,"marks":1474,"data":1476},"*pages.dev",[1475],{"type":280},{},{"nodeType":242,"value":1478,"marks":1479,"data":1480},", ",[],{},{"nodeType":242,"value":1482,"marks":1483,"data":1485},"*workers.dev",[1484],{"type":280},{},{"nodeType":242,"value":1478,"marks":1487,"data":1488},[],{},{"nodeType":242,"value":1490,"marks":1491,"data":1493},"*squarespace.com",[1492],{"type":280},{},{"nodeType":242,"value":1495,"marks":1496,"data":1497},", etc.",[],{},{"nodeType":243,"data":1499,"content":1500},{},[1501],{"nodeType":242,"value":1502,"marks":1503,"data":1504},"Our AI agents already understood key TTPs that indicated potential maliciousness on a page: password prompts, file downloads, OAuth integrations, clipboard copies, and similar user prompts that are frequently abused.",[],{},{"nodeType":243,"data":1506,"content":1507},{},[1508],{"nodeType":242,"value":1509,"marks":1510,"data":1511},"The agent ran several queries that returned matching browsing traces — the term we use for sequences of events in a session or tab context — where the user clicked a Google ad, was redirected to a page on a shared hosting domain, and then clicked a button to copy content to their clipboard.",[],{},{"nodeType":386,"data":1513,"content":1517},{"target":1514},{"sys":1515},{"id":1516,"type":383,"linkType":384},"4IWOrWuvbwzWRJUkINiwKH",[],{"nodeType":243,"data":1519,"content":1520},{},[1521],{"nodeType":242,"value":1522,"marks":1523,"data":1524},"We got back high-fidelity findings and then tuned the query into a continuous detection that leveraged existing detection logic around related techniques. This process also effectively back-tests new detections, so we know we’re not going to generate a lot of false positives. Result: A new detection against a new technique, plus several improvements to existing detections.",[],{},{"nodeType":451,"data":1526,"content":1527},{},[1528],{"nodeType":242,"value":1529,"marks":1530,"data":1532},"What infrastructure is needed for agentic threat hunting?",[1531],{"type":280},{},{"nodeType":243,"data":1534,"content":1535},{},[1536],{"nodeType":242,"value":1537,"marks":1538,"data":1539},"Both of these examples illustrate the end-to-end workflows supported by this pipeline. From an infrastructure perspective, you can think about the pipeline as composed of:",[],{},{"nodeType":1064,"data":1541,"content":1542},{},[1543,1558,1573,1588,1603],{"nodeType":1068,"data":1544,"content":1545},{},[1546],{"nodeType":243,"data":1547,"content":1548},{},[1549,1554],{"nodeType":242,"value":1550,"marks":1551,"data":1553},"A flight recorder: ",[1552],{"type":280},{},{"nodeType":242,"value":1555,"marks":1556,"data":1557},"The Push extension-powered capability that collects and locally stores browser event metadata from users’ browsers.",[],{},{"nodeType":1068,"data":1559,"content":1560},{},[1561],{"nodeType":243,"data":1562,"content":1563},{},[1564,1569],{"nodeType":242,"value":1565,"marks":1566,"data":1568},"A knowledge base:",[1567],{"type":280},{},{"nodeType":242,"value":1570,"marks":1571,"data":1572}," Structured knowledge about what Push knows about TTPs and its existing body of detection logic, as well as externally sourced signals of new attack trends.",[],{},{"nodeType":1068,"data":1574,"content":1575},{},[1576],{"nodeType":243,"data":1577,"content":1578},{},[1579,1584],{"nodeType":242,"value":1580,"marks":1581,"data":1583},"Agents as tools: ",[1582],{"type":280},{},{"nodeType":242,"value":1585,"marks":1586,"data":1587},"Role-segmented agents that work as a team to triage, investigate, develop hunt queries, return analyses, write detections, and review each others’ work for completeness and accuracy.",[],{},{"nodeType":1068,"data":1589,"content":1590},{},[1591],{"nodeType":243,"data":1592,"content":1593},{},[1594,1599],{"nodeType":242,"value":1595,"marks":1596,"data":1598},"Humans in the loop: ",[1597],{"type":280},{},{"nodeType":242,"value":1600,"marks":1601,"data":1602},"Human researchers who collaborate with agents to initiate hunts and tune detections.",[],{},{"nodeType":1068,"data":1604,"content":1605},{},[1606],{"nodeType":243,"data":1607,"content":1608},{},[1609,1614],{"nodeType":242,"value":1610,"marks":1611,"data":1613},"Platform controls: ",[1612],{"type":280},{},{"nodeType":242,"value":1615,"marks":1616,"data":1617},"The Push administrator-configured controls that specify how to respond to detected events like AiTM phishing, tuneable by scope, user groups, browser profiles, apps, etc.",[],{},{"nodeType":386,"data":1619,"content":1623},{"target":1620},{"sys":1621},{"id":1622,"type":383,"linkType":384},"7FY0vCBUXOt4vnudFuKALC",[],{"nodeType":451,"data":1625,"content":1626},{},[1627],{"nodeType":242,"value":1628,"marks":1629,"data":1631},"What are the best practices for agentic threat detection?",[1630],{"type":280},{},{"nodeType":243,"data":1633,"content":1634},{},[1635,1639,1644],{"nodeType":242,"value":1636,"marks":1637,"data":1638},"To be effective, agents must specialize and focus. This is the ",[],{},{"nodeType":242,"value":1640,"marks":1641,"data":1643},"agents as tools",[1642],{"type":280},{},{"nodeType":242,"value":1645,"marks":1646,"data":1647}," concept. When we’re asking AI agents to take massive amounts of data and make a high-level decision about a signal in observed browser events, they must work as a team, finding intelligent ways to condense information without losing important context or hallucinating.",[],{},{"nodeType":243,"data":1649,"content":1650},{},[1651],{"nodeType":242,"value":1652,"marks":1653,"data":1654},"Creating a hierarchy of agent jobs — including agents to perform meta-analyses to catch mistakes and verify conclusions — makes the agents effective by giving them a manageable focus that controls the size of context windows.",[],{},{"nodeType":386,"data":1656,"content":1660},{"target":1657},{"sys":1658},{"id":1659,"type":383,"linkType":384},"3fzJCknMUmh4Z7YnhBSbsT",[],{"nodeType":243,"data":1662,"content":1663},{},[1664],{"nodeType":242,"value":1665,"marks":1666,"data":1667},"Creating an agentic workflow requires operationalizing your internal knowledge in a repeatable and trustworthy way. Sharing rich context from human discoveries is the key to getting the best results out of agents. ",[],{},{"nodeType":243,"data":1669,"content":1670},{},[1671,1675,1680],{"nodeType":242,"value":1672,"marks":1673,"data":1674},"It's vital too that the agent uses ",[],{},{"nodeType":242,"value":1676,"marks":1677,"data":1679},"privacy-preserving methods and infrastructure.",[1678],{"type":280},{},{"nodeType":242,"value":1681,"marks":1682,"data":1683}," The Push agent is designed to respect customer and user privacy while enabling high-fidelity detections. We do this by collecting broad browser metadata but storing it locally in users’ browsers and only querying that metadata during active threat hunting investigations.",[],{},{"nodeType":300,"data":1685,"content":1686},{},[],{"nodeType":308,"data":1688,"content":1689},{},[1690],{"nodeType":242,"value":1691,"marks":1692,"data":1694},"The compounding effect and how it benefits Push customers",[1693],{"type":280},{},{"nodeType":243,"data":1696,"content":1697},{},[1698],{"nodeType":242,"value":1699,"marks":1700,"data":1701},"At Push, we think about our detection capability as two learning loops with a compounding effect: An inner loop that serves as our real-time detection and response engine for known attacker techniques, and an outer loop that is the continuous learning our agents do as they hunt for new threats, analyze emerging behaviors, and create new detections. ",[],{},{"nodeType":243,"data":1703,"content":1704},{},[1705],{"nodeType":242,"value":1706,"marks":1707,"data":1708},"The outer loop feeds the inner loop, and vice versa.",[],{},{"nodeType":386,"data":1710,"content":1714},{"target":1711},{"sys":1712},{"id":1713,"type":383,"linkType":384},"1Jjqll7IIX2QRxN37gjFMH",[],{"nodeType":243,"data":1716,"content":1717},{},[1718],{"nodeType":242,"value":1719,"marks":1720,"data":1721},"Customers benefit from this approach because it means