[{"data":1,"prerenderedAt":3574},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":1361,"faqItemsCollection":1362,"faqTitle":62,"featured":34,"hashTags":62,"meta":1364,"metaTitle":1365,"ogImage":62,"publishedDate":1366,"relatedBlogPostsCollection":1367,"slug":3550,"stem":3551,"subtitle":62,"summary":3552,"synopsis":3563,"sys":3564,"tagsCollection":3567,"__hash__":3573},"blog/blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline.json","Can AI replace a threat researcher? What we learned building an agentic threat hunting pipeline",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Kelly Davenport","Kelly","Product Team",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"json":238,"links":1202},{"data":239,"content":240,"nodeType":1201},{},[241,250,274,287,294,303,310,334,341,348,355,367,374,378,387,403,424,540,546,553,559,568,575,587,594,600,607,631,638,645,651,654,662,669,677,684,700,707,714,722,729,736,744,751,758,761,769,776,784,791,798,805,812,820,827,860,867,874,880,887,895,902,980,986,994,1010,1017,1023,1030,1046,1049,1057,1064,1071,1077,1084,1130,1137,1144,1151,1157,1160,1168,1175,1182],{"data":242,"content":243,"nodeType":249},{},[244],{"data":245,"marks":246,"value":247,"nodeType":248},{},[],"In March, our threat hunting engine flagged something it hadn’t seen before.","text","paragraph",{"data":251,"content":252,"nodeType":249},{},[253,257,270],{"data":254,"marks":255,"value":256,"nodeType":248},{},[],"Our research team had already been tracking the growing use of ",{"data":258,"content":264,"nodeType":269},{"target":259},{"sys":260},{"id":261,"type":262,"linkType":263},"2U6QpQ9rkY8x5ES48okHZB","Link","Entry",[265],{"data":266,"marks":267,"value":268,"nodeType":248},{},[],"malvertising","entry-hyperlink",{"data":271,"marks":272,"value":273,"nodeType":248},{},[]," tied to phishing campaigns. Malvertising frequently targets users via Google Search results, inserting malicious ads or redirects in place of legitimate ads, and using the familiar context of the search results page to trick users into clicking.",{"data":275,"content":276,"nodeType":249},{},[277,281],{"data":278,"marks":279,"value":280,"nodeType":248},{},[],"To defend Push customers against this threat, we needed a way to spot malicious activity arising from clicking on Google ads. ",{"data":282,"marks":283,"value":286,"nodeType":248},{},[284],{"type":285},"italic","But how to separate signal from noise?",{"data":288,"content":289,"nodeType":249},{},[290],{"data":291,"marks":292,"value":293,"nodeType":248},{},[],"Our hunt combined the skills of human researchers and AI agents to find 12 meaningful results from trillions of browser events visible to the Push extension across our install base.",{"data":295,"content":296,"nodeType":249},{},[297],{"data":298,"marks":299,"value":302,"nodeType":248},{},[300],{"type":301},"bold","Of those, one was novel. ",{"data":304,"content":305,"nodeType":249},{},[306],{"data":307,"marks":308,"value":309,"nodeType":248},{},[],"A user had searched for NotebookLM, clicked a paid Google ad, and gotten redirected to a page impersonating NotebookLM. The page itself was just a facade fronting a Cloudflare Pages-hosted phishing kit with a WebAssembly C2 connector. To the user, it looked like a completely on-brand NotebookLM page, and if they had run the fake install prompt, they would have installed malware. (Note: NotebookLM doesn’t even require a local install, but the page was convincing enough — and AI platforms are changing so quickly — that the lure was extremely believable.)",{"data":311,"content":312,"nodeType":249},{},[313,318,329],{"data":314,"marks":315,"value":317,"nodeType":248},{},[316],{"type":301},"We had found our first in-the-wild ",{"data":319,"content":323,"nodeType":269},{"target":320},{"sys":321},{"id":322,"type":262,"linkType":263},"7bG71Eo43crbIHKzczooVS",[324],{"data":325,"marks":326,"value":328,"nodeType":248},{},[327],{"type":301},"InstallFix attack",{"data":330,"marks":331,"value":333,"nodeType":248},{},[332],{"type":301},".",{"data":335,"content":336,"nodeType":249},{},[337],{"data":338,"marks":339,"value":340,"nodeType":248},{},[],"Within minutes, our analysis agents created detections, and researchers shipped a new detection to every Push customer. ",{"data":342,"content":343,"nodeType":249},{},[344],{"data":345,"marks":346,"value":347,"nodeType":248},{},[],"Eighteen months ago, it would have taken a human analyst days or even weeks to unpack the attack, comb through web requests, de-obfuscate web code, trace JavaScript execution, and extract signals of tactics, techniques, and procedures (TTPs) beyond short-lived single-use IOCs like domain name, then get their work coded up as a detection and deployed to customers. ",{"data":349,"content":350,"nodeType":249},{},[351],{"data":352,"marks":353,"value":354,"nodeType":248},{},[],"That was viable when new tools or techniques showed up once or twice a quarter. It doesn’t stand a chance when attack evolutions occur weekly or even daily. That’s the reality now with AI-generated adversary tools.",{"data":356,"content":357,"nodeType":249},{},[358,363],{"data":359,"marks":360,"value":362,"nodeType":248},{},[361],{"type":301},"So, can AI agents replace human threat researchers?",{"data":364,"marks":365,"value":366,"nodeType":248},{},[]," That’s the wrong question. Can AI agents massively scale the expertise of a seasoned human threat hunter without getting bored of repetitive tasks, missing pertinent but easily overlooked details, or creating operational siloes dependent on one person’s knowledge — and do its work continuously across trillions of data points? Yes, absolutely.",{"data":368,"content":372,"nodeType":373},{"target":369},{"sys":370},{"id":371,"type":262,"linkType":263},"3OiZ7BrViCTTMmHUAbloEt",[],"embedded-entry-block",{"data":375,"content":376,"nodeType":377},{},[],"hr",{"data":379,"content":380,"nodeType":386},{},[381],{"data":382,"marks":383,"value":385,"nodeType":248},{},[384],{"type":301},"Why scaling browser threat detection requires more than more analysts","heading-1",{"data":388,"content":389,"nodeType":249},{},[390,394,399],{"data":391,"marks":392,"value":393,"nodeType":248},{},[],"Already this year, we’ve ",{"data":395,"marks":396,"value":398,"nodeType":248},{},[397],{"type":301},"tripled",{"data":400,"marks":401,"value":402,"nodeType":248},{},[]," the cumulative number of detections shipped to Push customers using this pipeline. That output points to the first problem we set out to solve by employing AI agents: Scaling our research team’s considerable expertise.",{"data":404,"content":405,"nodeType":249},{},[406,410,420],{"data":407,"marks":408,"value":409,"nodeType":248},{},[],"Push’s R&D team are experts at understanding and unpacking modern browser-based attacks. This is essential when you consider how quickly attacks themselves are evolving. When we created the ",{"data":411,"content":415,"nodeType":269},{"target":412},{"sys":413},{"id":414,"type":262,"linkType":263},"211Dd0EIrXPOFpvRgs0fEE",[416],{"data":417,"marks":418,"value":419,"nodeType":248},{},[],"Browser & Identity Attacks Matrix",{"data":421,"marks":422,"value":423,"nodeType":248},{},[]," in 2023 (then called the SaaS Attacks Matrix), many of the ideas in it were theoretical. Not anymore. ",{"data":425,"content":426,"nodeType":539},{},[427,438,462],{"data":428,"content":429,"nodeType":437},{},[430],{"data":431,"content":432,"nodeType":249},{},[433],{"data":434,"marks":435,"value":436,"nodeType":248},{},[],"We’ve tracked the rise of AiTM phish kits from their status as MFA-bypassing novelties to the emergence of an entire criminal ecosystem built around increasingly sophisticated Phishing-as-a-Service tools. ","list-item",{"data":439,"content":440,"nodeType":437},{},[441],{"data":442,"content":443,"nodeType":249},{},[444,448,458],{"data":445,"marks":446,"value":447,"nodeType":248},{},[],"We imagined the simple but effective power of using device code authorization for phishing three years ago; in the last few months, we’ve detected a 37x increase in ",{"data":449,"content":453,"nodeType":269},{"target":450},{"sys":451},{"id":452,"type":262,"linkType":263},"5DmCqTU2Tg4adYScA5vT2x",[454],{"data":455,"marks":456,"value":457,"nodeType":248},{},[],"device code phishing attacks",{"data":459,"marks":460,"value":461,"nodeType":248},{},[]," across our install base. ",{"data":463,"content":464,"nodeType":437},{},[465],{"data":466,"content":467,"nodeType":249},{},[468,472,482,486,495,499,509,513,522,525,535],{"data":469,"marks":470,"value":471,"nodeType":248},{},[],"We were also the first to detect a novel post-authorization attack we dubbed ",{"data":473,"content":477,"nodeType":269},{"target":474},{"sys":475},{"id":476,"type":262,"linkType":263},"71EaaK7lfl6bQBbkAU0qjv",[478],{"data":479,"marks":480,"value":481,"nodeType":248},{},[],"ConsentFix",{"data":483,"marks":484,"value":485,"nodeType":248},{},[]," that combines OAuth consent phishing and ClickFix-style user prompts; reported on the rise of the ridiculously simple yet effective ",{"data":487,"content":490,"nodeType":269},{"target":488},{"sys":489},{"id":322,"type":262,"linkType":263},[491],{"data":492,"marks":493,"value":494,"nodeType":248},{},[],"InstallFix technique",{"data":496,"marks":497,"value":498,"nodeType":248},{},[]," described earlier; and detected an array of other ",{"data":500,"content":504,"nodeType":269},{"target":501},{"sys":502},{"id":503,"type":262,"linkType":263},"2YmiesBvJHGw4wiKEKzLUq",[505],{"data":506,"marks":507,"value":508,"nodeType":248},{},[],"creative",{"data":510,"marks":511,"value":512,"nodeType":248},{},[]," ",{"data":514,"content":517,"nodeType":269},{"target":515},{"sys":516},{"id":261,"type":262,"linkType":263},[518],{"data":519,"marks":520,"value":521,"nodeType":248},{},[],"phishing",{"data":523,"marks":524,"value":512,"nodeType":248},{},[],{"data":526,"content":530,"nodeType":269},{"target":527},{"sys":528},{"id":529,"type":262,"linkType":263},"6Zosy4SU0LpjlaSWX75peb",[531],{"data":532,"marks":533,"value":534,"nodeType":248},{},[],"campaigns",{"data":536,"marks":537,"value":538,"nodeType":248},{},[]," tied to malvertising scams.","unordered-list",{"data":541,"content":545,"nodeType":373},{"target":542},{"sys":543},{"id":544,"type":262,"linkType":263},"53U3LHhhHFYnEpShdLmDqs",[],{"data":547,"content":548,"nodeType":249},{},[549],{"data":550,"marks":551,"value":552,"nodeType":248},{},[],"With an agentic approach, we could scale this expertise and reduce the time it takes to go from technique discovery to production-ready detection. This speed is critical now because adversaries are also using AI tools to do their work, exploding the number of trivial-to-rotate indicators of compromise and overwhelming existing detection workflows that lack an equivalent machine speed.",{"data":554,"content":558,"nodeType":373},{"target":555},{"sys":556},{"id":557,"type":262,"linkType":263},"1u00uFbC4xsvP9lqahXbgD",[],{"data":560,"content":561,"nodeType":567},{},[562],{"data":563,"marks":564,"value":566,"nodeType":248},{},[565],{"type":301},"Scaling behavioral detections, not just making bigger blocklists","heading-2",{"data":569,"content":570,"nodeType":249},{},[571],{"data":572,"marks":573,"value":574,"nodeType":248},{},[],"But output numbers alone don’t tell the story of successful detections. That’s the other problem we set out to solve at scale: Most secure browser solutions rely on detection logic based on blocking known-bad indicators like domains, IPs, and URLs.",{"data":576,"content":577,"nodeType":249},{},[578,583],{"data":579,"marks":580,"value":582,"nodeType":248},{},[581],{"type":301},"If your solution offers 1,000 detections, and they’re all based on known-bad indicators that are easily rotated, then you’ve got 1,000 detections that worked once and will likely never fire again. ",{"data":584,"marks":585,"value":586,"nodeType":248},{},[],"They certainly won’t catch subtle adaptations in adversary techniques that don’t rely on infrastructure changes, which are easy for attackers to swap anyway. ",{"data":588,"content":589,"nodeType":249},{},[590],{"data":591,"marks":592,"value":593,"nodeType":248},{},[],"Push does it differently. Our detection engine is focused on hunting for tactics, techniques, and procedures: the behavioral fingerprints of an attack, not just the infrastructure it runs on. ",{"data":595,"content":599,"nodeType":373},{"target":596},{"sys":597},{"id":598,"type":262,"linkType":263},"5jR3YVUiusHGnXDOyrgYpr",[],{"data":601,"content":602,"nodeType":249},{},[603],{"data":604,"marks":605,"value":606,"nodeType":248},{},[],"Instead of blocking based on known-bad domains, URLs, and IPs, our detections are built around user-level and page-level behaviors like what scripts load, how redirects behave, what events fire, what actions a user takes and what happens next, etc. (In fact, Push detections don’t even use any infrastructure-based IOCs, though customers can write their own custom detections if they have a specific IOC they’re keeping an eye on.)",{"data":608,"content":609,"nodeType":249},{},[610,615,626],{"data":611,"marks":612,"value":614,"nodeType":248},{},[613],{"type":301},"All the detections we write would survive infrastructure rotation by adversaries, and many of our existing detections have caught never-before-seen evolutions in TTPs. That’s because we focus on the top of the ",{"data":616,"content":620,"nodeType":269},{"target":617},{"sys":618},{"id":619,"type":262,"linkType":263},"1qegIy4rMdm5XZXnIEoKpE",[621],{"data":622,"marks":623,"value":625,"nodeType":248},{},[624],{"type":301},"Pyramid of Pain",{"data":627,"marks":628,"value":630,"nodeType":248},{},[629],{"type":301},", the indicators that are hardest for attackers to change.",{"data":632,"content":633,"nodeType":249},{},[634],{"data":635,"marks":636,"value":637,"nodeType":248},{},[],"This focus on detecting TTPs has always been our approach. But with the acceleration in both attack types and the ease with which adversaries rotate infrastructure, we needed to build capabilities that scaled our knowledge. ",{"data":639,"content":640,"nodeType":249},{},[641],{"data":642,"marks":643,"value":644,"nodeType":248},{},[],"We did this not by replacing researchers, but by continuously activating their expertise. You can hear what our CEO and Co-founder Adam had to say about this below. ",{"data":646,"content":650,"nodeType":373},{"target":647},{"sys":648},{"id":649,"type":262,"linkType":263},"C9gr4nF3f6CW45Aol9xij",[],{"data":652,"content":653,"nodeType":377},{},[],{"data":655,"content":656,"nodeType":386},{},[657],{"data":658,"marks":659,"value":661,"nodeType":248},{},[660],{"type":301},"Core principles for agentic threat hunting",{"data":663,"content":664,"nodeType":249},{},[665],{"data":666,"marks":667,"value":668,"nodeType":248},{},[],"Three principles make Push's agentic threat hunting and detection engineering pipeline work:",{"data":670,"content":671,"nodeType":567},{},[672],{"data":673,"marks":674,"value":676,"nodeType":248},{},[675],{"type":301},"Context matters more than custom models",{"data":678,"content":679,"nodeType":249},{},[680],{"data":681,"marks":682,"value":683,"nodeType":248},{},[],"We’re not AI researchers; we’re security researchers — we aren't trying to compete in building the most