[{"data":1,"prerenderedAt":3320},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/7-things-omdias-latest-report-tells-us-about-the-secure-enterprise-browser-market":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":964,"faqItemsCollection":965,"faqTitle":62,"featured":6,"hashTags":62,"meta":967,"metaTitle":968,"ogImage":62,"publishedDate":969,"relatedBlogPostsCollection":970,"slug":3296,"stem":3297,"subtitle":62,"summary":3298,"synopsis":3309,"sys":3310,"tagsCollection":3313,"__hash__":3319},"blog/blog/7-things-omdias-latest-report-tells-us-about-the-secure-enterprise-browser-market.json","7 things Omdia's latest report tells us about the secure enterprise browser market",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Dan Green","Dan","Threat Research",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":238,"links":830},{"nodeType":239,"data":240,"content":241},"document",{},[242,264,271,278,287,291,301,317,324,330,337,422,429,435,442,448,451,459,471,478,490,493,501,517,524,531,534,542,549,565,571,587,594,601,608,624,631,634,642,649,665,672,675,683,699,706,727,739,742,750,766,773,780,787,794,797,804,811],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246,251,260],{"nodeType":247,"value":248,"marks":249,"data":250},"text","The ",[],{},{"nodeType":252,"data":253,"content":255},"hyperlink",{"uri":254},"https://research.esg-global.com/reportaction/515202191/Marketing",[256],{"nodeType":247,"value":257,"marks":258,"data":259},"Omdia Browser Management and Security report",[],{},{"nodeType":247,"value":261,"marks":262,"data":263},", based on a survey of 400 IT and security professionals across North America fielded in late 2025, is the most comprehensive industry data to date on how organizations are experiencing, prioritizing, and investing in the secure enterprise browser (SEB) market. ",[],{},{"nodeType":243,"data":265,"content":266},{},[267],{"nodeType":247,"value":268,"marks":269,"data":270},"For us at Push, it externally validates what we've known to be true for some time — the browser is where work happens, where attacks land, and where defenders need to be if they want to detect and stop threats before damage is done.",[],{},{"nodeType":243,"data":272,"content":273},{},[274],{"nodeType":247,"value":275,"marks":276,"data":277},"We pulled out seven findings that matter most for security teams evaluating their approach.",[],{},{"nodeType":279,"data":280,"content":286},"embedded-entry-block",{"target":281},{"sys":282},{"id":283,"type":284,"linkType":285},"4aM879egIFYmDvOhzyNI9A","Link","Entry",[],{"nodeType":288,"data":289,"content":290},"hr",{},[],{"nodeType":292,"data":293,"content":294},"heading-1",{},[295],{"nodeType":247,"value":296,"marks":297,"data":300},"1. The attacks driving concern are the ones happening inside the browser session",[298],{"type":299},"bold",{},{"nodeType":243,"data":302,"content":303},{},[304,308,313],{"nodeType":247,"value":305,"marks":306,"data":307},"The threat picture is driving everything else in this report, so it's the right place to start. ",[],{},{"nodeType":247,"value":309,"marks":310,"data":312},"49% of organizations suffered a successful browser-based attack in the last 12 months.",[311],{"type":299},{},{"nodeType":247,"value":314,"marks":315,"data":316}," Among those affected, browser-originated incidents account for roughly 37% of all security incidents — and 68% say that share has grown over the past two years. ",[],{},{"nodeType":243,"data":318,"content":319},{},[320],{"nodeType":247,"value":321,"marks":322,"data":323},"The browser is not an emerging threat vector. It’s worth noting here that these numbers are also likely lower than the reality, since many are only identified later in the kill chain. Without browser-level telemetry they can be difficult to trace back their source — which in the vast majority of cases, even for malware-driven attacks, is the browser. ",[],{},{"nodeType":279,"data":325,"content":329},{"target":326},{"sys":327},{"id":328,"type":284,"linkType":285},"6Kcz8oILKVHmhQIo5Du6V",[],{"nodeType":243,"data":331,"content":332},{},[333],{"nodeType":247,"value":334,"marks":335,"data":336},"What stands out is that every one of the top attack categories plays out inside the browser session itself — not against the browser as a piece of software, but within the sessions where users interact with applications:",[],{},{"nodeType":338,"data":339,"content":340},"unordered-list",{},[341,352,362,372,382,392,402,412],{"nodeType":342,"data":343,"content":344},"list-item",{},[345],{"nodeType":243,"data":346,"content":347},{},[348],{"nodeType":247,"value":349,"marks":350,"data":351},"Phishing (40%)",[],{},{"nodeType":342,"data":353,"content":354},{},[355],{"nodeType":243,"data":356,"content":357},{},[358],{"nodeType":247,"value":359,"marks":360,"data":361},"Data loss or leakage (38%)",[],{},{"nodeType":342,"data":363,"content":364},{},[365],{"nodeType":243,"data":366,"content":367},{},[368],{"nodeType":247,"value":369,"marks":370,"data":371},"Malicious browser extensions (34%)",[],{},{"nodeType":342,"data":373,"content":374},{},[375],{"nodeType":243,"data":376,"content":377},{},[378],{"nodeType":247,"value":379,"marks":380,"data":381},"Vulnerable browser extensions (33%)",[],{},{"nodeType":342,"data":383,"content":384},{},[385],{"nodeType":243,"data":386,"content":387},{},[388],{"nodeType":247,"value":389,"marks":390,"data":391},"Malicious scripts (31%)",[],{},{"nodeType":342,"data":393,"content":394},{},[395],{"nodeType":243,"data":396,"content":397},{},[398],{"nodeType":247,"value":399,"marks":400,"data":401},"Credential theft via browser (28%)",[],{},{"nodeType":342,"data":403,"content":404},{},[405],{"nodeType":243,"data":406,"content":407},{},[408],{"nodeType":247,"value":409,"marks":410,"data":411},"Cookie theft (22%)",[],{},{"nodeType":342,"data":413,"content":414},{},[415],{"nodeType":243,"data":416,"content":417},{},[418],{"nodeType":247,"value":419,"marks":420,"data":421},"AiTM attacks (17%)",[],{},{"nodeType":243,"data":423,"content":424},{},[425],{"nodeType":247,"value":426,"marks":427,"data":428},"Phishing, credential theft, cookie theft, and AiTM are attacks that target the user's interaction with a web page — the credential entry, the session creation, the token exchange. Malicious and vulnerable extensions are supply chain risks that operate inside the browser's own execution environment. Data loss happens through the browser when employees upload files, paste data into AI tools, or share information with unsanctioned applications. ",[],{},{"nodeType":279,"data":430,"content":434},{"target":431},{"sys":432},{"id":433,"type":284,"linkType":285},"5Kw2kSrL8u4VyslxK8HCtR",[],{"nodeType":243,"data":436,"content":437},{},[438],{"nodeType":247,"value":439,"marks":440,"data":441},"None of these are attacks where network-layer traffic inspection, endpoint monitoring, or email scanning provides complete coverage, because the attack surface is the browser session itself.",[],{},{"nodeType":279,"data":443,"content":447},{"target":444},{"sys":445},{"id":446,"type":284,"linkType":285},"5kI5h4Z31ByD73er7voayF",[],{"nodeType":288,"data":449,"content":450},{},[],{"nodeType":292,"data":452,"content":453},{},[454],{"nodeType":247,"value":455,"marks":456,"data":458},"2. Browser security is now a board-level priority",[457],{"type":299},{},{"nodeType":243,"data":460,"content":461},{},[462,467],{"nodeType":247,"value":463,"marks":464,"data":466},"88% of respondents rank browser security as at least a top-five security priority",[465],{"type":299},{},{"nodeType":247,"value":468,"marks":469,"data":470},", with more than a quarter (26%) calling it their single top priority. For context, this is a survey that covers the full spectrum of security concerns — cloud, supply chain, AI, insider risk — and browser security has risen above most of them.",[],{},{"nodeType":243,"data":472,"content":473},{},[474],{"nodeType":247,"value":475,"marks":476,"data":477},"This is not aspirational interest. The correlation between priority level and investment is sharp: among those who rank browser security as their top priority, 72% have significantly increased their investment due to emerging threats. Among those who rank it in their top five, that figure is 26%. The organizations that care most are spending the most.",[],{},{"nodeType":243,"data":479,"content":480},{},[481,486],{"nodeType":247,"value":482,"marks":483,"data":485},"86% of respondents have increased their browser security investment in response to emerging threats",[484],{"type":299},{},{"nodeType":247,"value":487,"marks":488,"data":489},", with 36% saying the increase was significant. When you ask what's driving that spend, the answer is the threat landscape: the attacks cataloged in the previous section are the reason budgets are moving.",[],{},{"nodeType":288,"data":491,"content":492},{},[],{"nodeType":292,"data":494,"content":495},{},[496],{"nodeType":247,"value":497,"marks":498,"data":500},"3. Real budget is being allocated — and it's growing",[499],{"type":299},{},{"nodeType":243,"data":502,"content":503},{},[504,508,513],{"nodeType":247,"value":505,"marks":506,"data":507},"Secure enterprise browser solutions already take up ",[],{},{"nodeType":247,"value":509,"marks":510,"data":512},"12.6% of the average security budget",[511],{"type":299},{},{"nodeType":247,"value":514,"marks":515,"data":516}," — a substantial allocation for a category that didn't exist as a standalone line item a few years ago. And 85% of respondents expect to increase that spend over the next 12–24 months, with a quarter expecting significant increases.",[],{},{"nodeType":243,"data":518,"content":519},{},[520],{"nodeType":247,"value":521,"marks":522,"data":523},"Where the money comes from tells its own story. The most common funding model is a discrete line item within security program budgets (31%) or a dedicated secure browsing budget (30%). When organizations pull from an existing program budget, web security (26%) and endpoint security (21%) are the most common sources — while SASE/SSE accounts for just 9%, despite SASE vendors being the second most popular vendor category. That disconnect between vendor preference and budget origin suggests the SASE-bundled buying motion may be more aspirational than operational.",[],{},{"nodeType":243,"data":525,"content":526},{},[527],{"nodeType":247,"value":528,"marks":529,"data":530},"IT operations leadership is the top stakeholder in 82% of evaluations, with CISO and security leadership at 64% and CIOs at 42%. Day-to-day management sits primarily with IT Ops (77%) and SecOps (50%). This dual stakeholder picture — IT operations driving evaluation, security leadership providing strategic direction — shapes the competitive landscape in ways we'll come back to.",[],{},{"nodeType":288,"data":532,"content":533},{},[],{"nodeType":292,"data":535,"content":536},{},[537],{"nodeType":247,"value":538,"marks":539,"data":541},"4. AI is accelerating both the threat and the use case",[540],{"type":299},{},{"nodeType":243,"data":543,"content":544},{},[545],{"nodeType":247,"value":546,"marks":547,"data":548},"AI shows up in this report from two directions, mirroring how it is reshaping the security landscape itself.",[],{},{"nodeType":243,"data":550,"content":551},{},[552,556,561],{"nodeType":247,"value":553,"marks":554,"data":555},"On the threat side, ",[],{},{"nodeType":247,"value":557,"marks":558,"data":560},"AI-powered targeted phishing and social engineering is the top emerging concern",[559],{"type":299},{},{"nodeType":247,"value":562,"marks":563,"data":564},", cited by 75% of respondents as either very concerning or concerning. Data leakage via unsanctioned AI applications comes second at 71%, followed by deepfake/AI-generated malicious content at 69% and credential harvesting via fake AI or SaaS login pages at 66%. Every one of these threat categories involves the browser — AI-enhanced phishing lands in the browser, AI data leakage happens through browser-based AI tools, and fake AI login pages are browser-based credential harvesting.",[],{},{"nodeType":279,"data":566,"content":570},{"target":567},{"sys":568},{"id":569,"type":284,"linkType":285},"2ajv2i5wn2GzKuyynQGlvq",[],{"nodeType":243,"data":572,"content":573},{},[574,578,583],{"nodeType":247,"value":575,"marks":576,"data":577},"On the adoption side, the picture is almost universal — and almost universally under-governed. ",[],{},{"nodeType":247,"value":579,"marks":580,"data":582},"92% of organizations now allow employees to use public GenAI applications",[581],{"type":299},{},{"nodeType":247,"value":584,"marks":585,"data":586},", and virtually every organization has some kind of policy position: 37% have sanctioned one public app (with everything else unsanctioned), 39% have sanctioned multiple public apps (with others unsanctioned), and 23% restrict employees to a corporate instance while the public versions are unsanctioned. ",[],{},{"nodeType":243,"data":588,"content":589},{},[590],{"nodeType":247,"value":591,"marks":592,"data":593},"Even the 8% who don't allow GenAI at all have taken a policy position. Essentially 100% of organizations have a GenAI policy — but for the vast majority, that policy designates a large portion of public AI tool usage as unsanctioned, which raises the immediate question of whether they have the tooling to actually enforce it.",[],{},{"nodeType":243,"data":595,"content":596},{},[597],{"nodeType":247,"value":598,"marks":599,"data":600},"The answer, based on the current tooling landscape, appears to be: not quite. When Omdia asked how organizations currently secure GenAI usage, 58% rely on secure web gateways — tools that see traffic metadata but cannot observe what a user actually does inside a GenAI session — while 57% use secure browsing solutions and 57% use SaaS security solutions. ",[],{},{"nodeType":243,"data":602,"content":603},{},[604],{"nodeType":247,"value":605,"marks":606,"data":607},"An SWG can tell you that a user visited ChatGPT, but it cannot tell you whether they pasted your company's source code into the prompt. That distinction — between knowing where data went and knowing what the user actually did — is the fundamental gap that browser-layer visibility exists to close, and it is exactly the gap that makes GenAI policies unenforceable without browser-layer tooling.",[],{},{"nodeType":243,"data":609,"content":610},{},[611,615,620],{"nodeType":247,"value":612,"marks":613,"data":614},"The use case data reflects this. When Omdia asked about the most important use cases