they:",[],{},{"nodeType":1064,"data":1723,"content":1724},{},[1725,1747,1757],{"nodeType":1068,"data":1726,"content":1727},{},[1728],{"nodeType":243,"data":1729,"content":1730},{},[1731,1735,1743],{"nodeType":242,"value":1732,"marks":1733,"data":1734},"Regularly receive ready-made detections against both known and emerging browser-based threats, without having to write their own detections. (Push also provides the ability to write your own ",[],{},{"nodeType":268,"data":1736,"content":1738},{"uri":1737},"/help/audience/engineering/resources/custom-detections",[1739],{"nodeType":242,"value":1740,"marks":1741,"data":1742},"custom detections",[],{},{"nodeType":242,"value":1744,"marks":1745,"data":1746},", too, for environment-specific use cases.)",[],{},{"nodeType":1068,"data":1748,"content":1749},{},[1750],{"nodeType":243,"data":1751,"content":1752},{},[1753],{"nodeType":242,"value":1754,"marks":1755,"data":1756},"Can configure Push’s response actions based on their security goals and environment. Agents act as the threat-hunting and detection engineering team; Push customers set the thresholds for how they want to respond. For example, customers can use Push controls to block all AiTM phishing attacks (or even carve out exceptions for their own incident responders to be able to visit malicious pages with just a warning), and agents continually feed new indicators into detection logic for that class of attack.",[],{},{"nodeType":1068,"data":1758,"content":1759},{},[1760],{"nodeType":243,"data":1761,"content":1762},{},[1763],{"nodeType":242,"value":1764,"marks":1765,"data":1766},"Get pre-digested and actionable intelligence from every detection, with extremely high fidelity.",[],{},{"nodeType":243,"data":1768,"content":1769},{},[1770],{"nodeType":242,"value":1771,"marks":1772,"data":1773},"This all equates to your own advanced browser threat protection, without requiring the specialized in-house expertise we’ve spent years building.",[],{},{"nodeType":243,"data":1775,"content":1776},{},[1777],{"nodeType":242,"value":1778,"marks":1779,"data":1780},"If you’re a Push customer, you already know that we regularly collaborate with security teams to identify and refine detection use cases, and assist with investigations. In the past few months alone, we’ve worked closely with teams targeted by device code phishing, and InstallFix and ClickFix campaigns, among others. ",[],{},{"nodeType":243,"data":1782,"content":1783},{},[1784],{"nodeType":242,"value":1785,"marks":1786,"data":1787},"If you’re not a customer and are curious about how Push’s agentic threat hunting and detection engineering capabilities can address your use cases, please get in touch.",[],{},{"nodeType":386,"data":1789,"content":1793},{"target":1790},{"sys":1791},{"id":1792,"type":383,"linkType":384},"607jrBjlD1vtcbkDfD04DE",[],{"nodeType":300,"data":1795,"content":1796},{},[],{"nodeType":308,"data":1798,"content":1799},{},[1800],{"nodeType":242,"value":1801,"marks":1802,"data":1804},"Learn more",[1803],{"type":280},{},{"nodeType":243,"data":1806,"content":1807},{},[1808],{"nodeType":242,"value":1809,"marks":1810,"data":1811},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.",[],{},{"nodeType":243,"data":1813,"content":1814},{},[1815],{"nodeType":242,"value":1816,"marks":1817,"data":1818},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":243,"data":1820,"content":1821},{},[1822,1826,1834],{"nodeType":242,"value":1823,"marks":1824,"data":1825},"Book a ",[],{},{"nodeType":268,"data":1827,"content":1829},{"uri":1828},"/demo",[1830],{"nodeType":242,"value":1831,"marks":1832,"data":1833},"live demo",[],{},{"nodeType":242,"value":1835,"marks":1836,"data":1837}," to learn more.",[],{},"Can AI replace a threat researcher? What we learned building an agentic threat hunting pipeline","How we built an end-to-end threat hunting and detection engineering capability at Push that uses AI agents as a force multiplier.","can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline",{"items":1842},[1843,1847],{"sys":1844,"name":1846},{"id":1845},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1848,"name":1850},{"id":1849},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1852},[1853],{"fullName":226,"firstName":227,"jobTitle":228,"profilePicture":1854},{"url":230},{"__typename":882,"sys":1856,"publishedDate":1858,"content":1859,"title":2461,"synopsis":2462,"hashTags":62,"slug":2463,"tagsCollection":2464,"authorsCollection":2474},{"id":1857},"4NY2NbkAPucFOJY45yrrrE","2026-05-28T00:00:00.000Z",{"json":1860},{"nodeType":806,"data":1861,"content":1862},{},[1863,1870,1877,1884,1890,1931,1934,1942,1949,1957,2000,2006,2013,2019,2022,2030,2037,2045,2052,2059,2075,2083,2108,2115,2121,2128,2136,2151,2179,2185,2203,2209,2217,2224,2249,2256,2263,2270,2276,2279,2287,2294,2301,2320,2328,2335,2343,2366,2378,2381,2389,2396,2403,2410,2430,2433,2439,2445],{"nodeType":243,"data":1864,"content":1865},{},[1866],{"nodeType":242,"value":1867,"marks":1868,"data":1869},"Employees have been self-adopting apps, creating unmanaged accounts, and introducing third-party software dependencies into their organizations for years, and the core problem hasn't changed: unmanaged software expanding your attack surface without your knowledge.",[],{},{"nodeType":243,"data":1871,"content":1872},{},[1873],{"nodeType":242,"value":1874,"marks":1875,"data":1876},"But the rate at which employees are signing up for AI tools is unprecedented, and the depth of interconnectivity those tools demand is fundamentally different from traditional shadow SaaS. ",[],{},{"nodeType":243,"data":1878,"content":1879},{},[1880],{"nodeType":242,"value":1881,"marks":1882,"data":1883},"AI tools aren't just standalone apps that employees sign into — they're increasingly used as agents that drive other applications, pulling data from one platform, acting on another — they are becoming a core that other apps are integrating to, and that users are integrating with their wider SaaS stack. It’s becoming a focal integration point for app access and functionality in a way that's more comparable to an enterprise cloud platform than a typical SaaS tool. ",[],{},{"nodeType":386,"data":1885,"content":1889},{"target":1886},{"sys":1887},{"id":1888,"type":383,"linkType":384},"4jsomkKmK7Vjijo8UkCQkf",[],{"nodeType":243,"data":1891,"content":1892},{},[1893,1897,1905,1909,1914,1918,1927],{"nodeType":242,"value":1894,"marks":1895,"data":1896},"The industry data backs this up. The ",[],{},{"nodeType":268,"data":1898,"content":1900},{"uri":1899},"https://www.verizon.com/business/resources/reports/dbir/",[1901],{"nodeType":242,"value":1902,"marks":1903,"data":1904},"Verizon DBIR 2026",[],{},{"nodeType":242,"value":1906,"marks":1907,"data":1908}," reports that ",[],{},{"nodeType":242,"value":1910,"marks":1911,"data":1913},"45% of employees are now regular AI users on corporate devices",[1912],{"type":280},{},{"nodeType":242,"value":1915,"marks":1916,"data":1917},", up from 15% the year before. ",[],{},{"nodeType":268,"data":1919,"content":1921},{"uri":1920},"https://omdia.tech.informa.com/",[1922],{"nodeType":242,"value":1923,"marks":1924,"data":1926},"Omdia's 2026 browser security research",[1925],{"type":266},{},{"nodeType":242,"value":1928,"marks":1929,"data":1930}," presents a stronger picture, finding that 92% allow employees to use public GenAI applications. However, given that the typical company policy sanctions a small number of approved tools, this means everything else employees are using is unsanctioned by default. In other words: every organization in the survey had unsanctioned AI usage.",[],{},{"nodeType":300,"data":1932,"content":1933},{},[],{"nodeType":308,"data":1935,"content":1936},{},[1937],{"nodeType":242,"value":1938,"marks":1939,"data":1941},"The state of shadow AI, using Push data",[1940],{"type":280},{},{"nodeType":243,"data":1943,"content":1944},{},[1945],{"nodeType":242,"value":1946,"marks":1947,"data":1948},"We analyzed a snapshot of AI activity across Push customers during an average week in April 2026. We wanted to make sure it captured actual activity, not just historical data on apps that were added once and no longer