intelligent models. And in our view, AI models are quickly becoming commoditized like cloud infrastructure, anyway. Luckily, the commercial models today already excel at understanding web code. We just need to harness their power with our expertise.",{"data":685,"content":686,"nodeType":249},{},[687,691,696],{"data":688,"marks":689,"value":690,"nodeType":248},{},[],"So at Push, we use a variety of commercial AI models and tools in complementary ways. What matters most is the telemetry they analyze, and that’s where Push’s existing product infrastructure shines: We’re already deployed into over ",{"data":692,"marks":693,"value":695,"nodeType":248},{},[694],{"type":301},"3 million browsers worldwide",{"data":697,"marks":698,"value":699,"nodeType":248},{},[],", and the Push browser extension includes a component that operates as a flight recorder to locally record everything that matters inside a browser session.",{"data":701,"content":702,"nodeType":249},{},[703],{"data":704,"marks":705,"value":706,"nodeType":248},{},[],"This universe of metadata — DOM elements, tab context, script execution, network traffic, user actions, credential entry, etc. — becomes the searchable corpus for hunts. Metadata is stored locally in users’ browsers and only queried during targeted threat hunts. ",{"data":708,"content":709,"nodeType":249},{},[710],{"data":711,"marks":712,"value":713,"nodeType":248},{},[],"This approach avoids dragnet collection of sensitive data. Instead, we focus on collecting metadata and distilling that into patterns and insights that provide context for agents to perform their analysis. This means that Push also does not train or fine-tune models on customer data.",{"data":715,"content":716,"nodeType":567},{},[717],{"data":718,"marks":719,"value":721,"nodeType":248},{},[720],{"type":301},"Agents are only as good as the context you give them. Good context is researcher-led",{"data":723,"content":724,"nodeType":249},{},[725],{"data":726,"marks":727,"value":728,"nodeType":248},{},[],"AI agents don’t know how to identify the TTPs of browser-based attacks until you give them the right context, and Push researchers have spent years unpacking these techniques and tools. Agents at Push consume our internal knowledge base of identified TTPs, and both humans and agents perform meta-analyses to check their work. The agents have access to large libraries of traces of human interactions with real phishing kits. This is a powerful dataset to build on.",{"data":730,"content":731,"nodeType":249},{},[732],{"data":733,"marks":734,"value":735,"nodeType":248},{},[],"When we don’t get the results we want from AI models, the question is “What context is it missing? What does our human team know that the agents don’t, and how can we give them that context — do they need data, tools, better workflows?” That closes the gap in performance and keeps quality high.",{"data":737,"content":738,"nodeType":567},{},[739],{"data":740,"marks":741,"value":743,"nodeType":248},{},[742],{"type":301},"Integrated architecture that makes agentic AI the throughput layer, not a bolt-on",{"data":745,"content":746,"nodeType":249},{},[747],{"data":748,"marks":749,"value":750,"nodeType":248},{},[],"The constraint we’re trying to break by using AI isn’t knowledge, it’s throughput. Our researchers deeply understand the techniques and tools. An agentic pipeline can apply that understanding continuously across millions of browsers and trillions of events, ingest new external signals, generate hunt hypotheses, triage results, and return only the findings that warrant escalation.",{"data":752,"content":753,"nodeType":249},{},[754],{"data":755,"marks":756,"value":757,"nodeType":248},{},[],"This approach relies on tight integration of our product and our agentic workflows. We’ll take a closer look at that in the next section.",{"data":759,"content":760,"nodeType":377},{},[],{"data":762,"content":763,"nodeType":386},{},[764],{"data":765,"marks":766,"value":768,"nodeType":248},{},[767],{"type":301},"How the agentic detection pipeline runs",{"data":770,"content":771,"nodeType":249},{},[772],{"data":773,"marks":774,"value":775,"nodeType":248},{},[],"Now let’s look at how agentic threat detection actually works, and some of the emerging best practices we’ve identified. We'll cover two example hunts, one initiated autonomously by the agents themselves, and one by our research team. ",{"data":777,"content":778,"nodeType":567},{},[779],{"data":780,"marks":781,"value":783,"nodeType":248},{},[782],{"type":301},"Example 1: Autonomous threat hunt",{"data":785,"content":786,"nodeType":249},{},[787],{"data":788,"marks":789,"value":790,"nodeType":248},{},[],"Push’s threat hunting pipeline ingested context from research articles describing a new attack technique, and an agent developed hypotheses on what to hunt for across Push’s install base to identify instances of this attack. ",{"data":792,"content":793,"nodeType":249},{},[794],{"data":795,"marks":796,"value":797,"nodeType":248},{},[],"The agent crafted detection queries and then refined them to reduce false positives. The successful query ran across stored metadata and returned results, validating that there were zero false positives. ",{"data":799,"content":800,"nodeType":249},{},[801],{"data":802,"marks":803,"value":804,"nodeType":248},{},[],"The validated query became a scheduled job that runs on a regular cadence to monitor for potentially malicious signals. A triage agent then received any matches, did an initial analysis, and passed anything that looked suspicious to another agent to perform deeper analysis. This deep analysis agent wields the full investigative toolkit that a human researcher would — using Push’s internal knowledge base, domain age and registration analysis, URLScan and whois lookups, DOM image analysis, and contextual analysis of page-level and user-level behaviors, etc.",{"data":806,"content":807,"nodeType":249},{},[808],{"data":809,"marks":810,"value":811,"nodeType":248},{},[],"Within a few minutes, it can filter a thousand or more signals in a hunt trace down to a handful with meaning and provide an actionable assessment. Then, once the TTP was well-understood, other agents wrote and refined detections that can raise alerts for customers when an event of this type is seen. The Push platform immediately applies the customer’s configured security controls, such as blocking users from interacting with malicious pages.",{"data":813,"content":814,"nodeType":567},{},[815],{"data":816,"marks":817,"value":819,"nodeType":248},{},[818],{"type":301},"Example 2: Human-initiated threat hunt",{"data":821,"content":822,"nodeType":249},{},[823],{"data":824,"marks":825,"value":826,"nodeType":248},{},[],"Now, going back to the example from the beginning of the article: InstallFix. This hunt started with a thorny problem our research team needed to solve: How to detect bad things downstream of a user interacting with a Google ad? We needed a way to pinpoint the bad links from the good ones.",{"data":828,"content":829,"nodeType":249},{},[830,834,839,843,848,851,856],{"data":831,"marks":832,"value":833,"nodeType":248},{},[],"Our researchers collaborated with agents to formulate the right parameters for hunt queries, taking into account that good ads are normally bought by companies with marketing budgets, so therefore ads will be expected to redirect to pages hosted on custom domains, not shared domains like ",{"data":835,"marks":836,"value":838,"nodeType":248},{},[837],{"type":301},"*pages.dev",{"data":840,"marks":841,"value":842,"nodeType":248},{},[],", ",{"data":844,"marks":845,"value":847,"nodeType":248},{},[846],{"type":301},"*workers.dev",{"data":849,"marks":850,"value":842,"nodeType":248},{},[],{"data":852,"marks":853,"value":855,"nodeType":248},{},[854],{"type":301},"*squarespace.com",{"data":857,"marks":858,"value":859,"nodeType":248},{},[],", etc.",{"data":861,"content":862,"nodeType":249},{},[863],{"data":864,"marks":865,"value":866,"nodeType":248},{},[],"Our AI agents already understood key TTPs that indicated potential maliciousness on a page: password prompts, file downloads, OAuth integrations, clipboard copies, and similar user prompts that are frequently abused.",{"data":868,"content":869,"nodeType":249},{},[870],{"data":871,"marks":872,"value":873,"nodeType":248},{},[],"The agent ran several queries that returned matching browsing traces — the term we use for sequences of events in a session or tab context — where the user clicked a Google ad, was redirected to a page on a shared hosting domain, and then clicked a button to copy content to their clipboard.",{"data":875,"content":879,"nodeType":373},{"target":876},{"sys":877},{"id":878,"type":262,"linkType":263},"4IWOrWuvbwzWRJUkINiwKH",[],{"data":881,"content":882,"nodeType":249},{},[883],{"data":884,"marks":885,"value":886,"nodeType":248},{},[],"We got back high-fidelity findings and then tuned the query into a continuous detection that leveraged existing detection logic around related techniques. This process also effectively back-tests new detections, so we know we’re not going to generate a lot of false positives. Result: A new detection against a new technique, plus several improvements to existing detections.",{"data":888,"content":889,"nodeType":567},{},[890],{"data":891,"marks":892,"value":894,"nodeType":248},{},[893],{"type":301},"What infrastructure is needed for agentic threat hunting?",{"data":896,"content":897,"nodeType":249},{},[898],{"data":899,"marks":900,"value":901,"nodeType":248},{},[],"Both of these examples illustrate the end-to-end workflows supported by this pipeline. From an infrastructure perspective, you can think about the pipeline as composed of:",{"data":903,"content":904,"nodeType":539},{},[905,920,935,950,965],{"data":906,"content":907,"nodeType":437},{},[908],{"data":909,"content":910,"nodeType":249},{},[911,916],{"data":912,"marks":913,"value":915,"nodeType":248},{},[914],{"type":301},"A flight recorder: ",{"data":917,"marks":918,"value":919,"nodeType":248},{},[],"The Push extension-powered capability that collects and locally stores browser event metadata from users’ browsers.",{"data":921,"content":922,"nodeType":437},{},[923],{"data":924,"content":925,"nodeType":249},{},[926,931],{"data":927,"marks":928,"value":930,"nodeType":248},{},[929],{"type":301},"A knowledge base:",{"data":932,"marks":933,"value":934,"nodeType":248},{},[]," Structured knowledge about what Push knows about TTPs and its existing body of detection logic, as well as externally sourced signals of new attack trends.",{"data":936,"content":937,"nodeType":437},{},[938],{"data":939,"content":940,"nodeType":249},{},[941,946],{"data":942,"marks":943,"value":945,"nodeType":248},{},[944],{"type":301},"Agents as tools: ",{"data":947,"marks":948,"value":949,"nodeType":248},{},[],"Role-segmented agents that work as a team to triage, investigate, develop hunt queries, return analyses, write detections, and review each others’ work for completeness and accuracy.",{"data":951,"content":952,"nodeType":437},{},[953],{"data":954,"content":955,"nodeType":249},{},[956,961],{"data":957,"marks":958,"value":960,"nodeType":248},{},[959],{"type":301},"Humans in the loop: ",{"data":962,"marks":963,"value":964,"nodeType":248},{},[],"Human researchers who collaborate with agents to initiate hunts and tune detections.",{"data":966,"content":967,"nodeType":437},{},[968],{"data":969,"content":970,"nodeType":249},{},[971,976],{"data":972,"marks":973,"value":975,"nodeType":248},{},[974],{"type":301},"Platform controls: ",{"data":977,"marks":978,"value":979,"nodeType":248},{},[],"The Push administrator-configured controls that specify how to respond to detected events like AiTM phishing, tuneable by scope, user groups, browser profiles, apps, etc.",{"data":981,"content":985,"nodeType":373},{"target":982},{"sys":983},{"id":984,"type":262,"linkType":263},"7FY0vCBUXOt4vnudFuKALC",[],{"data":987,"content":988,"nodeType":567},{},[989],{"data":990,"marks":991,"value":993,"nodeType":248},{},[992],{"type":301},"What are the best practices for agentic threat detection?",{"data":995,"content":996,"nodeType":249},{},[997,1001,1006],{"data":998,"marks":999,"value":1000,"nodeType":248},{},[],"To be effective, agents must specialize and focus. This is the ",{"data":1002,"marks":1003,"value":1005,"nodeType":248},{},[1004],{"type":301},"agents as tools",{"data":1007,"marks":1008,"value":1009,"nodeType":248},{},[]," concept. When we’re asking AI agents to take massive amounts of data and make a high-level decision about a signal in observed browser events, they must work as a team, finding intelligent ways to condense information without losing important context or hallucinating.",{"data":1011,"content":1012,"nodeType":249},{},[1013],{"data":1014,"marks":1015,"value":1016,"nodeType":248},{},[],"Creating a hierarchy of agent jobs — including agents to perform meta-analyses to catch mistakes and verify conclusions — makes the agents effective by giving them a manageable focus that controls the size of context windows.",{"data":1018,"content":1022,"nodeType":373},{"target":1019},{"sys":1020},{"id":1021,"type":262,"linkType":263},"3fzJCknMUmh4Z7YnhBSbsT",[],{"data":1024,"content":1025,"nodeType":249},{},[1026],{"data":1027,"marks":1028,"value":1029,"nodeType":248},{},[],"Creating an agentic workflow requires operationalizing your internal knowledge in a repeatable and trustworthy way. Sharing rich context from human discoveries is the key to getting the best results out of agents. ",{"data":1031,"content":1032,"nodeType":249},{},[1033,1037,1042],{"data":1034,"marks":1035,"value":1036,"nodeType":248},{},[],"It's vital too that the agent uses ",{"data":1038,"marks":1039,"value":1041,"nodeType":248},{},[1040],{"type":301},"privacy-preserving methods and infrastructure.",{"data":1043,"marks":1044,"value":1045,"nodeType":248},{},[]," The Push agent is designed to respect customer and user privacy while enabling high-fidelity detections. We do this by collecting broad browser metadata but storing it locally in users’ browsers and only querying that metadata during active threat hunting investigations.",{"data":1047,"content":1048,"nodeType":377},{},[],{"data":1050,"content":1051,"nodeType":386},{},[1052],{"data":1053,"marks":1054,"value":1056,"nodeType":248},{},[1055],{"type":301},"The compounding effect and how it benefits Push customers",{"data":1058,"content":1059,"nodeType":249},{},[1060],{"data":1061,"marks":1062,"value":1063,"nodeType":248},{},[],"At Push, we think about our detection capability as two learning loops with a compounding effect: An inner loop that serves as our real-time detection and response engine for known attacker techniques, and an outer loop that is the continuous learning our agents do as they hunt for new threats, analyze emerging behaviors, and create new detections. ",{"data":1065,"content":1066,"nodeType":249},{},[1067],{"data":1068,"marks":1069,"value":1070,"nodeType":248},{},[],"The outer loop feeds the inner loop, and vice versa.",{"data":1072,"content":1076,"nodeType":373},{"target":1073},{"sys":1074},{"id":1075,"type":262,"linkType":263},"1Jjqll7IIX2QRxN37gjFMH",[],{"data":1078,"content":1079,"nodeType":249},{},[1080],{"data":1081,"marks":1082,"value":1083,"nodeType":248},{},[],"Customers