[{"data":1,"prerenderedAt":1594},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/push-plus-cloud-security":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":649,"faqItemsCollection":650,"faqTitle":62,"featured":6,"hashTags":62,"meta":652,"metaTitle":228,"ogImage":62,"publishedDate":653,"relatedBlogPostsCollection":654,"slug":1570,"stem":1571,"subtitle":62,"summary":1572,"synopsis":1583,"sys":1584,"tagsCollection":1587,"__hash__":1593},"blog/blog/push-plus-cloud-security.json","Push + Cloud Security: What do you do when bad looks normal?",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Peyton Padfield","Peyton","Product Team",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/1GU01HXElmc07nwi89qP3b/3188050420106c62e9df2ed4e4893b7f/1677005177901__1_.jpeg",{"json":238,"links":636},{"nodeType":239,"data":240,"content":241},"document",{},[242,253,261,268,275,282,289,298,305,312,319,323,331,338,345,352,359,381,389,396,403,410,413,421,437,453,460,468,475,482,489,496,505,512,577,580,630],{"nodeType":243,"data":244,"content":245},"heading-1",{},[246],{"nodeType":247,"value":248,"marks":249,"data":252},"text","Cloud security tools ensure secure configurations",[250],{"type":251},"bold",{},{"nodeType":254,"data":255,"content":256},"paragraph",{},[257],{"nodeType":247,"value":258,"marks":259,"data":260},"If you’re a cloud security architect, you probably don’t think in terms of firewalls and perimeters anymore. You think in control planes. Your job isn’t protecting a box or a subnet; it’s governing a sprawling web of IAM roles, service principals, APIs, and permissions that exist mostly as configuration and code. In this world, the boundary isn’t physical or even networked, it’s defined entirely by how your environment is configured.",[],{},{"nodeType":254,"data":262,"content":263},{},[264],{"nodeType":247,"value":265,"marks":266,"data":267},"The way most teams approached that problem was pragmatic. As cloud environments scaled, it became impossible to secure it by inspection or tribal knowledge. Cloud Security Posture Management tools and, later, Cloud Native Application Protection Platforms emerged to solve a very real problem: visibility and control over cloud configuration at scale. They gave teams a way to continuously assess infrastructure, track misconfigurations, and understand risk across accounts, regions, and services without drowning in raw provider logs.",[],{},{"nodeType":254,"data":269,"content":270},{},[271],{"nodeType":247,"value":272,"marks":273,"data":274},"That capability is important. Without it, cloud security simply doesn’t function. ",[],{},{"nodeType":254,"data":276,"content":277},{},[278],{"nodeType":247,"value":279,"marks":280,"data":281},"CSPM and CNAPP answer the question of “is my cloud environment configured securely?”. They tell you whether an IAM role is too permissive, whether a resource is exposed, or whether a policy violates best practice. They tell you when a user or account is trying to do something they shouldn’t. ",[],{},{"nodeType":254,"data":283,"content":284},{},[285],{"nodeType":247,"value":286,"marks":287,"data":288},"What they don’t answer is a different, increasingly important question: “What happens when attacker behavior is indistinguishable from legitimate user behavior?”",[],{},{"nodeType":290,"data":291,"content":292},"heading-2",{},[293],{"nodeType":247,"value":294,"marks":295,"data":297},"But they can’t stop “legitimate” actions",[296],{"type":251},{},{"nodeType":254,"data":299,"content":300},{},[301],{"nodeType":247,"value":302,"marks":303,"data":304},"The gap (or lack of) between legitimate user behavior and malicious abuse is becoming more relevant as cloud breaches change shape. ",[],{},{"nodeType":254,"data":306,"content":307},{},[308],{"nodeType":247,"value":309,"marks":310,"data":311},"In many of today’s incidents, attackers aren’t exploiting misconfigurations or abusing the cloud control plane directly. They’re compromising users. Once an authentication has occurred through illegitimate means, whether phishing, session hijacking, or token theft, the attacker operates entirely within an approved session.",[],{},{"nodeType":254,"data":313,"content":314},{},[315],{"nodeType":247,"value":316,"marks":317,"data":318},"From the perspective of cloud security tooling, very little looks wrong. The identity is valid. The access patterns appear expected. The infrastructure remains correctly configured. As long as the attacker operates within the bounds of what looks “normal”, no alarms are triggered. Meanwhile, sensitive actions are carried out through the browser, using the same interfaces and workflows as a real user.",[],{},{"nodeType":320,"data":321,"content":322},"hr",{},[],{"nodeType":243,"data":324,"content":325},{},[326],{"nodeType":247,"value":327,"marks":328,"data":330},"The gap between the IdP and the final API call — the “missing middle” in your security stack",[329],{"type":251},{},{"nodeType":254,"data":332,"content":333},{},[334],{"nodeType":247,"value":335,"marks":336,"data":337},"The browser session sits outside the telemetry and control model of infrastructure-focused cloud security tools. We call this the \"missing middle.\" It’s the space between the IdP login and the final cloud API call. ",[],{},{"nodeType":254,"data":339,"content":340},{},[341],{"nodeType":247,"value":342,"marks":343,"data":344},"In theory, you could try to close the gap by stitching together logs from every SaaS application in your environment. In practice, anyone who’s attempted this knows how quickly it falls apart. ",[],{},{"nodeType":254,"data":346,"content":347},{},[348],{"nodeType":247,"value":349,"marks":350,"data":351},"Each integration is brittle and expensive to maintain, and many applications don’t expose the level of telemetry you actually need, even if you’re willing to fork out for the top Security++ product tier. When you’re dealing with hundreds of apps per enterprise, each with their own configuration complexity, there’s a good chance that your solution focused on “core” cloud apps doesn’t actually have visibility of the full attack surface.",[],{},{"nodeType":254,"data":353,"content":354},{},[355],{"nodeType":247,"value":356,"marks":357,"data":358},"When logs do