Get your copy of the SaaS Attacks Report: 2024 edition

Attackers don't hack in, they log in

Stop identity attacks at the first opportunity and prevent breaches

The browser is best

Work happens in the browser, and so do identity attacks. That's why Push created a lightweight but powerful browser agent that defends all your workforce identities, whether they're in your IdP or not.

stopwatch Get real-time visibility across all your identities, apps, accounts and authentication methods
magnifying glass and checklist Detect identity attacks that other telemetry sources can't see
shield with tick Block attacks and risky employee behaviors directly in the browser
circuit

Defense in depth against identity threats

Harden your identity security posture and detect attacks with a single tool that provides proactive and reactive capabilities. down arrow
iceberg
protected computer

Proactively harden your identity attack surface

Discover all your identities, apps, accounts and vulnerabilities
Get unmanaged accounts behind SSO
Block unapproved SaaS apps
Enforce MFA and SSO logins
Detect stolen credentials for sale on the dark web
Eliminate leaked, weak and reused passwords
computer printing

Detect and respond to identity attacks

Stop employees entering creds into phishing sites
Block AitM and BitM toolkits
Detect and block cloned app login pages
Block malicious URLs
Detect session hijacking using stolen tokens
Get rich telemetry across your identity attack surface
Seamlessly integrate Push into your existing tech stack
Push generates telemetry from your employees’ browsers, correlates it with your IdP logs and feeds actionable security findings into your SecOps tools.
Try it free
Seemless Integration
Plug-and-play security for identities
Get instant protection for your workforce identities against phishing, infostealers, credential stuffing, password spraying, session hijacking and more.
Push and play security for identities

Frequently asked questions

Data use, privacy, and security

What data does Push collect?

The push browser agent is designed to inspect and process only information that is related to identity and identity infrastructure security. This means that the agent doesn't request or inspect potentially sensitive business data that your employees upload, link, enter into apps, or that is otherwise available in apps.

The agent does analyze data that is related to identities in the browser and will report that information back to your Push app tenant if it is a work identity (or if you have configured Push to report identities for any domain). In terms of PII, we keep this data to the minimum basic account information (names and email address) needed for security context.

Where we process sensitive identity information (such as a user's password) we don't ever allow that data to leave the local browser context. We immediately analyze and forget, or convert these sensitive values to fingerprints (using k-anonymized hashes of the sensitive values) so we can compare them in future (for example to check if passwords are shared). Even these fingerprint values aren't sent back to your Push app tenant - instead we report back the results of local comparisons done in the browser.

Detecting attacker tools and techniques requires inspecting certain aspects of web apps - this may include things like URL patterns, the page DOM, server headers, or inspecting local data. In these cases we are looking for regex-like matches or generating signatures that we can use for comparisons. We only report back the result of these comparisons and matches done in the local browser context.

You can get a much more detailed description of the data we collect here.

Where is the data stored?

All data that you send to Push via the browser agent or the API integrations is stored in the EU, primarily in AWS Ireland (eu-west-1 for all the cloud engineers). Storing data in the most regulated region means it is easier to satisfy a broad set of privacy requirements including GDPR without the complexity of data export rules and provisions that change frequently.

How is the data secured?

We're a security company, so as you can imagine, we take data protection very seriously. Many of us at Push used to be security consultants working in both red and blue teams, and we practice what we preach.

Push is SOC2 and Cyber Essentials certified and GDPR compliant. You can read more about our privacy and security practices on our security portal page here.

A copy of our Information Security Policy can be provided on request, and our security team gets very excited about discussing the controls we implement beyond compliance requirements.

Will Push see all our employees' passwords?

No. We use a shortened salted hash of each password. It's checked in the browser and never leaves it. Find out more here.

How will Push use my data?