used.",[],{},{"nodeType":243,"data":1950,"content":1951},{},[1952],{"nodeType":242,"value":1953,"marks":1954,"data":1956},"The numbers paint a picture that most security teams will find uncomfortable.",[1955],{"type":280},{},{"nodeType":243,"data":1958,"content":1959},{},[1960,1964,1969,1973,1978,1982,1987,1991,1996],{"nodeType":242,"value":1961,"marks":1962,"data":1963},"The average organization has ",[],{},{"nodeType":242,"value":1965,"marks":1966,"data":1968},"16 unique AI apps",[1967],{"type":280},{},{"nodeType":242,"value":1970,"marks":1971,"data":1972}," in active use, ",[],{},{"nodeType":242,"value":1974,"marks":1975,"data":1977},"17 unique AI browser extensions",[1976],{"type":280},{},{"nodeType":242,"value":1979,"marks":1980,"data":1981},", and ",[],{},{"nodeType":242,"value":1983,"marks":1984,"data":1986},"17 unique AI OAuth integrations",[1985],{"type":280},{},{"nodeType":242,"value":1988,"marks":1989,"data":1990}," connected into just Google Workspace and Microsoft 365 — with some organizations reaching as high as 40 unique AI apps, 163 AI extensions, and 55 OAuth connections to AI apps respectively. At the other end, the smallest organization with the ",[],{},{"nodeType":242,"value":1992,"marks":1993,"data":1995},"lowest",[1994],{"type":652},{},{"nodeType":242,"value":1997,"marks":1998,"data":1999}," adoption level is actively using two. ",[],{},{"nodeType":386,"data":2001,"content":2005},{"target":2002},{"sys":2003},{"id":2004,"type":383,"linkType":384},"2AfeiHub5kyZN8wuf6CJch",[],{"nodeType":243,"data":2007,"content":2008},{},[2009],{"nodeType":242,"value":2010,"marks":2011,"data":2012},"If most organizations have sanctioned one or two core AI assistants/platforms for business use, the gap between what's approved and what's actually happening is significant.",[],{},{"nodeType":386,"data":2014,"content":2018},{"target":2015},{"sys":2016},{"id":2017,"type":383,"linkType":384},"2hsKQ9DEspflhmtR0bE7QY",[],{"nodeType":300,"data":2020,"content":2021},{},[],{"nodeType":308,"data":2023,"content":2024},{},[2025],{"nodeType":242,"value":2026,"marks":2027,"data":2029},"Understanding the four categories of shadow AI",[2028],{"type":280},{},{"nodeType":243,"data":2031,"content":2032},{},[2033],{"nodeType":242,"value":2034,"marks":2035,"data":2036},"Shadow SaaS has always been a problem, but in the context of AI apps there are four categories of shadow IT that security teams need to understand, because each one introduces a different kind of risk and requires a different approach to tackling it.",[],{},{"nodeType":451,"data":2038,"content":2039},{},[2040],{"nodeType":242,"value":2041,"marks":2042,"data":2044},"Shadow AI apps",[2043],{"type":280},{},{"nodeType":243,"data":2046,"content":2047},{},[2048],{"nodeType":242,"value":2049,"marks":2050,"data":2051},"Shadow apps are AI tools that employees have signed up to and are using for business purposes without approval. This is the most visible dimension of the problem, and the one most people think of when they hear \"shadow AI\" — an employee pastes sensitive internal documents into ChatGPT, uploads confidential files to an AI assistant, or uses an unapproved coding tool to generate production code.",[],{},{"nodeType":243,"data":2053,"content":2054},{},[2055],{"nodeType":242,"value":2056,"marks":2057,"data":2058},"All of that is sensitive data leaving the organization through channels the security team can't see - and often accessible using personal accounts that can be compromised on personal devices or workstations. ",[],{},{"nodeType":243,"data":2060,"content":2061},{},[2062,2066,2071],{"nodeType":242,"value":2063,"marks":2064,"data":2065},"The 2026 DBIR's data loss prevention analysis underscores the scale — shadow AI is now the ",[],{},{"nodeType":242,"value":2067,"marks":2068,"data":2070},"third most common non-malicious insider action",[2069],{"type":280},{},{"nodeType":242,"value":2072,"marks":2073,"data":2074}," in DLP data, a 4x increase year-over-year. Across 858,000+ DLP events targeting GenAI tools, the most common data types being submitted were source code (28%), images (16%), structured data (14%), documents (13%), and PDFs (10%). That's not employees asking ChatGPT to fix their grammar — it's core intellectual property, production code, and internal documentation flowing into platforms the security team has no visibility into. But shadow apps themselves are only the most obvious part of the problem.",[],{},{"nodeType":451,"data":2076,"content":2077},{},[2078],{"nodeType":242,"value":2079,"marks":2080,"data":2082},"Shadow tenants",[2081],{"type":280},{},{"nodeType":243,"data":2084,"content":2085},{},[2086,2090,2095,2099,2104],{"nodeType":242,"value":2087,"marks":2088,"data":2089},"Even when an organization has approved an AI tool — say, an enterprise ChatGPT deployment — employees frequently access the same app with personal accounts, creating shadow tenants that sit entirely outside organizational control. The DBIR found that ",[],{},{"nodeType":242,"value":2091,"marks":2092,"data":2094},"67% of GenAI users on corporate devices are using non-corporate accounts",[2093],{"type":280},{},{"nodeType":242,"value":2096,"marks":2097,"data":2098},", and our own data shows that ",[],{},{"nodeType":242,"value":2100,"marks":2101,"data":2103},"38% of file uploads to AI tools are made from shadow accounts",[2102],{"type":280},{},{"nodeType":242,"value":2105,"marks":2106,"data":2107}," rather than approved organizational ones.",[],{},{"nodeType":243,"data":2109,"content":2110},{},[2111],{"nodeType":242,"value":2112,"marks":2113,"data":2114},"When an organization approves Claude, ChatGPT, or another core AI platform, you typically also approve the OAuth integration and browser extension for core apps (e.g. M365, Google Workspace, and so on). When that integration is approved, it is approved for all tenants — not just your corporate tenant. ",[],{},{"nodeType":386,"data":2116,"content":2120},{"target":2117},{"sys":2118},{"id":2119,"type":383,"linkType":384},"3Rvw0n28AYIM3FQXtHyafD",[],{"nodeType":243,"data":2122,"content":2123},{},[2124],{"nodeType":242,"value":2125,"marks":2126,"data":2127},"This means that even if you've deployed enterprise controls around your sanctioned AI tools — DLP policies, retention settings, admin oversight — more than a third of the file uploads hitting AI tools are bypassing those controls entirely because they're happening through personal accounts on corporate devices.",[],{},{"nodeType":451,"data":2129,"content":2130},{},[2131],{"nodeType":242,"value":2132,"marks":2133,"data":2135},"Shadow extensions",[2134],{"type":280},{},{"nodeType":243,"data":2137,"content":2138},{},[2139,2143,2147],{"nodeType":242,"value":2140,"marks":2141,"data":2142},"Many AI tools come with a browser extension counterpart, and there's a large ecosystem of third-party AI extensions that offer everything from writing assistance to automated data extraction. The average organization in our dataset has ",[],{},{"nodeType":242,"value":1974,"marks":2144,"data":2146},[2145],{"type":280},{},{"nodeType":242,"value":2148,"marks":2149,"data":2150}," deployed across its workforce, with the highest we observed reaching 163 — and since each of those average 17 different extensions may be installed by multiple employees, the actual number of individual extension installs across the organization is much higher still.",[],{},{"nodeType":243,"data":2152,"content":2153},{},[2154,2158,2166,2170,2175],{"nodeType":242,"value":2155,"marks":2156,"data":2157},"The extension dimension is particularly concerning because most extensions operate with significant privilege inside the browser — they can read and modify page content, access cookies and session tokens, and interact with virtually every web application an employee uses. As we detailed in our recent analysis of ",[],{},{"nodeType":268,"data":2159,"content":2161},{"uri":2160},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[2162],{"nodeType":242,"value":2163,"marks":2164,"data":2165},"browser extension risk scoring",[],{},{"nodeType":242,"value":2167,"marks":2168,"data":2169},", at least ",[],{},{"nodeType":242,"value":2171,"marks":2172,"data":2174},"46.76% of