exist, they rarely show what you actually need. To a CSPM or CNAPP, it looks like an authorized user doing authorized things. A file was accessed or a setting was changed. What those tools can’t see is that the browser session itself was being manipulated in real time.",[],{},{"nodeType":254,"data":360,"content":361},{},[362,366,377],{"nodeType":247,"value":363,"marks":364,"data":365},"For ",[],{},{"nodeType":367,"data":368,"content":370},"hyperlink",{"uri":369},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[371],{"nodeType":247,"value":372,"marks":373,"data":376},"modern, cloud-native threat groups",[374],{"type":375},"underline",{},{"nodeType":247,"value":378,"marks":379,"data":380},", this lack of session-level visibility is their greatest advantage. They bypass the strong configuration and identity controls you’ve already implemented by simply stepping into the authorized stream. And by the time infrastructure-level signals suggest something is wrong, the attacker has already accomplished what they came for.",[],{},{"nodeType":290,"data":382,"content":383},{},[384],{"nodeType":247,"value":385,"marks":386,"data":388},"Secure everything, still lose",[387],{"type":251},{},{"nodeType":254,"data":390,"content":391},{},[392],{"nodeType":247,"value":393,"marks":394,"data":395},"At some point, this forces a hard realization: you can do everything “right” at the cloud and identity layers and still lose.",[],{},{"nodeType":254,"data":397,"content":398},{},[399],{"nodeType":247,"value":400,"marks":401,"data":402},"You can lock down infrastructure-as-code, tighten IAM policies, enforce conditional access, and pass every posture check you care about. But none of that changes where access actually happens. When users work in cloud services, they do it through a browser. And once a session is established, that browser session becomes the real control plane.",[],{},{"nodeType":254,"data":404,"content":405},{},[406],{"nodeType":247,"value":407,"marks":408,"data":409},"That’s the shift cloud security teams are running into. The problem isn’t that CSPM or CNAPP failed, it’s that they can’t see the full picture. Bridging the missing middle means treating the browser session itself as something you can inspect and defend.",[],{},{"nodeType":320,"data":411,"content":412},{},[],{"nodeType":243,"data":414,"content":415},{},[416],{"nodeType":247,"value":417,"marks":418,"data":420},"Why moving detection and response to the browser is the solution",[419],{"type":251},{},{"nodeType":254,"data":422,"content":423},{},[424,428,433],{"nodeType":247,"value":425,"marks":426,"data":427},"First, ",[],{},{"nodeType":247,"value":429,"marks":430,"data":432},"detection has to move into the browser",[431],{"type":251},{},{"nodeType":247,"value":434,"marks":435,"data":436},". Modern cloud attacks don’t announce themselves with known indicators or suspicious IPs; it’s all about behavior. A phishing kit rendering inside a login page. A session token being silently exfiltrated. A user interacting with a page that looks legitimate but isn’t. You only see those signals by inspecting the page, the scripts, and the user’s interaction, in real time, inside the tab, before any cloud API ever gets touched.",[],{},{"nodeType":254,"data":438,"content":439},{},[440,444,449],{"nodeType":247,"value":441,"marks":442,"data":443},"Second, ",[],{},{"nodeType":247,"value":445,"marks":446,"data":448},"posture can’t stop at the IdP or cloud configuration.",[447],{"type":251},{},{"nodeType":247,"value":450,"marks":451,"data":452}," It’s not enough to enforce MFA and SSO at a handful of centrally managed apps and assume the rest of the estate follows suit. Shadow SaaS breaks that assumption immediately. Local accounts, duplicate identities, and MFA gaps undermine cloud access controls, even when your AWS or Azure configuration is otherwise airtight. If a sensitive app allows password-only access, that weakness propagates straight back into your cloud environment.",[],{},{"nodeType":254,"data":454,"content":455},{},[456],{"nodeType":247,"value":457,"marks":458,"data":459},"Finally, when something does go wrong, teams need more than a login timestamp and an IP address. They need to know what the user actually saw and did. Click-by-click browser session data is what allows responders to understand intent, scope impact accurately, and determine whether a session was abused or simply used.",[],{},{"nodeType":290,"data":461,"content":462},{},[463],{"nodeType":247,"value":464,"marks":465,"data":467},"Visibility into the browser session holds the answers",[466],{"type":251},{},{"nodeType":254,"data":469,"content":470},{},[471],{"nodeType":247,"value":472,"marks":473,"data":474},"If the browser session is where cloud access actually happens, then treating it as a black box is no longer viable.",[],{},{"nodeType":254,"data":476,"content":477},{},[478],{"nodeType":247,"value":479,"marks":480,"data":481},"This is where Push Security fits. Push is designed to cover the missing middle, not by replacing your existing cloud security stack, but by extending it into the one place it can’t reach on its own: the live browser session.",[],{},{"nodeType":254,"data":483,"content":484},{},[485],{"nodeType":247,"value":486,"marks":487,"data":488},"CSPM and CNAPP remain the right tools for securing cloud configuration and infrastructure. They tell you whether IAM policies are sane, resources are exposed, and guardrails are in place. Push addresses a different problem. It focuses on what happens once access is granted, when identity moves from configuration into motion.",[],{},{"nodeType":254,"data":490,"content":491},{},[492],{"nodeType":247,"value":493,"marks":494,"data":495},"Push does this by deploying a browser-native agent, like EDR operates at the host level. That agent gives defenders direct visibility into the application session itself like the page structure being rendered, the user’s interaction with it, and the behaviors attackers rely on when they hijack sessions in real time.",[],{},{"nodeType":497,"data":498,"content":504},"embedded-entry-block",{"target":499},{"sys":500},{"id":501,"type":502,"linkType":503},"6qMaivxhJ3xT9DkwXGcCSJ","Link","Entry",[],{"nodeType":254,"data":506,"content":507},{},[508],{"nodeType":247,"value":509,"marks":510,"data":511},"That