for a secure browsing solution, ",[],{},{"nodeType":247,"value":616,"marks":617,"data":619},"generative AI application security came in first at 59%",[618],{"type":299},{},{"nodeType":247,"value":621,"marks":622,"data":623},", followed by data loss prevention at 51% and general web security enhancement at 42%. The feature priorities tell a consistent story: AI-powered threat detection and response (52%) and advanced GenAI usage controls and monitoring (41%) were the top two capabilities organizations said would be most important in a purchase decision. ",[],{},{"nodeType":243,"data":625,"content":626},{},[627],{"nodeType":247,"value":628,"marks":629,"data":630},"AI is both the top threat concern and the top use case for browser security — and it is a browser problem at both ends, because every LLM interaction, every prompt containing sensitive data, and every AI agent authorization happens inside a browser session.",[],{},{"nodeType":288,"data":632,"content":633},{},[],{"nodeType":292,"data":635,"content":636},{},[637],{"nodeType":247,"value":638,"marks":639,"data":641},"5. Organizations that have deployed secure enterprise browser solutions are seeing real results",[640],{"type":299},{},{"nodeType":243,"data":643,"content":644},{},[645],{"nodeType":247,"value":646,"marks":647,"data":648},"One of the most useful sections in Omdia's report is the benefits data — what organizations that have deployed SEB solutions are actually getting out of them.",[],{},{"nodeType":243,"data":650,"content":651},{},[652,656,661],{"nodeType":247,"value":653,"marks":654,"data":655},"The top realized benefit is ",[],{},{"nodeType":247,"value":657,"marks":658,"data":660},"improved data security, cited by 58% of respondents",[659],{"type":299},{},{"nodeType":247,"value":662,"marks":663,"data":664},", followed by fewer security incidents (49%), better visibility and auditing (47%), improved user experience (44%), and simplified configuration and policy management (41%). The picture that emerges is not just a security story but an operational one: organizations are seeing fewer incidents, better visibility, and simpler management alongside the security outcomes.",[],{},{"nodeType":243,"data":666,"content":667},{},[668],{"nodeType":247,"value":669,"marks":670,"data":671},"The 49% who cite fewer security incidents as a realized benefit is the number that matters most here, because it directly connects SEB deployment to measurable risk reduction. Organizations aren't just buying tools and hoping — they're deploying them and seeing fewer successful attacks as a result.",[],{},{"nodeType":288,"data":673,"content":674},{},[],{"nodeType":292,"data":676,"content":677},{},[678],{"nodeType":247,"value":679,"marks":680,"data":682},"6. The market wants protection in existing browsers, not migration",[681],{"type":299},{},{"nodeType":243,"data":684,"content":685},{},[686,690,695],{"nodeType":247,"value":687,"marks":688,"data":689},"When Omdia asked what attributes matter most in a secure enterprise browser solution, ",[],{},{"nodeType":247,"value":691,"marks":692,"data":694},"\"ability to use existing browsers\" ranked as the fourth most important attribute at 48%",[693],{"type":299},{},{"nodeType":247,"value":696,"marks":697,"data":698}," — behind only integration with other security tools (57%), controls over generative AI application usage (53%), and centralized policy enforcement (52%). ",[],{},{"nodeType":243,"data":700,"content":701},{},[702],{"nodeType":247,"value":703,"marks":704,"data":705},"That 48% figure, combined with 80% of respondents saying they expect to use an SEB solution as an integrated or alongside component rather than a replacement for existing tools, points to a clear market preference: organizations want browser security that works with their existing browser estate, not a migration to a new one.",[],{},{"nodeType":243,"data":707,"content":708},{},[709,713,723],{"nodeType":247,"value":710,"marks":711,"data":712},"This is consistent with what we hear from security leaders directly. As ",[],{},{"nodeType":252,"data":714,"content":716},{"uri":715},"https://pushsecurity.com/customer-stories",[717],{"nodeType":247,"value":718,"marks":719,"data":722},"Josh Lemos put it: ",[720],{"type":721},"underline",{},{"nodeType":247,"value":724,"marks":725,"data":726},"\"We looked at the full-stack enterprise browser approach, but converging on a single platform was tough. Push gave me the security instrumentation and context I needed without onerous headwinds.\" The deployment model matters because it determines adoption velocity — and a tool that requires browser migration introduces friction that delays time to value.",[],{},{"nodeType":243,"data":728,"content":729},{},[730,734],{"nodeType":247,"value":731,"marks":732,"data":733},"Push was built around this insight from day one. As the secure enterprise browser extension for security teams, Push turns any browser — managed or unmanaged, including agentic browsers — into a telemetry source and control point the moment it's installed. It has been rolled out to 100,000 users in under an hour during normal office hours with zero downtime. ",[],{},{"nodeType":247,"value":735,"marks":736,"data":738},"That is a deployment model that matches what Omdia's respondents are asking for.",[737],{"type":299},{},{"nodeType":288,"data":740,"content":741},{},[],{"nodeType":292,"data":743,"content":744},{},[745],{"nodeType":247,"value":746,"marks":747,"data":749},"7. Dedicated vendors lead over platform plays",[748],{"type":299},{},{"nodeType":243,"data":751,"content":752},{},[753,757,762],{"nodeType":247,"value":754,"marks":755,"data":756},"When Omdia asked which category of vendor organizations primarily use or expect to use for secure enterprise browsing, ",[],{},{"nodeType":247,"value":758,"marks":759,"data":761},"36% chose a dedicated SEB vendor",[760],{"type":299},{},{"nodeType":247,"value":763,"marks":764,"data":765}," — the largest single category. SASE/network security vendors came second at 29%, followed by traditional VDI/desktop virtualization vendors at 19% and endpoint platform vendors at 15%.",[],{},{"nodeType":243,"data":767,"content":768},{},[769],{"nodeType":247,"value":770,"marks":771,"data":772},"The dedicated category leads, and the reason isn't just first-mover advantage — it's architectural. The alternative paths each come with structural constraints. SASE and SSE platforms are network-centric: they see traffic metadata and enforce URL categorization, but they can't observe the rendered page inside a browser tab — the DOM structure, the script behavior, the credential entry that distinguishes a legitimate login from an AiTM reverse-proxy kit. ",[],{},{"nodeType":243,"data":774,"content":775},{},[776],{"nodeType":247,"value":777,"marks":778,"data":779},"Endpoint platforms that bolt on browser visibility are still anchored to the OS layer, solving for browser exploit prevention rather than in-session behavioral detection of the attacks that actually dominate — phishing, credential theft, session hijacking, extension compromise. And when large platform vendors acquire browser security capabilities, the integration work takes years rather than months, during which detection depth sits in a transitional state. ",[],{},{"nodeType":243,"data":781,"content":782},{},[783],{"nodeType":247,"value":784,"marks":785,"data":786},"Dedicated browser-native vendors start from a different premise entirely: the browser isn't a supplementary signal feeding into someone else's SASE pipeline or XDR correlation engine — it is the telemetry source and the control point. The browser is the only place where you get simultaneous visibility into both the attacker's technique and the employee's action within the same session, because the phishing page, the credential submission, the token exchange, and the data exfiltration all happen inside the same tab. No network appliance, endpoint agent, or identity provider log can see all of that, because none of them are present where the interaction occurs.",[],{},{"nodeType":243,"data":788,"content":789},{},[790],{"nodeType":247,"value":791,"marks":792,"data":793},"For security teams evaluating SEB solutions, the architecture matters more than the vendor category label. The capabilities Omdia's respondents ranked highest — integration with existing tools, GenAI controls, centralized policy enforcement, and the ability to use existing browsers — all point toward solutions that deliver detection depth through a lightweight deployment model, without browser migration and without the integration debt of a platform acquisition.",[],{},{"nodeType":288,"data":795,"content":796},{},[],{"nodeType":243,"data":798,"content":799},{},[800],{"nodeType":247,"value":801,"marks":802,"data":803},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. ",[],{},{"nodeType":243,"data":805,"content":806},{},[807],{"nodeType":247,"value":808,"marks":809,"data":810},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":243,"data":812,"content":813},{},[814,817,826],{"nodeType":247,"value":29,"marks":815,"data":816},[],{},{"nodeType":252,"data":818,"content":820},{"uri":819},"https://pushsecurity.com/demo",[821],{"nodeType":247,"value":822,"marks":823,"data":825},"Book a live demo",[824],{"type":721},{},{"nodeType":247,"value":827,"marks":828,"data":829}," to learn more.",[],{},{"entries":831},{"hyperlink":832,"inline":833,"block":834},[],[],[835,844,885,893,924],{"sys":836,"__typename":837,"title":838,"caption":839,"layoutMode":62,"file":840},{"id":283},"Image","Omdia report key stats infographic","Headline stats from the latest Omdia report.",{"url":841,"width":842,"height":843},"https://images.ctfassets.net/y1cdw1ablpvd/62TiADpvI65W2gT7RQwlOU/a4aaad376574b1cd963fc0afa5e2942d/omdia-browser-security-infographic_2x__2_.png",1700,1434,{"sys":845,"__typename":846,"content":847,"name":884,"title":62},{"id":328},"InsightTextBlockComponent",{"json":848},{"nodeType":239,"data":849,"content":850},{},[851],{"nodeType":243,"data":852,"content":853},{},[854,858,867,871,880],{"nodeType":247,"value":855,"marks":856,"data":857},"The evidence here isn’t just statistics. The real-world breaches attributed to ",[],{},{"nodeType":252,"data":859,"content":861},{"uri":860},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[862],{"nodeType":247,"value":863,"marks":864,"data":866},"Scattered Lapsus$ Hunters",[865],{"type":721},{},{"nodeType":247,"value":868,"marks":869,"data":870},", including the ",[],{},{"nodeType":252,"data":872,"content":874},{"uri":873},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[875],{"nodeType":247,"value":876,"marks":877,"data":879},"ShinyHunters-branded 2026 hacking spree",[878],{"type":721},{},{"nodeType":247,"value":881,"marks":882,"data":883},", clearly underline the real-world threat. ",[],{},"Omdia report IB1",{"sys":886,"__typename":887,"type":888,"ctaText":889,"buttonLabel":890,"buttonColour":891,"buttonUrl":892},{"id":433},"CtaWidget","Custom","Get our latest technical whitepaper to learn about the state of browser-based attacks in 2026 (no sign-up required).","Download Now","sunny orange","https://pushsecurity.com/thank-you/browser-attacks-report",{"sys":894,"__typename":846,"content":895,"name":923,"title":62},{"id":446},{"json":896},{"data":897,"content":898,"nodeType":239},{},[899],{"data":900,"content":901,"nodeType":243},{},[902,906,919],{"data":903,"marks":904,"value":905,"nodeType":247},{},[],"It's worth noting that AiTM — now the dominant phishing technique in the wild,",{"data":907,"content":909,"nodeType":252},{"uri":908},"https://pushsecurity.com/blog/introducing-the-browser-and-identity-attacks-matrix/",[910,914],{"data":911,"marks":912,"value":913,"nodeType":247},{},[]," ",{"data":915,"marks":916,"value":918,"nodeType":247},{},[917],{"type":721},"responsible for 62% of phishing blocked by Microsoft",{"data":920,"marks":921,"value":922,"nodeType":247},{},[]," — shows up at just 17% in Omdia's data. That likely reflects a recognition gap rather than low prevalence: most organizations lack the browser-layer visibility to distinguish an AiTM reverse-proxy attack from a conventional phishing page, which means the real AiTM figure is probably buried inside the 40% who reported phishing generally.","Omdia report IB2",{"sys":925,"__typename":846,"content":926,"name":963,"title":62},{"id":569},{"json":927},{"nodeType":239,"data":928,"content":929},{},[930],{"nodeType":243,"data":931,"content":932},{},[933,937,946,950,959],{"nodeType":247,"value":934,"marks":935,"data":936},"This is something we’re seeing extensively in the wild. Just about every phishing kit we encounter today is packed with signs of AI use. You can see our ",[],{},{"nodeType":252,"data":938,"content":940},{"uri":939},"https://pushsecurity.com/blog/inside-criminal-phishing-panel/",[941],{"nodeType":247,"value":942,"marks":943,"data":945},"recent analysis of the Doko’s Panel real-time vishing + AitM kit",[944],{"type":721},{},{"nodeType":247,"value":947,"marks":948,"data":949}," for one example of this. AI development of kits and tools is rapidly driving down the time for attackers to adopt and scale new capabilities — the ",[],{},{"nodeType":252,"data":951,"content":953},{"uri":952},"https://pushsecurity.com/blog/device-code-phishing/",[954],{"nodeType":247,"value":955,"marks":956,"data":958},"37x increase in device code phishing in 2026",[957],{"type":721},{},{"nodeType":247,"value":960,"marks":961,"data":962}," being another indicator of this (we've observed heavy AI tool use across multiple kits and campaigns, with the EvilTokens kit gaining particular notoriety for its abuse of the Railway platform's AI features).",[],{},"Omdia report IB3","json",{"items":966},[],{},"7 things Omdia's latest report tells us about the SEB market","2026-05-13T00:00:00.000Z",{"items":971},[972,1767,2305],{"__typename":973,"sys":974,"content":976,"title":1746,"synopsis":1747,"hashTags":62,"publishedDate":969,"slug":1748,"tagsCollection":1749,"authorsCollection":1759},"BlogPosts",{"id":975},"2V130uMePtxAaefYQAKInb",{"json":977},{"data":978,"content":979,"nodeType":239},{},[980,986,993,1000,1007,1010,1018,1025,1037,1049,1054,1061,1064,1072,1079,1085,1092,1099,1208,1215,1218,1227,1234,1297,1313,1319,1326,1329,1337,1344,1352,1359,1366,1398,1405,1413,1420,1427,1434,1442,1449,1456,1463,1466,1474,1486,1493,1500,1508,1515,1522,1530,1537,1600,1616,1635,1643,1650,1658,1665,1672,1679,1685,1693,1700,1707,1713,1720,1727,1734,1740],{"data":981,"content":985,"nodeType":279},{"target":982},{"sys":983},{"id":984,"type":284,"linkType":285},"5CPZ96xixlhgh6oqQ2rfmO",[],{"data":987,"content":988,"nodeType":243},{},[989],{"data":990,"marks":991,"value":992,"nodeType":247},{},[],"When