The sole reason we exist is to improve security, so it goes without saying that protecting your personal data is a top priority. At Push, we have a few fundamental principles:

  • The data you send to Push (whether via the extension or API) is yours, remains yours, and is deleted when you close your account with us.
  • We do not sell our users' data. We aren't a data broker, we don't sell your personal information to data brokers, and we especially don't sell your information to other companies that want to spam you with marketing emails. We are not ad-funded, don't show ads in any of our Services, and never will.
  • We are thoughtful about the personal information we ask you to provide and the personal information that we collect about you throughout the operation of our services.
  • We store personal information for only as long as we have reason to keep it.
  • We make considerable efforts to secure your personal information; we practice what we preach throughout our service.
  • We have no interest in making money by selling or sharing your personal information with anyone else.
  • We aim for full transparency on how we gather, use, and share your personal information.

You can review our full privacy policy here.

Does Push monitor my employees' personal accounts?

Before you deploy the browser agent, it is by default configured to monitor logins into work applications where your corporate email domain name is being used. That prevents any personal accounts from being monitored by Push.

The Push browser agent

What is the Push browser agent and how does it work?

The Push browser agent is deployed as a browser extension using any MDM, Google Admin console, Microsoft Group Policy, or manual enrollment. This agent observes employee logins and signups to cloud accounts using federated and unfederated identities. The browser extension then actively interrogates the collected data to detect common attack techniques, block phishing attempts, enforce end-user security controls, and uncover account security issues.

Why does Push use a browser agent?

Push uses a browser agent to collect browser data and generate telemetry.

Browser data is the broadest, most contextual data source for monitoring your entire identity attack surface for indicators of attack and finding vulnerabilities. Other data sources such as IdP and work app logs provide rich data into a narrow set of identities and apps. Network and email data provides very limited insight into identity security as well as being prone to false positives.

The Push browser agent not only performs passive observation, but also active interrogation. This enables you to detect attack techniques and tools so you can protect all identities, whether they are in your IdP system or not.

Finally, the browser agent also allows you to apply controls in the right place and at the right time. Push's set-and-forget guardrails can block, warn or guide employees so you have one less problem to worry about.

What browsers does Push support?

Google Chrome, Microsoft Edge, Firefox, Safari, Brave, Opera, Arc. Find out more here.

How do I deploy the Push browser agent to my whole organization and how long does it take?

You can deploy the Push browser extension using managed browser configuration, an existing MDM solution (such as Jamf or Microsoft Intune), or through a Group Policy if you have an Active Directory environment. Or, if you prefer, you can prompt employees to self-enroll via email or chat message by sending them a unique enrollment link. Find out more here.

Obviously we're going to tell you it's really quick and easy to deploy Push. So here's a real-world customer example:

Inductive Automation deployed the Push browser agent to 99 percent of their devices in 5 minutes in the middle of a regular workday. According to Jason their CISO, the deployment was so seamless that they received no help desk requests. You can read more about how Inductive Automation uses Push here.

Can users remove the Push browser agent?

No, if the extension is installed using device management software, the extension can be deployed so that it cannot be removed from their browser.

Solution capability and suitability
Who is Push for?

Push's users range from small-but-capable security teams in growing cloud-native/networkless businesses, right up to advanced SOC teams and IAM teams in large enterprises.

What they all have in common is that they recognize the growing risk of attacks against their workforce identities and want to reduce it.

What kind of identity attacks does Push defend against?

We're a team of ex red teamers and incident responders, so as you can imagine we analyze attacks by threat actors such as Scattered Spider and APT29 as well as research new identity attack techniques yet to be seen in the wild. For example, here's our research into SaaS-native attack techniques.

Today, Push helps you defend your workforce identities against:

  • Phishing
  • Adversary-in-the-Middle (e.g. Evilginx)
  • Browser-in-the-Browser (e.g. EvilnoVNC)
  • Credential stuffing
  • Brute force attacks / password spraying
  • Consent phishing
  • Business email compromise
  • Account takeover / hijacking
  • Account-to-account lateral movement
  • Shadow workflows
What makes Push different to other ITDR solutions?

Other ITDR platforms don't generate their own telemetry. Instead they tap into your IdP logs and pull them into a secondary SIEM-like platform from where you can develop and run detection use cases.