benefit from this approach because it means they:",{"data":1085,"content":1086,"nodeType":539},{},[1087,1110,1120],{"data":1088,"content":1089,"nodeType":437},{},[1090],{"data":1091,"content":1092,"nodeType":249},{},[1093,1097,1106],{"data":1094,"marks":1095,"value":1096,"nodeType":248},{},[],"Regularly receive ready-made detections against both known and emerging browser-based threats, without having to write their own detections. (Push also provides the ability to write your own ",{"data":1098,"content":1100,"nodeType":1105},{"uri":1099},"/help/audience/engineering/resources/custom-detections",[1101],{"data":1102,"marks":1103,"value":1104,"nodeType":248},{},[],"custom detections","hyperlink",{"data":1107,"marks":1108,"value":1109,"nodeType":248},{},[],", too, for environment-specific use cases.)",{"data":1111,"content":1112,"nodeType":437},{},[1113],{"data":1114,"content":1115,"nodeType":249},{},[1116],{"data":1117,"marks":1118,"value":1119,"nodeType":248},{},[],"Can configure Push’s response actions based on their security goals and environment. Agents act as the threat-hunting and detection engineering team; Push customers set the thresholds for how they want to respond. For example, customers can use Push controls to block all AiTM phishing attacks (or even carve out exceptions for their own incident responders to be able to visit malicious pages with just a warning), and agents continually feed new indicators into detection logic for that class of attack.",{"data":1121,"content":1122,"nodeType":437},{},[1123],{"data":1124,"content":1125,"nodeType":249},{},[1126],{"data":1127,"marks":1128,"value":1129,"nodeType":248},{},[],"Get pre-digested and actionable intelligence from every detection, with extremely high fidelity.",{"data":1131,"content":1132,"nodeType":249},{},[1133],{"data":1134,"marks":1135,"value":1136,"nodeType":248},{},[],"This all equates to your own advanced browser threat protection, without requiring the specialized in-house expertise we’ve spent years building.",{"data":1138,"content":1139,"nodeType":249},{},[1140],{"data":1141,"marks":1142,"value":1143,"nodeType":248},{},[],"If you’re a Push customer, you already know that we regularly collaborate with security teams to identify and refine detection use cases, and assist with investigations. In the past few months alone, we’ve worked closely with teams targeted by device code phishing, and InstallFix and ClickFix campaigns, among others. ",{"data":1145,"content":1146,"nodeType":249},{},[1147],{"data":1148,"marks":1149,"value":1150,"nodeType":248},{},[],"If you’re not a customer and are curious about how Push’s agentic threat hunting and detection engineering capabilities can address your use cases, please get in touch.",{"data":1152,"content":1156,"nodeType":373},{"target":1153},{"sys":1154},{"id":1155,"type":262,"linkType":263},"607jrBjlD1vtcbkDfD04DE",[],{"data":1158,"content":1159,"nodeType":377},{},[],{"data":1161,"content":1162,"nodeType":386},{},[1163],{"data":1164,"marks":1165,"value":1167,"nodeType":248},{},[1166],{"type":301},"Learn more",{"data":1169,"content":1170,"nodeType":249},{},[1171],{"data":1172,"marks":1173,"value":1174,"nodeType":248},{},[],"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.",{"data":1176,"content":1177,"nodeType":249},{},[1178],{"data":1179,"marks":1180,"value":1181,"nodeType":248},{},[],"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",{"data":1183,"content":1184,"nodeType":249},{},[1185,1189,1197],{"data":1186,"marks":1187,"value":1188,"nodeType":248},{},[],"Book a ",{"data":1190,"content":1192,"nodeType":1105},{"uri":1191},"/demo",[1193],{"data":1194,"marks":1195,"value":1196,"nodeType":248},{},[],"live demo",{"data":1198,"marks":1199,"value":1200,"nodeType":248},{},[]," to learn more.","document",{"entries":1203},{"inline":1204,"hyperlink":1205,"block":1239},[],[1206,1211,1215,1219,1223,1227,1231,1235],{"sys":1207,"__typename":1208,"title":1209,"slug":1210},{"id":261},"BlogPosts","How cyber criminals power malvertising scams with stolen accounts","cyber-criminal-ecosystem-analysis",{"sys":1212,"__typename":1208,"title":1213,"slug":1214},{"id":322},"InstallFix: How attackers are weaponizing malvertised install guides  ","installfix",{"sys":1216,"__typename":1208,"title":1217,"slug":1218},{"id":414},"Introducing the Browser & Identity Attacks Matrix","introducing-the-browser-and-identity-attacks-matrix",{"sys":1220,"__typename":1208,"title":1221,"slug":1222},{"id":452},"Device code phishing attacks have skyrocketed: here’s what you need to know","device-code-phishing",{"sys":1224,"__typename":1208,"title":1225,"slug":1226},{"id":476},"ConsentFix: Analyzing a browser-native ClickFix-style attack that hijacks OAuth consent grants","consentfix",{"sys":1228,"__typename":1208,"title":1229,"slug":1230},{"id":503},"Google Search malvertising campaign continues, now impersonating Ahrefs","google-search-malvertising-campaign-continues-now-impersonating-ahrefs",{"sys":1232,"__typename":1208,"title":1233,"slug":1234},{"id":529},"Uncovering a Calendly-themed phishing campaign targeting business ad manager accounts","uncovering-a-calendly-themed-phishing-campaign",{"sys":1236,"__typename":1208,"title":1237,"slug":1238},{"id":619},"Our design philosophy: Detecting what matters","our-design-philosophy-detecting-what-matters",[1240,1262,1270,1303,1311,1316,1324,1332,1346,1353],{"sys":1241,"__typename":1242,"content":1243,"name":1261,"title":62},{"id":371},"InsightTextBlockComponent",{"json":1244},{"nodeType":1201,"data":1245,"content":1246},{},[1247,1254],{"nodeType":249,"data":1248,"content":1249},{},[1250],{"nodeType":248,"value":1251,"marks":1252,"data":1253},"In this article, we’ll outline how Push uses AI agents as a force multiplier for identifying emerging threats that target organizations via the browser — think: ClickFix, vibecoded phishing sites, AiTM kits, cloned login pages, ConsentFix attacks, malicious OAuth apps, device code phishing, sites impersonating Claude Code installers, etc. — and share what we’ve learned. ",[],{},{"nodeType":249,"data":1255,"content":1256},{},[1257],{"nodeType":248,"value":1258,"marks":1259,"data":1260},"We’ll cover the architectural decisions we made that enable the successful implementation of agents and some emerging best practices we’ve identified; discuss why our hunts focus on extracting techniques, not indicators; and illustrate how Push customers are benefitting from this agentic pipeline.",[],{},"Agentic Threat Hunting Blog IB1",{"sys":1263,"__typename":1264,"title":419,"caption":1265,"layoutMode":62,"file":1266},{"id":544},"Image","Browser and identity-based techniques have exploded since we first launched our attack matrix",{"url":1267,"width":1268,"height":1269},"https://images.ctfassets.net/y1cdw1ablpvd/L0Yc77y9vzrKVD72BQGX2/4ffe0bf61bd62f025262b8efd74394b7/Browser___Identity_Attacks_Matrix__1_.png",6160,4432,{"sys":1271,"__typename":1242,"content":1272,"name":1302,"title":62},{"id":557},{"json":1273},{"nodeType":1201,"data":1274,"content":1275},{},[1276,1295],{"nodeType":249,"data":1277,"content":1278},{},[1279,1283,1291],{"nodeType":248,"value":1280,"marks":1281,"data":1282},"Push researchers are seeing ",[],{},{"nodeType":1105,"data":1284,"content":1286},{"uri":1285},"https://pushsecurity.com/blog/inside-criminal-phishing-panel/",[1287],{"nodeType":248,"value":1288,"marks":1289,"data":1290},"extensive evidence of LLM use",[],{},{"nodeType":248,"value":1292,"marks":1293,"data":1294}," in attacks we detect, from LLM-generated phishing kits and tools to vibe-coded cloned pages, demonstrating how much adversaries have embraced these tools to expedite their work. ",[],{},{"nodeType":249,"data":1296,"content":1297},{},[1298],{"nodeType":248,"value":1299,"marks":1300,"data":1301},"In particular, we’ve observed operator-gated payload delivery that greatly reduces the likelihood that malicious sites will be flagged and added to known-bad detection lists because they’re only served to active targets, using gated landing pages, anti-bot checks, and other methods to evade proactive infrastructure scanning. This reinforces the need for browser-based detection at the point the user interacts with the page.",[],{},"Agentic Threat Hunting Blog IB2",{"sys":1304,"__typename":1264,"title":1305,"caption":1306,"layoutMode":62,"file":1307},{"id":598},"Sample detection - blog article - custom branding","Sample detection details in the Push admin console for a blocked phishing event",{"url":1308,"width":1309,"height":1310},"https://images.ctfassets.net/y1cdw1ablpvd/6k8qVn1iYXbBl6lcHvphIa/dd802537d883cf6ddafdd78034c3412a/sample_detection.png",1999,766,{"sys":1312,"__typename":1313,"title":1314,"youTubeUrl":1315},{"id":649},"EmbeddedVideo","Adam Bateman: Agentic AI is a Force Multiplier","https://www.youtube.com/watch?v=F5Qv-su0qQA",{"sys":1317,"__typename":1264,"title":1318,"caption":1319,"layoutMode":62,"file":1320},{"id":878},"Dissect agent output - agentic threat hunting blog","Summary from the work of Push’s deep investigation AI agent on the initial InstallFix attack detected by Push.",{"url":1321,"width":1322,"height":1323},"https://images.ctfassets.net/y1cdw1ablpvd/6t86kpGUwCVvrJEfVic1Cr/f41986585203764155d736d26cee2176/agentic_summary_example_installfix.png",1998,1428,{"sys":1325,"__typename":1264,"title":1326,"caption":1327,"layoutMode":62,"file":1328},{"id":984},"Detection engine diagram - agentic threat blog","The Push detection engine combines deep browser telemetry with agentic workflows to rapidly respond to emerging threats.  ",{"url":1329,"width":1330,"height":1331},"https://images.ctfassets.net/y1cdw1ablpvd/1zbE1t82gPo7pgqkAayTcZ/72046ea5db9b80c77053343223025163/platform_diagram_v3.png",1134,762,{"sys":1333,"__typename":1242,"content":1334,"name":1345,"title":62},{"id":1021},{"json":1335},{"data":1336,"content":1337,"nodeType":1201},{},[1338],{"data":1339,"content":1340,"nodeType":249},{},[1341],{"data":1342,"marks":1343,"value":1344,"nodeType":248},{},[],"Use agents as an excuse to operationalize your internal knowledge once and for all. Every security team has a venerable silo of knowledge — that one person who just knows how to do that one major thing. Now, that can be an AI resource accessible to all, at any time, whenever you need it most.","Agentic Threat Hunting Blog IB4",{"sys":1347,"__typename":1264,"title":1348,"caption":1349,"layoutMode":62,"file":1350},{"id":1075},"Learning loops diagram - agentic threat blog","Two learning loops for known and unknown threats create a compounding effect for Push’s ability to defend against browser-based attacks.",{"url":1351,"width":1352,"height":1310},"https://images.ctfassets.net/y1cdw1ablpvd/6TQdqvjhG4AYHITcR1MV9s/b1e1c337f50005186f6022004543023b/learning_loops_v3.png",1001,{"sys":1354,"__typename":1355,"type":1356,"ctaText":1357,"buttonLabel":1358,"buttonColour":1359,"buttonUrl":1360},{"id":1155},"CtaWidget","Custom","Book a demo to learn more about our agentic threat hunting capabilities and how they can benefit your security team.","Book a Demo","sunny orange","https://site.dev.pushsecurity.com/demo/","json",{"items":1363},[],{},"How we built an agentic threat hunting pipeline at Push","2026-05-12T00:00:00.000Z",{"items":1368},[1369,1953,2770],{"__typename":1208,"sys":1370,"content":1372,"title":1935,"synopsis":1936,"hashTags":62,"publishedDate":1937,"slug":1938,"tagsCollection":1939,"authorsCollection":1949},{"id":1371},"2nQU0gDEqgarstvFMqFTzn",{"json":1373},{"nodeType":1201,"data":1374,"content":1375},{},[1376,1383,1390,1411,1419,1426,1434,1437,1444,1451,1470,1477,1485,1492,1499,1506,1513,1519,1522,1529,1536,1543,1562,1569,1576,1583,1590,1597,1604,1611,1618,1637,1644,1651,1658,1661,1668,1675,1682,1689,1695,1702,1709,1716,1723,1729,1736,1743,1750,1757,1785,1792,1799,1806,1813,1829,1836,1843,1850,1857,1863,1870,1877,1884,1890,1893,1900,1917],{"nodeType":249,"data":1377,"content":1378},{},[1379],{"nodeType":248,"value":1380,"marks":1381,"data":1382},"What would it take to vibecode your own AI-driven threat hunting pipeline? ",[],{},{"nodeType":249,"data":1384,"content":1385},{},[1386],{"nodeType":248,"value":1387,"marks":1388,"data":1389},"The commercial models are right there. You’ve probably got a spare weekend coming up, a really nice espresso machine, and a few bucks for tokens. (Is there already an HGTV series on this?)",[],{},{"nodeType":249,"data":1391,"content":1392},{},[1393,1397,1407],{"nodeType":248,"value":1394,"marks":1395,"data":1396},"We recently published a ",[],{},{"nodeType":1105,"data":1398,"content":1400},{"uri":1399},"https://pushsecurity.com/blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline",[1401],{"nodeType":248,"value":1402,"marks":1403,"data":1406},"detailed look",[1404],{"type":1405},"underline",{},{"nodeType":248,"value":1408,"marks":1409,"data":1410}," at how we use AI agents as a force multiplier for Push’s threat hunting and detection engineering capabilities.One intriguing detail you might have noticed in that article is that at Push, we treat commercial AI models as commoditized infrastructure, akin to cloud computing.",[],{},{"nodeType":249,"data":1412,"content":1413},{},[1414],{"nodeType":248,"value":1415,"marks":1416,"data":1418},"So it’s a cheeky question, but a fair one, because if Push is using commercial models, what exactly are you paying for?",[1417],{"type":301},{},{"nodeType":249,"data":1420,"content":1421},{},[1422],{"nodeType":248,"value":1423,"marks":1424,"data":1425},"It turns out that the models are the easiest things to replace, and in fact we swap out different models with little impact on detection performance. What’s much harder to build is the expertise: the technical knowledge of various attack techniques, the instrumentation in the browser that produces the structured telemetry, and the enforcement layer that turns detections into real-time protection.",[],{},{"nodeType":249,"data":1427,"content":1428},{},[1429],{"nodeType":248,"value":1430,"marks":1431,"data":1433},"Let’s break it down.",[1432],{"type":301},{},{"nodeType":377,"data":1435,"content":1436},{},[],{"nodeType":386,"data":1438,"content":1439},{},[1440],{"nodeType":248,"value":1441,"marks":1442,"data":1443},"The promise and the perils of threat hunting (and where agentic capabilities fit in)",[],{},{"nodeType":249,"data":1445,"content":1446},{},[1447],{"nodeType":248,"value":1448,"marks":1449,"data":1450},"Threat hunting — the practice of proactively searching for threats that haven’t been seen before — is one of the most effective practices in security and one of the least accessible.",[],{},{"nodeType":249,"data":1452,"content":1453},{},[1454,1458,1466],{"nodeType":248,"value":1455,"marks":1456,"data":1457},"The ",[],{},{"nodeType":1105,"data":1459,"content":1461},{"uri":1460},"https://www.sans.org/white-papers/sans-2025-threat-hunting-survey-advancements-threat-hunting-amid-ai-cloud-challenges",[1462],{"nodeType":248,"value":1463,"marks":1464,"data":1465},"SANS 2025 Threat Hunting Survey",[],{},{"nodeType":248,"value":1467,"marks":1468,"data":1469}," found that 61% of organizations cite staffing shortages as the top barrier to running a hunting program. A single manual hunt takes 10 to 20 hours of sustained analyst focus — forming hypotheses about what an attacker