a security team evaluates browser security solutions, they're usually asking the right question: “How do we protect our users as they work in the browser?”",{"data":994,"content":995,"nodeType":243},{},[996],{"data":997,"marks":998,"value":999,"nodeType":247},{},[],"But the answer they get from many vendors is shaped by a fundamentally different threat model — one that treats the browser as a piece of software to be hardened against exploitation, rather than as the arena where your users’ identities get stolen.",{"data":1001,"content":1002,"nodeType":243},{},[1003],{"data":1004,"marks":1005,"value":1006,"nodeType":247},{},[],"This distinction has enormous consequences for your security posture and the return you can expect from your investment in a new solution.",{"data":1008,"content":1009,"nodeType":288},{},[],{"data":1011,"content":1012,"nodeType":292},{},[1013],{"data":1014,"marks":1015,"value":1017,"nodeType":247},{},[1016],{"type":299},"Two different problems, dressed the same",{"data":1019,"content":1020,"nodeType":243},{},[1021],{"data":1022,"marks":1023,"value":1024,"nodeType":247},{},[],"When it comes to protecting users as they work in the browser, security tools typically fall into one of two camps:",{"data":1026,"content":1027,"nodeType":243},{},[1028,1033],{"data":1029,"marks":1030,"value":1032,"nodeType":247},{},[1031],{"type":299},"The first camp:",{"data":1034,"marks":1035,"value":1036,"nodeType":247},{},[]," represented by solutions like Seraphic (now CrowdStrike) — is built around the threat of attacking the browser itself. The architecture is designed to scramble the browser’s JavaScript runtime and prevent exploits from detonating and breaking out of the browser sandbox. This is browser hardening: defending the browser as software against exploitation by attackers who want to compromise the underlying device.",{"data":1038,"content":1039,"nodeType":243},{},[1040,1045],{"data":1041,"marks":1042,"value":1044,"nodeType":247},{},[1043],{"type":299},"The second camp:",{"data":1046,"marks":1047,"value":1048,"nodeType":247},{},[]," and the one Push Security occupies uniquely, focuses on what happens inside the browser when a user is working normally. Phishing pages harvesting credentials. Session tokens being stolen. Malicious OAuth applications being granted access through social engineering. Adversary-in-the-middle proxies intercepting authentication flows. These attacks don't exploit the browser. They exploit the human — and now agents — using it via the browser's legitimate capabilities (think of it as LOTL, browser edition).",{"data":1050,"content":1053,"nodeType":279},{"target":1051},{"sys":1052},{"id":433,"type":284,"linkType":285},[],{"data":1055,"content":1056,"nodeType":243},{},[1057],{"data":1058,"marks":1059,"value":1060,"nodeType":247},{},[],"The question for any security team evaluating this space: which of these threat models presents the greatest risks to my organization?",{"data":1062,"content":1063,"nodeType":288},{},[],{"data":1065,"content":1066,"nodeType":292},{},[1067],{"data":1068,"marks":1069,"value":1071,"nodeType":247},{},[1070],{"type":299},"How organizations are actually being breached",{"data":1073,"content":1074,"nodeType":243},{},[1075],{"data":1076,"marks":1077,"value":1078,"nodeType":247},{},[],"Let's look at the major breach campaigns of the last three years without the marketing filter and a pattern emerges immediately. Scattered Spider and its successors breached MGM Resorts, Caesars, M&S, JLR, and Salesforce customers — not through browser exploits, but through social engineering, phishing and Adversary-in-the-Middle attacks that stole session tokens and SSO credentials. ",{"data":1080,"content":1084,"nodeType":279},{"target":1081},{"sys":1082},{"id":1083,"type":284,"linkType":285},"2qIMTiyyIsQFAyGJ9Ikyej",[],{"data":1086,"content":1087,"nodeType":243},{},[1088],{"data":1089,"marks":1090,"value":1091,"nodeType":247},{},[],"In every case, the attack happened in the browser — using stolen identities to log into legitimate cloud services — not on the browser through exploitation of the browser engine itself.",{"data":1093,"content":1094,"nodeType":243},{},[1095],{"data":1096,"marks":1097,"value":1098,"nodeType":247},{},[],"The data from major threat intelligence sources is unambiguous:",{"data":1100,"content":1101,"nodeType":338},{},[1102,1121,1140,1159,1178,1193],{"data":1103,"content":1104,"nodeType":342},{},[1105],{"data":1106,"content":1107,"nodeType":243},{},[1108,1112,1117],{"data":1109,"marks":1110,"value":1111,"nodeType":247},{},[],"Identity weaknesses played a material role in ",{"data":1113,"marks":1114,"value":1116,"nodeType":247},{},[1115],{"type":299},"almost 90% of Unit 42 incident response investigations",{"data":1118,"marks":1119,"value":1120,"nodeType":247},{},[]," (Palo Alto Networks Unit 42 IR Report)",{"data":1122,"content":1123,"nodeType":342},{},[1124],{"data":1125,"content":1126,"nodeType":243},{},[1127,1131,1136],{"data":1128,"marks":1129,"value":1130,"nodeType":247},{},[],"Credential abuse and phishing combined accounted for ",{"data":1132,"marks":1133,"value":1135,"nodeType":247},{},[1134],{"type":299},"38% of all breaches",{"data":1137,"marks":1138,"value":1139,"nodeType":247},{},[],", making identity the single largest breach vector (Verizon DBIR 2025)",{"data":1141,"content":1142,"nodeType":342},{},[1143],{"data":1144,"content":1145,"nodeType":243},{},[1146,1150,1155],{"data":1147,"marks":1148,"value":1149,"nodeType":247},{},[],"Cloud-conscious intrusions — attackers using stolen identities to access cloud services — rose ",{"data":1151,"marks":1152,"value":1154,"nodeType":247},{},[1153],{"type":299},"37% in 2025",{"data":1156,"marks":1157,"value":1158,"nodeType":247},{},[],", up 266% among state-nexus actors (CrowdStrike 2026 Global Threat Report)",{"data":1160,"content":1161,"nodeType":342},{},[1162],{"data":1163,"content":1164,"nodeType":243},{},[1165,1169,1174],{"data":1166,"marks":1167,"value":1168,"nodeType":247},{},[],"In cloud-related incidents, identity issues drove initial access in ",{"data":1170,"marks":1171,"value":1173,"nodeType":247},{},[1172],{"type":299},"83% of cases",{"data":1175,"marks":1176,"value":1177,"nodeType":247},{},[]," (Mandiant / Google Cloud Threat Horizons H1 2026)",{"data":1179,"content":1180,"nodeType":342},{},[1181],{"data":1182,"content":1183,"nodeType":243},{},[1184,1189],{"data":1185,"marks":1186,"value":1188,"nodeType":247},{},[1187],{"type":299},"82% of attack detections are now malware-free",{"data":1190,"marks":1191,"value":1192,"nodeType":247},{},[]," — they don't touch the endpoint and abuse legitimate access and functionality (CrowdStrike 2026 Global Threat Report)",{"data":1194,"content":1195,"nodeType":342},{},[1196],{"data":1197,"content":1198,"nodeType":243},{},[1199,1204],{"data":1200,"marks":1201,"value":1203,"nodeType":247},{},[1202],{"type":299},"49% of organizations",{"data":1205,"marks":1206,"value":1207,"nodeType":247},{},[]," suffered a successful browser-based attack in the last 12 months (Omdia 2026)",{"data":1209,"content":1210,"nodeType":243},{},[1211],{"data":1212,"marks":1213,"value":1214,"nodeType":247},{},[],"These aren't edge cases. This is now the primary attack playbook.",{"data":1216,"content":1217,"nodeType":288},{},[],{"data":1219,"content":1220,"nodeType":1226},{},[1221],{"data":1222,"marks":1223,"value":1225,"nodeType":247},{},[1224],{"type":299},"The economics of attack choice","heading-2",{"data":1228,"content":1229,"nodeType":243},{},[1230],{"data":1231,"marks":1232,"value":1233,"nodeType":247},{},[],"Attackers are rational actors. They pick the cheapest, most reliable path to their objective. The economics of browser exploitation versus identity theft tell the whole story:",{"data":1235,"content":1236,"nodeType":338},{},[1237,1252,1267,1282],{"data":1238,"content":1239,"nodeType":342},{},[1240],{"data":1241,"content":1242,"nodeType":243},{},[1243,1247],{"data":1244,"marks":1245,"value":1246,"nodeType":247},{},[],"Chrome sandbox RCE exploit (bug bounty value): ",{"data":1248,"marks":1249,"value":1251,"nodeType":247},{},[1250],{"type":299},"$250,000",{"data":1253,"content":1254,"nodeType":342},{},[1255],{"data":1256,"content":1257,"nodeType":243},{},[1258,1262],{"data":1259,"marks":1260,"value":1261,"nodeType":247},{},[],"IAB-provided IdP admin account: ",{"data":1263,"marks":1264,"value":1266,"nodeType":247},{},[1265],{"type":299},"~$3,000",{"data":1268,"content":1269,"nodeType":342},{},[1270],{"data":1271,"content":1272,"nodeType":243},{},[1273,1277],{"data":1274,"marks":1275,"value":1276,"nodeType":247},{},[],"1-year phishing kit rental (PhaaS): ",{"data":1278,"marks":1279,"value":1281,"nodeType":247},{},[1280],{"type":299},"~$1,000",{"data":1283,"content":1284,"nodeType":342},{},[1285],{"data":1286,"content":1287,"nodeType":243},{},[1288,1292],{"data":1289,"marks":1290,"value":1291,"nodeType":247},{},[],"Bulk stolen credential list: ",{"data":1293,"marks":1294,"value":1296,"nodeType":247},{},[1295],{"type":299},"~$15",{"data":1298,"content":1299,"nodeType":243},{},[1300,1304,1309],{"data":1301,"marks":1302,"value":1303,"nodeType":247},{},[],"Browser zero-days accounted for just ",{"data":1305,"marks":1306,"value":1308,"nodeType":247},{},[1307],{"type":299},"9% of all zero-days reported to Google in 2025",{"data":1310,"marks":1311,"value":1312,"nodeType":247},{},[]," — described by Google's own researchers as a \"historic low.\" Chrome's sandbox architecture, site isolation, and hardware-backed security features are the result of years of sustained hardening investment. When a browser vulnerability is discovered, Google typically deploys a patch within days.",{"data":1314,"content":1318,"nodeType":279},{"target":1315},{"sys":1316},{"id":1317,"type":284,"linkType":285},"5XWKHTT5J06yWcgZIOL95t",[],{"data":1320,"content":1321,"nodeType":243},{},[1322],{"data":1323,"marks":1324,"value":1325,"nodeType":247},{},[],"The bottom line: browser exploits are extraordinarily expensive to develop, increasingly difficult to execute reliably against a hardened modern browser, and patched rapidly when discovered. In sharp contrast, identity attacks are cheap to run, highly scalable, and have a low technical barrier to adoption — that’s why they’re responsible for the overwhelming majority of enterprise breaches. Attackers have voted with their resources.",{"data":1327,"content":1328,"nodeType":288},{},[],{"data":1330,"content":1331,"nodeType":292},{},[1332],{"data":1333,"marks":1334,"value":1336,"nodeType":247},{},[1335],{"type":299},"What you're actually buying with each vendor",{"data":1338,"content":1339,"nodeType":243},{},[1340],{"data":1341,"marks":1342,"value":1343,"nodeType":247},{},[],"Understanding the core architectural choice each vendor has made helps decode what their solution can and cannot protect you from.",{"data":1345,"content":1346,"nodeType":1226},{},[1347],{"data":1348,"marks":1349,"value":1351,"nodeType":247},{},[1350],{"type":299},"Seraphic (CrowdStrike)",{"data":1353,"content":1354,"nodeType":243},{},[1355],{"data":1356,"marks":1357,"value":1358,"nodeType":247},{},[],"Seraphic's architecture is built to inject into the browser's JavaScript runtime at the OS layer, scrambling browser internals to prevent exploits from executing. This is a technically sophisticated approach to a technically interesting problem that is, by every threat intelligence measure, not the problem causing enterprise breaches at scale.",{"data":1360,"content":1361,"nodeType":243},{},[1362],{"data":1363,"marks":1364,"value":1365,"nodeType":247},{},[],"Beyond the threat model mismatch, there are structural concerns with the approach itself. Injecting an agent into the browser's JS runtime is a technique with well-documented stability consequences. This is the same approach antivirus vendors have used for years, often at the cost of system stability. Seraphic now runs alongside the CrowdStrike Falcon sensor on managed devices, combining two heavyweight agents on the same machine. For any organization with CrowdStrike already deployed, the question isn't theoretical: how has that combination been validated in production environments?",{"data":1367,"content":1368,"nodeType":243},{},[1369,1373,1381,1385,1394],{"data":1370,"marks":1371,"value":1372,"nodeType":247},{},[],"There's also the managed-device limitation. Seraphic requires a kernel-level agent, which means it loses meaningful capability on unmanaged devices, BYOD machines, and contractor endpoints. This is not a niche concern: according to ",{"data":1374,"content":1376,"nodeType":252},{"uri":1375},"https://pushsecurity.com/blog/7-things-omdias-latest-report-tells-us-about-the-secure-enterprise-browser-market/",[1377],{"data":1378,"marks":1379,"value":1380,"nodeType":247},{},[],"Omdia's 2026 browser security survey",{"data":1382,"marks":1383,"value":1384,"nodeType":247},{},[],", 32% of users access corporate applications from unmanaged devices at least occasionally. Agent-based solutions are blind to nearly a third of your actual attack surface by design. The Okta breach began on a support engineer's personal device, where ",{"data":1386,"content":1388,"nodeType":252},{"uri":1387},"https://pushsecurity.com/blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches/",[1389],{"data":1390,"marks":1391,"value":1393,"nodeType":247},{},[1392],{"type":721},"corporate credentials had synced",{"data":1395,"marks":1396,"value":1397,"nodeType":247},{},[]," via Chrome's built-in profile sync. No agent, no visibility.",{"data":1399,"content":1400,"nodeType":243},{},[1401],{"data":1402,"marks":1403,"value":1404,"nodeType":247},{},[],"Teams evaluating Seraphic today are also buying into an integration roadmap, not a shipped capability. The acquisition by CrowdStrike closed in early 2026. The work of wiring browser telemetry into Falcon Fusion and correlating it with endpoint signals is currently a promise, not a production feature.",{"data":1406,"content":1407,"nodeType":1226},{},[1408],{"data":1409,"marks":1410,"value":1412,"nodeType":247},{},[1411],{"type":299},"SquareX (Zscaler)",{"data":1414,"content":1415,"nodeType":243},{},[1416],{"data":1417,"marks":1418,"value":1419,"nodeType":247},{},[],"SquareX's core capability is sandboxing suspicious file downloads inside disposable browser containers before they reach the endpoint. This is a legitimate approach to a real but declining problem. 