Frequently asked questions
Why organizations need a browser security tool like Push.
Everything we build starts with how attackers actually operate in the wild, not how the market happens to be segmented or what other tools claim to cover. Today, the browser is where real attacks play out, where credentials are stolen, sessions are hijacked, and access is abused. That's why Push exists. Solving these problems requires operating at the browser layer itself, because it's the only place with the visibility and control needed to stop modern attacks as they happen. And right now, there are few security problems more urgent than the ones unfolding there.
The browser has become the new endpoint. Employees log into cloud apps, move data, build products, and interact with customers. It’s where work happens.
It’s also how attackers get in now. While traditional security tools still focus on endpoints and networks, the browser remains a blind spot: full of risk, but largely unmonitored. This is a visibility and control gap, and attackers are exploiting it. It's why modern organizations need a browser security tool.
A browser-based attack targets users through their web browser to compromise business apps and data. Instead of attacking an organization's network or endpoints, attackers go after the cloud and SaaS applications employees access daily. They log in, steal data, and monetize it through extortion or lateral movement.
Unfortunately, many traditional security tools were built for a different era. Email and network-layer defenses can intercept static phishing pages. However, modern attacks are far more sophisticated. Today's phishing uses dynamic code obfuscation, custom bot protection like CAPTCHA, and layered redirects across legitimate sites like Google Sites and Microsoft Dynamics. Attackers bypass email altogether by delivering spear-phishing links via LinkedIn, Slack, and malvertising. Proxy-based solutions will only see garbled JavaScript without the context of what's actually happening in the user's browser.
The result is that most organizations are unknowingly relying on blocking known-bad sites. It's a wildly ineffective strategy when attackers rotate their infrastructure constantly. Detecting and stopping browser-based attacks requires visibility from inside the browser itself, where you can observe what users actually see and interact with in real time.
Push takes a fundamentally different approach to browser attacks than traditional security tools. Instead of playing an endless game of cat-and-mouse with attackers over domains and detection signatures, Push focuses on behaviors that attackers simply can't change. The Push Security platform detects and blocks browser attacks by observing login behavior and browser context.
For phishing attacks in the browser, Push essentially domain-binds passwords. It's similar to what passkeys do. Push pins your password to its legitimate domain and prevents it from being entered into any webpage on any other domain. No phishing page, no matter how sophisticated or obfuscated, can steal credentials if your password never enters it. This single behavior-based detection stops credential phishing before it happens. Push still inspects webpages to detect cloned login pages and malicious phishing toolkits. This gives admins visibility into unsuccessful attacks targeting users, but the password itself is the kill switch.
For attacks like ClickFix and FileFix, Push detects malicious payloads being copied to a user's clipboard. These attacks trick users into running commands by disguising them as CAPTCHA challenges or error-fixing prompts. But the malicious script being copied is the tell. Push can warn users or block the page entirely before they paste anything dangerous.
Across all these attacks, Push blocks the malicious behavior and gives you full visibility into what happened. You get detailed timelines, screenshots of the attack pages, blast radius analysis showing which other accounts are at risk, and all the context you need to investigate and remediate quickly.
Push Security deploys a secure browser extension that provides real-time detection and response at the layer where users work and attackers operate: the browser. The extension monitors employee interactions with SaaS applications, performing password security checks locally (without sending passwords anywhere), detecting MFA registration status, and identifying login methods (password, SSO, OIDC). Push provides in-browser guidance to help employees secure their accounts and can enforce security controls like blocking leaked, weak, and reused passwords or detecting phishing attempts. Think of Push as EDR, but in the browser. It sits in the background and protects users at the point of access without disrupting productivity.
Push's core security functions include: (1) Real-time browser-based threat detection—respond to AiTM phishing kits, session hijacking, malicious extensions, credential theft, and defend against endpoint compromise that occurs through browser-based attack methods; (2) Browser-native response capabilities such as blocking attacks and enforcing controls at the point of access; (3) Shadow SaaS and shadow AI discovery to see all apps accessed in the browser; (4) Attack surface hardening to detect weak, reused, and leaked passwords plus MFA gaps; (5) Browser telemetry for investigation that provides unique visibility into browser activity for security teams.
Push improves visibility by monitoring the browser layer where EDR, DLP, and SSE tools have no visibility. It shows what happens inside browser sessions, tabs, and extensions directly, almost like how a user would. It also gives visibility into which SaaS apps end users access.
For third-party apps, Push monitors how employees access them, identifies security issues, and enforces controls even without admin access. You can use Push Security to get ahead of third-party breaches so you’re not stuck having to react after the fact.
Push works in the browser-based detection and response category, often positioned as "EDR, but in the browser." There is an overlap with other categories like enterprise browser security.
Push guides users through in-browser prompts at the point of login when security issues are detected. When an employee creates a new account, Push can prompt them to set a strong, unique password and enable MFA. If an employee tries to use a weak, reused, or leaked password, Push can warn or block them and guide them to improve it. Push checks for strong passwords locally in the browser against breach lists (via Have I Been Pwned k-anonymized hashes) without sending passwords anywhere. Push can also detect if employees are using a password manager. Yes, Push clearly distinguishes between authentication methods—showing which apps are accessed via SSO (SAML, OIDC), password login, or social login. This visibility helps administrators understand where SSO should be implemented and identify accounts with weaker authentication methods.
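The k-anonymized breach check mentioned above follows the Have I Been Pwned range protocol: the client hashes the password locally, sends only the first five hex characters of the SHA-1, and matches the returned suffixes itself. The sketch below is an added example for Node.js, not Push's code; `makeRangeService` is a constructed stand-in for the breach service so the exchange runs offline.

```javascript
const crypto = require('node:crypto');

// SHA-1 as upper-case hex, the form the range protocol uses.
function sha1Hex(text) {
  return crypto.createHash('sha1').update(text, 'utf8').digest('hex').toUpperCase();
}

// Constructed stand-in for the breach service (hypothetical helper).
// It only ever receives a 5-character prefix and records what it was asked.
function makeRangeService(breachedCounts) {
  const rows = Object.entries(breachedCounts).map(([pw, count]) => ({
    hash: sha1Hex(pw),
    count,
  }));
  const seenQueries = [];
  function range(prefix) {
    seenQueries.push(prefix);
    return rows
      .filter((row) => row.hash.startsWith(prefix))
      .map((row) => `${row.hash.slice(5)}:${row.count}`) // "SUFFIX:COUNT" lines
      .join('\r\n');
  }
  return { range, seenQueries };
}

// Client side: hash locally, disclose the prefix, compare suffixes locally.
// Returns how many times the password appears in the breach data (0 = not found).
function breachCount(password, rangeFn) {
  const hash = sha1Hex(password);
  const prefix = hash.slice(0, 5);
  const suffix = hash.slice(5);
  for (const line of rangeFn(prefix).split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return Number.parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// Constructed sample data: two "breached" passwords with made-up counts.
const service = makeRangeService({ password: 3, letmein: 2 });
console.log(breachCount('password', service.range));                 // found
console.log(breachCount('constructed-unique-phrase-91!', service.range)); // not found
console.log(service.seenQueries); // everything the service ever saw
```

The password and its full hash never leave the client; the 5-character prefix does, which is the disclosure to account for when reviewing this kind of check.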
How Push detects and responds to new security gaps, attacks, and zero-day threats.
Most account takeover incidents don’t “break” MFA; they work around it by targeting users in the browser. Phishing is the most common path. Instead of crude emails alone, attackers use convincing, browser-based phishing pages that trick users into entering credentials or approving MFA challenges in real time. Once successful, the attacker gains access as the legitimate user.
Another common technique involves infostealer malware stealing active session tokens from the browser. With a valid session token, attackers can access accounts without needing to bypass MFA at all, because MFA has already been satisfied.
Credential stuffing is also widely used. Attackers test large volumes of stolen credentials against multiple applications, looking for accounts where MFA isn’t enforced consistently. These gaps are especially common in SaaS sprawl and shadow apps.
To prevent account takeover, organizations should enforce MFA across all employee accounts and monitor for suspicious authentication activity. Understanding employee MFA status helps identify gaps in your security posture.
With malicious OAuth integrations, attackers trick users into granting access to attacker-controlled apps by abusing the OAuth consent flow. ConsentFix is particularly dangerous because it doesn't require a password or MFA at all.
Stolen credentials remain a powerful complement to this strategy. When attackers phish credentials or deploy infostealer malware, they acquire passwords and session tokens that can be monetized immediately or sold to other threat actors. Automated tools test stolen passwords across hundreds of apps. Most go undetected because the target apps either lack MFA entirely or have "ghost logins". These are local accounts that accept passwords with no second factor required.
Browser-based attacks are one of the paths of least resistance for cybercriminals.
Employees often adopt AI tools faster than security teams can track them. Traditional network-based security controls have very limited visibility into this usage. However, Push gives admins visibility into every AI interaction their workforce touches.
Push captures live telemetry directly from the browser to identify every AI-native and AI-enhanced application users access. Security teams can see which corporate identities are connected to which tools. They're able to see how data flows between tools and which new AI apps emerge across environments in real time.
With visibility, governance becomes straightforward. Push enables AI classification. To manage AI risk, apps can be categorized by sensitivity, purpose, and policy status. For tools you choose to allow, you can deploy custom in-browser banners requiring users to read and acknowledge your acceptable use policy before proceeding. This creates an auditable trail that moves policy to an active control embedded in the workflow itself.
Push blocks shadow AI tools deemed non-compliant or too risky directly in the browser. This prevents users from accessing the site or submitting data in the first place. This provides an immediate, powerful way to stop data exfiltration and enforce a hard line on unacceptable risk.
Push detects threats before account compromise by monitoring for attack indicators directly in the browser where identity attacks unfold. This includes: detecting phishing kits and browser-native attacks (like ConsentFix) in real time, preventing credential reuse on suspicious sites, identifying malicious browser extensions, blocking weak password creation, detecting session hijacking attempts, and stopping credentials from being entered on fraudulent sites. Push's browser extension operates at the session level, giving defenders visibility into attacker behavior as it happens. This happens before credentials are stolen or accounts are compromised. Recently, Push detected and blocked ConsentFix, a new browser-native phishing technique that enables account takeover by simply copying and pasting a URL, completely bypassing traditional email-based defenses and password/MFA controls.
Push discovers shadow SaaS by monitoring all browser activity in real time. When employees access any cloud application through their browser (whether it's a new signup or an existing account), Push captures the activity and identifies the app, even if it's unmanaged by IT, not integrated with SSO, on a free tier, or being tested without approval. Administrators receive real-time notifications when new applications are discovered. Unlike CASB solutions that rely on network traffic analysis or API integrations, Push operates at the browser layer where work actually happens, providing comprehensive visibility into shadow SaaS regardless of network location or device management status. This is particularly important as employees increasingly work from personal devices and access apps outside corporate network controls.
How Push Security compares to different security tools.
Push provides administrators with full visibility into user activity, attacker behavior, and session-level risk in the browser. This includes: all apps being accessed (managed and shadow), account security posture (password strength, MFA status, leaked credentials), authentication methods, browser extensions and their permissions, suspicious browser activity, phishing attempts, session hijacking, and real-time security events. Administrators can enforce controls like blocking attacks, preventing credential reuse, detecting malicious extensions, and guiding users through in-browser prompts. Unlike antivirus/EDR, which focus on endpoint processes and file-based threats, Push operates at the browser layer where modern work happens. EDR sees processes; Push sees browser sessions, SaaS interactions, and identity-based attacks. Push complements EDR by providing browser telemetry that endpoint tools cannot observe. Think of Push as EDR in the browser.
Push integrates with SIEMs and security tools through a REST API and webhooks. You can configure webhooks to send Push events (security detections, new app discoveries, account findings, browser threats, etc.) to any SIEM or SOAR platform. The Events page in the admin console shows all events with their attributes to help you plan integrations. Push recently added the ability to select specific event types to send via webhooks, and offers integrations with platforms like Microsoft Sentinel. Push uses standard JSON format and includes signature verification for webhook security. You can also query Push data programmatically via the REST API for custom integrations and automation, enabling you to aggregate browser telemetry with other security signals for comprehensive threat detection and response.
The Push browser extension is compatible with: Google Chrome, Microsoft Edge, Firefox, Safari, Brave, Opera, Arc, Island, and Prisma Access. The most current list can be found at "What browsers does Push support?"
Push and Zscaler serve different but complementary security functions. Zscaler is a Security Service Edge (SSE) platform providing network-level security including Secure Web Gateway, CASB, and Zero Trust Network Access—it inspects traffic and enforces policies at the network layer. Push is a browser-based detection and response platform operating at the browser/session layer where users actually work and where most modern attacks occur. While Zscaler focuses on network traffic inspection, Push provides visibility into what happens inside browser sessions, tabs, and SaaS interactions—areas where network tools are blind. Push detects browser-native threats like phishing kits, malicious extensions, session hijacking, and identity attacks that bypass network controls. Push complements Zscaler by providing browser telemetry and session-level security that network-layer tools cannot observe, particularly for shadow SaaS accessed from unmanaged devices or personal browsers.
CrowdStrike Falcon focuses on endpoint detection and response (EDR), providing visibility into processes, files, and OS-level activity on endpoints. Push Security provides browser-based detection and response with visibility into browser sessions, SaaS interactions, and identity attacks. CrowdStrike sees: malware, suspicious processes, file activity, kernel-level threats. Push sees: phishing attempts in the browser, credential reuse, password security, session hijacking, malicious browser extensions, shadow SaaS access, and identity-based attack techniques. To an EDR tool, everything the browser does appears as a single process—it cannot see inside browser sessions or distinguish between legitimate user activity and browser-based attacks. Push operates at the browser layer, providing the granular visibility and context that EDR cannot capture. Together, CrowdStrike and Push provide defense-in-depth: CrowdStrike protects the endpoint; Push protects the browser where modern work and attacks occur.
Yes, Push Security integrates with other security platforms through its REST API and webhook capabilities. Push can send security events, browser-based detections, and findings to security products via webhooks, allowing you to aggregate Push's browser security telemetry with threat detection capabilities. You can configure which events to send, set up authentication, and use Push's API for programmatic queries. The integration enables you to correlate browser-based attacks detected by Push (phishing, session hijacking, shadow SaaS, malicious extensions) with other security signals, create custom detections, and automate response workflows. Push's browser telemetry provides unique session-level data that complements other tools' endpoint and network visibility—creating a more complete picture of your security posture across endpoints, networks, and browsers.
How to use Push Security.
The Push browser agent is designed to inspect and process only information that is related to browser threat detection & response. Get a much more detailed description of the data we collect, our privacy policy, and sub-processors.
No. The Push browser extension analyzes passwords as they are entered as a way to enforce controls or protect them from phishing attacks, and we take a salted partial hash that is only accessible to the extension for future checks. Passwords are never stored and never leave the browser. Still curious about how the Push browser extension securely analyzes passwords? Take the link for a deeper dive into it.
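To make the two ideas above concrete (pinning a password to its legitimate domain, and keeping only a salted partial hash for future checks), here is an added sketch for Node.js; it is not Push's code. The KDF, iteration count, truncation length and exact-hostname comparison are assumptions chosen for illustration, and `createPinStore` is a hypothetical name.

```javascript
const crypto = require('node:crypto');

// Assumed parameters for this sketch, not values taken from Push.
const KDF_ITERATIONS = 100000;
const KEPT_BYTES = 4; // keep only 32 bits of the derived key: a "partial" hash

// Salted, truncated fingerprint of a password. Truncation means many
// passwords share each fingerprint, so the stored value cannot confirm
// which password produced it.
function partialHash(password, salt) {
  return crypto
    .pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256')
    .subarray(0, KEPT_BYTES)
    .toString('hex');
}

function createPinStore(salt = crypto.randomBytes(16)) {
  // partial hash -> hostname the password belongs to (one host per entry here)
  const pins = new Map();

  return {
    // Record the binding after a login on the legitimate site.
    pin(loginUrl, password) {
      pins.set(partialHash(password, salt), new URL(loginUrl).hostname);
    },
    // Evaluate a password typed into any page before it is submitted.
    check(pageUrl, typed) {
      const boundHost = pins.get(partialHash(typed, salt));
      const pageHost = new URL(pageUrl).hostname;
      if (boundHost === undefined) return { action: 'allow', reason: 'unknown password' };
      if (boundHost === pageHost) return { action: 'allow', reason: 'bound domain' };
      return { action: 'block', reason: `password is bound to ${boundHost}`, pageHost };
    },
    // What would be persisted: fingerprints and hostnames, never the password.
    dump() {
      return JSON.stringify([...pins]);
    },
  };
}

// Constructed sample data: one pinned login and a lookalike hostname.
const SAMPLE_PASSWORD = 'Tr0ub4dor&3-constructed';
const store = createPinStore();
store.pin('https://login.example.com/session', SAMPLE_PASSWORD);
console.log(store.check('https://login.example.com/session', SAMPLE_PASSWORD));
console.log(store.check('https://login.example.com.attacker.test/', SAMPLE_PASSWORD));
```

Because the decision depends only on the hostname the password is bound to, obfuscation or cloaking on the other page does not change the outcome.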
Push delivers immediate protection with out-of-the-box detections and controls for a range of attack types. Within minutes, you can defend your workforce against phishing, ATO with stolen credentials, and session hijacking, while enforcing essential security measures like MFA and strong, unique passwords. On our list of compatible browsers, we include links to managed deployment methods.
Most Push customers deploy to over 1k users in under an hour, all during normal office hours, with zero downtime. Push is built for seamless, enterprise-ready implementation.
Push offers multiple deployment methods to install the Push extension: (1) Managed deployment via MDM, Google Admin Console, or Microsoft Group Policy (recommended); (2) Email enrollment; (3) Self-enrollment landing page.
Push has minimal network impact. This is because the extension is lightweight and operates locally in the browser. This reflects our commitment to maintaining a high-performance solution.