Agentic threat hunting depends on telemetry, not just models

At a glance

What this is: This is an analysis of agentic threat hunting in the browser, with the key finding that model quality matters less than telemetry, domain knowledge, and enforcement.

Why it matters: It matters because IAM, NHI, and security teams cannot treat AI-driven detection as a model problem alone when the real control plane is session telemetry, identity behaviour, and response orchestration.

By the numbers:

• 61% of organizations cite staffing shortages as the top barrier to running a hunting program.
• The Push pipeline surfaced 12 meaningful results from trillions of browser events, and one of them was a novel attack technique.

👉 Read Push Security's analysis of agentic threat hunting in the browser

Context

Agentic threat hunting only works when the system can see behaviour that standard endpoint, network, and cloud logs do not capture. In the browser, that means DOM structure, redirect chains, credential entry, script execution context, and consent flow details, which are the raw materials for identity-aware detection.

The governance gap is simple: many security teams are still trying to detect browser-based identity abuse with telemetry designed for other layers. That leaves blind spots for AiTM phishing, clipboard injection, OAuth consent abuse, and other techniques that unfold inside the session rather than on the endpoint.

The source article uses commercial AI models as the starting point, but the editorial point is broader. Agentic detection becomes useful only when models are paired with structured telemetry, curated attack knowledge, and a response path that can enforce controls in real time.

Key questions

Q: How should security teams use AI for browser threat hunting without creating false confidence?

A: Use AI as an analysis layer, not as the control. Security teams should pair it with browser-session telemetry, curated attack knowledge, and a response path that can enforce action. Without those components, the AI may summarise activity well but still miss the identity abuse that matters most.

Q: Why do browser-based attacks need different hunting controls than endpoint threats?

A: Browser-based attacks often happen inside the live identity session, where endpoint tools may see little or nothing useful. Teams need visibility into DOM changes, redirect behaviour, consent flows, and credential entry so they can distinguish legitimate activity from identity theft and session abuse.

Q: What breaks when threat hunting depends only on generic commercial models?

A: The hunt becomes shallow and brittle. A general model can reason about code, but it will not reliably distinguish a malicious OAuth consent pattern from a normal login path unless the organisation provides structured context, labelled traces, and behavioural knowledge to interpret the session correctly.

Q: How should teams operationalise AI-generated detections in browser security?

A: They should require a direct enforcement route before rollout. That means each new detection must map to a control such as blocking credential entry, interrupting suspicious consent, or containing the session, so the result is protection rather than just visibility.

Technical breakdown

Browser session telemetry as a flight recorder

Browser-layer threat hunting depends on session telemetry that does not exist in endpoint or proxy logs. A browser extension can observe DOM elements, tab context, network requests, user actions, credential entry, and script execution in the live session. That turns the browser into a flight recorder for identity behaviour, which matters because many modern attacks are interaction-based and short-lived. Without that contextual layer, an LLM is forced to infer too much and will often miss the difference between normal login activity and malicious consent or credential capture patterns. The architecture is less about model intelligence and more about observability quality.

Practical implication: teams should treat browser telemetry as a first-class detection source, not a supplementary log feed.

Why curated attack knowledge beats generic model recall

Commercial models may understand code, but they do not know which browser patterns map to a real attack campaign unless that knowledge is encoded for them. In practice, the detection value comes from a curated knowledge base built from real phishing kits, TTP analysis, and labelled traces that teach the system what malicious behaviour looks like in context. This is how the pipeline avoids relying on blocklists or static bad-domain indicators, which fail as soon as infrastructure rotates. The technical shift is from memorising indicators to recognising behaviour across changing infrastructure.

Practical implication: teams need maintained behavioural knowledge bases, not just prompts or generic model access.

Hierarchy and enforcement turn analysis into a control

An agentic hunting pipeline fails if it stops at summarisation. The useful design is hierarchical: one agent scopes the hunt, others break traces into manageable blocks, separate signal from noise, back-test findings, and then author detections that can be deployed into the response layer. That last step is what converts research into control, because browser-layer enforcement can block credential entry, intercept clipboard injection, or warn on suspicious OAuth consent flows. The architectural lesson is that detection quality and enforcement quality are coupled; without the second, the first only produces reports.

Practical implication: align threat hunting output with a response mechanism before you operationalise any AI-assisted detection.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Agentic threat hunting is an observability problem before it is a model problem. Commercial models can assist with reasoning, but the real differentiator is whether the security team can observe browser-session behaviour at the right granularity. DOM state, redirect chains, credential entry, and consent flow metadata create the evidential base that makes browser hunting possible. Practitioners should stop asking which model to buy first and start asking which identity events they can actually see.