all extensions across Push customers have the permission combinations needed to perform account takeover with no user interaction",[2173],{"type":280},{},{"nodeType":242,"value":2176,"marks":2177,"data":2178},", and the extensions involved in every major supply chain breach of the past 18 months scored as normal or low-risk beforehand.",[],{},{"nodeType":386,"data":2180,"content":2184},{"target":2181},{"sys":2182},{"id":2183,"type":383,"linkType":384},"3z4JOMALI52xoOXZkzPHLD",[],{"nodeType":243,"data":2186,"content":2187},{},[2188,2192,2199],{"nodeType":242,"value":2189,"marks":2190,"data":2191},"AI extensions add a specific wrinkle to this problem: many are branded to look like official companions to well-known AI tools but are actually third-party creations with no affiliation to the original vendor. They're not necessarily malicious at the point of installation, but they're exactly the kind of extension that's likely to be ",[],{},{"nodeType":268,"data":2193,"content":2194},{"uri":2160},[2195],{"nodeType":242,"value":2196,"marks":2197,"data":2198},"acquired and weaponized",[],{},{"nodeType":242,"value":2200,"marks":2201,"data":2202}," down the line — and in the meantime, they're collecting data that their permissions entitle them to (which, in most cases, means everything the user can see in their browser).",[],{},{"nodeType":386,"data":2204,"content":2208},{"target":2205},{"sys":2206},{"id":2207,"type":383,"linkType":384},"6K3z67rohss6H3lCsSn12B",[],{"nodeType":451,"data":2210,"content":2211},{},[2212],{"nodeType":242,"value":2213,"marks":2214,"data":2216},"Shadow integrations",[2215],{"type":280},{},{"nodeType":243,"data":2218,"content":2219},{},[2220],{"nodeType":242,"value":2221,"marks":2222,"data":2223},"The fourth dimension — and arguably the most dangerous — is shadow integrations: OAuth connections between AI tools and core enterprise apps that aren't known or approved by the security team. Even if an organization has approved an AI tool for standalone use, plugging that tool directly into Google Workspace, Microsoft 365, Salesforce, or any other one of the dozen or so SaaS apps in a typical user’s work stack is a fundamentally different risk decision, because it creates a persistent, programmatic bridge between your environment and a third party.",[],{},{"nodeType":243,"data":2225,"content":2226},{},[2227,2231,2236,2240,2245],{"nodeType":242,"value":2228,"marks":2229,"data":2230},"On average, we see ",[],{},{"nodeType":242,"value":2232,"marks":2233,"data":2235},"17 unique AI app OAuth integrations per organization",[2234],{"type":280},{},{"nodeType":242,"value":2237,"marks":2238,"data":2239}," in ",[],{},{"nodeType":242,"value":2241,"marks":2242,"data":2244},"just",[2243],{"type":652},{},{"nodeType":242,"value":2246,"marks":2247,"data":2248}," Google Workspace and Microsoft 365 (to be clear: this number excludes the dozens of downstream apps the AI assistants are integrated with as well), with the highest reaching 55. Each of those represents a unique AI product that has been granted OAuth access — the total number of individual consent grants across users is larger, because popular integrations get authorized by multiple employees independently.",[],{},{"nodeType":243,"data":2250,"content":2251},{},[2252],{"nodeType":242,"value":2253,"marks":2254,"data":2255},"The actual number of AI-related OAuth connections across the full SaaS estate is considerably higher again, because AI tools that automate workflows need to be connected to be useful — pulling data from one app, analyzing it in another, presenting results in a third.",[],{},{"nodeType":243,"data":2257,"content":2258},{},[2259],{"nodeType":242,"value":2260,"marks":2261,"data":2262},"MCP connections use OAuth to achieve this interconnectivity in the same way, and AI coding agents create a particularly concentrated version of the risk: a single agent configuration can hold OAuth tokens for Jira, Confluence, Salesforce, GitHub, and more, meaning that compromising one agent — whether through prompt injection, a malicious repository config, or a supply chain attack on an MCP server — yields persistent, broadly scoped tokens for every service it was connected to, tokens that survive session restarts and generate audit log entries indistinguishable from legitimate user activity.",[],{},{"nodeType":243,"data":2264,"content":2265},{},[2266],{"nodeType":242,"value":2267,"marks":2268,"data":2269},"It's also worth noting that OAuth blast radius is almost always larger than organizations expect. A single well-permissioned user can expose secrets, dashboards, and internal tooling without tenant-wide admin access. And every new AI tool an employee connects makes the web of abusable permissions a little wider.",[],{},{"nodeType":386,"data":2271,"content":2275},{"target":2272},{"sys":2273},{"id":2274,"type":383,"linkType":384},"4SnzJ9T93gHzFIUASx7Yb3",[],{"nodeType":300,"data":2277,"content":2278},{},[],{"nodeType":308,"data":2280,"content":2281},{},[2282],{"nodeType":242,"value":2283,"marks":2284,"data":2286},"Why shadow AI needs a different solution to shadow SaaS",[2285],{"type":280},{},{"nodeType":243,"data":2288,"content":2289},{},[2290],{"nodeType":242,"value":2291,"marks":2292,"data":2293},"The reason it's worth distinguishing between these four dimensions isn't academic. Each one requires a different control, and addressing one doesn't solve the others.",[],{},{"nodeType":243,"data":2295,"content":2296},{},[2297],{"nodeType":242,"value":2298,"marks":2299,"data":2300},"Blocking unsanctioned AI apps does nothing for the personal accounts accessing approved ones, and neither addresses the average 17 different AI extensions running with broad browser permissions, let alone the dozens of OAuth integrations that have already been granted persistent access to core enterprise apps — and even auditing OAuth in Google Workspace and Microsoft 365, where the controls are relatively mature, leaves the broader SaaS estate unaddressed, where admin tooling is inconsistent and visibility is limited.",[],{},{"nodeType":243,"data":2302,"content":2303},{},[2304,2308,2316],{"nodeType":242,"value":2305,"marks":2306,"data":2307},"The tooling gap compounds the policy gap. ",[],{},{"nodeType":268,"data":2309,"content":2311},{"uri":2310},"https://pushsecurity.com/blog/7-things-omdias-latest-report-tells-us-about-the-secure-enterprise-browser-market/",[2312],{"nodeType":242,"value":2313,"marks":2314,"data":2315},"Omdia found",[],{},{"nodeType":242,"value":2317,"marks":2318,"data":2319}," that 58% of organizations rely on secure web gateways to secure GenAI usage — but an SWG can tell you that a user visited ChatGPT, not whether they pasted your source code into the prompt. That link between knowing where data went and knowing what the user actually did is the fundamental visibility gap that makes GenAI policies unenforceable without browser-layer tooling.",[],{},{"nodeType":451,"data":2321,"content":2322},{},[2323],{"nodeType":242,"value":2324,"marks":2325,"data":2327},"Advice for security teams",[2326],{"type":280},{},{"nodeType":243,"data":2329,"content":2330},{},[2331],{"nodeType":242,"value":2332,"marks":2333,"data":2334},"The principles behind managing shadow AI are the same ones that have governed shadow SaaS and software supply chain management for years: default-deny where feasible, comprehensive inventory where it isn't, and continuous monitoring for changes that signal increased risk. But it's vital that teams act fast to stop the snowball.",[],{},{"nodeType":243,"data":2336,"content":2337},{},[2338],{"nodeType":242,"value":2339,"marks":2340,"data":2342},"That starts with visibility into which AI tools employees are actually using and which accounts they're using to access them — without that baseline, every other control is built on assumptions.",[2341],{"type":280},{},{"nodeType":243,"data":2344,"content":2345},{},[2346,2351,2355,2362],{"nodeType":242,"value":2347,"marks":2348,"data":2350},"Extensions",[2349],{"type":280},{},{"nodeType":242,"value":2352,"marks":2353,"data":2354}," need the same ",[],{},{"nodeType":268,"data":2356,"content":2357},{"uri":2160},[2358],{"nodeType":242,"value":2359,"marks":2360,"data":2361},"default-deny allowlisting approach",[],{},{"nodeType":242,"value":2363,"marks":2364,"data":2365}," that has been best practice for software management elsewhere: build a complete inventory, allowlist what's vetted, block everything else, and monitor the approved set for changes that precede weaponization.",[],{},{"nodeType":243,"data":2367,"content":2368},{},[2369,2374],{"nodeType":242,"value":2370,"marks":2371,"data":2373},"OAuth",[2372],{"type":280},{},{"nodeType":242,"value":2375,"marks":2376,"data":2377}," demands the most urgency, because each unmanaged integration is a persistent trust relationship that survives password resets and MFA changes — adopt default-deny for consent grants in your primary enterprise apps, routinely audit what's already connected, and critically extend that visibility beyond Google and Microsoft to the broader SaaS estate where the controls are weaker and the sprawl is harder to track.",[],{},{"nodeType":300,"data":2379,"content":2380},{},[],{"nodeType":308,"data":2382,"content":2383},{},[2384],{"nodeType":242,"value":2385,"marks":2386,"data":2388},"Browser visibility and control is key to de-risking AI adoption",[2387],{"type":280},{},{"nodeType":243,"data":2390,"content":2391},{},[2392],{"nodeType":242,"value":2393,"marks":2394,"data":2395},"AI usage is fundamentally browser-based activity — every LLM interaction, every prompt containing sensitive data, every AI agent authorization, every OAuth consent grant happens inside a browser session — which makes the browser the natural control point for AI governance across the workforce. ",[],{},{"nodeType":243,"data":2397,"content":2398},{},[2399],{"nodeType":242,"value":2400,"marks":2401,"data":2402},"Push tracks AI app usage and login security across the workforce, inventories and controls AI browser extensions, monitors and blocks OAuth consent flows across any app (not just the primary enterprise platforms), and gives security teams a single view of the full shadow AI picture across all four dimensions.",[],{},{"nodeType":243,"data":2404,"content":2405},{},[2406],{"nodeType":242,"value":2407,"marks":2408,"data":2409},"Shadow AI isn't a problem that will age well if ignored. Every week that passes without visibility adds more apps, more extensions, more integrations, and more potential breach paths into the environment — and as the Vercel breach demonstrated, it only takes one forgotten OAuth grant to turn an employee's idle curiosity into an organization-wide incident.",[],{},{"nodeType":243,"data":2411,"content":2412},{},[2413,2417,2426],{"nodeType":242,"value":2414,"marks":2415,"data":2416},"Learn more about how you can tackle ",[],{},{"nodeType":268,"data":2418,"content":2420},{"uri":2419},"https://pushsecurity.com/uc/shadow-ai",[2421],{"nodeType":242,"value":2422,"marks":2423,"data":2425},"Shadow AI",[2424],{"type":266},{},{"nodeType":242,"value":2427,"marks":2428,"data":2429}," with Push. ",[],{},{"nodeType":300,"data":2431,"content":2432},{},[],{"nodeType":243,"data":2434,"content":2435},{},[2436],{"nodeType":242,"value":1809,"marks":2437,"data":2438},[],{},{"nodeType":243,"data":2440,"content":2441},{},[2442],{"nodeType":242,"value":1816,"marks":2443,"data":2444},[],{},{"nodeType":243,"data":2446,"content":2447},{},[2448,2451,2458],{"nodeType":242,"value":1823,"marks":2449,"data":2450},[],{},{"nodeType":268,"data":2452,"content":2453},{"uri":797},[2454],{"nodeType":242,"value":1831,"marks":2455,"data":2457},[2456],{"type":266},{},{"nodeType":242,"value":1835,"marks":2459,"data":2460},[],{},"What Push data reveals about the state of shadow AI","Shadow AI isn't a new category of risk, it's shadow SaaS with better marketing. But AI adoption has been a genuine force multiplier for the problem.","what-push-data-reveals-about-the-state-of-shadow-ai",{"items":2465},[2466,2470],{"sys":2467,"name":2469},{"id":2468},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":2471,"name":2473},{"id":2472},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":2475},[2476],{"fullName":2477,"firstName":2478,"jobTitle":2479,"profilePicture":2480},"Dan Green","Dan","Threat Research",{"url":2481},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":882,"sys":2483,"publishedDate":2485,"content":2486,"title":3280,"synopsis":3281,"hashTags":62,"slug":3282,"tagsCollection":3283,"authorsCollection":3289},{"id":2484},"Gcg7PGuICrlRcqq1QFXxH","2026-05-29T00:00:00.000Z",{"json":2487},{"nodeType":806,"data":2488,"content":2489},{},[2490,2497,2504,2535,2542,2548,2554,2566,2569,2577,2593,2600,2606,2613,2620,2626,2629,2637,2644,2650,2656,2663,2670,2688,2694,2697,2705,2723,2729,2736,2739,2747,2754,2761,2767,2773,2817,2824,2827,2835,2842,2849,2892,2899,2930,2937,2980,2987,2990,2998,3017,3024,3032,3048,3055,3074,3081,3084,3090,3096,3114,3117,3125,3144,3151,3274],{"nodeType":243,"data":2491,"content":2492},{},[2493],{"nodeType":242,"value":2494,"marks":2495,"data":2496},"Shared conversations on AI chatbot platforms have become the latest delivery mechanism for malware campaigns targeting macOS and Windows users. Attackers create content on platforms like ChatGPT and Claude that appears to offer installation guidance or service updates, then drive traffic to it via search engine results in the form of malvertising and SEO poisoning.  ",[],{},{"nodeType":243,"data":2498,"content":2499},{},[2500],{"nodeType":242,"value":2501,"marks":2502,"data":2503},"The content lives on chatgpt.com or claude.ai — domains that users and security tools trust implicitly — so the attack bypasses URL reputation checks before the victim even reaches the malicious payload.",[],{},{"nodeType":243,"data":2505,"content":2506},{},[2507,2511,2519,2523,2531],{"nodeType":242,"value":2508,"marks":2509,"data":2510},"Several variants of this technique have been ",[],{},{"nodeType":268,"data":2512,"content":2514},{"uri":2513},"https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-claudeai-chats-to-push-mac-malware/",[2515],{"nodeType":242,"value":2516,"marks":2517,"data":2518},"reported over the past few months",[],{},{"nodeType":242,"value":2520,"marks":2521,"data":2522},". The earliest examples used shared Claude.ai conversations disguised as installation guides — complete with fake \"Apple Support\" attribution — that walked users through opening a terminal and pasting a curl command that downloaded and executed an infostealer. ",[],{},{"nodeType":268,"data":2524,"content":2526},{"uri":2525},"https://www.kaspersky.com/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/54928/",[2527],{"nodeType":242,"value":2528,"marks":2529,"data":2530},"Kaspersky documented a parallel campaign",[],{},{"nodeType":242,"value":2532,"marks":2533,"data":2534}," using shared ChatGPT conversations to deliver the AMOS (Atomic macOS Stealer) via the same paste-this-command social engineering pattern. ",[],{},{"nodeType":243,"data":2536,"content":2537},{},[2538],{"nodeType":242,"value":2539,"marks":2540,"data":2541},"Push has detected a new variant that goes beyond the previously reported technique of embedding terminal commands in shared conversations: the attacker has used ChatGPT's code rendering feature to build a fully designed fake page that mimics a ChatGPT service disruption, redirecting victims to a convincing clone of ChatGPT's download page that delivers a malicious executable. ",[],{},{"nodeType":386,"data":2543,"content":2547},{"target":2544},{"sys":2545},{"id":2546,"type":383,"linkType":384},"5lz9zt223pecGvdaqdvSTQ",[],{"nodeType":386,"data":2549,"content":2553},{"target":2550},{"sys":2551},{"id":2552,"type":383,"linkType":384},"51GomAj3VOjnbmgd1DWYu0",[],{"nodeType":243,"data":2555,"content":2556},{},[2557,2562],{"nodeType":242,"value":2558,"marks":2559,"data":2561},"This is a live campaign which is still generating detections across our customer base at the time of writing. ",[2560],{"type":280},{},{"nodeType":242,"value":2563,"marks":2564,"data":2565},"Push customers are already protected and do not need to take further action. The malicious page URLs can be found at the