visibility changes how cloud access can be defended.",[],{},{"nodeType":513,"data":514,"content":515},"unordered-list",{},[516,532,547,562],{"nodeType":517,"data":518,"content":519},"list-item",{},[520],{"nodeType":254,"data":521,"content":522},{},[523,528],{"nodeType":247,"value":524,"marks":525,"data":527},"Real-time detection in the browser:",[526],{"type":251},{},{"nodeType":247,"value":529,"marks":530,"data":531}," Detect in-browser attacker techniques as they happen, left of boom. Phishing kits rendering inside login flows, session tokens being intercepted, credential submission into lookalike pages — Push observes these behaviors directly and can block them before any cloud API is touched or a console is reached.",[],{},{"nodeType":517,"data":533,"content":534},{},[535],{"nodeType":254,"data":536,"content":537},{},[538,543],{"nodeType":247,"value":539,"marks":540,"data":542},"Complete visibility into cloud access paths:",[541],{"type":251},{},{"nodeType":247,"value":544,"marks":545,"data":546}," Build an accurate inventory of how users are actually accessing cloud services. Push surfaces every application in use, including shadow SaaS, and shows which accounts are local, duplicated, missing MFA, or bypassing SSO — crucial visibility that falls between the cracks of application and identity provider. ",[],{},{"nodeType":517,"data":548,"content":549},{},[550],{"nodeType":254,"data":551,"content":552},{},[553,558],{"nodeType":247,"value":554,"marks":555,"data":557},"Active hardening at the point of access:",[556],{"type":251},{},{"nodeType":247,"value":559,"marks":560,"data":561}," Enforce secure login behavior across the entire application surface, not just centrally managed apps. Push can steer users toward using MFA and SSO and block risky credentials on unmanaged tools, closing identity gaps before they’re exploited.",[],{},{"nodeType":517,"data":563,"content":564},{},[565],{"nodeType":254,"data":566,"content":567},{},[568,573],{"nodeType":247,"value":569,"marks":570,"data":572},"Session-level context for rapid response:",[571],{"type":251},{},{"nodeType":247,"value":574,"marks":575,"data":576}," When something does go wrong, Push provides the missing ground truth. Instead of stitching together partial logs or relying on brittle app-level integrations, responders can see exactly what the user saw and did in the browser (from context generated directly from the browser session itself) making it possible to understand intent, assess scope accurately, and contain a compromised session quickly.",[],{},{"nodeType":320,"data":578,"content":579},{},[],{"nodeType":581,"data":582,"content":583},"blockquote",{},[584],{"nodeType":254,"data":585,"content":586},{},[587,591,600,604,613,617,626],{"nodeType":247,"value":588,"marks":589,"data":590},"Want to learn more about Push? ",[],{},{"nodeType":367,"data":592,"content":594},{"uri":593},"https://pushsecurity.com/resources/product-brochure",[595],{"nodeType":247,"value":596,"marks":597,"data":599},"Check out our latest product overview",[598],{"type":375},{},{"nodeType":247,"value":601,"marks":602,"data":603},", ",[],{},{"nodeType":367,"data":605,"content":607},{"uri":606},"https://pushsecurity.com/product-demo/",[608],{"nodeType":247,"value":609,"marks":610,"data":612},"visit our demo library",[611],{"type":375},{},{"nodeType":247,"value":614,"marks":615,"data":616},", or ",[],{},{"nodeType":367,"data":618,"content":620},{"uri":619},"https://pushsecurity.com/demo",[621],{"nodeType":247,"value":622,"marks":623,"data":625},"book some time with one of our team for a live demo",[624],{"type":375},{},{"nodeType":247,"value":627,"marks":628,"data":629},".",[],{},{"nodeType":254,"data":631,"content":632},{},[633],{"nodeType":247,"value":29,"marks":634,"data":635},[],{},{"entries":637},{"hyperlink":638,"inline":639,"block":640},[],[],[641],{"sys":642,"__typename":643,"title":644,"caption":644,"layoutMode":62,"file":645},{"id":501},"Image","The browser sees the \"missing middle\" that is key to stopping modern attacks.",{"url":646,"width":647,"height":648},"https://images.ctfassets.net/y1cdw1ablpvd/62kkmEzar8I24kELigqdoq/8e4c0476ba9bec03c418977bed5f40e6/Screenshot_2026-01-30_at_16.42.19.png",3372,1560,"json",{"items":651},[],{},"2026-02-06T00:00:00.000Z",{"items":655},[656,1173],{"__typename":657,"sys":658,"content":660,"title":1155,"synopsis":1156,"hashTags":62,"publishedDate":1157,"slug":1158,"tagsCollection":1159,"authorsCollection":1169},"BlogPosts",{"id":659},"5caCcGCqMMPm5KlwUv0sbz",{"json":661},{"data":662,"content":663,"nodeType":239},{},[664,672,679,686,698,706,713,720,727,735,738,746,753,760,767,786,792,799,816,825,947,950,958,965,977,984,989,996,1003,1011,1018,1026,1033,1040,1047,1095,1107,1143,1149],{"data":665,"content":666,"nodeType":243},{},[667],{"data":668,"marks":669,"value":671,"nodeType":247},{},[670],{"type":251},"Defense used to start at the network perimeter",{"data":673,"content":674,"nodeType":254},{},[675],{"data":676,"marks":677,"value":678,"nodeType":247},{},[],"If you've been working in security for any length of time, you know where defense starts: the network. Long before cloud-first or SaaS-first became default, the perimeter was where defenders had leverage: visibility, enforcement, and control over traffic moving in and out of the organization.",{"data":680,"content":681,"nodeType":254},{},[682],{"data":683,"marks":684,"value":685,"nodeType":247},{},[],"That mental model hasn’t disappeared. Secure Web Gateways, Cloud Access Security Brokers, and the converged Security Service Edge architecture exist because the problem they solve is still real. Organizations generate an enormous volume of web traffic, and someone has to monitor it, filter it, and enforce policy at scale. These tools sit inline, log metadata, apply categorization, and block what’s already known to be dangerous. Without them, the environment quickly becomes unmanageable and extremely difficult to secure.",{"data":687,"content":688,"nodeType":254},{},[689,693],{"data":690,"marks":691,"value":692,"nodeType":247},{},[],"They are very good at what they were designed to do: securing the