TL;DR: Browser security is moving from IOC chasing to technique-driven detection that can keep up with AI-enabled attack mutation. Push Security says its browser extension now pairs rich telemetry with AI agents to hunt for new attacker techniques, while Omdia found that 55% of organisations reported a successful or suspected browser-based attack in the last 12 months.
At a glance
What this is: Push Security’s browser-focused update argues that AI-native threat hunting should target attacker techniques rather than fragile indicators, using richer telemetry to improve detection in the browser.
Why it matters: For IAM and security teams, the shift matters because browser identity, session abuse, and credential theft now sit inside the same control plane as user access, which raises the bar for NHI, autonomous, and human identity governance.
By the numbers:
- 55% of organisations reported a successful or suspected browser-based attack in the last 12 months.
- 88% of organisations said browser security is among their top five security priorities.
👉 Read Push Security's analysis of AI-native browser threat hunting and detection
Context
Browser security has become an identity problem as much as a threat-detection problem. The browser is where credentials, sessions, and access decisions meet live attacker activity, so controls that rely on static indicators quickly lose value when campaigns mutate.
Push Security’s update is best understood as a move away from searching for bad artefacts and toward identifying attacker behaviour in context. That matters for NHI and human identity programmes because browser-mediated access now often determines whether stolen credentials, tokens, or session material can be turned into real access.
The practical question for practitioners is whether their current detection stack can see technique-level abuse inside a browser session, not just block known-bad destinations. If it cannot, the programme is still optimised for yesterday’s attack pattern.
Key questions
A: Security teams should focus on repeatable attacker techniques rather than disposable infrastructure. Browser telemetry should be used to detect session abuse, consent phishing, token theft, and abnormal navigation patterns. That approach keeps detections useful even when attackers rotate domains, URLs, and IP addresses at scale.
Q: Why do browser-based attacks create extra risk for NHI and human identity programmes?
A: Because the browser is where access is actually exercised, not just authenticated. Human sessions, delegated tokens, API-backed workflows, and AI-assisted actions can all converge there, so a weak browser layer can turn a valid identity into a live compromise path before traditional controls notice.
Q: What do security teams get wrong about IOC-based browser defence?
A: They often assume a blocked domain or flagged URL is enough to stop the campaign. In practice, AI-assisted attackers can change those indicators quickly while reusing the same technique. That means IOC-only defence leaves the underlying behaviour untouched and repeatedly relearned.
Q: How can organisations tell whether browser threat hunting is actually improving?
A: Look for fewer false positives, faster detection of new tactics, and more detections tied to repeatable attacker behaviour rather than one-off indicators. If the programme only improves alert volume, not detection fidelity, it is scaling noise instead of security.
How it works in practice
Technique-led detection in the browser
Technique-led detection focuses on how an attacker behaves, not on whether a domain, URL, or IP has already been labelled malicious. In a browser context, that means looking for patterns such as consent phishing, device code abuse, session theft, suspicious extension behaviour, and rapid changes in navigation or authentication flow. This approach is more resilient because AI-enabled attackers can rotate infrastructure quickly, but they cannot easily stop using the same core tactics. The browser extension becomes the telemetry layer that preserves context across the session and lets detection logic pivot from static indicators to behaviour.
Practical implication: tune detections to browser behaviour and session abuse patterns rather than relying on known-bad lists alone.
AI agents in detection engineering
When vendors describe AI agents in detection engineering, the useful question is not whether the model is smart but whether the workflow is autonomous enough to produce operational detections. In this case, the agent is being used to analyse telemetry, test hypotheses, and translate research into detections. That is automation with analytic assistance, not necessarily an autonomous security identity. The key architectural point is that the model is acting on supplied context inside a bounded security workflow, which keeps the identity problem inside NHI governance rather than agentic autonomy.
Practical implication: govern these systems as NHI-backed security workflows and verify who authorises the detections they generate.
Pyramid of Pain for browser-based attacks
The Pyramid of Pain remains useful because attackers can change indicators far faster than they can change tactics. Browser attacks often depend on a small set of repeatable behaviours, such as initial access through phishing, token capture, or malicious consent flows, while domains and URLs turn over constantly. A security programme that stops at IOC-based blocking will always lag the campaign lifecycle. By moving up the pyramid, detection teams invest in logic that survives infrastructure churn and forces attackers to change tradecraft rather than just rotate artefacts.
Practical implication: prioritise detections that force attacker tradecraft changes, not just indicator replacement.
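The contrast drawn above between indicator-led and technique-led browser detection, and the Pyramid of Pain argument that follows from it, is easier to see on a concrete event stream. The following is an added example, not Push Security's code or telemetry: it defines a small hypothetical browser-event schema, an indicator rule (a flat host blocklist) and three technique rules (AitM credential capture, consent phishing, a device-code lure), then runs the same phishing tradecraft through both with the lure host rotated. The host names, scope names, trusted-IdP and approved-app lists are all constructed assumptions.

```python
"""Technique-led vs indicator-led detection over constructed browser telemetry.

Added example (not Push Security's code or data). The event schema, the
trusted-host lists and the sample events are assumptions made for
illustration; the sample events are constructed, not captured telemetry.
"""
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical tenant configuration: the identity-provider hosts whose login
# pages are legitimate, and the OAuth apps the tenant has already approved.
TRUSTED_IDP_HOSTS = {"login.example-idp.test"}
APPROVED_OAUTH_APPS = {"corp-mail-client"}
HIGH_RISK_SCOPES = {"offline_access", "mail.readwrite", "files.readwrite.all"}


@dataclass
class BrowserEvent:
    ts: int                     # seconds since session start
    kind: str                   # navigation | credential_submit | oauth_consent | device_code_entry
    host: str                   # page host on which the event occurred
    user: str
    details: dict = field(default_factory=dict)


# --- Indicator-led detection: a flat blocklist of already-labelled hosts ----
KNOWN_BAD_HOSTS = {"login-portal-verify.invalid"}


def ioc_detect(events: list[BrowserEvent]) -> list[str]:
    """Fires only when the host has already been labelled bad (bottom of the pyramid)."""
    return sorted({f"ioc:{e.host}" for e in events if e.host in KNOWN_BAD_HOSTS})


# --- Technique-led detection: each rule encodes attacker behaviour ----------
def aitm_credential_capture(events: list[BrowserEvent]) -> list[str]:
    """Credentials typed into a page that looks like the IdP login form but is not served by a trusted IdP host."""
    return [f"aitm_phish:{e.host}" for e in events
            if e.kind == "credential_submit"
            and e.details.get("form_fingerprint") == "idp_login"
            and e.host not in TRUSTED_IDP_HOSTS]


def consent_phishing(events: list[BrowserEvent]) -> list[str]:
    """A not-yet-approved OAuth app asking for high-risk delegated scopes."""
    hits = []
    for e in events:
        if e.kind != "oauth_consent":
            continue
        app = e.details.get("app")
        scopes = set(e.details.get("scopes", []))
        if app not in APPROVED_OAUTH_APPS and scopes & HIGH_RISK_SCOPES:
            hits.append(f"consent_phish:{app}")
    return hits


def device_code_lure(events: list[BrowserEvent], window_s: int = 120) -> list[str]:
    """Device-code entry on the IdP shortly after arriving from an untrusted host (the lure page)."""
    hits = []
    last_untrusted = None
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "navigation" and e.host not in TRUSTED_IDP_HOSTS:
            last_untrusted = e
        elif (e.kind == "device_code_entry" and last_untrusted is not None
              and e.ts - last_untrusted.ts <= window_s):
            hits.append(f"device_code_lure:{last_untrusted.host}")
    return hits


TECHNIQUE_RULES: list[Callable[[list[BrowserEvent]], list[str]]] = [
    aitm_credential_capture, consent_phishing, device_code_lure,
]


def technique_detect(events: list[BrowserEvent]) -> list[str]:
    """Run every technique rule; the rules never consult a host blocklist."""
    return [hit for rule in TECHNIQUE_RULES for hit in rule(events)]


def campaign(host: str, user: str = "alice") -> list[BrowserEvent]:
    """Constructed session: the same AitM phishing technique, parameterised by the lure host."""
    return [
        BrowserEvent(0, "navigation", host, user),
        BrowserEvent(5, "credential_submit", host, user, {"form_fingerprint": "idp_login"}),
    ]


def compare(campaigns: list[list[BrowserEvent]]) -> dict:
    """Return {lure_host: (ioc_hits, technique_hits)} for each campaign."""
    return {c[0].host: (ioc_detect(c), technique_detect(c)) for c in campaigns}


if __name__ == "__main__":
    # Campaign 1 uses the blocklisted host; campaign 2 is identical tradecraft on a rotated host.
    result = compare([campaign("login-portal-verify.invalid"), campaign("account-check-9f2.invalid")])
    for host, (ioc, ttp) in result.items():
        print(f"{host:32} IOC={ioc} technique={ttp}")
```

Running it shows the indicator rule catching only the first campaign, while the AitM technique rule catches both, which is the Pyramid of Pain point in miniature: rotating the host costs the attacker nothing, but evading the technique rule means abandoning the lookalike login form. The device-code rule illustrates why session context matters; on its own, a device-code entry on the IdP is benign, and it is the preceding navigation from an untrusted page within the window that turns it into a signal.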
NHI Mgmt Group analysis
Browser security is now an identity governance problem, not just a detection problem. The browser is where human sessions, NHI-backed tokens, and identity-mediated access collide in real time. That makes session context, consent events, and browser telemetry part of the identity control surface, not a separate endpoint concern. Practitioners should treat browser-layer visibility as a prerequisite for governing modern access paths.
Technique-first detection is the right response to AI-enabled attacker adaptation. Static IOCs fail when attackers can automate infrastructure rotation and mutate delivery faster than defenders can update signatures. TTP-based hunting is harder to evade because it tracks the method of abuse rather than the disposable artefact. That pushes the market toward behavioural detection engineering as a core identity security discipline.
Browser telemetry creates a practical bridge between human IAM and NHI governance. The same browser session can carry a human login, a delegated token, or an AI-assisted workflow, which means identity teams need one view of access behaviour across all three actor types. This is where cross-domain governance becomes valuable: the browser reveals when credential use, session use, and access use no longer line up cleanly.
Signal-rich telemetry changes the economics of threat hunting. If a platform can collect broad metadata locally and only pull additional context during an investigation, it reduces noise without turning the browser into a dragnet. That matters because detection quality now depends on context density, not raw event volume. The implication is that security teams should evaluate whether their browser controls expose enough context to support real hunting, not just blocking.
AI-native hunting is becoming a category marker, but the governance question remains the same. The market will increasingly reward systems that can continuously learn and ship detections faster than attacker mutation cycles. Even so, the operational question for practitioners is unchanged: who owns the logic, who validates the output, and how does the programme prove that detections are trustworthy across the identity estate?
From our research:
- 92% agree that governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That policy gap matters because browser-layer AI hunting is moving into the same governance problem space, which is why the OWASP Agentic Applications Top 10 is becoming a useful reference point for teams mapping agent-driven access paths.
What this signals
Browser telemetry is becoming the control point where identity, session, and attacker behaviour meet. Teams that still separate browser defence from IAM will miss the way stolen tokens, delegated sessions, and consent abuse propagate through access paths. The practical next step is to connect browser findings to access governance and incident response instead of treating them as standalone endpoint events.
Technique-led hunting will matter more as attacker infrastructure becomes cheaper to rotate. AI lowers the cost of mutation, but it does not change the defender’s need to identify durable behaviours. Programmes that align browser detections with the OWASP Top 10 for Agentic Applications 2026 will be better positioned to recognise tool misuse and identity abuse patterns as they emerge.
Identity teams should expect browser security to pull NHI and human governance closer together. The same session data that reveals human phishing can also expose service-account misuse or AI-assisted access drift. That creates a useful operating model: one monitoring layer, multiple actor types, and governance decisions that reflect how access is actually exercised in the browser.
For practitioners
- Map browser telemetry to identity risk signals: Identify which browser events expose session hijack, consent abuse, token theft, and suspicious navigation so they can feed IAM and SOC detections. Prioritise telemetry that preserves session context across authentication, access, and post-login behaviour.
- Shift detections from indicators to techniques: Replace heavy dependence on known-bad domains and URLs with detections for repeatable browser tactics such as device code abuse, AitM phishing, and malicious consent flows. Use technique libraries to keep rules stable when infrastructure changes.
- Treat AI-assisted detections as governed outputs: Require clear ownership for any agent-generated detection, including validation steps, change control, and rollback criteria. If the detection engine is producing production logic, the security team must be able to explain, test, and audit it.
- Connect browser controls to identity lifecycle reviews: Use browser findings to inform access reviews for users, service accounts, and AI-enabled workflows that repeatedly touch sensitive systems. That makes recurring browser abuse visible in lifecycle decisions instead of leaving it trapped in alert queues.
Key takeaways
- Browser-based attacks are increasingly an identity governance issue because the browser is where sessions, tokens, and access are exercised.
- Technique-driven detection outperforms IOC chasing when attackers can automate infrastructure rotation and campaign mutation.
- Practitioners should link browser telemetry, identity reviews, and governed AI-assisted detection workflows into one operating model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A3 | Browser agent hunting and tool use map to agentic identity abuse risks. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Browser sessions often expose and reuse credentials, which is an NHI governance issue. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is central to identifying browser-based attack behaviour. |
Extend monitoring coverage to browser-layer identity signals and integrate findings into response workflows.
Key terms
- Browser telemetry: Browser telemetry is the collection of activity signals generated while a user or workflow operates in the browser. In identity security, it provides context for sessions, authentication flows, consent events, and suspicious navigation patterns that can reveal compromise before a traditional endpoint or IAM control does.
- Technique-led detection: Technique-led detection identifies attacker behaviour by focusing on repeatable methods rather than disposable indicators such as domains or IP addresses. It is more durable in fast-moving browser attacks because the underlying tactic often stays stable even when infrastructure, payloads, and delivery paths change.
- Session abuse: Session abuse is the misuse of an already established browser session to perform actions that were not intended by the legitimate user or system owner. It can include token theft, consent misuse, hijacked navigation, or post-authentication actions that bypass the original access decision.
- AI-assisted detection engineering: AI-assisted detection engineering uses models to analyse telemetry, test hypotheses, and generate candidate detections for security review. The model may accelerate analyst work, but the resulting logic still requires governance, validation, and ownership before it becomes a production security control.
Deepen your knowledge
Browser-based identity abuse and technique-led detection are covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If you are connecting browser telemetry to access governance, this course provides a useful baseline for the programme design choices involved.
This post draws on content published by Push Security: AI-native agentic threat hunting for the browser. Read the original.
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org