end of this report but are not exhaustive and are liable to change. ",[],{},{"nodeType":300,"data":2567,"content":2568},{},[],{"nodeType":308,"data":2570,"content":2571},{},[2572],{"nodeType":242,"value":2573,"marks":2574,"data":2576},"A fake page, not a fake conversation",[2575],{"type":280},{},{"nodeType":243,"data":2578,"content":2579},{},[2580,2584,2589],{"nodeType":242,"value":2581,"marks":2582,"data":2583},"Previously reported variants relied on shared ",[],{},{"nodeType":242,"value":2585,"marks":2586,"data":2588},"conversations",[2587],{"type":652},{},{"nodeType":242,"value":2590,"marks":2591,"data":2592}," — the attacker created a chat that contained step-by-step instructions for the victim to follow, typically involving pasting a command into their terminal. The social engineering was conversational: the \"AI assistant\" appeared to be helpfully guiding the user through an installation process.",[],{},{"nodeType":243,"data":2594,"content":2595},{},[2596],{"nodeType":242,"value":2597,"marks":2598,"data":2599},"But now, rather than a shared conversation, the attacker has used ChatGPT's code rendering feature to create a fully designed, self-contained web page hosted at a chatgpt.com/s/ URL. It renders as what appears to be a ChatGPT service disruption notice:",[],{},{"nodeType":386,"data":2601,"content":2605},{"target":2602},{"sys":2603},{"id":2604,"type":383,"linkType":384},"1O9gyQab81SnbxhQp2aa5Z",[],{"nodeType":243,"data":2607,"content":2608},{},[2609],{"nodeType":242,"value":2610,"marks":2611,"data":2612},"A professional-looking error message reads: \"We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.\" A prominent download button sits below.",[],{},{"nodeType":243,"data":2614,"content":2615},{},[2616],{"nodeType":242,"value":2617,"marks":2618,"data":2619},"The \"Show code\" toggle at the top of the page reveals what's actually happening — the entire thing is custom HTML and CSS, authored to mimic a ChatGPT system notice, rendered using ChatGPT's code output feature. A web page inside a web page, hosted on a domain that every URL reputation system in the world considers safe.",[],{},{"nodeType":386,"data":2621,"content":2625},{"target":2622},{"sys":2623},{"id":2624,"type":383,"linkType":384},"4kQTfxB3aVH9W9BeYOuljP",[],{"nodeType":300,"data":2627,"content":2628},{},[],{"nodeType":308,"data":2630,"content":2631},{},[2632],{"nodeType":242,"value":2633,"marks":2634,"data":2636},"The download page",[2635],{"type":280},{},{"nodeType":243,"data":2638,"content":2639},{},[2640],{"nodeType":242,"value":2641,"marks":2642,"data":2643},"Clicking the download button redirects the user to openew[.]app, which presents a convincing clone of ChatGPT's official desktop application download page — complete with OpenAI branding, macOS and Windows download buttons, a Chrome extension link, and a mobile download section.",[],{},{"nodeType":386,"data":2645,"content":2649},{"target":2646},{"sys":2647},{"id":2648,"type":383,"linkType":384},"4MdFc4OB37ZihTGx506QJ6",[],{"nodeType":386,"data":2651,"content":2655},{"target":2652},{"sys":2653},{"id":2654,"type":383,"linkType":384},"LaPUy0zpIeY8s4PF2wkat",[],{"nodeType":243,"data":2657,"content":2658},{},[2659],{"nodeType":242,"value":2660,"marks":2661,"data":2662},"The site also displays differently depending on who visits it. When Push researchers examined the URL via URLScan, the scanner was redirected to a different page entirely — a generic AR/VR company website with no obvious connection to ChatGPT. ",[],{},{"nodeType":243,"data":2664,"content":2665},{},[2666],{"nodeType":242,"value":2667,"marks":2668,"data":2669},"Real users in a browser see the fake download page; automated scanners and bots see something benign. This kind of conditional rendering is a well-established evasion technique in the malvertising ecosystem, and it makes the malicious infrastructure harder for security teams and threat intelligence services to identify and analyze.",[],{},{"nodeType":243,"data":2671,"content":2672},{},[2673,2677,2685],{"nodeType":242,"value":2674,"marks":2675,"data":2676},"The downloaded executable poses as \"ChatGPT for Desktop\" and is ",[],{},{"nodeType":268,"data":2678,"content":2680},{"uri":2679},"https://www.virustotal.com/gui/file/de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78",[2681],{"nodeType":242,"value":2682,"marks":2683,"data":2684},"flagged on VirusTotal",[],{},{"nodeType":242,"value":787,"marks":2686,"data":2687},[],{},{"nodeType":386,"data":2689,"content":2693},{"target":2690},{"sys":2691},{"id":2692,"type":383,"linkType":384},"3FSbwoFJYQrcyo9uMsQIWI",[],{"nodeType":300,"data":2695,"content":2696},{},[],{"nodeType":308,"data":2698,"content":2699},{},[2700],{"nodeType":242,"value":2701,"marks":2702,"data":2704},"The Claude variant: same campaign, different platform",[2703],{"type":280},{},{"nodeType":243,"data":2706,"content":2707},{},[2708,2712,2719],{"nodeType":242,"value":2709,"marks":2710,"data":2711},"Alongside the ChatGPT rendered-page variant, Push has also detected the previously reported style of attack using shared Claude.ai conversations. These follow the pattern documented by ",[],{},{"nodeType":268,"data":2713,"content":2714},{"uri":2513},[2715],{"nodeType":242,"value":2716,"marks":2717,"data":2718},"BleepingComputer",[],{},{"nodeType":242,"value":2720,"marks":2721,"data":2722},": a shared chat disguised as a \"Claude Code on Mac\" installation guide, attributed to \"Apple Support,\" containing a curl command that downloads and executes malware.",[],{},{"nodeType":386,"data":2724,"content":2728},{"target":2725},{"sys":2726},{"id":2727,"type":383,"linkType":384},"5sWayuTsVdiLSLoS4sv2Vc",[],{"nodeType":243,"data":2730,"content":2731},{},[2732],{"nodeType":242,"value":2733,"marks":2734,"data":2735},"The fact that both the ChatGPT and Claude variants are appearing in Push customer environments suggests a campaign — or at least a shared playbook — that is actively experimenting with different platforms and different social engineering approaches to find what converts best.",[],{},{"nodeType":300,"data":2737,"content":2738},{},[],{"nodeType":308,"data":2740,"content":2741},{},[2742],{"nodeType":242,"value":2743,"marks":2744,"data":2746},"Malvertising remains one of the top phishing delivery channels",[2745],{"type":280},{},{"nodeType":243,"data":2748,"content":2749},{},[2750],{"nodeType":242,"value":2751,"marks":2752,"data":2753},"Push has detected this variant across multiple customer environments, with users arriving at these shared chat URLs after searching for terms including \"chatgpt,\" \"chatgpt free,\" \"chat gpt,\" and common typos like \"chatgo,\" \"chatgot,\" and \"cvhatgpt.\" ",[],{},{"nodeType":243,"data":2755,"content":2756},{},[2757],{"nodeType":242,"value":2758,"marks":2759,"data":2760},"You can see an example of this below: it's incredibly convincing, and uses the real ChatGPT domain — so even users that are paying attention are liable to fall for it. ",[],{},{"nodeType":386,"data":2762,"content":2766},{"target":2763},{"sys":2764},{"id":2765,"type":383,"linkType":384},"1GYWOyHpZT1rdTm6IGOKu8",[],{"nodeType":386,"data":2768,"content":2772},{"target":2769},{"sys":2770},{"id":2771,"type":383,"linkType":384},"4HpFJRAZH2lbygaEk2xOnN",[],{"nodeType":243,"data":2774,"content":2775},{},[2776,2780,2788,2792,2800,2804,2813],{"nodeType":242,"value":2777,"marks":2778,"data":2779},"This fits a pattern Push has tracked extensively. ",[],{},{"nodeType":268,"data":2781,"content":2783},{"uri":2782},"https://pushsecurity.com/blog/verizon-dbir-2026-review/",[2784],{"nodeType":242,"value":2785,"marks":2786,"data":2787},"Search-based delivery is now the dominant channel for malware distribution",[],{},{"nodeType":242,"value":2789,"marks":2790,"data":2791}," — our own data shows that ClickFix attacks are reached via search results rather than email in 4 of 5 cases, and Push's own research into ",[],{},{"nodeType":268,"data":2793,"content":2795},{"uri":2794},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack/",[2796],{"nodeType":242,"value":2797,"marks":2798,"data":2799},"malvertising campaigns impersonating brands