wire. ",{"data":694,"marks":695,"value":697,"nodeType":247},{},[696],{"type":251},"But what happens over the wire is not the full picture. ",{"data":699,"content":700,"nodeType":290},{},[701],{"data":702,"marks":703,"value":705,"nodeType":247},{},[704],{"type":251},"Traffic isn't the whole picture anymore",{"data":707,"content":708,"nodeType":254},{},[709],{"data":710,"marks":711,"value":712,"nodeType":247},{},[],"A significant amount of activity happens locally, inside the browser, beyond the visibility of network controls. Modern webpages are effectively complicated web apps that are rendered client-side via JavaScript — and not everything that happens on the page is traffic-generating. ",{"data":714,"content":715,"nodeType":254},{},[716],{"data":717,"marks":718,"value":719,"nodeType":247},{},[],"That distinction matters more than it used to. Authentication, data access, administrative actions, almost all of it now happens inside a browser tab. As a result, the browser has become a central point of both productivity and risk.",{"data":721,"content":722,"nodeType":254},{},[723],{"data":724,"marks":725,"value":726,"nodeType":247},{},[],"Network tools still see the pipeline of traffic moving back and forth. But attackers have adapted to operate within that pipeline rather than around it. They don’t need to break the connection or trigger obvious anomalies. They target the content rendered inside the browser and the user interacting with it.",{"data":728,"content":729,"nodeType":254},{},[730],{"data":731,"marks":732,"value":734,"nodeType":247},{},[733],{"type":251},"That leaves security teams with noisy traffic visibility and very little insight into the actual attack unfolding inside the browser session.",{"data":736,"content":737,"nodeType":320},{},[],{"data":739,"content":740,"nodeType":243},{},[741],{"data":742,"marks":743,"value":745,"nodeType":247},{},[744],{"type":251},"Traffic visibility vs. in-browser context",{"data":747,"content":748,"nodeType":254},{},[749],{"data":750,"marks":751,"value":752,"nodeType":247},{},[],"The modern attacker's playbook is built on a simple idea: stay inside the network’s line of sight without triggering detections or enforcement. Containing operations to the browser layer provides attackers with an easy bypass of many traditional network controls without ever needing to break or evade them outright.",{"data":754,"content":755,"nodeType":254},{},[756],{"data":757,"marks":758,"value":759,"nodeType":247},{},[],"They do this by staying ahead of known-bad detection models, constantly rotating domains and URLs, using anti-analysis techniques, and delivering phishing lures through channels that bypass traditional network ingress points like the email gateway (like social media or SMS). In many cases, the link is never evaluated by perimeter controls at all.",{"data":761,"content":762,"nodeType":254},{},[763],{"data":764,"marks":765,"value":766,"nodeType":247},{},[],"This creates a fundamental visibility gap. Network security tools can see a request going to a legitimate-looking destination, but they can’t observe what happens once the page executes client-side in the browser. Malicious scripts and phishing elements often don’t appear until after the page loads and a user interacts with it, leaving nothing obviously known-bad for network controls to detect.",{"data":768,"content":769,"nodeType":254},{},[770,774,782],{"data":771,"marks":772,"value":773,"nodeType":247},{},[],"Blocklists don’t help much here either. Domains rotate constantly, and the window between a phishing site going live and being categorized as malicious is more than enough time for an attacker to succeed. Until that happens, the traffic appears benign and the user is free to interact with the page. And to make matters worse, attackers are leveraging ",{"data":775,"content":777,"nodeType":367},{"uri":776},"https://pushsecurity.com/blog/phishing-detection-evasion-launch/",[778],{"data":779,"marks":780,"value":781,"nodeType":247},{},[],"detection evasion techniques",{"data":783,"marks":784,"value":785,"nodeType":247},{},[]," designed to frustrate these detections — meaning most bad pages aren't spotted until it's way too late. ",{"data":787,"content":791,"nodeType":497},{"target":788},{"sys":789},{"id":790,"type":502,"linkType":503},"38X1De97xJ8B6GNXTHW6Y5",[],{"data":793,"content":794,"nodeType":254},{},[795],{"data":796,"marks":797,"value":798,"nodeType":247},{},[],"Consider attacker-in-the-middle phishing. From the proxy’s perspective, everything looks clean: user → reputable domain → “standard” web traffic. The phishing infrastructure is often hidden behind redirects or conditional logic designed to screen out proxies and scanners. Inside the browser session, however, credentials are intercepted, session tokens are harvested, and MFA is bypassed in real time.",{"data":800,"content":801,"nodeType":254},{},[802,805,812],{"data":803,"marks":804,"value":363,"nodeType":247},{},[],{"data":806,"content":807,"nodeType":367},{"uri":369},[808],{"data":809,"marks":810,"value":811,"nodeType":247},{},[],"modern threat groups",{"data":813,"marks":814,"value":815,"nodeType":247},{},[],", these obscured attack vectors lead directly to initial access and account takeover. The network is no longer the control point where the most consequential attacks can be reliably stopped.",{"data":817,"content":818,"nodeType":254},{},[819],{"data":820,"marks":821,"value":824,"nodeType":247},{},[822],{"type":823},"italic","Browser telemetry is key to detecting and blocking malicious content in real-time, rather than relying on blocklists using known-bad indicators like domains and IPs that go out of date as quickly as new entries appear.",{"data":826,"content":827,"nodeType":946},{},[828,853,877,900,923],{"data":829,"content":830,"nodeType":852},{},[831,842],{"data":832,"content":833,"nodeType":841},{},[834],{"data":835,"content":836,"nodeType":254},{},[837],{"data":838,"marks":839,"value":840,"nodeType":247},{},[],"What you see with traffic analysis","table-header-cell",{"data":843,"content":844,"nodeType":841},{},[845],{"data":846,"content":847,"nodeType":254},{},[848],{"data":849,"marks":850,"value":851,"nodeType":247},{},[],"What you can see with browser