Push is different because it generates its own telemetry from the browser that can be used to detect identity attacks. The browser data Push collects is the broadest, most contextual data source for monitoring your entire identity attack surface. Many indicators of identity attacks will not be visible in IdP logs alone, but they can be detected when you incorporate browser telemetry into your monitoring.

Push still allows you to further enrich the browser data with data from your IdPs so you can have the best from both worlds.

If Push is browser-based, does it do browser security like an enterprise browser?

Our mission is to defend your organization against identity attacks as they are now responsible for the majority of all breaches. While Push is a browser-based identity solution, our focus is not on securing the browser itself. We use browser data because gives us the broadest and most contextual source for monitoring your full identity attack surface, detecting identity attack techniques and uncovering identity vulnerabilities.

Enterprise browsers can be likened to a new secure operating system, Push on the other hand can be likened to EDR but for identities. For organizations with a locked-down environment it can make sense to force employees to use a single mandated enterprise browser so their activities can be monitored and controlled. However, rolling them out across the organization is a big migration project. On the other hand, Push can quickly be deployed so you can enforce common-sense security controls in any browser and stop attacks against workforce identities.

Do we still need Push if all our cloud apps are behind SSO?

Push defends all your identities, whether they're in your IdP or not. Push customers are often surprised by the number of non-SSO identities their employees have. These can be on apps employees have signed up to themselves and haven't told IT about yet, or even on apps that have been onboarded to SSO.

By giving you visibility of all your employees' cloud apps and identities, Push can help you get as many of your apps as possible behind SSO. Unfortunately, not all apps support SAML SSO or OIDC SSO, and many that do will charge you more for it. Push defends all the identities on apps where it's impossible or impractical to use SSO, so every workforce identity is protected against identity attacks.

Can we use Push instead of a CASB?

While Push is definitely not a CASB, it can still discover all the apps your employees are using, and gives you visibility of the identities they use to access these apps. Because Push uses browser data to work at an identity and application level it enables you to see how securely your employees are using each app, harden identities that are vulnerable to identity attacks and detect attacks against workforce identities. This isn't possible with a CASB as they work at the network layer and infer cloud app usage from users visiting websites.

Can we use Push instead of a SSPM solution?

SSPM solutions that integrate directly with cloud applications can provide rich visibility of users, identities and vulnerabilities. However, they are limited to supporting a small number of apps that directly integrate with the SSPM solution and even then, they are totally dependent on the app vendor making useful security data accessible via API. Push uses browser data because it provides far broader coverage across all identities and apps so you can monitor and defend your whole identity attack surface.

Can Push still monitor identities on desktop client apps not accessed via the browser?

Yes. Our research has shown that about two thirds of common thick clients redirect to the browser for login, and most are used in-browser for administrative functions.

Will Push immediately start sending our employees ChatOps messages?

No. When you assign licenses to employees it does not automatically start messaging employees on Slack or Teams.

Push allows you to completely customize the ChatOps rollout so you can decide what types of issues will generate messages/alerts and who in your business will receive them.

We're constantly refining all aspects of how we interact with your employees to make sure we're giving them the right guidance at the right time with the minimum amount of messages.

Integrations
What IdPs does Push support?

Push directly integrates with Microsoft 365, Google Workspace and Okta to further enrich the data collected in the browser. Any other IdP system logs can be ingested into your SIEM/XDR solution alongside Push's data to give you comprehensive coverage across your identity attack surface.

What cloud apps does Push support?
The full list of apps we support is available and continuously updated here. New cloud apps are added each week as we discover our customers' employees using them. If we're missing one that you want to see, contact us, and we'll be happy to add it.
What other security tools does Push integrate with?
Push provides an API and webhooks so you can send Push data to your other security tools. This obviously includes your SIEM, XDR and SOAR platforms, but can also include compliance platforms, logging stacks, AWS Lambda, data analytic platforms and IT spend management tools.