like TradingView",[],{},{"nodeType":242,"value":2801,"marks":2802,"data":2803}," and ",[],{},{"nodeType":268,"data":2805,"content":2807},{"uri":2806},"https://pushsecurity.com/blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs/",[2808],{"nodeType":242,"value":2809,"marks":2810,"data":2812},"Ahrefs",[2811],{"type":266},{},{"nodeType":242,"value":2814,"marks":2815,"data":2816}," has demonstrated how effectively search ads can funnel victims to malicious pages. ",[],{},{"nodeType":243,"data":2818,"content":2819},{},[2820],{"nodeType":242,"value":2821,"marks":2822,"data":2823},"The shared-chat technique adds a new dimension: the destination URL itself is genuine (chatgpt.com, claude.ai), which means even a cautious user who checks the URL before clicking will see nothing suspicious.",[],{},{"nodeType":300,"data":2825,"content":2826},{},[],{"nodeType":308,"data":2828,"content":2829},{},[2830],{"nodeType":242,"value":2831,"marks":2832,"data":2834},"Legitimate platform abuse is everywhere",[2833],{"type":280},{},{"nodeType":243,"data":2836,"content":2837},{},[2838],{"nodeType":242,"value":2839,"marks":2840,"data":2841},"This is one example of a much broader pattern that has become one of the defining characteristics of the 2026 threat landscape: attackers systematically abusing legitimate platforms as attack infrastructure. The scale and variety of this abuse in recent months alone is striking, and it spans every stage of the phishing chain.",[],{},{"nodeType":451,"data":2843,"content":2844},{},[2845],{"nodeType":242,"value":2846,"marks":2847,"data":2848},"Legit platform abuse for delivery",[],{},{"nodeType":243,"data":2850,"content":2851},{},[2852,2856,2864,2868,2876,2880,2888],{"nodeType":242,"value":2853,"marks":2854,"data":2855},"On the delivery side, attackers have been ",[],{},{"nodeType":268,"data":2857,"content":2859},{"uri":2858},"https://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abused-in-phishing-to-evade-detection/",[2860],{"nodeType":242,"value":2861,"marks":2862,"data":2863},"weaponizing stolen AWS credentials to send phishing through Amazon SES",[],{},{"nodeType":242,"value":2865,"marks":2866,"data":2867}," that passes SPF, DKIM, and DMARC validation because SES is a legitimate Amazon service. A Vietnamese operation dubbed ",[],{},{"nodeType":268,"data":2869,"content":2871},{"uri":2870},"https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html",[2872],{"nodeType":242,"value":2873,"marks":2874,"data":2875},"AccountDumpling used Google AppSheet's built-in email capability",[],{},{"nodeType":242,"value":2877,"marks":2878,"data":2879}," as a phishing relay to harvest 30,000 Facebook credentials. ",[],{},{"nodeType":268,"data":2881,"content":2883},{"uri":2882},"https://techcrunch.com/2026/05/21/scammers-are-abusing-an-internal-microsoft-account-to-send-spam/",[2884],{"nodeType":242,"value":2885,"marks":2886,"data":2887},"Scammers exploited Microsoft's own internal notification pipeline",[],{},{"nodeType":242,"value":2889,"marks":2890,"data":2891}," — sending phishing from the same msonlineservicesteam@microsoftonline.com address that delivers legitimate 2FA codes — with Spamhaus confirming months of ongoing abuse.",[],{},{"nodeType":451,"data":2893,"content":2894},{},[2895],{"nodeType":242,"value":2896,"marks":2897,"data":2898},"Legit platform abuse for hosting",[],{},{"nodeType":243,"data":2900,"content":2901},{},[2902,2906,2914,2918,2926],{"nodeType":242,"value":2903,"marks":2904,"data":2905},"For hosting, the platforms being abused read like a who's who of modern web infrastructure. ",[],{},{"nodeType":268,"data":2907,"content":2909},{"uri":2908},"https://www.securityweek.com/over-500-organizations-hit-in-years-long-phishing-campaign/",[2910],{"nodeType":242,"value":2911,"marks":2912,"data":2913},"Operation HookedWing ran for four years",[],{},{"nodeType":242,"value":2915,"marks":2916,"data":2917}," on GitHub Pages and Vercel, compromising 500+ organizations across more than 100 GitHub Pages domains before anyone documented it publicly. Cofense has separately ",[],{},{"nodeType":268,"data":2919,"content":2921},{"uri":2920},"https://cofense.com/blog/steal-smarter-not-harder-malicious-use-of-vercel-for-credential-phishing/",[2922],{"nodeType":242,"value":2923,"marks":2924,"data":2925},"documented the growing abuse of Vercel",[],{},{"nodeType":242,"value":2927,"marks":2928,"data":2929}," for credential phishing hosting. Pixm's Q1 2026 phishing report tracked over 100 unique Azure Blob Storage subdomain variants hosting phishing content that carried Microsoft's own domain reputation, alongside abuse of Cloudflare CDN, Cloudflare Workers, Cloudflare R2, Backblaze B2, and Supabase. ",[],{},{"nodeType":451,"data":2931,"content":2932},{},[2933],{"nodeType":242,"value":2934,"marks":2935,"data":2936},"Abuse of compromised websites that are otherwise legit",[],{},{"nodeType":243,"data":2938,"content":2939},{},[2940,2944,2952,2956,2964,2968,2976],{"nodeType":242,"value":2941,"marks":2942,"data":2943},"Compromised legitimate sites are also being repurposed at scale. A mass exploitation of a ",[],{},{"nodeType":268,"data":2945,"content":2947},{"uri":2946},"https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/",[2948],{"nodeType":242,"value":2949,"marks":2950,"data":2951},"Ghost CMS vulnerability planted ClickFix pages across 700+ websites",[],{},{"nodeType":242,"value":2953,"marks":2954,"data":2955}," including Harvard, Oxford, and DuckDuckGo subdomains. Microsoft recently documented a campaign where ",[],{},{"nodeType":268,"data":2957,"content":2959},{"uri":2958},"https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",[2960],{"nodeType":242,"value":2961,"marks":2962,"data":2963},"SEO poisoning was combined with AI chatbot recommendation manipulation",[],{},{"nodeType":242,"value":2965,"marks":2966,"data":2967}," to deliver GPU mining malware — extending the poisoning from traditional search results into AI-generated software recommendations. And ",[],{},{"nodeType":268,"data":2969,"content":2971},{"uri":2970},"https://www.helpnetsecurity.com/2026/05/27/deno-rat-malware-fake-chatgpt-claude-installers/",[2972],{"nodeType":242,"value":2973,"marks":2974,"data":2975},"fake ChatGPT and Claude installers on GitHub and SourceForge",[],{},{"nodeType":242,"value":2977,"marks":2978,"data":2979}," have been delivering the DinDoor backdoor and a Deno-based RAT via repositories that mimic legitimate developer tool distributions.",[],{},{"nodeType":243,"data":2981,"content":2982},{},[2983],{"nodeType":242,"value":2984,"marks":2985,"data":2986},"The structural problem is that every one of these platforms is genuinely legitimate, and the security controls that evaluate them — domain reputation, email authentication, URL categorization — confirm them as trusted because they are trusted. This attack extends this pattern into new territory by weaponizing the content-sharing features of AI chatbot platforms specifically, but the underlying principles are the same. ",[],{},{"nodeType":300,"data":2988,"content":2989},{},[],{"nodeType":308,"data":2991,"content":2992},{},[2993],{"nodeType":242,"value":2994,"marks":2995,"data":2997},"Impact analysis",[2996],{"type":280},{},{"nodeType":243,"data":2999,"content":3000},{},[3001,3005,3013],{"nodeType":242,"value":3002,"marks":3003,"data":3004},"Shared-chat malware delivery exploits a structural property of AI platforms that traditional security controls aren't designed to handle. Domain reputation, URL categorization, and safe browsing databases all treat chatgpt.com and claude.ai as trusted — because they are. Using these trusted pages to link off to further convincing-looking pages hosting malware allows the attacker to run campaigns that blend in, as well as rotate the phishing delivery pages later in the chain should they ever be flagged, allowing the campaign to continue without interruption (a well known ",[],{},{"nodeType":268,"data":3006,"content":3008},{"uri":3007},"https://phishing-techniques.pushsecurity.com/",[3009],{"nodeType":242,"value":3010,"marks":3011,"data":3012},"detection evasion