telemetry","table-row",{"data":854,"content":855,"nodeType":852},{},[856,867],{"data":857,"content":858,"nodeType":866},{},[859],{"data":860,"content":861,"nodeType":254},{},[862],{"data":863,"marks":864,"value":865,"nodeType":247},{},[],"HTTP request/response bodies ","table-cell",{"data":868,"content":869,"nodeType":866},{},[870],{"data":871,"content":872,"nodeType":254},{},[873],{"data":874,"marks":875,"value":876,"nodeType":247},{},[],"DOM structure fingerprints",{"data":878,"content":879,"nodeType":852},{},[880,890],{"data":881,"content":882,"nodeType":866},{},[883],{"data":884,"content":885,"nodeType":254},{},[886],{"data":887,"marks":888,"value":889,"nodeType":247},{},[],"URLs and headers",{"data":891,"content":892,"nodeType":866},{},[893],{"data":894,"content":895,"nodeType":254},{},[896],{"data":897,"marks":898,"value":899,"nodeType":247},{},[],"User interaction metadata ",{"data":901,"content":902,"nodeType":852},{},[903,913],{"data":904,"content":905,"nodeType":866},{},[906],{"data":907,"content":908,"nodeType":254},{},[909],{"data":910,"marks":911,"value":912,"nodeType":247},{},[],"Cookie values in transit",{"data":914,"content":915,"nodeType":866},{},[916],{"data":917,"content":918,"nodeType":254},{},[919],{"data":920,"marks":921,"value":922,"nodeType":247},{},[],"Cookie names and attributes",{"data":924,"content":925,"nodeType":852},{},[926,936],{"data":927,"content":928,"nodeType":866},{},[929],{"data":930,"content":931,"nodeType":254},{},[932],{"data":933,"marks":934,"value":935,"nodeType":247},{},[],"Static JS code",{"data":937,"content":938,"nodeType":866},{},[939],{"data":940,"content":941,"nodeType":254},{},[942],{"data":943,"marks":944,"value":945,"nodeType":247},{},[],"Script execution patterns and dynamic JS analysis","table",{"data":948,"content":949,"nodeType":320},{},[],{"data":951,"content":952,"nodeType":243},{},[953],{"data":954,"marks":955,"value":957,"nodeType":247},{},[956],{"type":251},"Securing the browser session is key to stopping modern threats",{"data":959,"content":960,"nodeType":254},{},[961],{"data":962,"marks":963,"value":964,"nodeType":247},{},[],"If the browser is where users actually work, and where attackers actually operate, then that’s the layer that defenders need to understand and control.",{"data":966,"content":967,"nodeType":254},{},[968,972],{"data":969,"marks":970,"value":971,"nodeType":247},{},[],"Modern web-based attacks don’t succeed because traffic goes uninspected. They succeed because network inspection can’t follow the interaction far enough. Traffic shows where data went, not what the user actually saw or did, ",{"data":973,"marks":974,"value":976,"nodeType":247},{},[975],{"type":251},"and in today’s attacks, that distinction matters.",{"data":978,"content":979,"nodeType":254},{},[980],{"data":981,"marks":982,"value":983,"nodeType":247},{},[],"To stop these threats, you have to see what the user is actually interacting with. Things like what scripts are loading, how the DOM is being manipulated, or whether the login form a user is using is legitimate or being proxied. Those are page-level signals, and they only exist inside the browser tab.",{"data":985,"content":988,"nodeType":497},{"target":986},{"sys":987},{"id":501,"type":502,"linkType":503},[],{"data":990,"content":991,"nodeType":254},{},[992],{"data":993,"marks":994,"value":995,"nodeType":247},{},[],"That same shift applies to control. Destination-based blocking breaks down when the destination itself appears legitimate. Effective intervention requires decisions based on behavior as it unfolds so teams can stop risky or malicious activity that would compromise an account.",{"data":997,"content":998,"nodeType":254},{},[999],{"data":1000,"marks":1001,"value":1002,"nodeType":247},{},[],"And visibility can’t stop at centrally managed applications. Shadow SaaS breaks any assumption that access patterns are uniform or fully governed by the IdP. Local accounts, duplicate identities, and password-only logins don’t show up clearly in network telemetry, but they materially expand the attack surface. Seeing every login, across every app, directly from the browser is the only way to build an accurate picture of who has access to what.",{"data":1004,"content":1005,"nodeType":290},{},[1006],{"data":1007,"marks":1008,"value":1010,"nodeType":247},{},[1009],{"type":251},"Push provides the missing context for network security",{"data":1012,"content":1013,"nodeType":254},{},[1014],{"data":1015,"marks":1016,"value":1017,"nodeType":247},{},[],"At this point, the gap should be clear. Network security gives you strong control over traffic, but very little insight into what actually happens once that traffic lands in a user’s browser.",{"data":1019,"content":1020,"nodeType":254},{},[1021],{"data":1022,"marks":1023,"value":1025,"nodeType":247},{},[1024],{"type":251},"This is where Push can help.",{"data":1027,"content":1028,"nodeType":254},{},[1029],{"data":1030,"marks":1031,"value":1032,"nodeType":247},{},[],"The Push browser agent extends monitoring into the browser itself, providing the visibility and control that perimeter-based tools can’t deliver. It doesn’t replace SSE, SWG, or CASB. Those tools remain the right way to manage traffic and enforce policy at the edge. Push complements them by operating in the one place they can’t: inside the live browser session.",{"data":1034,"content":1035,"nodeType":254},{},[1036],{"data":1037,"marks":1038,"value":1039,"nodeType":247},{},[],"Push does this by deploying a browser-native agent, similar in spirit to how EDR works at the host level. That agent gives defenders direct insight into what the network can’t see like the page being rendered, how the user is interacting with it, and the attack techniques that play out entirely within the tab.",{"data":1041,"content":1042,"nodeType":254},{},[1043],{"data":1044,"marks":1045,"value":1046,"nodeType":247},{},[],"With Push deployed, teams gain:",{"data":1048,"content":1049,"nodeType":513},{},[1050,1065,1080],{"data":1051,"content":1052,"nodeType":517},{},[1053],{"data":1054,"content":1055,"nodeType":254},{},[1056,1061],{"data":1057,"marks":1058,"value":1060,"nodeType":247},{},[1059],{"type":251},"Real-time, in-browser threat detection:",{"data":1062,"marks":1063,"value":1064,"nodeType":247},{},[]," Detect