might be doing, querying data sources sequentially, correlating results by hand, documenting findings. Many organizations hunt infrequently or not at all.",[],{},{"nodeType":249,"data":1471,"content":1472},{},[1473],{"nodeType":248,"value":1474,"marks":1475,"data":1476},"Threat hunting in the browser poses specific challenges: The stakes are high as AI-enabled attacks accelerate, and the availability of training and knowledge is low. ",[],{},{"nodeType":249,"data":1478,"content":1479},{},[1480],{"nodeType":248,"value":1481,"marks":1482,"data":1484},"AiTM phishing kits that manipulate DOM elements in real time, ClickFix variants that inject malicious payloads through clipboard manipulation, ConsentFix attacks that abuse OAuth consent flows, credential harvesting on pages that rotate infrastructure hourly — these techniques don't map cleanly onto the endpoint-focused threat models most SOC teams were built around, or the data sources they’re used to interrogating. ",[1483],{"type":301},{},{"nodeType":249,"data":1486,"content":1487},{},[1488],{"nodeType":248,"value":1489,"marks":1490,"data":1491},"Even well-staffed security organizations tend to have a blind spot in the browser layer because the expertise required to hunt there is specialized and the telemetry to support it hasn't historically been available.",[],{},{"nodeType":249,"data":1493,"content":1494},{},[1495],{"nodeType":248,"value":1496,"marks":1497,"data":1498},"Using AI agents to hunt for browser-based threats promises a net-new capability for smaller teams without dedicated threat hunting staff. For larger enterprises, the value of an agentic threat hunting capability lies in its ability to provide (or augment) expertise on emerging attack methods.",[],{},{"nodeType":249,"data":1500,"content":1501},{},[1502],{"nodeType":248,"value":1503,"marks":1504,"data":1505},"Most SOC teams have deep expertise at the endpoint, IdP, cloud, and network layers, built over years of working with those systems’ telemetry and workflows. But browser-based attacks operate in a different domain with different telemetry, different TTPs, and a different evasion model.",[],{},{"nodeType":249,"data":1507,"content":1508},{},[1509],{"nodeType":248,"value":1510,"marks":1511,"data":1512},"A capability like Push’s provides an answer to these three hurdles: providing expertise, without any additional burden on staff, and at a speed that matches the acceleration we’re currently witnessing in browser-based attack techniques.",[],{},{"nodeType":373,"data":1514,"content":1518},{"target":1515},{"sys":1516},{"id":1517,"type":262,"linkType":263},"1uw9eFMPDdrevj26fyix5f",[],{"nodeType":377,"data":1520,"content":1521},{},[],{"nodeType":386,"data":1523,"content":1524},{},[1525],{"nodeType":248,"value":1526,"marks":1527,"data":1528},"This isn’t chatbot log analysis",[],{},{"nodeType":249,"data":1530,"content":1531},{},[1532],{"nodeType":248,"value":1533,"marks":1534,"data":1535},"When you hear “AI-powered threat hunting,” you might imagine an AI copilot sitting on top of your SIEM, summarizing alerts and correlating log entries faster than a human analyst could. It’s a fair assumption because many products use this kind of implementation, and tools like those are useful.",[],{},{"nodeType":249,"data":1537,"content":1538},{},[1539],{"nodeType":248,"value":1540,"marks":1541,"data":1542},"That’s not what we built at Push.",[],{},{"nodeType":249,"data":1544,"content":1545},{},[1546,1550,1558],{"nodeType":248,"value":1547,"marks":1548,"data":1549},"If you’re not familiar with Push, it’s a browser security platform deployed as an extension that detects and stops advanced browser-based attacks while also providing visibility and control over shadow apps and identities, including AI usage. You can use the same telemetry Push provides for these use cases to ",[],{},{"nodeType":1105,"data":1551,"content":1553},{"uri":1552},"https://pushsecurity.com/blog/why-you-cant-control-ai-without-being-in-the-browser/",[1554],{"nodeType":248,"value":1555,"marks":1556,"data":1557},"perform data loss and insider risk investigations",[],{},{"nodeType":248,"value":1559,"marks":1560,"data":1561},", too.",[],{},{"nodeType":249,"data":1563,"content":1564},{},[1565],{"nodeType":248,"value":1566,"marks":1567,"data":1568},"What we built is an agentic threat hunting and detection pipeline where AI agents collaborate with in-house threat researchers to continuously hunt for emerging browser-based attack techniques across our customer base, and then automatically write and deploy new detections.",[],{},{"nodeType":249,"data":1570,"content":1571},{},[1572],{"nodeType":248,"value":1573,"marks":1574,"data":1575},"Our pipeline differs from AI-enabled log analysis in three key ways:",[],{},{"nodeType":567,"data":1577,"content":1578},{},[1579],{"nodeType":248,"value":1580,"marks":1581,"data":1582},"A new telemetry source is the foundation",[],{},{"nodeType":249,"data":1584,"content":1585},{},[1586],{"nodeType":248,"value":1587,"marks":1588,"data":1589},"First, the Push platform generates its own telemetry. The Push browser extension operates as a flight recorder, locally collecting browser session metadata that doesn’t exist anywhere else in the security stack — details like DOM structure, script execution contexts, redirect chains, credential entry behavior, OAuth consent flows, and network requests observed from inside the session. ",[],{},{"nodeType":249,"data":1591,"content":1592},{},[1593],{"nodeType":248,"value":1594,"marks":1595,"data":1596},"This metadata is stored locally and only queried during targeted threat hunts, preserving user and customer privacy.",[],{},{"nodeType":567,"data":1598,"content":1599},{},[1600],{"nodeType":248,"value":1601,"marks":1602,"data":1603},"Proactive hunting, not just reactive triage",[],{},{"nodeType":249,"data":1605,"content":1606},{},[1607],{"nodeType":248,"value":1608,"marks":1609,"data":1610},"The pipeline also hunts proactively rather than triaging reactively, as with log analysis agents.",[],{},{"nodeType":249,"data":1612,"content":1613},{},[1614],{"nodeType":248,"value":1615,"marks":1616,"data":1617},"Push agents generate hypotheses, craft queries against the telemetry corpus, run them across millions of browsers, and triage the results — searching for techniques that haven't triggered any existing alert or rule. ",[],{},{"nodeType":249,"data":1619,"content":1620},{},[1621,1624,1633],{"nodeType":248,"value":1455,"marks":1622,"data":1623},[],{},{"nodeType":1105,"data":1625,"content":1627},{"uri":1626},"https://pushsecurity.com/blog/installfix/",[1628],{"nodeType":248,"value":1629,"marks":1630,"data":1632},"InstallFix discovery",[1631],{"type":1405},{},{"nodeType":248,"value":1634,"marks":1635,"data":1636}," described in the original agentic threat hunting article is the clearest example: The Push pipeline surfaced 12 meaningful results from trillions of browser events, and one of them was a novel attack technique. That's threat hunting at machine scale, not just alert triage.",[],{},{"nodeType":567,"data":1638,"content":1639},{},[1640],{"nodeType":248,"value":1641,"marks":1642,"data":1643},"Not just analysis, but new detections, too",[],{},{"nodeType":249,"data":1645,"content":1646},{},[1647],{"nodeType":248,"value":1648,"marks":1649,"data":1650},"Finally, the output isn’t (only) a natural-language summary of what the agents found. It’s a production detection rule that ships to every Push customer and wires into real-time enforcement controls defined by Push admins. ",[],{},{"nodeType":249,"data":1652,"content":1653},{},[1654],{"nodeType":248,"value":1655,"marks":1656,"data":1657},"The pipeline's job isn’t to help you understand an alert faster. Rather, it’s producing detection rules that didn't exist before at a speed that enables those detections to address emerging attack techniques and organization-specific campaigns within minutes.",[],{},{"nodeType":377,"data":1659,"content":1660},{},[],{"nodeType":386,"data":1662,"content":1663},{},[1664],{"nodeType":248,"value":1665,"marks":1666,"data":1667},"Agentic threat hunting as core product infrastructure",[],{},{"nodeType":249,"data":1669,"content":1670},{},[1671],{"nodeType":248,"value":1672,"marks":1673,"data":1674},"The nice thing about commercially available AI models is that they’re really good at understanding web code. That arcane Javascript function you’d have to look up in the docs? They recognize it immediately. That makes them perfectly suited to provide domain knowledge that can be harnessed with the right security expertise.",[],{},{"nodeType":249,"data":1676,"content":1677},{},[1678],{"nodeType":248,"value":1679,"marks":1680,"data":1681},"Using commercial models in our agentic detection pipeline then becomes a force multiplier for our research team’s understanding of TTPs — not a security engine in and of itself.",[],{},{"nodeType":249,"data":1683,"content":1684},{},[1685],{"nodeType":248,"value":1686,"marks":1687,"data":1688},"The four core components of our agentic pipeline can’t be replaced by using the same models we do, because the value is not in the models, but in the product infrastructure, product telemetry, and research expertise those models capitalize on.",[],{},{"nodeType":373,"data":1690,"content":1694},{"target":1691},{"sys":1692},{"id":1693,"type":262,"linkType":263},"7oif7PEEC3UMoTqVfRz3ZJ",[],{"nodeType":567,"data":1696,"content":1697},{},[1698],{"nodeType":248,"value":1699,"marks":1700,"data":1701},"Component 1: The flight recorder",[],{},{"nodeType":249,"data":1703,"content":1704},{},[1705],{"nodeType":248,"value":1706,"marks":1707,"data":1708},"We deploy as a browser extension — not a separate browser, a proxy or an endpoint agent — which means we sit inside the browser session itself, seeing what the user sees. ",[],{},{"nodeType":249,"data":1710,"content":1711},{},[1712],{"nodeType":248,"value":1713,"marks":1714,"data":1715},"A component of the extension acts as a flight recorder, collecting and locally storing browser-level metadata: DOM elements, tab context, script execution, network traffic, user actions, credential entry, and more. This body of structured browser event metadata is the searchable landscape for every hunt.",[],{},{"nodeType":249,"data":1717,"content":1718},{},[1719],{"nodeType":248,"value":1720,"marks":1721,"data":1722},"That's a data source most security teams have never had access to. You can't get it from an endpoint agent, a network proxy, or a cloud access log, because it doesn't exist outside the browser session. Turns out, it matters more than the model itself: When the model has this full browser context — the DOM, redirect chains, user behavior — it can reason about what happened. When it has to start guessing at those details, it starts hallucinating.",[],{},{"nodeType":373,"data":1724,"content":1728},{"target":1725},{"sys":1726},{"id":1727,"type":262,"linkType":263},"6qs9xZvmKlVXOLVhFfMVFx",[],{"nodeType":567,"data":1730,"content":1731},{},[1732],{"nodeType":248,"value":1733,"marks":1734,"data":1735},"Component 2: The internal knowledge base",[],{},{"nodeType":249,"data":1737,"content":1738},{},[1739],{"nodeType":248,"value":1740,"marks":1741,"data":1742},"As we mentioned earlier, commercial LLMs understand web code exceedingly well. What they don’t know is which patterns in that code indicate a credential-harvesting AiTM kit versus a legitimate login page, or which redirect behavior signals an InstallFix lure versus a normal marketing funnel.",[],{},{"nodeType":249,"data":1744,"content":1745},{},[1746],{"nodeType":248,"value":1747,"marks":1748,"data":1749},"That distinction comes from our internal knowledge base — years of TTP analysis, curated libraries of traces from real phishing kits encountered in the wild, and hunt parameters refined through hundreds of investigations led by our experienced human research team. ",[],{},{"nodeType":249,"data":1751,"content":1752},{},[1753],{"nodeType":248,"value":1754,"marks":1755,"data":1756},"This knowledge base also reflects a deliberate architectural choice. ",[],{},{"nodeType":1758,"data":1759,"content":1760},"blockquote",{},[1761],{"nodeType":249,"data":1762,"content":1763},{},[1764,1768,1776,1780],{"nodeType":248,"value":1765,"marks":1766,"data":1767},"As our CPO Jacques Louw put it on ",[],{},{"nodeType":1105,"data":1769,"content":1771},{"uri":1770},"https://risky.biz/RBNEWSSI128/",[1772],{"nodeType":248,"value":1773,"marks":1774,"data":1775},"Risky Business",[],{},{"nodeType":248,"value":1777,"marks":1778,"data":1779},": ",[],{},{"nodeType":248,"value":1781,"marks":1782,"data":1784},"\"There's no list of bad domains anywhere in the product. It's a crutch — a false cheat code that stops you from doing the detection in the way that actually is resilient, because the next time you see it, it will be on a different domain.\"",[1783],{"type":285},{},{"nodeType":249,"data":1786,"content":1787},{},[1788],{"nodeType":248,"value":1789,"marks":1790,"data":1791},"Our knowledge base encodes behavioral patterns and TTP signatures instead, which means detections remain effective even as infrastructure rotates underneath them.",[],{},{"nodeType":249,"data":1793,"content":1794},{},[1795],{"nodeType":248,"value":1796,"marks":1797,"data":1798},"We've also learned that even high-quality security data isn’t AI-ready out of the box. Structuring data and knowledge for agent consumption requires dedicated engineering. ",[],{},{"nodeType":249,"data":1800,"content":1801},{},[1802],{"nodeType":248,"value":1803,"marks":1804,"data":1805},"Our researchers have spent that time identifying, naming, and documenting browser-based attack techniques and encoding that knowledge into a format that agents can operationalize and extend.",[],{},{"nodeType":567,"data":1807,"content":1808},{},[1809],{"nodeType":248,"value":1810,"marks":1811,"data":1812},"Component 3: The thoughtfully organized agents",[],{},{"nodeType":249,"data":1814,"content":1815},{},[1816,1820,1825],{"nodeType":248,"value":1817,"marks":1818,"data":1819},"The engineering challenge isn't getting a model to analyze one browser event — it's keeping it reliable across thousands of events. If you fill a context window with too much data and the model loses the ability to discern signal from noise, you get something called ",[],{},{"nodeType":248,"value":1821,"marks":1822,"data":1824},"context rot",[1823],{"type":301},{},{"nodeType":248,"value":1826,"marks":1827,"data":1828},". That's been our primary engineering focus over the last quarter: not making agents objectively smarter, but keeping them focused to improve their outputs.",[],{},{"nodeType":249,"data":1830,"content":1831},{},[1832],{"nodeType":248,"value":1833,"marks":1834,"data":1835},"Our solution is hierarchy. A hunting agent oversees the overall hunt — it understands the query and knows what it's looking for. It dispatches an army of analysis agents, each picking up a single result trace, the term we use for a series of events in a session or tab context. ",[],{},{"nodeType":249,"data":1837,"content":1838},{},[1839],{"nodeType":248,"value":1840,"marks":1841,"data":1842},"But even a single trace can contain thousands of events, so each analysis agent breaks it down into blocks, analyzes and summarizes each one, looks for connections between