82% of attack detections are now malware-free (CrowdStrike 2026 Global Threat Report) — attacks don't arrive as files to be sandboxed, they arrive as authenticated sessions. And the delivery channel shift makes the picture even starker: across Push's customer base, 1 in 3 phishing payloads are now delivered outside of email entirely — via social media, ads, and messaging platforms — and 4 in 5 ClickFix payloads arrive through search engines, not email. The threat that SquareX was architecturally designed to address is a shrinking share of the actual attack surface, and it's shrinking fast.",{"data":1421,"content":1422,"nodeType":243},{},[1423],{"data":1424,"marks":1425,"value":1426,"nodeType":247},{},[],"Zscaler already has sandboxing built into ZIA. For an existing Zscaler customer evaluating SquareX, the honest question is: what does this add beyond some extension analysis capability and what you already have? The AiTM phishing campaign that stole your user's credentials and accessed your cloud applications generates no malicious file, triggers no sandbox, and produces no network signal for Zscaler's traffic inspection to catch — because it happened entirely inside a browser session using legitimate authentication flows.",{"data":1428,"content":1429,"nodeType":243},{},[1430],{"data":1431,"marks":1432,"value":1433,"nodeType":247},{},[],"The acquisition also raises product focus questions. Being absorbed into a network-centric platform means SquareX is now optimized for Zscaler's priorities, not for standalone browser detection and response. Teams that care about investigation, threat hunting, and incident response should ask specifically what SquareX adds in those workflows under Zscaler ownership.",{"data":1435,"content":1436,"nodeType":1226},{},[1437],{"data":1438,"marks":1439,"value":1441,"nodeType":247},{},[1440],{"type":299},"LayerX",{"data":1443,"content":1444,"nodeType":243},{},[1445],{"data":1446,"marks":1447,"value":1448,"nodeType":247},{},[],"LayerX is primarily a policy enforcement and risk scoring platform focused on internal governance — controlling which applications employees access, what data moves through the browser, and whether behavior complies with internal rules.",{"data":1450,"content":1451,"nodeType":243},{},[1452],{"data":1453,"marks":1454,"value":1455,"nodeType":247},{},[],"Push Security covers that ground too. Push provides full visibility over AI tool usage, shadow SaaS, unmanaged identities, and data loss vectors — including sensitive data submitted through AI prompts, file uploads to personal cloud destinations, and OAuth grants to third-party applications. The same browser telemetry that detects external attacks also surfaces insider risks and powers DLP controls and compliance audit evidence, all from a single extension.",{"data":1457,"content":1458,"nodeType":243},{},[1459],{"data":1460,"marks":1461,"value":1462,"nodeType":247},{},[],"The critical difference is that Push goes significantly further. Where LayerX scores risk and enforces policy, Push detects active external attack techniques in real time: AiTM phishing kits as they execute, session tokens being stolen, ClickFix lures through behavioral analysis of page structure. These are the attacks causing the most damaging breaches today, and they don't surface on a risk score until after the damage is done. Push addresses both the governance problem and the external threat problem from the same platform. LayerX addresses only the first.",{"data":1464,"content":1465,"nodeType":288},{},[],{"data":1467,"content":1468,"nodeType":292},{},[1469],{"data":1470,"marks":1471,"value":1473,"nodeType":247},{},[1472],{"type":299},"Securing the organization via the browser: Push Security",{"data":1475,"content":1476,"nodeType":243},{},[1477,1482],{"data":1478,"marks":1479,"value":1481,"nodeType":247},{},[1480],{"type":299},"Push Security is built on a different architectural premise:",{"data":1483,"marks":1484,"value":1485,"nodeType":247},{},[]," the browser is not primarily a piece of software to harden against exploitation. It is the primary workplace, the primary SaaS access point, and the arena where the majority of modern identity attacks play out. The goal is to secure the organization via the browser — not just to secure the browser itself.",{"data":1487,"content":1488,"nodeType":243},{},[1489],{"data":1490,"marks":1491,"value":1492,"nodeType":247},{},[],"This means Push's detection surface is built around the attacks that are actually causing breaches: adversary-in-the-middle phishing, ClickFix and its many variants, credential stuffing against shadow identities, session token theft and replay, OAuth consent abuse, and the full spectrum of identity-based initial access techniques that dominate the modern threat landscape.",{"data":1494,"content":1495,"nodeType":243},{},[1496],{"data":1497,"marks":1498,"value":1499,"nodeType":247},{},[],"The deployment model reflects the threat model. Push deploys as a lightweight browser extension — no kernel-level agent, no device dependency, no migration to a new browser. It works on managed and unmanaged devices, across every traditional, enterprise and AI browser where employees are doing work and attackers are targeting them. The operational overhead is minimal by design: Push has been deployed to 100,000 users in under one hour during normal business hours.",{"data":1501,"content":1502,"nodeType":1226},{},[1503],{"data":1504,"marks":1505,"value":1507,"nodeType":247},{},[1506],{"type":299},"Detection philosophy: targeting what attackers can't change",{"data":1509,"content":1510,"nodeType":243},{},[1511],{"data":1512,"marks":1513,"value":1514,"nodeType":247},{},[],"Push's detection approach targets attacker TTPs rather than indicators of compromise that attackers can rotate in minutes. 95% of attacks detected by Push used some form of bot protection service — meaning the specific domain and IP were deliberately obscured. If your primary detection relies on blocklists, recent reports tell us that 89% of phishing domains will evade you: because they're active for less than two days, they can be spun up, down, and replaced faster than blocklists can keep up.",{"data":1516,"content":1517,"nodeType":243},{},[1518],{"data":1519,"marks":1520,"value":1521,"nodeType":247},{},[],"Behavioral detection of the attack technique — the AiTM relay structure, the credential entry on a cloned login page, the anomalous session context — remains valid regardless of what domain the attack is hosted on or which PhaaS kit was used to build it.",{"data":1523,"content":1524,"nodeType":1226},{},[1525],{"data":1526,"marks":1527,"value":1529,"nodeType":247},{},[1528],{"type":299},"Measuring the identity attack surface (it's bigger than you realize)",{"data":1531,"content":1532,"nodeType":243},{},[1533],{"data":1534,"marks":1535,"value":1536,"nodeType":247},{},[],"Because Push has visibility into actual login behavior across thousands of organizations, it can quantify the attack surface that identity-based attacks exploit. Of the last million logins observed by Push:",{"data":1538,"content":1539,"nodeType":338},{},[1540,1555,1570,1585],{"data":1541,"content":1542,"nodeType":342},{},[1543],{"data":1544,"content":1545,"nodeType":243},{},[1546,1551],{"data":1547,"marks":1548,"value":1550,"nodeType":247},{},[1549],{"type":299},"15 corporate identities were identified per employee",{"data":1552,"marks":1553,"value":1554,"nodeType":247},{},[]," used to access cloud apps",{"data":1556,"content":1557,"nodeType":342},{},[1558],{"data":1559,"content":1560,"nodeType":243},{},[1561,1566],{"data":1562,"marks":1563,"value":1565,"nodeType":247},{},[1564],{"type":299},"1 in 4",{"data":1567,"marks":1568,"value":1569,"nodeType":247},{},[]," were password logins, not SSO",{"data":1571,"content":1572,"nodeType":342},{},[1573],{"data":1574,"content":1575,"nodeType":243},{},[1576,1581],{"data":1577,"marks":1578,"value":1580,"nodeType":247},{},[1579],{"type":299},"2 in 5",{"data":1582,"marks":1583,"value":1584,"nodeType":247},{},[]," were not protected by MFA",{"data":1586,"content":1587,"nodeType":342},{},[1588],{"data":1589,"content":1590,"nodeType":243},{},[1591,1596],{"data":1592,"marks":1593,"value":1595,"nodeType":247},{},[1594],{"type":299},"1 in 5",{"data":1597,"marks":1598,"value":1599,"nodeType":247},{},[]," used a weak, breached, or reused password",{"data":1601,"content":1602,"nodeType":243},{},[1603,1607,1612],{"data":1604,"marks":1605,"value":1606,"nodeType":247},{},[],"And it's not just login hygiene. Across Push's customer base, ",{"data":1608,"marks":1609,"value":1611,"nodeType":247},{},[1610],{"type":299},"46%+ of browser extensions in corporate environments have the permission combinations required for direct account takeover via session theft if they are malicious or compromised by an attacker",{"data":1613,"marks":1614,"value":1615,"nodeType":247},{},[],". Most organizations have no inventory of what's running in their employees' browsers, let alone visibility into what those extensions can access.",{"data":1617,"content":1618,"nodeType":243},{},[1619,1623,1631],{"data":1620,"marks":1621,"value":1622,"nodeType":247},{},[],"These aren't theoretical vulnerabilities. They're the specific weaknesses that browser-native identity attacks are designed to exploit. ",{"data":1624,"content":1626,"nodeType":252},{"uri":1625},"https://pushsecurity.com/blog/the-cisos-data-problem-and-how-browser-telemetry-can-help/",[1627],{"data":1628,"marks":1629,"value":1630,"nodeType":247},{},[],"This visibility turns browser security from a reactive posture into a proactive one",{"data":1632,"marks":1633,"value":1634,"nodeType":247},{},[]," — you can see and remediate the identity weaknesses before an attacker exploits them, not just detect the attack while it's in progress.",{"data":1636,"content":1637,"nodeType":1226},{},[1638],{"data":1639,"marks":1640,"value":1642,"nodeType":247},{},[1641],{"type":299},"The ROI case",{"data":1644,"content":1645,"nodeType":243},{},[1646],{"data":1647,"marks":1648,"value":1649,"nodeType":247},{},[],"The ROI question for any security investment is: what quantum of real risk does this tool address, at what cost in money and operational friction?",{"data":1651,"content":1652,"nodeType":243},{},[1653],{"data":1654,"marks":1655,"value":1657,"nodeType":247},{},[1656],{"type":299},"That calculation looks very different depending on your threat model.",{"data":1659,"content":1660,"nodeType":243},{},[1661],{"data":1662,"marks":1663,"value":1664,"nodeType":247},{},[],"A solution focused on browser engine exploits and sandbox escapes is defending against an attack category that represents a tiny fraction of actual enterprise breaches, requires extraordinary attacker resources to execute, and is increasingly mitigated by browser vendors themselves through hardening and rapid patching. Chrome's automatic update cycle means that even when a browser vulnerability is discovered and disclosed, it is typically in front of users as a patch within days. The defenders here are Google, Mozilla, and Microsoft — with multi-billion dollar security teams and full access to the browser internals.",{"data":1666,"content":1667,"nodeType":243},{},[1668],{"data":1669,"marks":1670,"value":1671,"nodeType":247},{},[],"A solution focused on identity attacks via the browser — phishing, credential theft, session hijacking, OAuth abuse, malicious browser extensions — is defending against the primary cause of enterprise breaches, one that is accelerating (cloud-conscious intrusions up 37% in 2025, browser-based attacks increasing at 68% of organizations over the past two years per Omdia) and increasingly automated through PhaaS infrastructure that gives low-skill attackers enterprise-grade capability for $1,000 a year.",{"data":1673,"content":1674,"nodeType":243},{},[1675],{"data":1676,"marks":1677,"value":1678,"nodeType":247},{},[],"There's also a forward-looking dimension. The threat landscape isn't moving toward more browser exploitation. It's moving further into identity abuse. AI-powered phishing lowers the social engineering barrier. Agentic browsers will automate credential stuffing and account takeover at a scale that wasn't previously possible. And attackers are already adapting to authentication improvements: device code phishing has increased 37x since the start of 2026, a technique specifically designed to circumvent passkeys by bypassing the authentication flow entirely — the attacker never encounters a login page. The investment in identity-centric browser detection compounds over time as the attack surface evolves in the same direction.",{"data":1680,"content":1684,"nodeType":279},{"target":1681},{"sys":1682},{"id":1683,"type":284,"linkType":285},"cQ6WPV2NMYvDMZXifqzK1",[],{"data":1686,"content":1687,"nodeType":1226},{},[1688],{"data":1689,"marks":1690,"value":1692,"nodeType":247},{},[1691],{"type":299},"The verdict",{"data":1694,"content":1695,"nodeType":243},{},[1696],{"data":1697,"marks":1698,"value":1699,"nodeType":247},{},[],"Browser security is a real and growing priority — according to Omdia Research, it is now a top-five priority for 88% of security leaders and the top priority for 26% of them. 85% expect their browser security spending to increase over the next 12–24 months. The question isn't whether to invest. It's what to invest in.",{"data":1701,"content":1702,"nodeType":243},{},[1703],{"data":1704,"marks":1705,"value":1706,"nodeType":247},{},[],"The browser is where your users work, where attackers target them, and where the identity attacks causing the majority of enterprise breaches play out. But not all browser security investments address the same problem.",{"data":1708,"content":1712,"nodeType":279},{"target":1709},{"sys":1710},{"id":1711,"type":284,"linkType":285},"4nGzT9cNG0Yid93uUCCuTt",[],{"data":1714,"content":1715,"nodeType":243},{},[1716],{"data":1717,"marks":1718,"value":1719,"nodeType":247},{},[],"Solutions like Seraphic are built to defend against a browser being exploited by an attacker trying to break out of the sandbox — an attack that represents a historic low as a share of enterprise incidents, and one that Google's own hardening and rapid patching increasingly mitigates automatically. SquareX is built around malware sandboxing — a legitimate but declining share of the initial access landscape, and a capability Zscaler's existing customers already partially have. LayerX focuses on internal governance rather than external