and stop attacks like AiTM phishing and session hijacking based on what’s actually happening in the browser. Instead of relying on blocklists or downstream signals, Push identifies attacker behavior as it unfolds and can intervene before credentials or session tokens are stolen.",{"data":1066,"content":1067,"nodeType":517},{},[1068],{"data":1069,"content":1070,"nodeType":254},{},[1071,1076],{"data":1072,"marks":1073,"value":1075,"nodeType":247},{},[1074],{"type":251},"Complete visibility into SaaS access: ",{"data":1077,"marks":1078,"value":1079,"nodeType":247},{},[],"Build a true inventory of user identities and authentication methods across every application in use, including shadow SaaS. Push fills the gaps left by network and IdP logs, giving teams a real picture of where access exists and how it’s being granted.",{"data":1081,"content":1082,"nodeType":517},{},[1083],{"data":1084,"content":1085,"nodeType":254},{},[1086,1091],{"data":1087,"marks":1088,"value":1090,"nodeType":247},{},[1089],{"type":251},"Streamlined hardening at the point of access:",{"data":1092,"marks":1093,"value":1094,"nodeType":247},{},[]," Use the browser as a control point to enforce secure login behavior everywhere it matters. Mandate MFA, steer users toward SSO, and block risky credentials on unmanaged apps, shifting from reactive cleanup to continuous, preventative hardening.",{"data":1096,"content":1097,"nodeType":254},{},[1098,1102],{"data":1099,"marks":1100,"value":1101,"nodeType":247},{},[],"The result is a unified model and real defense in depth. ",{"data":1103,"marks":1104,"value":1106,"nodeType":247},{},[1105],{"type":251},"Network tools secure the pipeline, and Push secures the user moving through it.",{"data":1108,"content":1109,"nodeType":581},{},[1110],{"data":1111,"content":1112,"nodeType":254},{},[1113,1116,1122,1125,1131,1134,1140],{"data":1114,"marks":1115,"value":588,"nodeType":247},{},[],{"data":1117,"content":1118,"nodeType":367},{"uri":593},[1119],{"data":1120,"marks":1121,"value":596,"nodeType":247},{},[],{"data":1123,"marks":1124,"value":601,"nodeType":247},{},[],{"data":1126,"content":1127,"nodeType":367},{"uri":606},[1128],{"data":1129,"marks":1130,"value":609,"nodeType":247},{},[],{"data":1132,"marks":1133,"value":614,"nodeType":247},{},[],{"data":1135,"content":1136,"nodeType":367},{"uri":619},[1137],{"data":1138,"marks":1139,"value":622,"nodeType":247},{},[],{"data":1141,"marks":1142,"value":627,"nodeType":247},{},[],{"data":1144,"content":1148,"nodeType":497},{"target":1145},{"sys":1146},{"id":1147,"type":502,"linkType":503},"1doMkOu2ZuGqMp2VJgV5pb",[],{"data":1150,"content":1151,"nodeType":254},{},[1152],{"data":1153,"marks":1154,"value":29,"nodeType":247},{},[],"Push + Network Security: The gap between seeing the packet and securing the session","Why network and web traffic only gives you part of the picture when it comes to modern browser-based attacks. ","2026-01-30T00:00:00.000Z","push-plus-network-security",{"items":1160},[1161,1165],{"sys":1162,"name":1164},{"id":1163},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1166,"name":1168},{"id":1167},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1170},[1171],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1172},{"url":236},{"__typename":657,"sys":1174,"content":1176,"title":1557,"synopsis":1558,"hashTags":62,"publishedDate":1157,"slug":1559,"tagsCollection":1560,"authorsCollection":1566},{"id":1175},"6YWYKGESlyUKQxvhKmBzeH",{"json":1177},{"data":1178,"content":1179,"nodeType":239},{},[1180,1188,1195,1202,1214,1226,1234,1241,1248,1255,1261,1264,1272,1279,1286,1298,1305,1312,1320,1327,1375,1391,1398,1406,1413,1440,1447,1455,1503,1510,1546,1551],{"data":1181,"content":1182,"nodeType":243},{},[1183],{"data":1184,"marks":1185,"value":1187,"nodeType":247},{},[1186],{"type":251},"EDR is still the best tool for attacks that touch the endpoint",{"data":1189,"content":1190,"nodeType":254},{},[1191],{"data":1192,"marks":1193,"value":1194,"nodeType":247},{},[],"Endpoint Detection and Response (EDR) tooling is fundamental to modern security. It earned its place as a foundational control by moving defense away from static, known-bad indicators and toward deep, real-time detection, investigation, and response based on behavior observed in a live environment. ",{"data":1196,"content":1197,"nodeType":254},{},[1198],{"data":1199,"marks":1200,"value":1201,"nodeType":247},{},[],"By running an agent inside the operating system, EDR gave defenders something they never had before: visibility into what was actually happening on the host as it happened, and the ability to act on it.",{"data":1203,"content":1204,"nodeType":254},{},[1205,1209],{"data":1206,"marks":1207,"value":1208,"nodeType":247},{},[],"That agent-level visibility is still incredibly powerful. File system changes, process execution, memory behavior, or registry modifications is the kind of telemetry that enables threat hunting, exposes fileless attacks, and allows teams to contain incidents by isolating a device or killing a malicious process. ",{"data":1210,"marks":1211,"value":1213,"nodeType":247},{},[1212],{"type":251},"For anything that touches the endpoint, EDR remains the right tool.",{"data":1215,"content":1216,"nodeType":254},{},[1217,1221],{"data":1218,"marks":1219,"value":1220,"nodeType":247},{},[],"But that’s the key constraint: ",{"data":1222,"marks":1223,"value":1225,"nodeType":247},{},[1224],{"type":823},"for anything that touches the endpoint.",{"data":1227,"content":1228,"nodeType":290},{},[1229],{"data":1230,"marks":1231,"value":1233,"nodeType":247},{},[1232],{"type":251},"But modern attacks have moved beyond the endpoint",{"data":1235,"content":1236,"nodeType":254},{},[1237],{"data":1238,"marks":1239,"value":1240,"nodeType":247},{},[],"The reality of how work gets done has shifted. Most applications are now SaaS-based and accessed entirely through a browser. Employees authenticate, move data, administer systems, and interact with customers inside a browser window. And attackers have followed them there.",{"data":1242,"content":1243,"nodeType":254},{},[1244],{"data":1245,"marks":1246,"value":1247,"nodeType":247},{},[],"When attacks play out in the browser, endpoint-level