them, and then bubbles up only the interesting signal. Layer by layer, the context narrows until what reaches the top is workable.",[],{},{"nodeType":249,"data":1844,"content":1845},{},[1846],{"nodeType":248,"value":1847,"marks":1848,"data":1849},"Different agents handle hypothesis generation, query crafting, triage, deep investigation, detection authoring, and meta-analysis for quality control. We back-test detections against real data before they ship. This segmentation and hierarchy took significant trial and error — you can swap out almost any individual model in the chain, but the hierarchy itself is the thing that ultimately makes it work.",[],{},{"nodeType":249,"data":1851,"content":1852},{},[1853],{"nodeType":248,"value":1854,"marks":1855,"data":1856},"The consensus coming out of RSAC this year reinforces this approach. The industry's focus has shifted from “which model is the best?” to “how do we build reliable systems around these models?” ",[],{},{"nodeType":373,"data":1858,"content":1862},{"target":1859},{"sys":1860},{"id":1861,"type":262,"linkType":263},"4cXhgVflbtxiKs604aemSt",[],{"nodeType":567,"data":1864,"content":1865},{},[1866],{"nodeType":248,"value":1867,"marks":1868,"data":1869},"Component 4: The response engine",[],{},{"nodeType":249,"data":1871,"content":1872},{},[1873],{"nodeType":248,"value":1874,"marks":1875,"data":1876},"Finally, a hunt without a response you can operationalize is just a report. When our agents identify a new technique, the detection they write feeds directly into the same platform that enforces real-time controls in the browser: blocking credential entry on phishing pages, intercepting clipboard injection attacks, warning users during suspicious OAuth consent flows, etc.",[],{},{"nodeType":249,"data":1878,"content":1879},{},[1880],{"nodeType":248,"value":1881,"marks":1882,"data":1883},"Detection and response share the same infrastructure, which means a new technique can go seamlessly from hunt analysis to production enforcement.",[],{},{"nodeType":373,"data":1885,"content":1889},{"target":1886},{"sys":1887},{"id":1888,"type":262,"linkType":263},"vIrkHJ4ec1I41nXeRHfT2",[],{"nodeType":377,"data":1891,"content":1892},{},[],{"nodeType":386,"data":1894,"content":1895},{},[1896],{"nodeType":248,"value":1897,"marks":1898,"data":1899},"Learn more about Push and how we develop new detections",[],{},{"nodeType":249,"data":1901,"content":1902},{},[1903,1907,1914],{"nodeType":248,"value":1904,"marks":1905,"data":1906},"For a deeper look at how the pipeline works in practice, including a step-by-step walkthrough of how we discovered a novel InstallFix attack targeting NotebookLM users, the two-loop detection architecture that creates a compounding effect for customers, and the emerging best practices we've identified for using AI agents in security operations, check out our companion article: ",[],{},{"nodeType":1105,"data":1908,"content":1909},{"uri":1399},[1910],{"nodeType":248,"value":1911,"marks":1912,"data":1913},"Can AI replace a threat researcher? What we learned building an agentic threat hunting pipeline at Push",[],{},{"nodeType":248,"value":333,"marks":1915,"data":1916},[],{},{"nodeType":249,"data":1918,"content":1919},{},[1920,1924,1932],{"nodeType":248,"value":1921,"marks":1922,"data":1923},"If you'd like to see how our agentic detection capabilities apply to your environment, ",[],{},{"nodeType":1105,"data":1925,"content":1927},{"uri":1926},"https://pushsecurity.com/demo",[1928],{"nodeType":248,"value":1929,"marks":1930,"data":1931},"book a demo",[],{},{"nodeType":248,"value":333,"marks":1933,"data":1934},[],{},"No, you can’t just vibecode an AI-driven threat hunting pipeline","Push uses commercial AI models to deliver agentic threat hunting. Can’t you just build something yourself with those same models? Well, no.","2026-06-02T00:00:00.000Z","why-you-cant-vibecode-an-ai-driven-threat-hunting-pipeline",{"items":1940},[1941,1945],{"sys":1942,"name":1944},{"id":1943},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"sys":1946,"name":1948},{"id":1947},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1950},[1951],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1952},{"url":236},{"__typename":1208,"sys":1954,"content":1956,"title":2750,"synopsis":2751,"hashTags":62,"publishedDate":2752,"slug":2753,"tagsCollection":2754,"authorsCollection":2762},{"id":1955},"Gcg7PGuICrlRcqq1QFXxH",{"json":1957},{"nodeType":1201,"data":1958,"content":1959},{},[1960,1967,1974,2005,2012,2018,2024,2036,2039,2047,2063,2070,2076,2083,2090,2096,2099,2107,2114,2120,2126,2133,2140,2158,2164,2167,2175,2193,2199,2206,2209,2217,2224,2231,2237,2243,2287,2294,2297,2305,2312,2319,2362,2369,2400,2407,2450,2457,2460,2468,2487,2494,2502,2518,2525,2544,2551,2554,2560,2566,2584,2587,2595,2614,2621,2744],{"nodeType":249,"data":1961,"content":1962},{},[1963],{"nodeType":248,"value":1964,"marks":1965,"data":1966},"Shared conversations on AI chatbot platforms have become the latest delivery mechanism for malware campaigns targeting macOS and Windows users. Attackers create content on platforms like ChatGPT and Claude that appears to offer installation guidance or service updates, then drive traffic to it via search engine results in the form of malvertising and SEO poisoning.  ",[],{},{"nodeType":249,"data":1968,"content":1969},{},[1970],{"nodeType":248,"value":1971,"marks":1972,"data":1973},"The content lives on chatgpt.com or claude.ai — domains that users and security tools trust implicitly — so the attack bypasses URL reputation checks before the victim even reaches the malicious payload.",[],{},{"nodeType":249,"data":1975,"content":1976},{},[1977,1981,1989,1993,2001],{"nodeType":248,"value":1978,"marks":1979,"data":1980},"Several variants of this technique have been ",[],{},{"nodeType":1105,"data":1982,"content":1984},{"uri":1983},"https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-claudeai-chats-to-push-mac-malware/",[1985],{"nodeType":248,"value":1986,"marks":1987,"data":1988},"reported over the past few months",[],{},{"nodeType":248,"value":1990,"marks":1991,"data":1992},". The earliest examples used shared Claude.ai conversations disguised as installation guides — complete with fake \"Apple Support\" attribution — that walked users through opening a terminal and pasting a curl command that downloaded and executed an infostealer. ",[],{},{"nodeType":1105,"data":1994,"content":1996},{"uri":1995},"https://www.kaspersky.com/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/54928/",[1997],{"nodeType":248,"value":1998,"marks":1999,"data":2000},"Kaspersky documented a parallel campaign",[],{},{"nodeType":248,"value":2002,"marks":2003,"data":2004}," using shared ChatGPT conversations to deliver the AMOS (Atomic macOS Stealer) via the same paste-this-command social engineering pattern. ",[],{},{"nodeType":249,"data":2006,"content":2007},{},[2008],{"nodeType":248,"value":2009,"marks":2010,"data":2011},"Push has detected a new variant that goes beyond the previously reported technique of embedding terminal commands in shared conversations: the attacker has used ChatGPT's code rendering feature to build a fully designed fake page that mimics a ChatGPT service disruption, redirecting victims to a convincing clone of ChatGPT's download page that delivers a malicious executable. ",[],{},{"nodeType":373,"data":2013,"content":2017},{"target":2014},{"sys":2015},{"id":2016,"type":262,"linkType":263},"5lz9zt223pecGvdaqdvSTQ",[],{"nodeType":373,"data":2019,"content":2023},{"target":2020},{"sys":2021},{"id":2022,"type":262,"linkType":263},"51GomAj3VOjnbmgd1DWYu0",[],{"nodeType":249,"data":2025,"content":2026},{},[2027,2032],{"nodeType":248,"value":2028,"marks":2029,"data":2031},"This is a live campaign which is still generating detections across our customer base at the time of writing. ",[2030],{"type":301},{},{"nodeType":248,"value":2033,"marks":2034,"data":2035},"Push customers are already protected and do not need to take further action. The malicious page URLs can be found at the end of this report but are not exhaustive and are liable to change. ",[],{},{"nodeType":377,"data":2037,"content":2038},{},[],{"nodeType":386,"data":2040,"content":2041},{},[2042],{"nodeType":248,"value":2043,"marks":2044,"data":2046},"A fake page, not a fake conversation",[2045],{"type":301},{},{"nodeType":249,"data":2048,"content":2049},{},[2050,2054,2059],{"nodeType":248,"value":2051,"marks":2052,"data":2053},"Previously reported variants relied on shared ",[],{},{"nodeType":248,"value":2055,"marks":2056,"data":2058},"conversations",[2057],{"type":285},{},{"nodeType":248,"value":2060,"marks":2061,"data":2062}," — the attacker created a chat that contained step-by-step instructions for the victim to follow, typically involving pasting a command into their terminal. The social engineering was conversational: the \"AI assistant\" appeared to be helpfully guiding the user through an installation process.",[],{},{"nodeType":249,"data":2064,"content":2065},{},[2066],{"nodeType":248,"value":2067,"marks":2068,"data":2069},"But now, rather than a shared conversation, the attacker has used ChatGPT's code rendering feature to create a fully designed, self-contained web page hosted at a chatgpt.com/s/ URL. It renders as what appears to be a ChatGPT service disruption notice:",[],{},{"nodeType":373,"data":2071,"content":2075},{"target":2072},{"sys":2073},{"id":2074,"type":262,"linkType":263},"1O9gyQab81SnbxhQp2aa5Z",[],{"nodeType":249,"data":2077,"content":2078},{},[2079],{"nodeType":248,"value":2080,"marks":2081,"data":2082},"A professional-looking error message reads: \"We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.\" A prominent download button sits below.",[],{},{"nodeType":249,"data":2084,"content":2085},{},[2086],{"nodeType":248,"value":2087,"marks":2088,"data":2089},"The \"Show code\" toggle at the top of the page reveals what's actually happening — the entire thing is custom HTML and CSS, authored to mimic a ChatGPT system notice, rendered using ChatGPT's code output feature. A web page inside a web page, hosted on a domain that every URL reputation system in the world considers safe.",[],{},{"nodeType":373,"data":2091,"content":2095},{"target":2092},{"sys":2093},{"id":2094,"type":262,"linkType":263},"4kQTfxB3aVH9W9BeYOuljP",[],{"nodeType":377,"data":2097,"content":2098},{},[],{"nodeType":386,"data":2100,"content":2101},{},[2102],{"nodeType":248,"value":2103,"marks":2104,"data":2106},"The download page",[2105],{"type":301},{},{"nodeType":249,"data":2108,"content":2109},{},[2110],{"nodeType":248,"value":2111,"marks":2112,"data":2113},"Clicking the download button redirects the user to openew[.]app, which presents a convincing clone of ChatGPT's official desktop application download page — complete with OpenAI branding, macOS and Windows download buttons, a Chrome extension link, and a mobile download section.",[],{},{"nodeType":373,"data":2115,"content":2119},{"target":2116},{"sys":2117},{"id":2118,"type":262,"linkType":263},"4MdFc4OB37ZihTGx506QJ6",[],{"nodeType":373,"data":2121,"content":2125},{"target":2122},{"sys":2123},{"id":2124,"type":262,"linkType":263},"LaPUy0zpIeY8s4PF2wkat",[],{"nodeType":249,"data":2127,"content":2128},{},[2129],{"nodeType":248,"value":2130,"marks":2131,"data":2132},"The site also displays differently depending on who visits it. When Push researchers examined the URL via URLScan, the scanner was redirected to a different page entirely — a generic AR/VR company website with no obvious connection to ChatGPT. ",[],{},{"nodeType":249,"data":2134,"content":2135},{},[2136],{"nodeType":248,"value":2137,"marks":2138,"data":2139},"Real users in a browser see the fake download page; automated scanners and bots see something benign. This kind of conditional rendering is a well-established evasion technique in the malvertising ecosystem, and it makes the malicious infrastructure harder for security teams and threat intelligence services to identify and analyze.",[],{},{"nodeType":249,"data":2141,"content":2142},{},[2143,2147,2155],{"nodeType":248,"value":2144,"marks":2145,"data":2146},"The downloaded executable poses as \"ChatGPT for Desktop\" and is ",[],{},{"nodeType":1105,"data":2148,"content":2150},{"uri":2149},"https://www.virustotal.com/gui/file/de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78",[2151],{"nodeType":248,"value":2152,"marks":2153,"data":2154},"flagged on VirusTotal",[],{},{"nodeType":248,"value":333,"marks":2156,"data":2157},[],{},{"nodeType":373,"data":2159,"content":2163},{"target":2160},{"sys":2161},{"id":2162,"type":262,"linkType":263},"3FSbwoFJYQrcyo9uMsQIWI",[],{"nodeType":377,"data":2165,"content":2166},{},[],{"nodeType":386,"data":2168,"content":2169},{},[2170],{"nodeType":248,"value":2171,"marks":2172,"data":2174},"The Claude variant: same campaign, different platform",[2173],{"type":301},{},{"nodeType":249,"data":2176,"content":2177},{},[2178,2182,2189],{"nodeType":248,"value":2179,"marks":2180,"data":2181},"Alongside the ChatGPT rendered-page variant, Push has also detected the previously reported style of attack using shared Claude.ai conversations. These follow the pattern documented by ",[],{},{"nodeType":1105,"data":2183,"content":2184},{"uri":1983},[2185],{"nodeType":248,"value":2186,"marks":2187,"data":2188},"BleepingComputer",[],{},{"nodeType":248,"value":2190,"marks":2191,"data":2192},": a shared chat disguised as a \"Claude Code on Mac\" installation guide, attributed to \"Apple Support,\" containing a curl command that downloads and executes malware.",[],{},{"nodeType":373,"data":2194,"content":2198},{"target":2195},{"sys":2196},{"id":2197,"type":262,"linkType":263},"5sWayuTsVdiLSLoS4sv2Vc",[],{"nodeType":249,"data":2200,"content":2201},{},[2202],{"nodeType":248,"value":2203,"marks":2204,"data":2205},"The fact that both the ChatGPT and Claude variants are appearing in Push customer environments suggests a campaign — or at least a shared playbook — that is actively experimenting with different platforms and different social engineering approaches to find what converts best.",[],{},{"nodeType":377,"data":2207,"content":2208},{},[],{"nodeType":386,"data":2210,"content":2211},{},[2212],{"nodeType":248,"value":2213,"marks":2214,"data":2216},"Malvertising remains one of the top phishing delivery channels",[2215],{"type":301},{},{"nodeType":249,"data":2218,"content":2219},{},[2220],{"nodeType":248,"value":2221,"marks":2222,"data":2223},"Push has detected this variant across multiple customer environments, with users arriving at these shared chat URLs after searching for terms including \"chatgpt,\" \"chatgpt free,\" \"chat gpt,\" and common typos like \"chatgo,\" \"chatgot,\" and \"cvhatgpt.