threats.",{"data":1721,"content":1722,"nodeType":243},{},[1723],{"data":1724,"marks":1725,"value":1726,"nodeType":247},{},[],"Push Security is built to defend against the attacks that are behind the major breaches hitting the headlines: identity theft, credential abuse, session hijacking, and the full identity attack kill chain that plays out inside the browser every time an attacker logs in as your user. Every major threat intelligence report points to these as the primary breach vectors. The economics of attack choice guarantee they'll remain so.",{"data":1728,"content":1729,"nodeType":243},{},[1730],{"data":1731,"marks":1732,"value":1733,"nodeType":247},{},[],"The security team that deploys Push gets the greatest coverage of the highest-impact threats, on managed and unmanaged devices, with the lightest operational footprint. That is the browser security investment that moves the needle on real organizational risk — not the browser security investment that defends the software nobody's actually attacking.",{"data":1735,"content":1739,"nodeType":279},{"target":1736},{"sys":1737},{"id":1738,"type":284,"linkType":285},"3a2sEWgWKZulGLCFfODwk0",[],{"data":1741,"content":1742,"nodeType":243},{},[1743],{"data":1744,"marks":1745,"value":29,"nodeType":247},{},[],"How to avoid the browser security buyer's trap","Securing the browser vs. securing the organization via the browser — what's the difference?","how-to-avoid-the-browser-security-buyers-trap",{"items":1750},[1751,1755],{"sys":1752,"name":1754},{"id":1753},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"sys":1756,"name":1758},{"id":1757},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"items":1760},[1761],{"fullName":1762,"firstName":1763,"jobTitle":1764,"profilePicture":1765},"Alex Henshall","Alex","Product Team",{"url":1766},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"__typename":973,"sys":1768,"content":1770,"title":2285,"synopsis":2286,"hashTags":62,"publishedDate":2287,"slug":2288,"tagsCollection":2289,"authorsCollection":2297},{"id":1769},"2MWicW07sNEBp59wxYtAiC",{"json":1771},{"nodeType":239,"data":1772,"content":1773},{},[1774,1782,1813,1819,1826,1845,1861,1864,1872,1888,1907,1932,1938,1954,1985,1991,1997,2013,2016,2024,2031,2039,2058,2074,2082,2108,2115,2123,2154,2161,2169,2176,2182,2185,2193,2200,2208,2214,2217,2225,2232,2239,2246,2258,2261,2268],{"nodeType":292,"data":1775,"content":1776},{},[1777],{"nodeType":247,"value":1778,"marks":1779,"data":1781},"The quantification problem nobody talks about",[1780],{"type":299},{},{"nodeType":243,"data":1783,"content":1784},{},[1785,1789,1797,1801,1809],{"nodeType":247,"value":1786,"marks":1787,"data":1788},"I was recently teaching ",[],{},{"nodeType":252,"data":1790,"content":1792},{"uri":1791},"https://www.sans.org/cyber-security-courses/cybersecurity-leaders/",[1793],{"nodeType":247,"value":1794,"marks":1795,"data":1796},"SANS LDR551",[],{},{"nodeType":247,"value":1798,"marks":1799,"data":1800},", where we cover some of the flawed approaches used in risk measurement and prioritization — for example, presenting ordinal data in a risk matrix as ratio data, implying that the matrix represents quantitative analysis when it’s more of a best guess. We then look at modeling using ",[],{},{"nodeType":252,"data":1802,"content":1804},{"uri":1803},"https://en.wikipedia.org/wiki/Loss_exceedance_curve",[1805],{"nodeType":247,"value":1806,"marks":1807,"data":1808},"Loss Exceedance Curves",[],{},{"nodeType":247,"value":1810,"marks":1811,"data":1812}," as a more accurate, if much more difficult, approach to quantitative risk assessment.",[],{},{"nodeType":279,"data":1814,"content":1818},{"target":1815},{"sys":1816},{"id":1817,"type":284,"linkType":285},"4S1wJUm6E1qvyZzwrl2DL",[],{"nodeType":243,"data":1820,"content":1821},{},[1822],{"nodeType":247,"value":1823,"marks":1824,"data":1825},"The only problem is, we rarely have the time or the data to construct such models. Ask a CISO how they measure risk for credential compromise and other account takeover attacks, and the answer will probably include one or more of the following: a risk assessment, a whiteboard, and a room full of smart people making educated guesses about attack frequency and control strength. ",[],{},{"nodeType":243,"data":1827,"content":1828},{},[1829,1833,1841],{"nodeType":247,"value":1830,"marks":1831,"data":1832},"That isn't a criticism — for most risk scenarios, expert elicitation is the best (and most convenient) available method. Breach cost data is sparse, threat actor behavior is unpredictable, and internal incident history is (ideally!) a limited sample. Quantitative risk frameworks like ",[],{},{"nodeType":252,"data":1834,"content":1836},{"uri":1835},"https://www.fairinstitute.org/",[1837],{"nodeType":247,"value":1838,"marks":1839,"data":1840},"FAIR",[],{},{"nodeType":247,"value":1842,"marks":1843,"data":1844}," give structure to that uncertainty, but they can't conjure data that just doesn't exist.",[],{},{"nodeType":243,"data":1846,"content":1847},{},[1848,1852,1857],{"nodeType":247,"value":1849,"marks":1850,"data":1851},"The results are usually estimates with wide confidence intervals and loss distributions that appear precise, but are hard to defend to a CFO or a board. Finance leaders have seen Monte Carlo simulations before; the capable ones will challenge the quality of the outputs if they doubt the quality of the inputs. ",[],{},{"nodeType":247,"value":1853,"marks":1854,"data":1856},"But with the right telemetry, we can get both",[1855],{"type":299},{},{"nodeType":247,"value":1858,"marks":1859,"data":1860},".",[],{},{"nodeType":288,"data":1862,"content":1863},{},[],{"nodeType":292,"data":1865,"content":1866},{},[1867],{"nodeType":247,"value":1868,"marks":1869,"data":1871},"Why the identity attack surface is uniquely measurable",[1870],{"type":299},{},{"nodeType":243,"data":1873,"content":1874},{},[1875,1879,1885],{"nodeType":247,"value":1876,"marks":1877,"data":1878},"We've written extensively about the shift to identity as a primary attack vector — and the evidence continues to stack up. Credential phishing, device code phishing, ClickFix, adversary-in-the-middle attacks, session hijacking, and SaaS account compromise now account for the majority of breach entry points in most enterprise environments. But the silver lining here is that this shift has created something valuable for risk quantification: ",[],{},{"nodeType":247,"value":1880,"marks":1881,"data":1884},"a highly observable threat surface",[1882],{"type":1883},"italic",{},{"nodeType":247,"value":1858,"marks":1886,"data":1887},[],{},{"nodeType":243,"data":1889,"content":1890},{},[1891,1895,1903],{"nodeType":247,"value":1892,"marks":1893,"data":1894},"Identity attacks execute ",[],{},{"nodeType":252,"data":1896,"content":1897},{"uri":908},[1898],{"nodeType":247,"value":1899,"marks":1900,"data":1902},"in the browser",[1901],{"type":721},{},{"nodeType":247,"value":1904,"marks":1905,"data":1906},". They leave traces in authentication flows, login behaviors, OAuth integrations, extension activity, and SaaS access patterns — all of which are captured in real time by the Push extension. Unlike network or endpoint attacks, where the signal is often binary and retroactive, browser-based identity threats generate continuous, high-frequency telemetry that maps directly onto the inputs that drive quantitative risk models.",[],{},{"nodeType":243,"data":1908,"content":1909},{},[1910,1914,1919,1923,1928],{"nodeType":247,"value":1911,"marks":1912,"data":1913},"This telemetry directly informs the hardest inputs in any quantitative risk model. One is ",[],{},{"nodeType":247,"value":1915,"marks":1916,"data":1918},"Threat Event Frequency (TEF)",[1917],{"type":299},{},{"nodeType":247,"value":1920,"marks":1921,"data":1922},": how often a threat agent acts against an asset in a given period. For identity risks, this can be answered in how many credential phishing attempts reached your users across all delivery channels (social media, email, malvertising, etc.), or how frequently your users authorize malicious or compromised SaaS apps. Browser-level telemetry can answer these questions with ",[],{},{"nodeType":247,"value":1924,"marks":1925,"data":1927},"observed",[1926],{"type":1883},{},{"nodeType":247,"value":1929,"marks":1930,"data":1931}," data rather than industry lookups and general benchmarks. ",[],{},{"nodeType":279,"data":1933,"content":1937},{"target":1934},{"sys":1935},{"id":1936,"type":284,"linkType":285},"EvjT68MCWW7nz5q86xe8S",[],{"nodeType":243,"data":1939,"content":1940},{},[1941,1945,1950],{"nodeType":247,"value":1942,"marks":1943,"data":1944},"The other input to risk modeling that's difficult to express in concrete terms is ",[],{},{"nodeType":247,"value":1946,"marks":1947,"data":1949},"vulnerability",[1948],{"type":299},{},{"nodeType":247,"value":1951,"marks":1952,"data":1953},": the probability a threat becomes a loss event or, more specifically, how likely it is that your controls will fail. ",[],{},{"nodeType":243,"data":1955,"content":1956},{},[1957,1961,1969,1973,1981],{"nodeType":247,"value":1958,"marks":1959,"data":1960},"This is where browser telemetry gets especially concrete. ",[],{},{"nodeType":252,"data":1962,"content":1964},{"uri":1963},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[1965],{"nodeType":247,"value":1966,"marks":1967,"data":1968},"Analysis of login telemetry across Push-monitored environments",[],{},{"nodeType":247,"value":1970,"marks":1971,"data":1972}," shows that 1 in 4 logins are still password-only (not SSO), 2 in 5 are not protected by MFA, and 1 in 5 use a weak, breached, or reused password. Many of these logins occur outside the visibility of a central IdP platform like Microsoft, Google or Okta — the result of downstream ",[],{},{"nodeType":252,"data":1974,"content":1976},{"uri":1975},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[1977],{"nodeType":247,"value":1978,"marks":1979,"data":1980},"ghost logins",[],{},{"nodeType":247,"value":1982,"marks":1983,"data":1984},". ",[],{},{"nodeType":279,"data":1986,"content":1990},{"target":1987},{"sys":1988},{"id":1989,"type":284,"linkType":285},"5GctExdVGjHRwKifiP00Fp",[],{"nodeType":279,"data":1992,"content":1996},{"target":1993},{"sys":1994},{"id":1995,"type":284,"linkType":285},"2mWToHCJcuB9FMwxxzd67F",[],{"nodeType":243,"data":1998,"content":1999},{},[2000,2004,2009],{"nodeType":247,"value":2001,"marks":2002,"data":2003},"In a FAIR-based model, TEF and vulnerability together determine ",[],{},{"nodeType":247,"value":2005,"marks":2006,"data":2008},"loss event frequency",[2007],{"type":299},{},{"nodeType":247,"value":2010,"marks":2011,"data":2012},": the foundational driver of the entire risk calculation. Using telemetry from your own environment as the basis for these calculations makes them far more accurate, and more likely to stand up to scrutiny.",[],{},{"nodeType":288,"data":2014,"content":2015},{},[],{"nodeType":292,"data":2017,"content":2018},{},[2019],{"nodeType":247,"value":2020,"marks":2021,"data":2023},"The attack surface is bigger than most models assume",[2022],{"type":299},{},{"nodeType":243,"data":2025,"content":2026},{},[2027],{"nodeType":247,"value":2028,"marks":2029,"data":2030},"One of the consistent failures in identity risk modeling is the tendency to model risks defenders can see, and leave the rest off the balance sheet. These omissions create a systematic understatement of exposure that browser-based telemetry can offset.",[],{},{"nodeType":1226,"data":2032,"content":2033},{},[2034],{"nodeType":247,"value":2035,"marks":2036,"data":2038},"Shadow AI and OAuth sprawl",[2037],{"type":299},{},{"nodeType":243,"data":2040,"content":2041},{},[2042,2045,2054],{"nodeType":247,"value":29,"marks":2043,"data":2044},[],{},{"nodeType":252,"data":2046,"content":2048},{"uri":2047},"https://pushsecurity.com/blog/unpacking-the-vercel-breach/",[2049],{"nodeType":247,"value":2050,"marks":2051,"data":2053},"The Vercel breach in April 2026",[2052],{"type":721},{},{"nodeType":247,"value":2055,"marks":2056,"data":2057}," was the result of an OAuth connection to a third-party AI SaaS tool a developer connected into the organization's Google Workspace tenant (without admin approval). When the AI vendor was compromised, the attacker leveraged stored OAuth tokens to access downstream accounts, ultimately reaching internal dashboards, API keys, and source code. ",[],{},{"nodeType":243,"data":2059,"content":2060},{},[2061,2065,2070],{"nodeType":247,"value":2062,"marks":2063,"data":2064},"Push telemetry across customer environments shows an average of ",[],{},{"nodeType":247,"value":2066,"marks":2067,"data":2069},"17 unique AI app integrations per organization in Microsoft and Google alone",[2068],{"type":299},{},{"nodeType":247,"value":2071,"marks":2072,"data":2073},", most of which security teams would describe as unapproved. These generally don't appear in a conventional risk model that isn't looking for them.",[],{},{"nodeType":1226,"data":2075,"content":2076},{},[2077],{"nodeType":247,"value":2078,"marks":2079,"data":2081},"Browser extensions",[2080],{"type":299},{},{"nodeType":243,"data":2083,"content":2084},{},[2085,2089,2099,2104],{"nodeType":247,"value":29,"marks":2086,"data":2088},[2087],{"type":299},{},{"nodeType":252,"data":2090,"content":2092},{"uri":2091},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[2093],{"nodeType":247,"value":2094,"marks":2095,"data":2098},"Analysis of 20,000 unique extensions deployed across Push customer environments",[2096,2097],{"type":721},{"type":299},{},{"nodeType":247,"value":2100,"marks":2101,"data":2103}," found that 46.76% have the permission combinations required for account takeover without user interaction. ",[2102],{"type":299},{},{"nodeType":247,"value":2105,"marks":2106,"data":2107},"The extensions carrying these permissions aren't flagged by risk scoring systems because the same permissions are used by ad blockers, password managers, and translation tools (the downside of relying on tools that rely on dubious scoring to assess extensions, but I digress). ",[],{},{"nodeType":243,"data":2109,"content":2110},{},[2111],{"nodeType":247,"value":2112,"marks":2113,"data":2114},"What matters for risk quantification isn't the permission set or an arbitrary score assigned by a vendor; it's whether the monitoring exists to detect when a previously-clean extension changes ownership, escalates permissions, or behaves anomalously. Without that monitoring, the exposure is real but