signals often never appear. From the operating system’s perspective, there’s just a browser process behaving normally. The EDR agent is doing exactly what it was designed to do, but the activity that matters is happening within the browser itself.",{"data":1249,"content":1250,"nodeType":254},{},[1251],{"data":1252,"marks":1253,"value":1254,"nodeType":247},{},[],"That’s the gap teams are running into. EDR protects the integrity of the host, but it has no visibility into the live application session inside the browser. And as attackers consciously avoid the endpoint entirely, that blind spot is becoming harder to ignore.",{"data":1256,"content":1260,"nodeType":497},{"target":1257},{"sys":1258},{"id":1259,"type":502,"linkType":503},"7aVTgi4Btxl6PpzQl8kipW",[],{"data":1262,"content":1263,"nodeType":320},{},[],{"data":1265,"content":1266,"nodeType":243},{},[1267],{"data":1268,"marks":1269,"value":1271,"nodeType":247},{},[1270],{"type":251},"Attackers are consciously evading EDR",{"data":1273,"content":1274,"nodeType":254},{},[1275],{"data":1276,"marks":1277,"value":1278,"nodeType":247},{},[],"The gap endpoint teams are running into isn’t accidental. It’s the result of attackers adapting to where defenders are strongest (and weakest).",{"data":1280,"content":1281,"nodeType":254},{},[1282],{"data":1283,"marks":1284,"value":1285,"nodeType":247},{},[],"Modern EDR has made compromising the host operating system expensive and noisy. Deep telemetry and constant monitoring mean that even when an attacker manages to execute code on a device, that action is quickly under scrutiny. From there, progress is slow. After all, lateral movement and persistence take time, and all of it carries risk and generates signals defenders are good at catching.",{"data":1287,"content":1288,"nodeType":254},{},[1289,1294],{"data":1290,"marks":1291,"value":1293,"nodeType":247},{},[1292],{"type":251},"So attackers take a different route. ",{"data":1295,"marks":1296,"value":1297,"nodeType":247},{},[],"Instead of targeting the OS, they operate inside the browser session, abusing legitimate access paths to cloud applications directly over the internet. The endpoint just sees a browser session, not the malicious activity that's happening inside it. ",{"data":1299,"content":1300,"nodeType":254},{},[1301],{"data":1302,"marks":1303,"value":1304,"nodeType":247},{},[],"EDR agents are extremely good at protecting the operating system, but their visibility largely stops at the browser boundary. They can see that a browser process is running. They can’t see what a user is actually interacting with inside a specific tab, or what code is executing within the browser.",{"data":1306,"content":1307,"nodeType":254},{},[1308],{"data":1309,"marks":1310,"value":1311,"nodeType":247},{},[],"This is the shift security teams are feeling. Attacks don’t trigger endpoint alerts because they aren’t endpoint attacks. They unfold inside the browser, over standard web sessions, using legitimate accounts. To EDR, the host is unaffected. To the business, the damage is already underway.",{"data":1313,"content":1314,"nodeType":290},{},[1315],{"data":1316,"marks":1317,"value":1319,"nodeType":247},{},[1318],{"type":251},"How modern attacks circumvent EDR",{"data":1321,"content":1322,"nodeType":254},{},[1323],{"data":1324,"marks":1325,"value":1326,"nodeType":247},{},[],"Examples of modern attacks that are consciously evading EDR by staying off the endpoint include:",{"data":1328,"content":1329,"nodeType":513},{},[1330,1345,1360],{"data":1331,"content":1332,"nodeType":517},{},[1333],{"data":1334,"content":1335,"nodeType":254},{},[1336,1341],{"data":1337,"marks":1338,"value":1340,"nodeType":247},{},[1339],{"type":251},"AiTM phishing: ",{"data":1342,"marks":1343,"value":1344,"nodeType":247},{},[],"Sophisticated attacker-in-the-middle phishing kits render convincing login pages directly in the browser and proxy authentication in real time, stealing credentials or MFA tokens as the user enters them. From the OS perspective, nothing appears unusual; EDR can’t see the page structure or scripts running inside the tab.",{"data":1346,"content":1347,"nodeType":517},{},[1348],{"data":1349,"content":1350,"nodeType":254},{},[1351,1356],{"data":1352,"marks":1353,"value":1355,"nodeType":247},{},[1354],{"type":251},"Session hijacking:",{"data":1357,"marks":1358,"value":1359,"nodeType":247},{},[]," When attackers obtain a valid session token, they gain persistent access to an account without needing a password at all. Once in use, the session typically blends into normal browser activity, generating no endpoint data. ",{"data":1361,"content":1362,"nodeType":517},{},[1363],{"data":1364,"content":1365,"nodeType":254},{},[1366,1371],{"data":1367,"marks":1368,"value":1370,"nodeType":247},{},[1369],{"type":251},"Malicious browser extensions:",{"data":1372,"marks":1373,"value":1374,"nodeType":247},{},[]," Malicious extensions (either made by attackers or hijacked by them) can read page content, intercept credentials, or siphon session tokens. Because extensions operate inside the browser’s execution model, their behavior is largely invisible to endpoint tooling focused on OS-level activity.",{"data":1376,"content":1377,"nodeType":254},{},[1378,1382,1387],{"data":1379,"marks":1380,"value":1381,"nodeType":247},{},[],"Even attacks that nominally involve the endpoint often stay outside EDR’s strongest visibility. ",{"data":1383,"marks":1384,"value":1386,"nodeType":247},{},[1385],{"type":251},"ClickFix-style social engineering",{"data":1388,"marks":1389,"value":1390,"nodeType":247},{},[]," is a good example. Attackers manipulate users into taking risky actions that look legitimate, the most prominent example being executing malicious commands on the host that are deliberately obfuscated or broken into benign-looking steps. While EDR may catch the code execution (and any malware the execution attempts to install), these techniques are designed to stay ambiguous enough to avoid reliable detection.",{"data":1392,"content":1393,"nodeType":254},{},[1394],{"data":1395,"marks":1396,"value":1397,"nodeType":247},{},[],"All of these attacks succeed for the same reason: the activity unfolds inside the browser. And because EDR was never designed