\" ",[],{},{"nodeType":249,"data":2225,"content":2226},{},[2227],{"nodeType":248,"value":2228,"marks":2229,"data":2230},"You can see an example of this below: it's incredibly convincing, and uses the real ChatGPT domain — so even users that are paying attention are liable to fall for it. ",[],{},{"nodeType":373,"data":2232,"content":2236},{"target":2233},{"sys":2234},{"id":2235,"type":262,"linkType":263},"1GYWOyHpZT1rdTm6IGOKu8",[],{"nodeType":373,"data":2238,"content":2242},{"target":2239},{"sys":2240},{"id":2241,"type":262,"linkType":263},"4HpFJRAZH2lbygaEk2xOnN",[],{"nodeType":249,"data":2244,"content":2245},{},[2246,2250,2258,2262,2270,2274,2283],{"nodeType":248,"value":2247,"marks":2248,"data":2249},"This fits a pattern Push has tracked extensively. ",[],{},{"nodeType":1105,"data":2251,"content":2253},{"uri":2252},"https://pushsecurity.com/blog/verizon-dbir-2026-review/",[2254],{"nodeType":248,"value":2255,"marks":2256,"data":2257},"Search-based delivery is now the dominant channel for malware distribution",[],{},{"nodeType":248,"value":2259,"marks":2260,"data":2261}," — our own data shows that ClickFix attacks are reached via search results rather than email in 4 of 5 cases, and Push's own research into ",[],{},{"nodeType":1105,"data":2263,"content":2265},{"uri":2264},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack/",[2266],{"nodeType":248,"value":2267,"marks":2268,"data":2269},"malvertising campaigns impersonating brands like TradingView",[],{},{"nodeType":248,"value":2271,"marks":2272,"data":2273}," and ",[],{},{"nodeType":1105,"data":2275,"content":2277},{"uri":2276},"https://pushsecurity.com/blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs/",[2278],{"nodeType":248,"value":2279,"marks":2280,"data":2282},"Ahrefs",[2281],{"type":1405},{},{"nodeType":248,"value":2284,"marks":2285,"data":2286}," has demonstrated how effectively search ads can funnel victims to malicious pages. ",[],{},{"nodeType":249,"data":2288,"content":2289},{},[2290],{"nodeType":248,"value":2291,"marks":2292,"data":2293},"The shared-chat technique adds a new dimension: the destination URL itself is genuine (chatgpt.com, claude.ai), which means even a cautious user who checks the URL before clicking will see nothing suspicious.",[],{},{"nodeType":377,"data":2295,"content":2296},{},[],{"nodeType":386,"data":2298,"content":2299},{},[2300],{"nodeType":248,"value":2301,"marks":2302,"data":2304},"Legitimate platform abuse is everywhere",[2303],{"type":301},{},{"nodeType":249,"data":2306,"content":2307},{},[2308],{"nodeType":248,"value":2309,"marks":2310,"data":2311},"This is one example of a much broader pattern that has become one of the defining characteristics of the 2026 threat landscape: attackers systematically abusing legitimate platforms as attack infrastructure. The scale and variety of this abuse in recent months alone is striking, and it spans every stage of the phishing chain.",[],{},{"nodeType":567,"data":2313,"content":2314},{},[2315],{"nodeType":248,"value":2316,"marks":2317,"data":2318},"Legit platform abuse for delivery",[],{},{"nodeType":249,"data":2320,"content":2321},{},[2322,2326,2334,2338,2346,2350,2358],{"nodeType":248,"value":2323,"marks":2324,"data":2325},"On the delivery side, attackers have been ",[],{},{"nodeType":1105,"data":2327,"content":2329},{"uri":2328},"https://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abused-in-phishing-to-evade-detection/",[2330],{"nodeType":248,"value":2331,"marks":2332,"data":2333},"weaponizing stolen AWS credentials to send phishing through Amazon SES",[],{},{"nodeType":248,"value":2335,"marks":2336,"data":2337}," that passes SPF, DKIM, and DMARC validation because SES is a legitimate Amazon service. A Vietnamese operation dubbed ",[],{},{"nodeType":1105,"data":2339,"content":2341},{"uri":2340},"https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html",[2342],{"nodeType":248,"value":2343,"marks":2344,"data":2345},"AccountDumpling used Google AppSheet's built-in email capability",[],{},{"nodeType":248,"value":2347,"marks":2348,"data":2349}," as a phishing relay to harvest 30,000 Facebook credentials. ",[],{},{"nodeType":1105,"data":2351,"content":2353},{"uri":2352},"https://techcrunch.com/2026/05/21/scammers-are-abusing-an-internal-microsoft-account-to-send-spam/",[2354],{"nodeType":248,"value":2355,"marks":2356,"data":2357},"Scammers exploited Microsoft's own internal notification pipeline",[],{},{"nodeType":248,"value":2359,"marks":2360,"data":2361}," — sending phishing from the same msonlineservicesteam@microsoftonline.com address that delivers legitimate 2FA codes — with Spamhaus confirming months of ongoing abuse.",[],{},{"nodeType":567,"data":2363,"content":2364},{},[2365],{"nodeType":248,"value":2366,"marks":2367,"data":2368},"Legit platform abuse for hosting",[],{},{"nodeType":249,"data":2370,"content":2371},{},[2372,2376,2384,2388,2396],{"nodeType":248,"value":2373,"marks":2374,"data":2375},"For hosting, the platforms being abused read like a who's who of modern web infrastructure. ",[],{},{"nodeType":1105,"data":2377,"content":2379},{"uri":2378},"https://www.securityweek.com/over-500-organizations-hit-in-years-long-phishing-campaign/",[2380],{"nodeType":248,"value":2381,"marks":2382,"data":2383},"Operation HookedWing ran for four years",[],{},{"nodeType":248,"value":2385,"marks":2386,"data":2387}," on GitHub Pages and Vercel, compromising 500+ organizations across more than 100 GitHub Pages domains before anyone documented it publicly. Cofense has separately ",[],{},{"nodeType":1105,"data":2389,"content":2391},{"uri":2390},"https://cofense.com/blog/steal-smarter-not-harder-malicious-use-of-vercel-for-credential-phishing/",[2392],{"nodeType":248,"value":2393,"marks":2394,"data":2395},"documented the growing abuse of Vercel",[],{},{"nodeType":248,"value":2397,"marks":2398,"data":2399}," for credential phishing hosting. Pixm's Q1 2026 phishing report tracked over 100 unique Azure Blob Storage subdomain variants hosting phishing content that carried Microsoft's own domain reputation, alongside abuse of Cloudflare CDN, Cloudflare Workers, Cloudflare R2, Backblaze B2, and Supabase. ",[],{},{"nodeType":567,"data":2401,"content":2402},{},[2403],{"nodeType":248,"value":2404,"marks":2405,"data":2406},"Abuse of compromised websites that are otherwise legit",[],{},{"nodeType":249,"data":2408,"content":2409},{},[2410,2414,2422,2426,2434,2438,2446],{"nodeType":248,"value":2411,"marks":2412,"data":2413},"Compromised legitimate sites are also being repurposed at scale. A mass exploitation of a ",[],{},{"nodeType":1105,"data":2415,"content":2417},{"uri":2416},"https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/",[2418],{"nodeType":248,"value":2419,"marks":2420,"data":2421},"Ghost CMS vulnerability planted ClickFix pages across 700+ websites",[],{},{"nodeType":248,"value":2423,"marks":2424,"data":2425}," including Harvard, Oxford, and DuckDuckGo subdomains. Microsoft recently documented a campaign where ",[],{},{"nodeType":1105,"data":2427,"content":2429},{"uri":2428},"https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",[2430],{"nodeType":248,"value":2431,"marks":2432,"data":2433},"SEO poisoning was combined with AI chatbot recommendation manipulation",[],{},{"nodeType":248,"value":2435,"marks":2436,"data":2437}," to deliver GPU mining malware — extending the poisoning from traditional search results into AI-generated software recommendations. And ",[],{},{"nodeType":1105,"data":2439,"content":2441},{"uri":2440},"https://www.helpnetsecurity.com/2026/05/27/deno-rat-malware-fake-chatgpt-claude-installers/",[2442],{"nodeType":248,"value":2443,"marks":2444,"data":2445},"fake ChatGPT and Claude installers on GitHub and SourceForge",[],{},{"nodeType":248,"value":2447,"marks":2448,"data":2449}," have been delivering the DinDoor backdoor and a Deno-based RAT via repositories that mimic legitimate developer tool distributions.",[],{},{"nodeType":249,"data":2451,"content":2452},{},[2453],{"nodeType":248,"value":2454,"marks":2455,"data":2456},"The structural problem is that every one of these platforms is genuinely legitimate, and the security controls that evaluate them — domain reputation, email authentication, URL categorization — confirm them as trusted because they are trusted. This attack extends this pattern into new territory by weaponizing the content-sharing features of AI chatbot platforms specifically, but the underlying principles are the same. ",[],{},{"nodeType":377,"data":2458,"content":2459},{},[],{"nodeType":386,"data":2461,"content":2462},{},[2463],{"nodeType":248,"value":2464,"marks":2465,"data":2467},"Impact analysis",[2466],{"type":301},{},{"nodeType":249,"data":2469,"content":2470},{},[2471,2475,2483],{"nodeType":248,"value":2472,"marks":2473,"data":2474},"Shared-chat malware delivery exploits a structural property of AI platforms that traditional security controls aren't designed to handle. Domain reputation, URL categorization, and safe browsing databases all treat chatgpt.com and claude.ai as trusted — because they are. Using these trusted pages to link off to further convincing-looking pages hosting malware allows the attacker to run campaigns that blend in, as well as rotate the phishing delivery pages later in the chain should they ever be flagged, allowing the campaign to continue without interruption (a well known ",[],{},{"nodeType":1105,"data":2476,"content":2478},{"uri":2477},"https://phishing-techniques.pushsecurity.com/",[2479],{"nodeType":248,"value":2480,"marks":2481,"data":2482},"detection evasion technique",[],{},{"nodeType":248,"value":2484,"marks":2485,"data":2486},"). ",[],{},{"nodeType":249,"data":2488,"content":2489},{},[2490],{"nodeType":248,"value":2491,"marks":2492,"data":2493},"What makes the rendered-page variant particularly concerning is that it eliminates the most obvious red flag in the earlier attacks. The Claude.ai conversation variants required the victim to recognize that a shared chat instructing them to paste terminal commands might be suspicious — a tall order for many users, but at least the attack surface was visible. The rendered-page variant shows nothing that looks like an attack. It presents what appears to be a routine service disruption with a reasonable call to action: download the desktop app to continue using ChatGPT. ",[],{},{"nodeType":567,"data":2495,"content":2496},{},[2497],{"nodeType":248,"value":2498,"marks":2499,"data":2501},"How Push detected the attack",[2500],{"type":301},{},{"nodeType":249,"data":2503,"content":2504},{},[2505,2509,2514],{"nodeType":248,"value":2506,"marks":2507,"data":2508},"We've aligned our detection logic for this technique under the name ",[],{},{"nodeType":248,"value":2510,"marks":2511,"data":2513},"LLMShare",[2512],{"type":301},{},{"nodeType":248,"value":2515,"marks":2516,"data":2517}," — a technique-level detection that covers shared content abuse across LLM platforms, not tied to any single campaign or set of IOCs. ",[],{},{"nodeType":249,"data":2519,"content":2520},{},[2521],{"nodeType":248,"value":2522,"marks":2523,"data":2524},"Because Push sees the full context of how a user arrived at a page and what that page does once it renders, we can identify LLMShare attacks regardless of which AI platform is being abused or what social engineering wrapper the attacker has chosen. ",[],{},{"nodeType":249,"data":2526,"content":2527},{},[2528,2532,2540],{"nodeType":248,"value":2529,"marks":2530,"data":2531},"When we identified the initial instances of this campaign, we used our ",[],{},{"nodeType":1105,"data":2533,"content":2535},{"uri":2534},"https://pushsecurity.com/blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline/",[2536],{"nodeType":248,"value":2537,"marks":2538,"data":2539},"agentic threat hunting pipeline",[],{},{"nodeType":248,"value":2541,"marks":2542,"data":2543}," to hunt for additional examples across our customer telemetry, develop the LLMShare detection, and rapidly deploy it to customers. Push blocks users from interacting with the page before any malicious activity can occur. ",[],{},{"nodeType":249,"data":2545,"content":2546},{},[2547],{"nodeType":248,"value":2548,"marks":2549,"data":2550},"Push customers do not need to take any further action.",[],{},{"nodeType":377,"data":2552,"content":2553},{},[],{"nodeType":249,"data":2555,"content":2556},{},[2557],{"nodeType":248,"value":1174,"marks":2558,"data":2559},[],{},{"nodeType":249,"data":2561,"content":2562},{},[2563],{"nodeType":248,"value":1181,"marks":2564,"data":2565},[],{},{"nodeType":249,"data":2567,"content":2568},{},[2569,2572,2581],{"nodeType":248,"value":29,"marks":2570,"data":2571},[],{},{"nodeType":1105,"data":2573,"content":2575},{"uri":2574},"https://pushsecurity.com/demo/",[2576],{"nodeType":248,"value":2577,"marks":2578,"data":2580},"Book a live demo to learn more.",[2579],{"type":1405},{},{"nodeType":248,"value":29,"marks":2582,"data":2583},[],{},{"nodeType":377,"data":2585,"content":2586},{},[],{"nodeType":386,"data":2588,"content":2589},{},[2590],{"nodeType":248,"value":2591,"marks":2592,"data":2594},"Indicators of compromise",[2593],{"type":301},{},{"nodeType":249,"data":2596,"content":2597},{},[2598,2602,2610],{"nodeType":248,"value":2599,"marks":2600,"data":2601},"As we always say, short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":1105,"data":2603,"content":2605},{"uri":2604},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[2606],{"nodeType":248,"value":2607,"marks":2608,"data":2609},"quickly spin up and rotate the sites used",[],{},{"nodeType":248,"value":2611,"marks":2612,"data":2613}," in the attack chain. IoC-based detections for campaigns like this are of limited value.",[],{},{"nodeType":249,"data":2615,"content":2616},{},[2617],{"nodeType":248,"value":2618,"marks":2619,"data":2620},"At the time of writing, the indicators observed were:",[],{},{"nodeType":2622,"data":2623,"content":2624},"table",{},[2625,2652,2676,2698,2721],{"nodeType":2626,"data":2627,"content":2628},"table-row",{},[2629,2641],{"nodeType":2630,"data":2631,"content":2632},"table-header-cell",{},[2633],{"nodeType":249,"data":2634,"content":2635},{},[2636],{"nodeType":248,"value":2637,"marks":2638,"data":2640},"Indicator",[2639],{"type":301},{},{"nodeType":2630,"data":2642,"content":2643},{},[2644],{"nodeType":249,"data":2645,"content":2646},{},[2647],{"nodeType":248,"value":2648,"marks":2649,"data":2651},"Type",[2650],{"type":301},{},{"nodeType":2626,"data":2653,"content":2654},{},[2655,2666],{"nodeType":2656,"data":2657,"content":2658},"table-cell",{},[2659],{"nodeType":249,"data":2660,"content":2661},{},[2662],{"nodeType":248,"value":2663,"marks":2664,"data":2665},"hxxps://claude[.]ai/share/8e6401b5-4849-46c4-a3cb-29e1c3c49131",[],{},{"nodeType":2656,"data":2667,"content":2668},{},[2669],{"nodeType":249,"data":2670,"content":2671},{},[2672],{"nodeType":248,"value":2673,"marks":2674,"data":2675},"URL",[],{},{"nodeType":2626,"data":2677,"content":2678},{},[2679,2689],{"nodeType":2656,"data":2680,"content":2681},{},[2682],{"nodeType":249,"data":2683,"content":2684},{},[2685],{"nodeType":248,"value":2686,"marks":2687,"data":2688},"hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d",[],{},{"nodeType":2656,"data":2690,"content":2691},{},[2692],{"nodeType":249,"data":2693,"content":2694},{},[2695],{"nodeType":248,"value":2673,"marks":2696,"data":2697},[],{},{"nodeType":2626,"data":2699,"content":2700},{},[2701,2711],{"nodeType":2656,"data":2702,"content":2703},{},[2704],{"nodeType":249,"data":2705,"content":2706},{},[2707],{"nodeType":248,"value":2708,"marks":2709,"data":2710},"openew[.]app",[],{},{"nodeType":2656,"data":2712,"content":2713},{},[2714],{"nodeType":249,"data":2715,"content":2716},{},[2717],{"nodeType":248,"value":2718,"marks":2719,"data":2720},"Domain",[],{},{"nodeType":2626,"data":2722,"content":2723},{},[2724,2734],{"nodeType":2656,"data":2725,"content":2726},{},[2727],{"nodeType":249,"data":2728,"content":2729},{},[2730],{"nodeType":248,"value":2731,"marks":2732,"data":2733},"de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78",[],{},{"nodeType":2656,"data":2735,"content":2736},{},[2737],{"nodeType":249,"data":2738,"content":2739},{},[2740],{"nodeType":248,"value":2741,"marks":2742,"data":2743},"SHA256",[],{},{"nodeType":249,"data":2745,"content":2746},{},[2747],{"nodeType":248,"value":29,"marks":2748,"data":2749},[],{},"LLMShare: how attackers are turning AI chatbot pages into malware delivery platforms","How attackers are using shared content features on AI chatbot platforms to deliver malware via pages hosted on legitimate domains, sent via malvertising.","2026-05-29T00:00:00.000Z","llmshare-malvertising-campaign",{"items":2755},[2756,2758],{"sys":2757,"name":1948},{"id":1947},{"sys":2759,"name":2761},{"id":2760},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":2763},[2764],{"fullName":2765,"firstName":2766,"jobTitle":2767,"profilePicture":2768},"Keanu Maharaj","Keanu","Senior Security Researcher",{"url":2769},"https://images.ctfassets.net/y1cdw1ablpvd/VCGOm62jiocjwngWTh32U/e9a30637b1c76bf988d2fec90f5b6c36/1689361049351_1.png",{"__typename":1208,"sys":2771,"content":2773,"title":3532,"synopsis":3533,"hashTags":62,"publishedDate":3534,"slug":3535,"tagsCollection":3536,"authorsCollection":3542},{"id":2772},"5RDOpmzJolwT1hk0fNIxzf",{"json":2774},{"nodeType":1201,"data":2775,"content":2776},{},[2777,2796,2802,2809,2816,2819,2827,2846,2865,2872,2878,2885,2891,2898,2906,2913,2931,2963,2969,2975,2983,2990,3009,3040,3072,3079,3085,3093,3100,3112,3119,3160,3166,3208,3247,3253,3256,3264,3271,3277,3284,3291,3297,3304,3311,3333,3336,3344,3351,3359,3366,3373,3392,3399,3405,3412,3420,3427,3444,3451,3468,3471,3479,3486,3493,3500,3503,3509,3515],{"nodeType":249,"data":2778,"content":2779},{},[2780,2784,2792],{"nodeType":248,"value":2781,"marks":2782,"data":2783},"Back in 2024, we wrote about ",[],{},{"nodeType":1105,"data":2785,"content":2787},{"uri":2786},"https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",[2788],{"nodeType":248,"value":2789,"marks":2790,"data":2791},"how the Pyramid of Pain shapes Push's detection philosophy",[],{},{"nodeType":248,"value":2793,"marks":2794,"data":2795}," — detections targeting indicators that are easy for attackers to change deliver diminishing returns, while detections targeting attacker techniques impose a cost that's hard to absorb. Two years on, every force that made IoC-based detection fragile has intensified.",[],{},{"nodeType":373,"data":2797,"content":2801},{"target":2798},{"sys":2799},{"id":2800,"type":262,"linkType":263},"1iuLYxwI8T1wDUIFSom0G0",[],{"nodeType":249,"data":2803,"content":2804},{},[2805],{"nodeType":248,"value":2806,"marks":2807,"data":2808},"AI hasn't introduced a new problem so much as it's compressed the timelines on an existing one — attackers can generate infrastructure, iterate on tooling, and industrialize newly discovered techniques faster than before. The bottom layers of the Pyramid are collapsing under the weight of machine-speed operations, and the middle layers are starting to buckle too.",[],{},{"nodeType":249,"data":2810,"content":2811},{},[2812],{"nodeType":248,"value":2813,"marks":2814,"data":2815},"These changes mean that technique-level detection is more important than ever. In this article, we’ll dig into how the Pyramid is changing, and what this means for our detection philosophy at Push (TL;DR — it reinforces the path we’re already on: building detections at the top of the Pyramid by harnessing browser visibility). ",[],{},{"nodeType":377,"data":2817,"content":2818},{},[],{"nodeType":386,"data":2820,"content":2821},{},[2822],{"nodeType":248,"value":2823,"marks":2824,"data":2826},"The bottom of the Pyramid was already crumbling",[2825],{"type":301},{},{"nodeType":249,"data":2828,"content":2829},{},[2830,2834,2842],{"nodeType":248,"value":2831,"marks":2832,"data":2833},"The case against indicator-based detection didn't need AI to be compelling. ",[],{},{"nodeType":1105,"data":2835,"content":2837},{"uri":2836},"https://www.spamhaus.org/",[2838],{"nodeType":248,"value":2839,"marks":2840,"data":2841},"89% of phishing domains are active for fewer than two days",[],{},{"nodeType":248,"value":2843,"marks":2844,"data":2845},", with just 6.5% surviving past 15 days — by the time a domain makes it onto a blocklist, the campaign has moved on.",[],{},{"nodeType":249,"data":2847,"content":2848},{},[2849,2853,2861],{"nodeType":248,"value":2850,"marks":2851,"data":2852},"We've ",[],{},{"nodeType":1105,"data":2854,"content":2856},{"uri":2855},"https://pushsecurity.com/blog/why-most-phishing-attacks-feel-like-a-zero-day/",[2857],{"nodeType":248,"value":2858,"marks":2859,"data":2860},"written before",[],{},{"nodeType":248,"value":2862,"marks":2863,"data":2864}," about how this makes every phishing attack effectively a zero-day for organizations relying on known-bad detection. The phishing kit's behavior — its page structure, script signatures, malicious payload mechanics — is the only detection target that outlasts a single campaign.",[],{},{"nodeType":249,"data":2866,"content":2867},{},[2868],{"nodeType":248,"value":2869,"marks":2870,"data":2871},"When we blogged about the Pyramid of Pain for modern attacks that happen predominantly over the internet, with minimal (or zero) endpoint contact, it first looked like this: ",[],{},{"nodeType":373,"data":2873,"content":2877},{"target":2874},{"sys":2875},{"id":2876,"type":262,"linkType":263},"2N04ycJ6RKGfHdX5X1TwU3",[],{"nodeType":249,"data":2879,"content":2880},{},[2881],{"nodeType":248,"value":2882,"marks":2883,"data":2884},"Now, it looks more like this:",[],{},{"nodeType":373,"data":2886,"content":2890},{"target":2887},{"sys":2888},{"id":2889,"type":262,"linkType":263},"mfhP4WToOQkrHnVkXU0tX",[],{"nodeType":249,"data":2892,"content":2893},{},[2894],{"nodeType":248,"value":2895,"marks":2896,"data":2897},"Let’s explore why. ",[],{},{"nodeType":567,"data":2899,"content":2900},{},[2901],{"nodeType":248,"value":2902,"marks":2903,"data":2905},"AI is accelerating phishing rotation and delivery",[2904],{"type":301},{},{"nodeType":249,"data":2907,"content":2908},{},[2909],{"nodeType":248,"value":2910,"marks":2911,"data":2912},"Attackers are harnessing AI at every stage, speeding up the process of creating, rotating, and replacing phishing infrastructure at every level, as well as capitalizing on AI adoption itself to enhance their lures. The operational signature is more domains, shorter lifespans, more variation, and fewer of the reuse patterns that blocklists depend on.",[],{},{"nodeType":249,"data":2914,"content":2915},{},[2916,2920,2927],{"nodeType":248,"value":2917,"marks":2918,"data":2919},"Attackers can ",[],{},{"nodeType":1105,"data":2921,"content":2922},{"uri":2534},[2923],{"nodeType":248,"value":2924,"marks":2925,"data":2926},"vibe-code entire phishing pages in minutes",[],{},{"nodeType":248,"value":2928,"marks":2929,"data":2930}," — not just cloning legitimate login pages but vibe-cloning them, feeding an AI a screenshot and having it rebuild a convincing frontend with a completely unique backend. ",[],{},{"nodeType":249,"data":2932,"content":2933},{},[2934,2938,2947,2951,2959],{"nodeType":248,"value":2935,"marks":2936,"data":2937},"We've seen attackers clone free SaaS tools like background removers and PDF converters, then inject phishing components or ClickFix payloads into what looks like a functional utility. We’ve even seen attackers distributing malware using AI-generated pages shared using ",[],{},{"nodeType":1105,"data":2939,"content":2941},{"uri":2940},"https://pushsecurity.com/blog/llmshare-malvertising-campaign/",[2942],{"nodeType":248,"value":2943,"marks":2944,"data":2946},"LLM tool sharing functionality",[2945],{"type":1405},{},{"nodeType":248,"value":2948,"marks":2949,"data":2950},", resulting in phishing delivery pages hosted on real claude.ai and chatgpt.com. And legitimate cloud platforms like ",[],{},{"nodeType":1105,"data":2952,"content":2954},{"uri":2953},"https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign",[2955],{"nodeType":248,"value":2956,"marks":2957,"data":2958},"Railway",[],{},{"nodeType":248,"value":2960,"marks":2961,"data":2962},", Cloudflare Workers, and Vercel host and dynamically rotate attack infrastructure, so the domains feeding into blocklists often belong to reputable services that can't simply be blocked. ",[],{},{"nodeType":373,"data":2964,"content":2968},{"target":2965},{"sys":2966},{"id":2967,"type":262,"linkType":263},"5yoLmqysyQazfzLITCUTfc",[],{"nodeType":373,"data":2970,"content":2974},{"target":2971},{"sys":2972},{"id":2973,"type":262,"linkType":263},"5XK5qZMQU19xlA8L2T5y0Z",[],{"nodeType":567,"data":2976,"content":2977},{},[2978],{"nodeType":248,"value":2979,"marks":2980,"data":2982},"The kit ecosystem is fragmenting faster than anyone can track",[2981],{"type":301},{},{"nodeType":249,"data":2984,"content":2985},{},[2986],{"nodeType":248,"value":2987,"marks":2988,"data":2989},"What we see across our install base is a huge and growing variation in phishing kits — new kits, derivative kits of known platforms, derivatives of those derivatives — appearing on a weekly basis.",[],{},{"nodeType":249,"data":2991,"content":2992},{},[2993,2997,3005],{"nodeType":248,"value":2994,"marks":2995,"data":2996},"As we reported in our ",[],{},{"nodeType":1105,"data":2998,"content":3000},{"uri":2999},"https://pushsecurity.com/thank-you/browser-attacks-report",[3001],{"nodeType":248,"value":3002,"marks":3003,"data":3004},"Browser Attacks Report",[],{},{"nodeType":248,"value":3006,"marks":3007,"data":3008},", the most common AiTM kits we detected over the last year were Tycoon 2FA (59% of detections), followed by Sneaky 2FA, FlowerStorm, Evilginx (nominally a red team tool, but widely abused by attackers), NakedPages, Gabagool, and dozens more — but those established names are just the visible layer.",[],{},{"nodeType":249,"data":3010,"content":3011},{},[3012,3016,3024,3028,3036],{"nodeType":248,"value":3013,"marks":3014,"data":3015},"Code is forked, modified, and redeployed across kits in a pattern that ",[],{},{"nodeType":1105,"data":3017,"content":3019},{"uri":3018},"https://blog.barracuda.com/2026/04/16/threat-spotlight-tycoon-2fa-scattered-everywhere",[3020],{"nodeType":248,"value":3021,"marks":3022,"data":3023},"resembles open-source development",[],{},{"nodeType":248,"value":3025,"marks":3026,"data":3027}," more than traditional criminal enterprise, and the rate at which new variants appear is accelerating. The ",[],{},{"nodeType":1105,"data":3029,"content":3031},{"uri":3030},"https://pushsecurity.com/blog/device-code-phishing/",[3032],{"nodeType":248,"value":3033,"marks":3034,"data":3035},"Venom kit",[],{},{"nodeType":248,"value":3037,"marks":3038,"data":3039}," reuses Sneaky 2FA's AiTM infrastructure but carries different branding and adds device code phishing — whether it's the same developers, stolen code, or a deliberate fork is unclear.",[],{},{"nodeType":249,"data":3041,"content":3042},{},[3043,3047,3055,3059,3068],{"nodeType":248,"value":3044,"marks":3045,"data":3046},"Tycoon 2FA illustrates the scale of the evolution. The kit evolves continuously, addingnew capabilities, new evasion techniques, and hybridizing with other platforms. Even when Sekoia and Microsoft seized 330+ Tycoon domains in March 2026, the techniques it popularized were already embedded across competitors, and the slack was taken up by rival platforms within days. And in any case, Tycoon was back to ",[],{},{"nodeType":1105,"data":3048,"content":3050},{"uri":3049},"https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/",[3051],{"nodeType":248,"value":3052,"marks":3053,"data":3054},"normal levels of operation",[],{},{"nodeType":248,"value":3056,"marks":3057,"data":3058}," shortly after. It has also been observed ",[],{},{"nodeType":1105,"data":3060,"content":3062},{"uri":3061},"https://www.okta.com/en-nl/blog/threat-intelligence/tycoon_2fa_phishing_actors_scatter/",[3063],{"nodeType":248,"value":3064,"marks":3065,"data":3067},"pivoting to add new device code phishing capabilities",[3066],{"type":1405},{},{"nodeType":248,"value":3069,"marks":3070,"data":3071}," (more on that below). ",[],{},{"nodeType":249,"data":3073,"content":3074},{},[3075],{"nodeType":248,"value":3076,"marks":3077,"data":3078},"Tear one down and there are many more to take its place — and meanwhile the original is already evolving into something new.",[],{},{"nodeType":373,"data":3080,"content":3084},{"target":3081},{"sys":3082},{"id":3083,"type":262,"linkType":263},"3UDzUCCizPJhXp3SsoZuSK",[],{"nodeType":567,"data":3086,"content":3087},{},[3088],{"nodeType":248,"value":3089,"marks":3090,"data":3092},"New techniques are being industrialized faster than ever",[3091],{"type":301},{},{"nodeType":249,"data":3094,"content":3095},{},[3096],{"nodeType":248,"value":3097,"marks":3098,"data":3099},"As well as the fragmentation of existing kits, we’re seeing new techniques added at an accelerating rate. ",[],{},{"nodeType":249,"data":3101,"content":3102},{},[3103,3108],{"nodeType":248,"value":3104,"marks":3105,"data":3107},"Device code phishing",[3106],{"type":301},{},{"nodeType":248,"value":3109,"marks":3110,"data":3111}," is the clearest case study. From early nation state adoption in 2024, it took until 2026 for criminal adoption to really take off, but the take-up this year is unprecedented. The EvilTokens kit packaged device code phishing into a PhaaS offering with GPT-powered spear-phishing and adaptive landing pages, hitting 340+ organizations across five countries in March 2026. ",[],{},{"nodeType":249,"data":3113,"content":3114},{},[3115],{"nodeType":248,"value":3116,"marks":3117,"data":3118},"Now, device code functionality is now a core phish kit component. We’re tracking 18+ kits with device code phishing capabilities and a 37.5x increase in device code phishing detections this year alone, with the technique moving from state-sponsored exclusivity to something any PhaaS customer can rent.",[],{},{"nodeType":249,"data":3120,"content":3121},{},[3122,3126,3134,3138,3143,3147,3156],{"nodeType":248,"value":3123,"marks":3124,"data":3125},"Similarly, when we ",[],{},{"nodeType":1105,"data":3127,"content":3129},{"uri":3128},"https://pushsecurity.com/blog/inside-criminal-phishing-panel",[3130],{"nodeType":248,"value":3131,"marks":3132,"data":3133},"infiltrated Doko's Panel",[],{},{"nodeType":248,"value":3135,"marks":3136,"data":3137}," — a ",[],{},{"nodeType":248,"value":3139,"marks":3140,"data":3142},"real-time vishing and AiTM platform",[3141],{"type":301},{},{"nodeType":248,"value":3144,"marks":3145,"data":3146}," used by ShinyHunters and affiliated groups — the codebase was full of LLM-generated artifacts. Multiple groups were using the templated vishing panel and spinning up their own variants, but the AI-generated indicators persisted throughout. This approach to real-time vishing + browser payload has been a ",[],{},{"nodeType":1105,"data":3148,"content":3150},{"uri":3149},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[3151],{"nodeType":248,"value":3152,"marks":3153,"data":3155},"mainstay of the Com affiliates like