unquantified.",[],{},{"nodeType":1226,"data":2116,"content":2117},{},[2118],{"nodeType":247,"value":2119,"marks":2120,"data":2122},"ClickFix and non-email delivery channels",[2121],{"type":299},{},{"nodeType":243,"data":2124,"content":2125},{},[2126,2130,2138,2142,2150],{"nodeType":247,"value":2127,"marks":2128,"data":2129},"ClickFix — where a malicious page silently writes a PowerShell or mshta command into the victim's clipboard and instructs them to paste it — was ",[],{},{"nodeType":252,"data":2131,"content":2133},{"uri":2132},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf",[2134],{"nodeType":247,"value":2135,"marks":2136,"data":2137},"the most common initial access vector observed by Microsoft in 2025",[],{},{"nodeType":247,"value":2139,"marks":2140,"data":2141},", and CrowdStrike reported a",[],{},{"nodeType":252,"data":2143,"content":2145},{"uri":2144},"https://www.crowdstrike.com/explore/2026-global-threat-report",[2146],{"nodeType":247,"value":2147,"marks":2148,"data":2149}," 563% increase in fake CAPTCHA lures",[],{},{"nodeType":247,"value":2151,"marks":2152,"data":2153}," (one of the most common ClickFix styles in which the user has to \"verify they're human\" by running a command on their machine). ",[],{},{"nodeType":243,"data":2155,"content":2156},{},[2157],{"nodeType":247,"value":2158,"marks":2159,"data":2160},"What makes this particularly relevant for risk quantification is the delivery channel: 4 in 5 ClickFix payloads intercepted by Push arrive via search engines, not email. A risk model that estimates threat event frequency from email-based phishing telemetry alone is structurally blind to an entire category of attack that has become one of the most prevalent initial access methods in the landscape.",[],{},{"nodeType":1226,"data":2162,"content":2163},{},[2164],{"nodeType":247,"value":2165,"marks":2166,"data":2168},"Authorization attacks",[2167],{"type":299},{},{"nodeType":243,"data":2170,"content":2171},{},[2172],{"nodeType":247,"value":2173,"marks":2174,"data":2175},"Device code phishing and OAuth consent abuse represent a slightly separate category of identity attack that most risk models don't account for because they operate after the authentication flow has already completed — meaning password strength, MFA coverage, and SSO adoption are irrelevant to whether the attack succeeds. ",[],{},{"nodeType":279,"data":2177,"content":2181},{"target":2178},{"sys":2179},{"id":2180,"type":284,"linkType":285},"7qtHmxCzBm5664jD6HsCwN",[],{"nodeType":288,"data":2183,"content":2184},{},[],{"nodeType":292,"data":2186,"content":2187},{},[2188],{"nodeType":247,"value":2189,"marks":2190,"data":2192},"The key lesson for CISOs",[2191],{"type":299},{},{"nodeType":243,"data":2194,"content":2195},{},[2196],{"nodeType":247,"value":2197,"marks":2198,"data":2199},"A risk model that measures identity vulnerability purely in terms of authentication hygiene at the IdP layer — how many accounts have MFA, how many use SSO — will correctly quantify one dimension of exposure while completely missing another that is growing faster and is structurally immune to the controls being measured.",[],{},{"nodeType":243,"data":2201,"content":2202},{},[2203],{"nodeType":247,"value":2204,"marks":2205,"data":2207},"For a CISO building a risk model, these aren't edge cases. They represent a real attack surface that doesn't show up in models built on conventional network, endpoint, and cloud telemetry. We aren't just talking about better inputs to risk modeling — we're talking about entirely new risk scenarios that aren't being modeled at all, supported by live data.",[2206],{"type":299},{},{"nodeType":279,"data":2209,"content":2213},{"target":2210},{"sys":2211},{"id":2212,"type":284,"linkType":285},"2ObEcO1gqz8lrOLCZzfpNw",[],{"nodeType":288,"data":2215,"content":2216},{},[],{"nodeType":1226,"data":2218,"content":2219},{},[2220],{"nodeType":247,"value":2221,"marks":2222,"data":2224},"Browser telemetry makes a CISO's life easier",[2223],{"type":299},{},{"nodeType":243,"data":2226,"content":2227},{},[2228],{"nodeType":247,"value":2229,"marks":2230,"data":2231},"Browser-based telemetry changes the conversation a CISO can have with a CFO or board. Instead of \"industry benchmarks suggest our expected annual loss from account compromise is somewhere in this range,\" the answer is, \"We can see how often these attacks are attempted against our users, and we can measure what percentage of our accounts have the controls in place to stop them,\" or \"We know how many shadow AI apps our users self-provision and share data with each month.\" ",[],{},{"nodeType":243,"data":2233,"content":2234},{},[2235],{"nodeType":247,"value":2236,"marks":2237,"data":2238},"Identity risk is only a piece of the quantification problem. Loss magnitude, regulatory exposure, and reputational impact are still extremely hard to estimate regardless of how good your frequency inputs are. ",[],{},{"nodeType":243,"data":2240,"content":2241},{},[2242],{"nodeType":247,"value":2243,"marks":2244,"data":2245},"But the identity attack surface is one of the few areas in security where measurement is genuinely achievable right now, and the gap between what most organizations are modeling and what's actually observable is significant. Shadow SaaS integrations, unapproved AI connections, browser extensions with excessive privileges — these are enumerable risks that don't appear in models built on network, endpoint, and cloud access telemetry alone. ",[],{},{"nodeType":243,"data":2247,"content":2248},{},[2249,2254],{"nodeType":247,"value":2250,"marks":2251,"data":2253},"The lesson for CISOs serious about quantitative risk management is this: the frameworks exist, the talent is available, and the bottleneck is almost always data quality. ",[2252],{"type":299},{},{"nodeType":247,"value":2255,"marks":2256,"data":2257},"Browser telemetry is a good example of the kind of high-fidelity, environment-specific measurement that closes that gap.",[],{},{"nodeType":288,"data":2259,"content":2260},{},[],{"nodeType":243,"data":2262,"content":2263},{},[2264],{"nodeType":247,"value":2265,"marks":2266,"data":2267},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. ",[],{},{"nodeType":243,"data":2269,"content":2270},{},[2271,2275,2282],{"nodeType":247,"value":2272,"marks":2273,"data":2274},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see. ",[],{},{"nodeType":252,"data":2276,"content":2278},{"uri":2277},"https://pushsecurity.com/book-demo/",[2279],{"nodeType":247,"value":822,"marks":2280,"data":2281},[],{},{"nodeType":247,"value":827,"marks":2283,"data":2284},[],{},"The CISO's data problem (and how browser telemetry can help)","How CISOs can use browser telemetry to support cyber risk quantification in areas where traditional data points fall short. ","2026-05-11T00:00:00.000Z","the-cisos-data-problem-and-how-browser-telemetry-can-help",{"items":2290},[2291,2293],{"sys":2292,"name":1758},{"id":1757},{"sys":2294,"name":2296},{"id":2295},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":2298},[2299],{"fullName":2300,"firstName":2301,"jobTitle":2302,"profilePicture":2303},"Mark Orlando","Mark","Field CTO",{"url":2304},"https://images.ctfassets.net/y1cdw1ablpvd/592PMwIQQFaa24k5SKBEKF/a33090d0ad95d1e3081f5d16a46ba826/image__68_.png",{"__typename":973,"sys":2306,"content":2308,"title":3280,"synopsis":3281,"hashTags":62,"publishedDate":3282,"slug":3283,"tagsCollection":3284,"authorsCollection":3292},{"id":2307},"3jF1fypt08TNlSoWuoMWhj",{"json":2309},{"nodeType":239,"data":2310,"content":2311},{},[2312,2338,2369,2412,2455,2461,2473,2476,2484,2536,2543,2566,2572,2575,2583,2612,2619,2627,2633,2636,2644,2651,2669,2676,2718,2725,2728,2736,2755,2810,2813,2821,2839,2858,2866,2873,2885,2897,2909,2921,2938,2946,2953,2956,2962,2968,2985,2988,2996,3014,3274],{"nodeType":243,"data":2313,"content":2314},{},[2315,2319,2325,2329,2334],{"nodeType":247,"value":2316,"marks":2317,"data":2318},"ShinyHunters and the broader SLH (",[],{},{"nodeType":252,"data":2320,"content":2321},{"uri":860},[2322],{"nodeType":247,"value":863,"marks":2323,"data":2324},[],{},{"nodeType":247,"value":2326,"marks":2327,"data":2328},") collective have claimed breaches at thousands of organizations over the past twelve months across retail, technology, aviation, financial services, media, gaming, and education, in what amounts to the most sustained data theft and extortion operation in recent cybercrime history. SLH's genealogy traces through a merger of Scattered Spider, Lapsus$, and ShinyHunters, all parts of ",[],{},{"nodeType":247,"value":2330,"marks":2331,"data":2333},"the Com",[2332],{"type":299},{},{"nodeType":247,"value":2335,"marks":2336,"data":2337},", a broader community of English-speaking cybercriminals with international links. ",[],{},{"nodeType":243,"data":2339,"content":2340},{},[2341,2345,2353,2357,2365],{"nodeType":247,"value":2342,"marks":2343,"data":2344},"The confirmed victim list reads like a Fortune 500 directory: Coca-Cola, Cisco, Qantas, Coinbase, ADT, Aflac, SoundCloud, Rockstar Games, Charter Communications, and recently ",[],{},{"nodeType":252,"data":2346,"content":2348},{"uri":2347},"https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/",[2349],{"nodeType":247,"value":2350,"marks":2351,"data":2352},"Instructure",[],{},{"nodeType":247,"value":2354,"marks":2355,"data":2356}," — whose breach ",[],{},{"nodeType":252,"data":2358,"content":2360},{"uri":2359},"https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/",[2361],{"nodeType":247,"value":2362,"marks":2363,"data":2364},"disrupted schools and universities nationwide",[],{},{"nodeType":247,"value":2366,"marks":2367,"data":2368}," during final exams — among dozens more named publicly and likely many more that haven't been (breaches settled quickly behind closed doors don't always make it into the public eye). ShinyHunters alone claimed over 1.5 billion stolen Salesforce records from a single campaign targeting more than 1,000 organizations.",[],{},{"nodeType":243,"data":2370,"content":2371},{},[2372,2376,2384,2388,2396,2400,2408],{"nodeType":247,"value":2373,"marks":2374,"data":2375},"Additional operating clusters, including Cordial Spider and Snarky Spider (which CrowdStrike ",[],{},{"nodeType":252,"data":2377,"content":2379},{"uri":2378},"https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/",[2380],{"nodeType":247,"value":2381,"marks":2382,"data":2383},"characterizes as the new generation of Scattered Spider",[],{},{"nodeType":247,"value":2385,"marks":2386,"data":2387},") run parallel campaigns against different target sectors, unified not by shared infrastructure but by a shared playbook of techniques that exploit the structural weakness in modern SaaS-first organizations. ",[],{},{"nodeType":252,"data":2389,"content":2391},{"uri":2390},"https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-03-12-Vishing-Campaigns-Lead-to-Data-Theft-and-Extortion.txt",[2392],{"nodeType":247,"value":2393,"marks":2394,"data":2395},"Unit 42 documented",[],{},{"nodeType":247,"value":2397,"marks":2398,"data":2399}," these groups moving from initial compromise to complete data exfiltration in under an hour — faster than most organizations can even begin to respond. Newer groups with links to the SLH ecosystem like CoinbaseCartel have also continued the tradition of weaponizing stolen credentials from the infostealer economy at scale, as ShinyHunters did in the ",[],{},{"nodeType":252,"data":2401,"content":2403},{"uri":2402},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[2404],{"nodeType":247,"value":2405,"marks":2406,"data":2407},"2024 Snowflake breach",[],{},{"nodeType":247,"value":2409,"marks":2410,"data":2411}," that compromised over 165 customer environments (and claimed another billion-plus records).",[],{},{"nodeType":243,"data":2413,"content":2414},{},[2415,2419,2427,2431,2439,2443,2451],{"nodeType":247,"value":2416,"marks":2417,"data":2418},"Not every SLH breach is browser-based — the Instructure breach (275 million individuals, ~330 school login portals defaced) began with a Salesforce tenant compromise in September 2025, but resurfaced in May 2026 after attackers exploited a ",[],{},{"nodeType":252,"data":2420,"content":2422},{"uri":2421},"https://www.bitdefender.com/en-gb/blog/businessinsights/technical-advisory-shinyhunters-breach-instructure-canvas-lms",[2423],{"nodeType":247,"value":2424,"marks":2425,"data":2426},"vulnerability affecting Canvas's Free-For-Teacher program",[],{},{"nodeType":247,"value":2428,"marks":2429,"data":2430}," (it's now been confirmed that Instructure \"",[],{},{"nodeType":252,"data":2432,"content":2434},{"uri":2433},"https://www.instructure.com/incident_update",[2435],{"nodeType":247,"value":2436,"marks":2437,"data":2438},"reached a settlement",[],{},{"nodeType":247,"value":2440,"marks":2441,"data":2442},"\" for the deletion of the data, and shut down the free account tier), while the Coinbase breach cost ",[],{},{"nodeType":252,"data":2444,"content":2446},{"uri":2445},"https://www.bleepingcomputer.com/news/security/coinbase-discloses-breach-faces-up-to-400-million-in-losses/",[2447],{"nodeType":247,"value":2448,"marks":2449,"data":2450},"$180M–400M through insider bribery",[],{},{"nodeType":247,"value":2452,"marks":2453,"data":2454}," — but these are the exceptions that prove the rule. ",[],{},{"nodeType":279,"data":2456,"content":2460},{"target":2457},{"sys":2458},{"id":2459,"type":284,"linkType":285},"4qNrbDyMJIumQfdbh9YVkU",[],{"nodeType":243,"data":2462,"content":2463},{},[2464,2469],{"nodeType":247,"value":2465,"marks":2466,"data":2468},"The vast majority of SLH campaigns over the past year converge on three browser-based attack vectors: vishing combined with AiTM phishing, device code phishing exploiting account authorization flows, and OAuth supply chain attacks through compromised third-party integrators.",[2467],{"type":299},{},{"nodeType":247,"value":2470,"marks":2471,"data":2472}," Each is well-documented, each has produced confirmed victims at scale, and each is detectable or preventable through browser-layer security controls.",[],{},{"nodeType":288,"data":2474,"content":2475},{},[],{"nodeType":292,"data":2477,"content":2478},{},[2479],{"nodeType":247,"value":2480,"marks":2481,"data":2483},"Vector 1: Vishing combined with AiTM phishing",[2482],{"type":299},{},{"nodeType":243,"data":2485,"content":2486},{},[2487,2491,2499,2503,2511,2515,2522,2526,2533],{"nodeType":247,"value":2488,"marks":2489,"data":2490},"The most visible campaign right now pairs targeted voice calls with adversary-in-the-middle phishing