to observe or control what happens inside a live browser session, attackers can operate there with far less resistance.",{"data":1399,"content":1400,"nodeType":290},{},[1401],{"data":1402,"marks":1403,"value":1405,"nodeType":247},{},[1404],{"type":251},"Extending detection and response to the browser",{"data":1407,"content":1408,"nodeType":254},{},[1409],{"data":1410,"marks":1411,"value":1412,"nodeType":247},{},[],"Defenders need to meet attackers where they actually operate. That means establishing real detection and response capabilities inside the browser itself.",{"data":1414,"content":1415,"nodeType":254},{},[1416,1420,1425,1429,1437],{"data":1417,"marks":1418,"value":1419,"nodeType":247},{},[],"When endpoint security evolved, it did so by putting an agent on the host to observe behavior, collect telemetry, and act at the source — ",{"data":1421,"marks":1422,"value":1424,"nodeType":247},{},[1423],{"type":251},"getting inside the data stream",{"data":1426,"marks":1427,"value":1428,"nodeType":247},{},[],". The same logic applies here. If the browser is where credentials are entered, sessions are established, and attacks unfold, then it needs to be treated as a security surface in its own right. ",{"data":1430,"content":1432,"nodeType":367},{"uri":1431},"https://pushsecurity.com/blog/push-plus-network-security",[1433],{"data":1434,"marks":1435,"value":1436,"nodeType":247},{},[],"That doesn't mean just looking at web traffic, but examining client-side browser processes and activity that are the best, earliest indicators of bad activity. ",{"data":1438,"marks":1439,"value":29,"nodeType":247},{},[],{"data":1441,"content":1442,"nodeType":254},{},[1443],{"data":1444,"marks":1445,"value":1446,"nodeType":247},{},[],"This doesn’t replace EDR. EDR secures the host. Identity tools govern authentication. But the browser, the layer that connects users to everything else, is a blind spot. Extending detection and response into that layer fills the gap while complementing the controls that already work.",{"data":1448,"content":1449,"nodeType":290},{},[1450],{"data":1451,"marks":1452,"value":1454,"nodeType":247},{},[1453],{"type":251},"Your browser detection and response checklist",{"data":1456,"content":1457,"nodeType":513},{},[1458,1473,1488],{"data":1459,"content":1460,"nodeType":517},{},[1461],{"data":1462,"content":1463,"nodeType":254},{},[1464,1469],{"data":1465,"marks":1466,"value":1468,"nodeType":247},{},[1467],{"type":251},"Browser-native protection: ",{"data":1470,"marks":1471,"value":1472,"nodeType":247},{},[],"Running inside the browser is the only way you can see what page a user is interacting with, what scripts are running, and how the session is behaving in real time. It’s also the only place you can reliably distinguish between normal user activity and attacker-driven manipulation.",{"data":1474,"content":1475,"nodeType":517},{},[1476],{"data":1477,"content":1478,"nodeType":254},{},[1479,1484],{"data":1480,"marks":1481,"value":1483,"nodeType":247},{},[1482],{"type":251},"Behavioral detection:",{"data":1485,"marks":1486,"value":1487,"nodeType":247},{},[]," Detection can’t rely on static indicators. It has to be based on behaviors — like how pages render, how credentials are submitted, and how sessions are established and abused. ",{"data":1489,"content":1490,"nodeType":517},{},[1491],{"data":1492,"content":1493,"nodeType":254},{},[1494,1499],{"data":1495,"marks":1496,"value":1498,"nodeType":247},{},[1497],{"type":251},"Real-time interception:",{"data":1500,"marks":1501,"value":1502,"nodeType":247},{},[]," Response has to be immediate. Blocking credential submission, interrupting a malicious action, capturing high-fidelity context, all of that needs to happen at the point of interaction — before an account is compromised.",{"data":1504,"content":1505,"nodeType":254},{},[1506],{"data":1507,"marks":1508,"value":1509,"nodeType":247},{},[],"This is what it means to extend detection and response to the browser: not another tool bolted onto the stack, but a necessary evolution in how modern attacks are actually stopped.",{"data":1511,"content":1512,"nodeType":581},{},[1513],{"data":1514,"content":1515,"nodeType":254},{},[1516,1519,1525,1528,1534,1537,1543],{"data":1517,"marks":1518,"value":588,"nodeType":247},{},[],{"data":1520,"content":1521,"nodeType":367},{"uri":593},[1522],{"data":1523,"marks":1524,"value":596,"nodeType":247},{},[],{"data":1526,"marks":1527,"value":601,"nodeType":247},{},[],{"data":1529,"content":1530,"nodeType":367},{"uri":606},[1531],{"data":1532,"marks":1533,"value":609,"nodeType":247},{},[],{"data":1535,"marks":1536,"value":614,"nodeType":247},{},[],{"data":1538,"content":1539,"nodeType":367},{"uri":619},[1540],{"data":1541,"marks":1542,"value":622,"nodeType":247},{},[],{"data":1544,"marks":1545,"value":627,"nodeType":247},{},[],{"data":1547,"content":1550,"nodeType":497},{"target":1548},{"sys":1549},{"id":1147,"type":502,"linkType":503},[],{"data":1552,"content":1553,"nodeType":254},{},[1554],{"data":1555,"marks":1556,"value":29,"nodeType":247},{},[],"Push + Endpoint Security: Extending detection and response to the browser","Why extending detection and response into the browser is crucial in the face of modern attacks that consciously evade the network and endpoint. ","push-plus-endpoint-security",{"items":1561},[1562,1564],{"sys":1563,"name":1164},{"id":1163},{"sys":1565,"name":1168},{"id":1167},{"items":1567},[1568],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1569},{"url":236},"push-plus-cloud-security","blog/push-plus-cloud-security",{"json":1573},{"data":1574,"content":1575,"nodeType":239},{},[1576],{"data":1577,"content":1578,"nodeType":254},{},[1579],{"data":1580,"marks":1581,"value":1582,"nodeType":247},{},[],"One of the key questions we often hear is, \"We've already got CSPM/CNAPP, so why do we need to be in the browser too?\" Well, here's the answer!","Why cloud security tools only give you part of the picture when it comes to modern attacks. ",{"id":1585,"publishedAt":1586},"2k2aDK5dyQKlQBrk66pMXE","2026-02-06T16:45:21.455Z",{"items":1588},[1589,1591],{"sys":1590,"name":1164},{"id":1163},{"sys":1592,"name":1168},{"id":1167},"84CALTtQCFfXa6jR1tH9qSCmtUO5xkjxkUbt-BSJ1_k",1784196729569]