ShinyHunters this year",[3154],{"type":1405},{},{"nodeType":248,"value":3157,"marks":3158,"data":3159},". ",[],{},{"nodeType":373,"data":3161,"content":3165},{"target":3162},{"sys":3163},{"id":3164,"type":262,"linkType":263},"01mOiserRBXraawXwQyJNm",[],{"nodeType":249,"data":3167,"content":3168},{},[3169,3173,3178,3182,3191,3195,3204],{"nodeType":248,"value":3170,"marks":3171,"data":3172},"The broader ",[],{},{"nodeType":248,"value":3174,"marks":3175,"data":3177},"ClickFix",[3176],{"type":301},{},{"nodeType":248,"value":3179,"marks":3180,"data":3181}," family shows the same acceleration: First reported in early 2024 and adopted by four nation-state groups within a single quarter. Fast forward and ",[],{},{"nodeType":1105,"data":3183,"content":3185},{"uri":3184},"https://www.crowdstrike.com/en-us/global-threat-report/",[3186],{"nodeType":248,"value":3187,"marks":3188,"data":3190},"CrowdStrike's data",[3189],{"type":1405},{},{"nodeType":248,"value":3192,"marks":3193,"data":3194}," shows a 563% increase in fake CAPTCHA incidents (one of the more common ClickFix lure types), while ",[],{},{"nodeType":1105,"data":3196,"content":3198},{"uri":3197},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf",[3199],{"nodeType":248,"value":3200,"marks":3201,"data":3203},"Microsoft reported",[3202],{"type":1405},{},{"nodeType":248,"value":3205,"marks":3206,"data":3207}," it as making up 47% of observed attacks according to their Digital Defense Report.",[],{},{"nodeType":249,"data":3209,"content":3210},{},[3211,3215,3219,3223,3231,3235,3243],{"nodeType":248,"value":3212,"marks":3213,"data":3214},"And ",[],{},{"nodeType":248,"value":481,"marks":3216,"data":3218},[3217],{"type":301},{},{"nodeType":248,"value":3220,"marks":3221,"data":3222}," — a combination of ClickFix and OAuth consent phishing techniques — suggests the next compression is already underway. Push researchers ",[],{},{"nodeType":1105,"data":3224,"content":3226},{"uri":3225},"https://pushsecurity.com/blog/consentfix/",[3227],{"nodeType":248,"value":3228,"marks":3229,"data":3230},"discovered the technique",[],{},{"nodeType":248,"value":3232,"marks":3233,"data":3234}," in December 2025 — a browser-native ClickFix variant hijacking OAuth consent grants via Azure CLI's localhost redirect. It was later confirmed to be tied to APT29. By January 2026, a ",[],{},{"nodeType":1105,"data":3236,"content":3238},{"uri":3237},"https://pushsecurity.com/blog/consentfix-v3-analyzing-a-new-toolkit/",[3239],{"nodeType":248,"value":3240,"marks":3241,"data":3242},"criminal ConsentFix v3 toolkit",[],{},{"nodeType":248,"value":3244,"marks":3245,"data":3246}," had appeared on the XSS forum with Cloudflare Workers, ZoomInfo targeting, and automated exfiltration via Pipedream.",[],{},{"nodeType":373,"data":3248,"content":3252},{"target":3249},{"sys":3250},{"id":3251,"type":262,"linkType":263},"41FMif4T0y1maflzonWgL8",[],{"nodeType":377,"data":3254,"content":3255},{},[],{"nodeType":386,"data":3257,"content":3258},{},[3259],{"nodeType":248,"value":3260,"marks":3261,"data":3263},"Why technique-level detection is the only layer that holds",[3262],{"type":301},{},{"nodeType":249,"data":3265,"content":3266},{},[3267],{"nodeType":248,"value":3268,"marks":3269,"data":3270},"The middle of the Pyramid — tool signatures and artifacts — used to offer much more durable detection than infrastructure indicators. Fingerprinting a specific phishing kit by its JavaScript structure or HTML patterns provided a detection target that survived across dozens or hundreds of campaigns, even as the underlying domains rotated. Tool level detections are still better, but not by quite the same margin.",[],{},{"nodeType":373,"data":3272,"content":3276},{"target":3273},{"sys":3274},{"id":3275,"type":262,"linkType":263},"5pxaYdCIFiFKLPhRaPoldX",[],{"nodeType":249,"data":3278,"content":3279},{},[3280],{"nodeType":248,"value":3281,"marks":3282,"data":3283},"When the kit landscape was dominated by a handful of platforms, you could write signatures for Tycoon, Sneaky2FA, EvilProxy, and so on, and cover the lion's share of attacks. With the ecosystem now producing new variants and entirely new kits on a weekly basis, detecting by kit fingerprint starts to look uncomfortably similar to detecting by domain.",[],{},{"nodeType":249,"data":3285,"content":3286},{},[3287],{"nodeType":248,"value":3288,"marks":3289,"data":3290},"But many of these proliferating kits do share behavioral patterns at a deeper level than their code signatures. For example, every device code phishing kit implements fundamentally the same flow: present a lure, generate a device code via the OAuth Device Authorization endpoint, get the user to enter it on the legitimate authorization page, and poll for the resulting tokens. The frontends vary, the infrastructure varies, but the behavioral pattern doesn't.",[],{},{"nodeType":373,"data":3292,"content":3296},{"target":3293},{"sys":3294},{"id":3295,"type":262,"linkType":263},"FyyHayQtsJTwoB1kluMOl",[],{"nodeType":249,"data":3298,"content":3299},{},[3300],{"nodeType":248,"value":3301,"marks":3302,"data":3303},"Genuinely new attack techniques still require human creativity — an attacker has to identify a gap in how a legitimate protocol or feature can be subverted. That kind of innovation hasn't been automated. But the window to discover a technique, build a detection, and then deploy it before it is adopted by criminals at scale is compressing with each generation.",[],{},{"nodeType":249,"data":3305,"content":3306},{},[3307],{"nodeType":248,"value":3308,"marks":3309,"data":3310},"Organizations that detect at the technique level and deploy before commoditization have a structural advantage that increases over time. Waiting for indicators — even tool-level indicators — means chasing a curve that's accelerating away from you. This is the challenge we grapple with every day as we strive for the most resilient detections possible. ",[],{},{"nodeType":1758,"data":3312,"content":3313},{},[3314],{"nodeType":249,"data":3315,"content":3316},{},[3317,3320,3326,3329],{"nodeType":248,"value":1765,"marks":3318,"data":3319},[],{},{"nodeType":1105,"data":3321,"content":3322},{"uri":1770},[3323],{"nodeType":248,"value":1773,"marks":3324,"data":3325},[],{},{"nodeType":248,"value":1777,"marks":3327,"data":3328},[],{},{"nodeType":248,"value":1781,"marks":3330,"data":3332},[3331],{"type":285},{},{"nodeType":377,"data":3334,"content":3335},{},[],{"nodeType":386,"data":3337,"content":3338},{},[3339],{"nodeType":248,"value":3340,"marks":3341,"data":3343},"What it takes to detect at the top of the Pyramid",[3342],{"type":301},{},{"nodeType":249,"data":3345,"content":3346},{},[3347],{"nodeType":248,"value":3348,"marks":3349,"data":3350},"If technique-level detection is the only layer that holds, two things have to be true about your detection capability: You need the right vantage point, and you need the research velocity to stay ahead.",[],{},{"nodeType":567,"data":3352,"content":3353},{},[3354],{"nodeType":248,"value":3355,"marks":3356,"data":3358},"You need the right vantage point",[3357],{"type":301},{},{"nodeType":249,"data":3360,"content":3361},{},[3362],{"nodeType":248,"value":3363,"marks":3364,"data":3365},"Technique-level behaviors in browser-based identity attacks — how a phishing page orchestrates credential entry, how a device code flow presents its authorization prompt, how a ClickFix variant manipulates the clipboard — are visible in the browser session and nowhere else.",[],{},{"nodeType":249,"data":3367,"content":3368},{},[3369],{"nodeType":248,"value":3370,"marks":3371,"data":3372},"Network proxies see encrypted traffic and can attempt to reconstruct page behavior from metadata, but DOM manipulation, user interaction sequences, and script execution aren't visible from that vantage point. Email gateways see the delivery mechanism (or nothing at all in the increasing number of social media and search engine based attacks) but not the payload.",[],{},{"nodeType":249,"data":3374,"content":3375},{},[3376,3380,3388],{"nodeType":248,"value":3377,"marks":3378,"data":3379},"As we disclosed in our ",[],{},{"nodeType":1105,"data":3381,"content":3382},{"uri":2999},[3383],{"nodeType":248,"value":3384,"marks":3385,"data":3387},"browser attacks report",[3386],{"type":1405},{},{"nodeType":248,"value":3389,"marks":3390,"data":3391},", 95% of in-browser attacks we detect use some form of bot protection, often combined with conditional loading techniques like referrer and browser checks, reliably defeating automated analysis techniques. ",[],{},{"nodeType":249,"data":3393,"content":3394},{},[3395],{"nodeType":248,"value":3396,"marks":3397,"data":3398},"Behavioral detection at the technique level requires observing what happens on the page at the moment the user interacts with it — analyzing pages, not links. When you see the entire browsing flow — ad click, redirect chain, page render, credential prompt — an attack stands out immediately. Without that context, any detection system is forced to fill in gaps, and the gaps are where attacks hide.",[],{},{"nodeType":373,"data":3400,"content":3404},{"target":3401},{"sys":3402},{"id":3403,"type":262,"linkType":263},"4804g6u4POUDpL42bzP0EY",[],{"nodeType":249,"data":3406,"content":3407},{},[3408],{"nodeType":248,"value":3409,"marks":3410,"data":3411},"Push sits inside the browser session, observing this in real time. Its detections target the behavioral mechanics of techniques rather than the surface characteristics of individual kits or infrastructure.",[],{},{"nodeType":567,"data":3413,"content":3414},{},[3415],{"nodeType":248,"value":3416,"marks":3417,"data":3419},"You need the research expertise",[3418],{"type":301},{},{"nodeType":249,"data":3421,"content":3422},{},[3423],{"nodeType":248,"value":3424,"marks":3425,"data":3426},"When the window between technique discovery and industrialized exploitation is measured in weeks rather than years, the detection pipeline needs to operate on that same compressed timescale.",[],{},{"nodeType":249,"data":3428,"content":3429},{},[3430,3434,3440],{"nodeType":248,"value":3431,"marks":3432,"data":3433},"This is where our ",[],{},{"nodeType":1105,"data":3435,"content":3436},{"uri":2534},[3437],{"nodeType":248,"value":2537,"marks":3438,"data":3439},[],{},{"nodeType":248,"value":3441,"marks":3442,"data":3443}," fits. It's tripled our monthly detection output — not by generating bigger blocklists, but by scaling the process of discovering behavioral patterns across the telemetry generated by 3+ million browser deployments.",[],{},{"nodeType":249,"data":3445,"content":3446},{},[3447],{"nodeType":248,"value":3448,"marks":3449,"data":3450},"The detections it produces are technique-class by design, targeting how attacks work rather than the infrastructure or specific tool that implements them. The goal is curation, not accumulation — hundreds of high-fidelity behavioral detections rather than the billions of signatures and domain entries that traditional approaches require.",[],{},{"nodeType":249,"data":3452,"content":3453},{},[3454,3458,3464],{"nodeType":248,"value":3455,"marks":3456,"data":3457},"When we detected the first in-the-wild ",[],{},{"nodeType":1105,"data":3459,"content":3460},{"uri":1626},[3461],{"nodeType":248,"value":328,"marks":3462,"data":3463},[],{},{"nodeType":248,"value":3465,"marks":3466,"data":3467}," through the pipeline — a user had searched for NotebookLM, clicked a paid Google ad, and was redirected to a fake page with a WebAssembly C2 connector — the detection shipped to all customers within minutes. It didn't depend on knowing the domain, the ad creative, or the specific kit. It depended on recognizing the technique itself.",[],{},{"nodeType":377,"data":3469,"content":3470},{},[],{"nodeType":386,"data":3472,"content":3473},{},[3474],{"nodeType":248,"value":3475,"marks":3476,"data":3478},"Technique-level detection is now the only option",[3477],{"type":301},{},{"nodeType":249,"data":3480,"content":3481},{},[3482],{"nodeType":248,"value":3483,"marks":3484,"data":3485},"As a framework for detection durability, the Pyramid of Pain is more relevant than ever. ",[],{},{"nodeType":249,"data":3487,"content":3488},{},[3489],{"nodeType":248,"value":3490,"marks":3491,"data":3492},"AI has made infrastructure indicators essentially disposable. The tools tier is compressing as criminal vendors vibe-code, fork, and clone tooling at machine speed. Technique-level detection is the layer that holds long-term to be able to proactively detect and block net-new attacks and the kits that power them. ",[],{},{"nodeType":249,"data":3494,"content":3495},{},[3496],{"nodeType":248,"value":3497,"marks":3498,"data":3499},"Novel attack techniques still require human creativity to discover, and detections built around how those techniques work can survive infrastructure rotation, tool proliferation, and kit fragmentation. Defending that layer requires a vantage point inside the browser session and a research pipeline fast enough to stay ahead of the accelerating path from discovery to industrialization.",[],{},{"nodeType":377,"data":3501,"content":3502},{},[],{"nodeType":249,"data":3504,"content":3505},{},[3506],{"nodeType":248,"value":1174,"marks":3507,"data":3508},[],{},{"nodeType":249,"data":3510,"content":3511},{},[3512],{"nodeType":248,"value":1181,"marks":3513,"data":3514},[],{},{"nodeType":249,"data":3516,"content":3517},{},[3518,3521,3529],{"nodeType":248,"value":29,"marks":3519,"data":3520},[],{},{"nodeType":1105,"data":3522,"content":3523},{"uri":1926},[3524],{"nodeType":248,"value":3525,"marks":3526,"data":3528},"Book a live demo",[3527],{"type":1405},{},{"nodeType":248,"value":1200,"marks":3530,"data":3531},[],{},"The Pyramid of Pain in the AI era: Why technique-level detection matters more than ever","AI is accelerating the collapse of indicator-based threat detection. Here's why you need technique-level detection to stay ahead.","2026-06-01T00:00:00.000Z","the-pyramid-of-pain-in-the-ai-era",{"items":3537},[3538,3540],{"sys":3539,"name":2761},{"id":2760},{"sys":3541,"name":1948},{"id":1947},{"items":3543},[3544],{"fullName":3545,"firstName":3546,"jobTitle":3547,"profilePicture":3548},"Dan Green","Dan","Threat Research",{"url":3549},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png","can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline","blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline",{"json":3553},{"data":3554,"content":3555,"nodeType":1201},{},[3556],{"data":3557,"content":3558,"nodeType":249},{},[3559],{"data":3560,"marks":3561,"value":3562,"nodeType":248},{},[],"What does agentic threat hunting against modern browser-based attacks actually look like? At Push, we built an end-to-end threat hunting and detection engineering capability that uses AI agents as a force multiplier, tripling the number of new detections we’re shipping each month. Here’s how it works.","How we built an end-to-end threat hunting and detection engineering capability at Push that uses AI agents as a force multiplier.",{"id":3565,"publishedAt":3566},"1jfqiWQlL6qkn3i9yjNbFB","2026-06-02T10:17:47.377Z",{"items":3568},[3569,3571],{"sys":3570,"name":1948},{"id":1947},{"sys":3572,"name":2761},{"id":2760},"MxIEl4a6Ti33M-fJilgbfObS5fFB0_GerJEqhsLdnd8",1784196731085]