pages — an approach that ",[],{},{"nodeType":252,"data":2492,"content":2494},{"uri":2493},"https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft",[2495],{"nodeType":247,"value":2496,"marks":2497,"data":2498},"Mandiant",[],{},{"nodeType":247,"value":2500,"marks":2501,"data":2502},",",[],{},{"nodeType":252,"data":2504,"content":2506},{"uri":2505},"https://www.crowdstrike.com/en-us/blog/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield/",[2507],{"nodeType":247,"value":2508,"marks":2509,"data":2510}," CrowdStrike",[],{},{"nodeType":247,"value":2512,"marks":2513,"data":2514},", and",[],{},{"nodeType":252,"data":2516,"content":2517},{"uri":2390},[2518],{"nodeType":247,"value":2519,"marks":2520,"data":2521}," Unit 42",[],{},{"nodeType":247,"value":2523,"marks":2524,"data":2525}," have all documented from the incident response side, and which Push has ",[],{},{"nodeType":252,"data":2527,"content":2528},{"uri":939},[2529],{"nodeType":247,"value":2530,"marks":2531,"data":2532},"documented from inside the attacker's own operator panels",[],{},{"nodeType":247,"value":1858,"marks":2534,"data":2535},[],{},{"nodeType":243,"data":2537,"content":2538},{},[2539],{"nodeType":247,"value":2540,"marks":2541,"data":2542},"An attacker impersonating IT support calls the target employee, establishes urgency — often citing a \"mandatory passkey rollout\" or a \"security compliance update\" — and directs them to a victim-branded AiTM phishing page (typically at a domain like \u003Ccompany>sso.com or \u003Ccompany>internal.com). The attack is processed by a live human in real time, relaying credentials and MFA codes to the legitimate identity provider as they are entered, capturing the resulting session token, and granting the attacker an authenticated session. ",[],{},{"nodeType":243,"data":2544,"content":2545},{},[2546,2550,2557,2561],{"nodeType":247,"value":2547,"marks":2548,"data":2549},"One of the reasons that this method is becoming so widespread is the commoditization of effective tools. Push's ",[],{},{"nodeType":252,"data":2551,"content":2552},{"uri":939},[2553],{"nodeType":247,"value":2554,"marks":2555,"data":2556},"infiltration of the criminal phishing panels",[],{},{"nodeType":247,"value":2558,"marks":2559,"data":2560}," identified over 400 linked domains across four distinct infrastructure clusters. ",[],{},{"nodeType":247,"value":2562,"marks":2563,"data":2565},"This mirrors the pattern that turned AiTM phishing from a specialist capability into an industrialized market with competing PhaaS platforms, but with the added complication that voice phishing as the delivery vector makes the attack invisible to traditional anti-phishing controls at the email layer.",[2564],{"type":299},{},{"nodeType":279,"data":2567,"content":2571},{"target":2568},{"sys":2569},{"id":2570,"type":284,"linkType":285},"1Yhthl0PILGW7EmCcZUrNv",[],{"nodeType":288,"data":2573,"content":2574},{},[],{"nodeType":292,"data":2576,"content":2577},{},[2578],{"nodeType":247,"value":2579,"marks":2580,"data":2582},"Vector 2: Vishing combined with device code phishing",[2581],{"type":299},{},{"nodeType":243,"data":2584,"content":2585},{},[2586,2589,2597,2601,2608],{"nodeType":247,"value":248,"marks":2587,"data":2588},[],{},{"nodeType":252,"data":2590,"content":2592},{"uri":2591},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[2593],{"nodeType":247,"value":2594,"marks":2595,"data":2596},"ShinyHunters Salesforce campaign",[],{},{"nodeType":247,"value":2598,"marks":2599,"data":2600}," that ran through 2025 and into 2026 used device code phishing as one of its core methods, ",[],{},{"nodeType":252,"data":2602,"content":2603},{"uri":2402},[2604],{"nodeType":247,"value":2605,"marks":2606,"data":2607},"compromising over 1,000 organizations and claiming 1.5 billion stolen records",[],{},{"nodeType":247,"value":2609,"marks":2610,"data":2611}," — including an attempted extortion of Salesforce itself. The attack involved registering an attacker-controlled \"DataLoader\" application mimicking a legitimate Salesforce tool, configuring it to request broad OAuth scopes including full API access and refresh token generation, and guiding victims through the device authorization flow via vishing calls.",[],{},{"nodeType":243,"data":2613,"content":2614},{},[2615],{"nodeType":247,"value":2616,"marks":2617,"data":2618},"Device code phishing exploits the OAuth 2.0 device authorization grant — a flow designed for devices without browsers, like smart TVs, but used in a wide range of scenarios including CLI logins — by tricking users into entering a code on Microsoft's (or another identity provider's) legitimate verification page. Since the victim is usually signed into the app in their browser, there’s no login at all. They simply navigate to the app’s device code login page and enter an attacker-provided code to grant the attacker an access token. ",[],{},{"nodeType":243,"data":2620,"content":2621},{},[2622],{"nodeType":247,"value":2623,"marks":2624,"data":2626},"This is what makes device code phishing structurally different from AiTM: it defeats all MFA (including passkeys) because the attack doesn’t target the login, but the authorization layer instead.",[2625],{"type":299},{},{"nodeType":279,"data":2628,"content":2632},{"target":2629},{"sys":2630},{"id":2631,"type":284,"linkType":285},"3ElQz8sLATnR8RY5nVlBGM",[],{"nodeType":288,"data":2634,"content":2635},{},[],{"nodeType":292,"data":2637,"content":2638},{},[2639],{"nodeType":247,"value":2640,"marks":2641,"data":2643},"Vector 3: OAuth supply chain attacks through compromised integrators",[2642],{"type":299},{},{"nodeType":243,"data":2645,"content":2646},{},[2647],{"nodeType":247,"value":2648,"marks":2649,"data":2650},"The third vector does not require the attacker to phish the victim organization's employees at all. Instead, it exploits the OAuth trust relationships that organizations create when they connect third-party SaaS vendors into their environments — and the consequence is that every organization that authorized one of these integrations effectively extended its security boundary to include the vendor's own security posture.",[],{},{"nodeType":243,"data":2652,"content":2653},{},[2654,2657,2665],{"nodeType":247,"value":248,"marks":2655,"data":2656},[],{},{"nodeType":252,"data":2658,"content":2660},{"uri":2659},"https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift",[2661],{"nodeType":247,"value":2662,"marks":2663,"data":2664},"Salesloft/Drift supply chain attack",[],{},{"nodeType":247,"value":2666,"marks":2667,"data":2668}," demonstrated this at scale in 2025: in an extension of the previously mentioned device code phishing campaign, the attacker compromised Salesloft's GitHub environment, used TruffleHog to find secrets, stole Drift OAuth tokens, and used them to access downstream Salesforce environments. The same pattern was later repeated at Gainsight. ",[],{},{"nodeType":243,"data":2670,"content":2671},{},[2672],{"nodeType":247,"value":2673,"marks":2674,"data":2675},"Along with the previously mentioned device code phishing attacks,  more than 1000 organizations were breached. The attackers then harvested AWS keys, Snowflake credentials, and stored passwords from breached Salesforce instances, compounding the access into progressively wider reach.",[],{},{"nodeType":243,"data":2677,"content":2678},{},[2679,2683,2691,2695,2703,2707,2714],{"nodeType":247,"value":2680,"marks":2681,"data":2682},"The same structural pattern has continued into 2026 with the Anodot supply chain compromise, which has produced confirmed breaches at ",[],{},{"nodeType":252,"data":2684,"content":2686},{"uri":2685},"https://www.bleepingcomputer.com/news/security/vimeo-data-breach-exposes-personal-information-of-119-000-people/",[2687],{"nodeType":247,"value":2688,"marks":2689,"data":2690},"Vimeo",[],{},{"nodeType":247,"value":2692,"marks":2693,"data":2694}," (119,000 users), Rockstar Games (78.6 million records), and ",[],{},{"nodeType":252,"data":2696,"content":2698},{"uri":2697},"https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/",[2699],{"nodeType":247,"value":2700,"marks":2701,"data":2702},"Zara/Inditex",[],{},{"nodeType":247,"value":2704,"marks":2705,"data":2706}," (197,000 people), with further downstream victims likely still emerging. The ",[],{},{"nodeType":252,"data":2708,"content":2709},{"uri":2047},[2710],{"nodeType":247,"value":2711,"marks":2712,"data":2713},"Vercel breach",[],{},{"nodeType":247,"value":2715,"marks":2716,"data":2717},", which involved compromised OAuth tokens from Context.ai cascading into Google Workspace, also reinforces the same attack pattern (though it was likely not a ShinyHunters operation despite being claimed by someone pretending to be them).",[],{},{"nodeType":243,"data":2719,"content":2720},{},[2721],{"nodeType":247,"value":2722,"marks":2723,"data":2724},"A forgotten SaaS integration can easily become the pivot point for downstream compromise. The moment you authorize a third-party integration, your security boundary extends to include that vendor. If the third-party is compromised, every downstream customer organization with an active integration is exposed.",[],{},{"nodeType":288,"data":2726,"content":2727},{},[],{"nodeType":292,"data":2729,"content":2730},{},[2731],{"nodeType":247,"value":2732,"marks":2733,"data":2735},"The infostealer credential playbook sits alongside these attacks",[2734],{"type":299},{},{"nodeType":243,"data":2737,"content":2738},{},[2739,2743,2751],{"nodeType":247,"value":2740,"marks":2741,"data":2742},"Alongside the three vectors above, ShinyHunters has a track record of exploiting the infostealer credential economy at scale — and it predates any of them. The 2024 Snowflake campaign — 165+ customer environments compromised, over a billion records stolen from AT&T, Ticketmaster, Santander, and Advance Auto Parts among others — was built entirely on infostealer-harvested credentials replayed against MFA-less tenants, with ",[],{},{"nodeType":252,"data":2744,"content":2746},{"uri":2745},"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion",[2747],{"nodeType":247,"value":2748,"marks":2749,"data":2750},"Mandiant's investigation",[],{},{"nodeType":247,"value":2752,"marks":2753,"data":2754}," finding that 80% of compromised accounts had prior breach exposure in datasets dating back to 2020. The credentials were already circulating in criminal marketplaces; ShinyHunters simply purchased and operationalized them at industrial scale.",[],{},{"nodeType":243,"data":2756,"content":2757},{},[2758,2762,2770,2774,2782,2786,2794,2798,2806],{"nodeType":247,"value":2759,"marks":2760,"data":2761},"The same methodology powered the ",[],{},{"nodeType":252,"data":2763,"content":2765},{"uri":2764},"https://pushsecurity.com/blog/why-attackers-are-targeting-jira-with-stolen-credentials/",[2766],{"nodeType":247,"value":2767,"marks":2768,"data":2769},"HellCat Jira campaign",[],{},{"nodeType":247,"value":2771,"marks":2772,"data":2773}," through 2024–2025, and has now been industrialized as a standalone operation by ",[],{},{"nodeType":252,"data":2775,"content":2777},{"uri":2776},"https://www.halcyon.ai/jp/threat-group/coinbasecartel",[2778],{"nodeType":247,"value":2779,"marks":2780,"data":2781},"CoinbaseCartel",[],{},{"nodeType":247,"value":2783,"marks":2784,"data":2785},", another criminal group reported to be an offshoot of SLH. CoinbaseCartel's model is familiar: purchase old infostealer credentials, use them to access cloud and development environments, exfiltrate data, and demand ransom. ",[],{},{"nodeType":252,"data":2787,"content":2789},{"uri":2788},"https://www.infostealers.com/article/inside-the-coinbase-cartel-how-infostealer-credentials-fueled-a-100-company-ransomware-spree/",[2790],{"nodeType":247,"value":2791,"marks":2792,"data":2793},"Hudson Rock's analysis",[],{},{"nodeType":247,"value":2795,"marks":2796,"data":2797}," of the group's 170+ claimed victims confirms that roughly 80% had prior infostealer infections predating the attacks. The most recent named victim is ",[],{},{"nodeType":252,"data":2799,"content":2801},{"uri":2800},"https://www.bleepingcomputer.com/news/security/grafana-says-stolen-github-token-let-hackers-steal-codebase/",[2802],{"nodeType":247,"value":2803,"marks":2804,"data":2805},"Grafana",[],{},{"nodeType":247,"value":2807,"marks":2808,"data":2809},", where a GitHub token compromised via the TanStack npm supply chain attack and missed during credential rotation was used to download the codebase and attempt extortion. ",[],{},{"nodeType":288,"data":2811,"content":2812},{},[],{"nodeType":292,"data":2814,"content":2815},{},[2816],{"nodeType":247,"value":2817,"marks":2818,"data":2820},"These attacks all happen in the browser",[2819],{"type":299},{},{"nodeType":243,"data":2822,"content":2823},{},[2824,2828,2835],{"nodeType":247,"value":2825,"marks":2826,"data":2827},"Every one of these attack chains is a browser-based attack that either occurs in the browser (AiTM phishing, device code phishing) or could have been prevented at the browser layer (OAuth consent governance). The techniques are interchangeable — the",[],{},{"nodeType":252,"data":2829,"content":2830},{"uri":952},[2831],{"nodeType":247,"value":2832,"marks":2833,"data":2834}," same criminal kits now offer AiTM and device code phishing side by side",[],{},{"nodeType":247,"value":2836,"marks":2837,"data":2838},", and the same threat actor (ShinyHunters) has used all three vectors across different campaigns within the same twelve-month period.",[],{},{"nodeType":243,"data":2840,"content":2841},{},[2842,2846,2854],{"nodeType":247,"value":2843,"marks":2844,"data":2845},"Additionally, infostealer infections themselves are increasingly delivered through browser-based methods like ",[],{},{"nodeType":252,"data":2847,"content":2849},{"uri":2848},"https://pushsecurity.com/blog/introducing-malicious-copy-paste-detection",[2850],{"nodeType":247,"value":2851,"marks":2852,"data":2853},"ClickFix",[],{},{"nodeType":247,"value":2855,"marks":2856,"data":2857},", closing the loop between the credential supply side and the browser-layer detection point.",[],{},{"nodeType":1226,"data":2859,"content":2860},{},[2861],{"nodeType":247,"value":2862,"marks":2863,"data":2865},"How Push can help",[2864],{"type":299},{},{"nodeType":243,"data":2867,"content":2868},{},[2869],{"nodeType":247,"value":2870,"marks":2871,"data":2872},"Push operates at the exact point in each of these attack chains where automated intervention can still prevent the compromise. ",[],{},{"nodeType":243,"data":2874,"content":2875},{},[2876,2881],{"nodeType":247,"value":2877,"marks":2878,"data":2880},"For vishing + AiTM attacks, ",[2879],{"type":299},{},{"nodeType":247,"value":2882,"marks":2883,"data":2884},"Push's behavioral phishing detection analyzes and blocks the phishing page in real time by detecting it from the user's browser — regardless of the domains used, hosting infrastructure, or where the URL was delivered.  ",[],{},{"nodeType":243,"data":2886,"content":2887},{},[2888,2893],{"nodeType":247,"value":2889,"marks":2890,"data":2892},"For device code phishing,",[2891],{"type":299},{},{"nodeType":247,"value":2894,"marks":2895,"data":2896}," Push detects the phishing pages associated with device code phishing kits — including generic, technique-class detections that catch new kits without requiring kit-specific signatures. Second, Push provides an additional layer of protection on the legitimate device code authentication pages themselves, preventing users from entering attacker-supplied codes into them. Together, these detections cover both the kit-operated phishing infrastructure and the legitimate auth pages that the attack flow depends on.",[],{},{"nodeType":243,"data":2898,"content":2899},{},[2900,2905],{"nodeType":247,"value":2901,"marks":2902,"data":2904},"For OAuth supply chain attacks,",[2903],{"type":299},{},{"nodeType":247,"value":2906,"marks":2907,"data":2908}," Push's detects and controls OAuth consent flows at the browser layer — capturing which application is requesting access, what scopes it's requesting, and whether the grant should be permitted under organizational policy. Push customers can also block OAuth connection requests as they transit the browser, enabling security teams to stop unwanted integrations being added in the first place. ",[],{},{"nodeType":243,"data":2910,"content":2911},{},[2912,2917],{"nodeType":247,"value":2913,"marks":2914,"data":2916},"For the infostealer credential playbook,",[2915],{"type":299},{},{"nodeType":247,"value":2918,"marks":2919,"data":2920}," Push's stolen credential detection identifies when employees are using credentials that have appeared in breach datasets or dark web feeds — catching the moment a dormant infostealer credential surfaces at a browser-based login, as well as surfacing insecure login methods missing mitigating controls like MFA and enforcing them through in-browser guardrails. And on the supply side, Push's ClickFix detection addresses the browser-based delivery vector that is now the primary method for distributing infostealer malware in the first place.",[],{},{"nodeType":243,"data":2922,"content":2923},{},[2924,2927,2935],{"nodeType":247,"value":29,"marks":2925,"data":2926},[],{},{"nodeType":252,"data":2928,"content":2930},{"uri":2929},"https://pushsecurity.com/blog/guide-how-to-use-push-controls-to-protect-your-users-from-modern-attacks/",[2931],{"nodeType":247,"value":2932,"marks":2933,"data":2934},"Learn more about how you can use Push controls to protect your users from in-browser threats here. ",[],{},{"nodeType":247,"value":29,"marks":2936,"data":2937},[],{},{"nodeType":1226,"data":2939,"content":2940},{},[2941],{"nodeType":247,"value":2942,"marks":2943,"data":2945},"Closing thoughts",[2944],{"type":299},{},{"nodeType":243,"data":2947,"content":2948},{},[2949],{"nodeType":247,"value":2950,"marks":2951,"data":2952},"The campaigns documented in this post are not historical — they are ongoing, with new victims surfacing weekly and the underlying criminal infrastructure still actively developing. But the defensive strategy does not require anticipating which specific group, vector, or target sector comes next, because all of them converge on the same control point: the browser, where the attack begins or the integration decision is made. Organizations with browser-layer detection and OAuth governance in place have defense-in-depth against the full range of techniques these groups employ, regardless of which specific vector any given campaign uses.",[],{},{"nodeType":288,"data":2954,"content":2955},{},[],{"nodeType":243,"data":2957,"content":2958},{},[2959],{"nodeType":247,"value":2265,"marks":2960,"data":2961},[],{},{"nodeType":243,"data":2963,"content":2964},{},[2965],{"nodeType":247,"value":808,"marks":2966,"data":2967},[],{},{"nodeType":243,"data":2969,"content":2970},{},[2971,2974,2982],{"nodeType":247,"value":29,"marks":2972,"data":2973},[],{},{"nodeType":252,"data":2975,"content":2977},{"uri":2976},"https://pushsecurity.com/demo/",[2978],{"nodeType":247,"value":2979,"marks":2980,"data":2981},"Book a live demo to learn more.",[],{},{"nodeType":247,"value":29,"marks":2983,"data":2984},[],{},{"nodeType":288,"data":2986,"content":2987},{},[],{"nodeType":292,"data":2989,"content":2990},{},[2991],{"nodeType":247,"value":2992,"marks":2993,"data":2995},"Appendix: named ShinyHunters victims since May 2025",[2994],{"type":299},{},{"nodeType":243,"data":2997,"content":2998},{},[2999,3003,3010],{"nodeType":247,"value":3000,"marks":3001,"data":3002},"To give an indication of the scale, the following table documents all publicly named victims attributed to ShinyHunters specifically since the Salesforce campaign began in May 2025. It is not exhaustive: ShinyHunters has claimed over 1,000 organizations in aggregate across its Salesforce campaigns alone, and many victims have not been publicly named. This list also doesn’t include the billion-plus records compromised in the 2024 Snowflake breaches. The major ransomware attacks executed against M&S, Co-op, and Jaguar Land Rover claimed by the ",[],{},{"nodeType":252,"data":3004,"content":3005},{"uri":860},[3006],{"nodeType":247,"value":3007,"marks":3008,"data":3009},"Scattered Lapsus$ Hunters \"brand\"",[],{},{"nodeType":247,"value":3011,"marks":3012,"data":3013}," also aren't listed below. ",[],{},{"nodeType":3015,"data":3016,"content":3017},"table",{},[3018,3067,3131,3179,3227],{"nodeType":3019,"data":3020,"content":3021},"table-row",{},[3022,3034,3045,3056],{"nodeType":3023,"data":3024,"content":3025},"table-cell",{},[3026],{"nodeType":243,"data":3027,"content":3028},{},[3029],{"nodeType":247,"value":3030,"marks":3031,"data":3033},"Campaign",[3032],{"type":299},{},{"nodeType":3023,"data":3035,"content":3036},{},[3037],{"nodeType":243,"data":3038,"content":3039},{},[3040],{"nodeType":247,"value":3041,"marks":3042,"data":3044},"Began",[3043],{"type":299},{},{"nodeType":3023,"data":3046,"content":3047},{},[3048],{"nodeType":243,"data":3049,"content":3050},{},[3051],{"nodeType":247,"value":3052,"marks":3053,"data":3055},"Named victims",[3054],{"type":299},{},{"nodeType":3023,"data":3057,"content":3058},{},[3059],{"nodeType":243,"data":3060,"content":3061},{},[3062],{"nodeType":247,"value":3063,"marks":3064,"data":3066},"Confirmed impact",[3065],{"type":299},{},{"nodeType":3019,"data":3068,"content":3069},{},[3070,3094,3104,3114],{"nodeType":3023,"data":3071,"content":3072},{},[3073],{"nodeType":243,"data":3074,"content":3075},{},[3076,3081,3085,3090],{"nodeType":247,"value":3077,"marks":3078,"data":3080},"ShinyHunters Salesforce Vishing",[3079],{"type":299},{},{"nodeType":247,"value":3082,"marks":3083,"data":3084}," (vishing + device code phishing → Salesforce connected app authorization) \n\n& ",[],{},{"nodeType":247,"value":3086,"marks":3087,"data":3089},"Salesloft/Drift Supply Chain",[3088],{"type":299},{},{"nodeType":247,"value":3091,"marks":3092,"data":3093}," (stolen OAuth tokens → downstream Salesforce access)",[],{},{"nodeType":3023,"data":3095,"content":3096},{},[3097],{"nodeType":243,"data":3098,"content":3099},{},[3100],{"nodeType":247,"value":3101,"marks":3102,"data":3103},"May 2025",[],{},{"nodeType":3023,"data":3105,"content":3106},{},[3107],{"nodeType":243,"data":3108,"content":3109},{},[3110],{"nodeType":247,"value":3111,"marks":3112,"data":3113},"Coca-Cola Europacific Partners, Cisco, Qantas, LVMH, Adidas, Google, Chanel, Pandora, Allianz Life, Air France-KLM, Farmers Insurance, Workday, TransUnion, Stellantis, Kering, Odido, Hallmark, Salesloft (origin), Toast, Avalara, Fastly, Cato Networks, Cloudflare, Palo Alto Networks, Zscaler, Tenable, Elastic, JFrog, CyberArk, Rubrik, BeyondTrust, Proofpoint, Workiva, Mercer Advisors, Beacon Pointe, Ameriprise, Kemper, Udemy, 7-Eleven, Mytheresa, Marcus & Millichap, Carnival, Pitney Bowes, Alert 360, Amtrak, McGraw-Hill, Canada Life, Charter Communications",[],{},{"nodeType":3023,"data":3115,"content":3116},{},[3117,3124],{"nodeType":243,"data":3118,"content":3119},{},[3120],{"nodeType":247,"value":3121,"marks":3122,"data":3123},"49 named victims. Confirmed individual impact includes 23M+ records (Coca-Cola), 5.7M records (Qantas), 6.2M customers (Odido), 4.4M consumers (TransUnion), up to 18M records (Stellantis), 13.5M emails (McGraw-Hill), 8.2M emails (Pitney Bowes), 7.5M emails (Carnival), 7-Eleven: 185K confirmed by HIBP (SSNs, driver's licenses; franchisee data), Charter Communications: millions of records claimed (company disputes scope). ",[],{},{"nodeType":243,"data":3125,"content":3126},{},[3127],{"nodeType":247,"value":3128,"marks":3129,"data":3130},"ShinyHunters claims 1.5B+ Salesforce records across 1,000+ organizations total.",[],{},{"nodeType":3019,"data":3132,"content":3133},{},[3134,3149,3159,3169],{"nodeType":3023,"data":3135,"content":3136},{},[3137],{"nodeType":243,"data":3138,"content":3139},{},[3140,3145],{"nodeType":247,"value":3141,"marks":3142,"data":3144},"Vishing + AiTM SSO",[3143],{"type":299},{},{"nodeType":247,"value":3146,"marks":3147,"data":3148}," (vishing → AiTM phishing page → SSO session capture → SaaS data exfiltration)",[],{},{"nodeType":3023,"data":3150,"content":3151},{},[3152],{"nodeType":243,"data":3153,"content":3154},{},[3155],{"nodeType":247,"value":3156,"marks":3157,"data":3158},"Aug 2025",[],{},{"nodeType":3023,"data":3160,"content":3161},{},[3162],{"nodeType":243,"data":3163,"content":3164},{},[3165],{"nodeType":247,"value":3166,"marks":3167,"data":3168},"SoundCloud, GrubHub, Panera Bread, Match Group, Crunchbase, Betterment, CarMax, Edmunds, CarGurus, Hims & Hers, University of Pennsylvania, Harvard University, Optimizely, TELUS Digital, Crunchyroll, ADT",[],{},{"nodeType":3023,"data":3170,"content":3171},{},[3172],{"nodeType":243,"data":3173,"content":3174},{},[3175],{"nodeType":247,"value":3176,"marks":3177,"data":3178},"16 named victims. Confirmed individual impact includes ~30M records (SoundCloud), ~14M records (Panera), 10M+ records (Match Group), ~20M records (Betterment), 5.5M people (ADT), 1M+ records (UPenn), ~1PB stolen from TELUS Digital ($65M ransom refused).",[],{},{"nodeType":3019,"data":3180,"content":3181},{},[3182,3197,3207,3217],{"nodeType":3023,"data":3183,"content":3184},{},[3185],{"nodeType":243,"data":3186,"content":3187},{},[3188,3193],{"nodeType":247,"value":3189,"marks":3190,"data":3192},"Anodot Supply Chain",[3191],{"type":299},{},{"nodeType":247,"value":3194,"marks":3195,"data":3196}," (stolen OAuth tokens → downstream Snowflake/BigQuery access)",[],{},{"nodeType":3023,"data":3198,"content":3199},{},[3200],{"nodeType":243,"data":3201,"content":3202},{},[3203],{"nodeType":247,"value":3204,"marks":3205,"data":3206},"Apr 2026",[],{},{"nodeType":3023,"data":3208,"content":3209},{},[3210],{"nodeType":243,"data":3211,"content":3212},{},[3213],{"nodeType":247,"value":3214,"marks":3215,"data":3216},"Anodot/Glassbox (origin), Rockstar Games, Vimeo, Zara/Inditex",[],{},{"nodeType":3023,"data":3218,"content":3219},{},[3220],{"nodeType":243,"data":3221,"content":3222},{},[3223],{"nodeType":247,"value":3224,"marks":3225,"data":3226},"4 named victims (12+ total claimed). 78.6M records (Rockstar Games), 197K individuals (Zara), 119K individuals (Vimeo).",[],{},{"nodeType":3019,"data":3228,"content":3229},{},[3230,3245,3254,3264],{"nodeType":3023,"data":3231,"content":3232},{},[3233],{"nodeType":243,"data":3234,"content":3235},{},[3236,3241],{"nodeType":247,"value":3237,"marks":3238,"data":3240},"Other SLH-attributed",[3239],{"type":299},{},{"nodeType":247,"value":3242,"marks":3243,"data":3244}," (misc. vectors including infostealer chains, CI/CD supply chain, SaaS platform compromise)",[],{},{"nodeType":3023,"data":3246,"content":3247},{},[3248],{"nodeType":243,"data":3249,"content":3250},{},[3251],{"nodeType":247,"value":3101,"marks":3252,"data":3253},[],{},{"nodeType":3023,"data":3255,"content":3256},{},[3257],{"nodeType":243,"data":3258,"content":3259},{},[3260],{"nodeType":247,"value":3261,"marks":3262,"data":3263},"UK Legal Aid Agency, Mixpanel, Wynn Resorts, Woflow, Vercel, European Commission, Mercor, Medtronic, Instructure",[],{},{"nodeType":3023,"data":3265,"content":3266},{},[3267],{"nodeType":243,"data":3268,"content":3269},{},[3270],{"nodeType":247,"value":3271,"marks":3272,"data":3273},"10 named victims across varied vectors. Notable: Vercel (Lumma Stealer → Context.ai OAuth app → Google Workspace), European Commission (poisoned Trivy GitHub Action → 340GB across 71 EU entities)",[],{},{"nodeType":243,"data":3275,"content":3276},{},[3277],{"nodeType":247,"value":29,"marks":3278,"data":3279},[],{},"The three attack techniques behind ShinyHunters' 2026 campaigns ","ShinyHunters' breach of Instructure is the latest in a long series of attacks. Here's our view of the big picture. ","2026-05-08T00:00:00.000Z","analyzing-the-instructure-breach",{"items":3285},[3286,3290],{"sys":3287,"name":3289},{"id":3288},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":3291,"name":2296},{"id":2295},{"items":3293},[3294],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":3295},{"url":236},"7-things-omdias-latest-report-tells-us-about-the-secure-enterprise-browser-market","blog/7-things-omdias-latest-report-tells-us-about-the-secure-enterprise-browser-market",{"json":3299},{"data":3300,"content":3301,"nodeType":239},{},[3302],{"data":3303,"content":3304,"nodeType":243},{},[3305],{"data":3306,"marks":3307,"value":3308,"nodeType":247},{},[],"New research from Omdia has put hard numbers behind something security teams have been feeling for the past two years: the browser has become the primary attack surface in the enterprise, organizations are investing accordingly, and the results are already measurable.","Unpacking the latest research report from Omdia and what it means for the secure enterprise browser market.",{"id":3311,"publishedAt":3312},"217s8zu5idSdX25TUgbPQ1","2026-06-01T16:42:33.145Z",{"items":3314},[3315,3317],{"sys":3316,"name":1754},{"id":1753},{"sys":3318,"name":1758},{"id":1757},"xpEQ7dm_0hNdjNeEFjVdfwHAc7YHs_VNxdJnfDuYSCk",1784196729709]