technique",[],{},{"nodeType":242,"value":3014,"marks":3015,"data":3016},"). ",[],{},{"nodeType":243,"data":3018,"content":3019},{},[3020],{"nodeType":242,"value":3021,"marks":3022,"data":3023},"What makes the rendered-page variant particularly concerning is that it eliminates the most obvious red flag in the earlier attacks. The Claude.ai conversation variants required the victim to recognize that a shared chat instructing them to paste terminal commands might be suspicious — a tall order for many users, but at least the attack surface was visible. The rendered-page variant shows nothing that looks like an attack. It presents what appears to be a routine service disruption with a reasonable call to action: download the desktop app to continue using ChatGPT. ",[],{},{"nodeType":451,"data":3025,"content":3026},{},[3027],{"nodeType":242,"value":3028,"marks":3029,"data":3031},"How Push detected the attack",[3030],{"type":280},{},{"nodeType":243,"data":3033,"content":3034},{},[3035,3039,3044],{"nodeType":242,"value":3036,"marks":3037,"data":3038},"We've aligned our detection logic for this technique under the name ",[],{},{"nodeType":242,"value":3040,"marks":3041,"data":3043},"LLMShare",[3042],{"type":280},{},{"nodeType":242,"value":3045,"marks":3046,"data":3047}," — a technique-level detection that covers shared content abuse across LLM platforms, not tied to any single campaign or set of IOCs. ",[],{},{"nodeType":243,"data":3049,"content":3050},{},[3051],{"nodeType":242,"value":3052,"marks":3053,"data":3054},"Because Push sees the full context of how a user arrived at a page and what that page does once it renders, we can identify LLMShare attacks regardless of which AI platform is being abused or what social engineering wrapper the attacker has chosen. ",[],{},{"nodeType":243,"data":3056,"content":3057},{},[3058,3062,3070],{"nodeType":242,"value":3059,"marks":3060,"data":3061},"When we identified the initial instances of this campaign, we used our ",[],{},{"nodeType":268,"data":3063,"content":3065},{"uri":3064},"https://pushsecurity.com/blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline/",[3066],{"nodeType":242,"value":3067,"marks":3068,"data":3069},"agentic threat hunting pipeline",[],{},{"nodeType":242,"value":3071,"marks":3072,"data":3073}," to hunt for additional examples across our customer telemetry, develop the LLMShare detection, and rapidly deploy it to customers. Push blocks users from interacting with the page before any malicious activity can occur. ",[],{},{"nodeType":243,"data":3075,"content":3076},{},[3077],{"nodeType":242,"value":3078,"marks":3079,"data":3080},"Push customers do not need to take any further action.",[],{},{"nodeType":300,"data":3082,"content":3083},{},[],{"nodeType":243,"data":3085,"content":3086},{},[3087],{"nodeType":242,"value":1809,"marks":3088,"data":3089},[],{},{"nodeType":243,"data":3091,"content":3092},{},[3093],{"nodeType":242,"value":1816,"marks":3094,"data":3095},[],{},{"nodeType":243,"data":3097,"content":3098},{},[3099,3102,3111],{"nodeType":242,"value":29,"marks":3100,"data":3101},[],{},{"nodeType":268,"data":3103,"content":3105},{"uri":3104},"https://pushsecurity.com/demo/",[3106],{"nodeType":242,"value":3107,"marks":3108,"data":3110},"Book a live demo to learn more.",[3109],{"type":266},{},{"nodeType":242,"value":29,"marks":3112,"data":3113},[],{},{"nodeType":300,"data":3115,"content":3116},{},[],{"nodeType":308,"data":3118,"content":3119},{},[3120],{"nodeType":242,"value":3121,"marks":3122,"data":3124},"Indicators of compromise",[3123],{"type":280},{},{"nodeType":243,"data":3126,"content":3127},{},[3128,3132,3140],{"nodeType":242,"value":3129,"marks":3130,"data":3131},"As we always say, short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":268,"data":3133,"content":3135},{"uri":3134},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[3136],{"nodeType":242,"value":3137,"marks":3138,"data":3139},"quickly spin up and rotate the sites used",[],{},{"nodeType":242,"value":3141,"marks":3142,"data":3143}," in the attack chain. IoC-based detections for campaigns like this are of limited value.",[],{},{"nodeType":243,"data":3145,"content":3146},{},[3147],{"nodeType":242,"value":3148,"marks":3149,"data":3150},"At the time of writing, the indicators observed were:",[],{},{"nodeType":3152,"data":3153,"content":3154},"table",{},[3155,3182,3206,3228,3251],{"nodeType":3156,"data":3157,"content":3158},"table-row",{},[3159,3171],{"nodeType":3160,"data":3161,"content":3162},"table-header-cell",{},[3163],{"nodeType":243,"data":3164,"content":3165},{},[3166],{"nodeType":242,"value":3167,"marks":3168,"data":3170},"Indicator",[3169],{"type":280},{},{"nodeType":3160,"data":3172,"content":3173},{},[3174],{"nodeType":243,"data":3175,"content":3176},{},[3177],{"nodeType":242,"value":3178,"marks":3179,"data":3181},"Type",[3180],{"type":280},{},{"nodeType":3156,"data":3183,"content":3184},{},[3185,3196],{"nodeType":3186,"data":3187,"content":3188},"table-cell",{},[3189],{"nodeType":243,"data":3190,"content":3191},{},[3192],{"nodeType":242,"value":3193,"marks":3194,"data":3195},"hxxps://claude[.]ai/share/8e6401b5-4849-46c4-a3cb-29e1c3c49131",[],{},{"nodeType":3186,"data":3197,"content":3198},{},[3199],{"nodeType":243,"data":3200,"content":3201},{},[3202],{"nodeType":242,"value":3203,"marks":3204,"data":3205},"URL",[],{},{"nodeType":3156,"data":3207,"content":3208},{},[3209,3219],{"nodeType":3186,"data":3210,"content":3211},{},[3212],{"nodeType":243,"data":3213,"content":3214},{},[3215],{"nodeType":242,"value":3216,"marks":3217,"data":3218},"hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d",[],{},{"nodeType":3186,"data":3220,"content":3221},{},[3222],{"nodeType":243,"data":3223,"content":3224},{},[3225],{"nodeType":242,"value":3203,"marks":3226,"data":3227},[],{},{"nodeType":3156,"data":3229,"content":3230},{},[3231,3241],{"nodeType":3186,"data":3232,"content":3233},{},[3234],{"nodeType":243,"data":3235,"content":3236},{},[3237],{"nodeType":242,"value":3238,"marks":3239,"data":3240},"openew[.]app",[],{},{"nodeType":3186,"data":3242,"content":3243},{},[3244],{"nodeType":243,"data":3245,"content":3246},{},[3247],{"nodeType":242,"value":3248,"marks":3249,"data":3250},"Domain",[],{},{"nodeType":3156,"data":3252,"content":3253},{},[3254,3264],{"nodeType":3186,"data":3255,"content":3256},{},[3257],{"nodeType":243,"data":3258,"content":3259},{},[3260],{"nodeType":242,"value":3261,"marks":3262,"data":3263},"de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78",[],{},{"nodeType":3186,"data":3265,"content":3266},{},[3267],{"nodeType":243,"data":3268,"content":3269},{},[3270],{"nodeType":242,"value":3271,"marks":3272,"data":3273},"SHA256",[],{},{"nodeType":243,"data":3275,"content":3276},{},[3277],{"nodeType":242,"value":29,"marks":3278,"data":3279},[],{},"LLMShare: how attackers are turning AI chatbot pages into malware delivery platforms","How attackers are using shared content features on AI chatbot platforms to deliver malware via pages hosted on legitimate domains, sent via malvertising.","llmshare-malvertising-campaign",{"items":3284},[3285,3287],{"sys":3286,"name":1846},{"id":1845},{"sys":3288,"name":1850},{"id":1849},{"items":3290},[3291],{"fullName":3292,"firstName":3293,"jobTitle":3294,"profilePicture":3295},"Keanu Maharaj","Keanu","Senior Security Researcher",{"url":3296},"https://images.ctfassets.net/y1cdw1ablpvd/VCGOm62jiocjwngWTh32U/e9a30637b1c76bf988d2fec90f5b6c36/1689361049351_1.png","why-you-cant-vibecode-an-ai-driven-threat-hunting-pipeline","blog/why-you-cant-vibecode-an-ai-driven-threat-hunting-pipeline",{"json":3300},{"data":3301,"content":3302,"nodeType":806},{},[3303],{"data":3304,"content":3305,"nodeType":243},{},[3306],{"data":3307,"marks":3308,"value":3309,"nodeType":242},{},[],"Push uses commercial AI models to deliver agentic threat hunting. Can’t you just build something yourself with those same models? Well, no.",{"id":3311,"publishedAt":3312},"2nQU0gDEqgarstvFMqFTzn","2026-06-02T06:53:33.809Z",{"items":3314},[3315,3317],{"sys":3316,"name":2473},{"id":2472},{"sys":3318,"name":1846},{"id":1845},"eS944CsITxDsJ-YWxoLw8WlH-pOMMh7hzmn3Qm70BGA",1780385377024]