The browser is becoming a primary identity attack surface, not a side channel. AiTM phishing, consent abuse, and clipboard injection all exploit the gap between authentication, session state, and user action inside the browser. That means traditional endpoint-centred hunting misses a growing class of identity theft patterns. The implication is that browser-layer telemetry now belongs in the same governance conversation as IdP logs and endpoint EDR.

Commercial AI models are commoditised, but the operating advantage sits in the pipeline. The article makes the right distinction: the model is replaceable, while structured telemetry, curated TTP knowledge, and enforcement logic are not. That is a useful field-level concept for security leaders, because it prevents over-investment in the model layer and under-investment in the surrounding control plane. The practical conclusion is to fund the system around the model, not the model itself.

Browser-layer detection creates a new form of identity blast radius control. When detections can move directly into blocking or consent-warning actions, the control objective is no longer only visibility. It becomes containing identity abuse before it spreads from a single session into token theft, lateral movement, or cloud access. That aligns strongly with OWASP-NHI and ZT-NIST-207 thinking, where trust is continuously evaluated at the point of use.

Context rot is a governance issue as much as an engineering issue. The article shows that even capable agents fail when too much event data is pushed into one context window. The lesson for practitioners is that autonomous analysis needs scoped inputs, reviewable intermediate outputs, and quality gates that preserve signal. Teams planning AI-assisted detection should define where context is narrowed and who validates the result before it becomes a control.

From our research:

• The Push pipeline surfaced 12 meaningful results from trillions of browser events, and one of them was a novel attack technique, according to Moltbook AI agent keys breach.
• Another useful benchmark is that 80% of organisations report their AI agents have already performed actions beyond their intended scope, including revealing access credentials, according to AI Agents: The New Attack Surface report.
• For a broader view of the browser-side attack problem, see The 52 NHI breaches Report, which helps teams connect session abuse to identity governance failures.

What this signals

Context rot is the operating constraint teams need to plan around. As hunting pipelines become more agentic, the issue is not whether the model can reason, but whether the surrounding workflow preserves enough signal for the model to act on. That means scoped inputs, intermediate validation, and clear handoff points are now part of detection engineering, not just AI engineering.

The browser layer is becoming the place where identity abuse first becomes visible, which means IAM and detection teams need shared telemetry assumptions. If your programme cannot observe consent abuse, credential entry behaviour, and session context together, you will keep overestimating the quality of your detection coverage.

For teams building out browser security, the next step is not broader model use. It is better telemetry design, stronger behavioural baselines, and a control path that can turn a high-confidence hunt result into immediate containment.

For practitioners

• Prioritise browser telemetry in your detection architecture Map which browser session events you can currently collect, then identify the gaps in DOM, redirect, consent, and credential-entry visibility. If you cannot see those behaviours, you cannot reliably hunt browser-based identity abuse.
• Separate model access from detection capability Treat commercial model access as a replaceable component and invest instead in structured telemetry, labelled attack traces, and a maintained behavioural knowledge base. That is the part that converts generic reasoning into reliable hunting.
• Bind every AI-assisted hunt to a response path Require each detection workflow to end in an enforceable control such as credential blocking, consent interruption, or session containment. If the output is only a report, the pipeline is not operational.
• Back-test detections before rollout Validate new browser detections against real traces and known benign patterns before pushing them into production. That reduces false positives and ensures the control is tuned to the behaviour you actually need to stop.

Key takeaways

• Agentic threat hunting is only as strong as the browser telemetry underneath it, because models cannot detect what they cannot see.
• Commercial AI models are replaceable components, while structured context, attack knowledge, and enforcement logic create the real security value.
• Browser-based identity abuse demands detection pipelines that end in control, not just analysis, or the team stays in report-only mode.

Key terms

• Browser session telemetry: Browser session telemetry is the structured record of what happens inside a user’s browser during a live session. It includes DOM changes, redirect chains, tab context, credential entry, network requests, and script execution details that standard endpoint or cloud logs usually do not capture.
• Context rot: Context rot is the loss of signal quality that happens when too much irrelevant or unstructured data is placed into an agent’s working context. In detection pipelines, it causes the model to miss the important behaviour, so teams need hierarchy, scoping, and validation to preserve analytical accuracy.
• Browser-layer enforcement: Browser-layer enforcement is the ability to apply a security control directly inside the browser session where the risky behaviour occurs. It can block credential entry, interrupt suspicious consent flows, or contain the session before abuse spreads into downstream identity systems.
• Behavioural knowledge base: A behavioural knowledge base is a curated set of attack patterns, labelled traces, and operational heuristics that teaches a detection system what malicious activity looks like. It is more durable than blocklists because it focuses on how threats behave rather than where they are hosted.

Deepen your knowledge

Browser telemetry and agentic detection are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is building around browser-layer identity risk, it is worth exploring.

This post draws on content published by Push Security: agentic threat hunting using commercial AI models. Read the original.