By NHI Mgmt Group Editorial Team
Published 2026-06-01
Domain: Best Practices
Source: Push Security

TL;DR: AI has compressed the lifetime of phishing infrastructure and kit reuse, while 89% of phishing domains now disappear within two days and only 6.5% survive past 15 days, according to Push Security; the practical result is that blocklists and tool signatures are losing durability faster than defenders can refresh them. Technique-level detection, backed by browser visibility and faster research cycles, is now the only layer that remains structurally resilient.


At a glance

What this is: This is an analysis of how AI is accelerating the collapse of indicator-based detection and why browser-visible technique-level detections are becoming the durable layer.

Why it matters: It matters because IAM and security teams increasingly face identity attacks that rotate infrastructure faster than blocklists, so detection has to shift toward behaviours that survive domain churn, tool forks, and kit fragmentation.

By the numbers:



Context

Technique-level detection focuses on the behaviour of an attack rather than the domain, file hash, or kit name it happens to use. That distinction matters because AI is making infrastructure disposable, with attackers able to generate, rotate, and replace delivery assets far faster than traditional indicator-based controls can keep up. For identity teams, that means the problem is no longer just phishing volume but the speed at which identity abuse changes form.

The primary governance issue is not whether an attack uses AI, but whether the detection model assumes attackers will remain static long enough for indicators to stay useful. In browser-based identity attacks, the decisive evidence sits inside the session, where page behaviour, user interaction, and protocol abuse can be observed directly. That is why browser visibility has become a central control point for modern IAM-aligned defence.


Key questions

Q: How should security teams detect phishing when domains rotate quickly?

A: They should focus on the technique, not the domain. Domain-level blocks become stale as soon as attackers rotate infrastructure, while behavioural patterns such as page flow, credential prompts, redirect chains, and token-handling logic remain more stable. Browser visibility is the most reliable place to observe those behaviours and turn them into durable detections.

Q: Why do indicator-based detections fail against modern identity attacks?

A: They fail because the indicators are disposable. Attackers can regenerate domains, clone frontends, and swap hosting faster than blocklists and signatures can be updated. When the surface layer changes every few hours or days, the only stable target is the attack technique itself, especially in browser-based identity flows.

Q: What do security teams get wrong about kit-based phishing detection?

A: They often treat the kit name as the control boundary, but kits are now forked, mutated, and repackaged too quickly for that to be reliable. A detection that keys off one kit’s code or branding can miss the same abuse pattern when it appears in a different wrapper. Behavioural mechanics are more durable than kit identity.

Q: How can organisations measure whether technique-level detection is working?

A: They should measure how quickly novel abuse patterns move from first observation to production detection, and whether those detections still hold after infrastructure rotation. If coverage drops when the attacker changes domains or frontend code, the programme is still indicator-led rather than technique-led.


Technical breakdown

Why indicator-based detection is collapsing

Indicators of compromise were always a race against attacker replacement. A blocklisted domain, reusable kit hash, or known payload pattern can help when the same infrastructure survives long enough to matter, but AI has shortened that window. Attackers can now spin up new pages, alter frontend structure, and reuse the same attack logic across fresh infrastructure with minimal effort. The result is that the signal defenders once depended on is increasingly ephemeral, while the underlying technique remains stable. Detection systems that rely on the surface layer are forced to chase assets that are designed to be disposable, which makes operational coverage brittle even when response teams move quickly.

Practical implication: move detection emphasis away from domains and artefacts toward repeatable behavioural mechanics.

Technique-level detection in browser-based identity attacks

Technique-level detection looks for what the attacker is doing, not what the attacker is using. In browser-based identity attacks, that means observing the sequence of page render, user interaction, credential prompt, redirect, and token exchange. These patterns persist across different kits because they are shaped by the protocol abuse itself, not by the toolkit. That is why the browser is such a valuable vantage point: it exposes DOM activity, client-side logic, and user-driven flow that network tools and email gateways cannot see. When defenders can see the session, they can distinguish legitimate authentication from malicious orchestration even as infrastructure changes underneath it.

Practical implication: instrument the browser session if you want to detect identity attacks before the infrastructure rotates.
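The contrast between an indicator-led and a technique-led rule, and the rotation test from the "how do we measure it" question above, as an added example that is not part of the original post or Push Security's product logic. The event schema, the trusted IdP origin `login.idp.example`, the blocklist and the phishing hosts are all constructed placeholders.

```python
"""Constructed browser-session telemetry: indicator-based vs technique-based detection."""
from dataclasses import dataclass, field

# Hypothetical allowlist of legitimate identity-provider origins (placeholder domain).
TRUSTED_IDP_ORIGINS = {"https://login.idp.example"}
# Indicator-based control: the phishing domains known when the rule was written.
BLOCKLIST = {"secure-login-portal.example"}

@dataclass
class Session:
    origin: str                                   # origin of the page the user is on
    events: list = field(default_factory=list)    # ordered in-browser telemetry events

def indicator_detect(s: Session) -> bool:
    """Fires only if the page's host is already on the blocklist."""
    return s.origin.split("://", 1)[-1] in BLOCKLIST

def technique_detect(s: Session) -> bool:
    """Keys off the sequence the page describes, not the domain: a password prompt
    rendered on a non-IdP origin, the user typing into it, then the session moving
    on to a trusted IdP via redirect or token exchange (AiTM-style harvesting)."""
    if s.origin in TRUSTED_IDP_ORIGINS:
        return False          # credential prompt on the real IdP is the legitimate case
    saw_prompt = saw_input = False
    for e in s.events:
        if e["type"] == "dom" and e.get("password_field"):
            saw_prompt = True
        elif e["type"] == "input" and e.get("field") == "password" and saw_prompt:
            saw_input = True
        elif e["type"] in ("redirect", "token_exchange") and saw_input \
                and e["to"] in TRUSTED_IDP_ORIGINS:
            return True
    return False

def harvesting_session(host: str) -> Session:
    """Same constructed harvest flow, parameterised by the (disposable) hosting domain."""
    return Session(f"https://{host}", [
        {"type": "render", "title": "Sign in"},
        {"type": "dom", "password_field": True},
        {"type": "input", "field": "password"},
        {"type": "redirect", "to": "https://login.idp.example"},
    ])

LEGIT = Session("https://login.idp.example", [
    {"type": "dom", "password_field": True},
    {"type": "input", "field": "password"},
    {"type": "token_exchange", "to": "https://login.idp.example"},
])

def coverage_after_rotation() -> dict:
    """Day-1 domain vs day-2 rotated domain: (day1, day2, legitimate) per detector."""
    day1 = harvesting_session("secure-login-portal.example")
    day2 = harvesting_session("account-check-0421.example")   # rotated, not blocklisted
    return {"indicator": tuple(map(indicator_detect, (day1, day2, LEGIT))),
            "technique": tuple(map(technique_detect, (day1, day2, LEGIT)))}
```

Running `coverage_after_rotation()` shows the blocklist rule losing the rotated campaign while the behavioural rule still fires and stays quiet on the legitimate IdP login; in production the allowlist would also need the organisation's own SSO front doors to avoid false positives.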

Why research velocity has become a detection control

The article’s deeper point is that research is no longer separate from detection quality. As attackers compress the time between technique discovery and commoditisation, defenders need a pipeline that can identify new behavioural patterns, validate them, and operationalise them before the technique becomes common. That is especially true for identity abuse techniques such as device code phishing and ClickFix variants, where the frontend can change rapidly but the interaction model remains detectable. In practice, this shifts detection maturity from static coverage to continuous behavioural curation.

Practical implication: treat detection engineering as a fast-cycle research function, not a signature-maintenance backlog.


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Technique-level detection is now the only durable control plane for browser-based identity attacks. When infrastructure can be generated and discarded at machine speed, indicator-based detection loses structural value before it reaches operational maturity. The field needs to stop treating domains and hashes as the primary defence surface and start treating attacker behaviour as the control target. Practitioners should therefore re-centre detection strategy on techniques that survive infrastructure churn.

Behavioural visibility inside the browser is the missing control boundary for modern IAM defence. Network and email controls see delivery, not the actual identity interaction that determines compromise. In-browser observation captures the page mechanics, redirect logic, and user flow that identity attacks depend on, which makes it the only vantage point that consistently survives phishing kit rotation. The implication is that browser telemetry is no longer optional if identity assurance is the goal.

Kit fragmentation is turning signature-based detection into a lagging indicator. As platforms fork, mutate, and republish each other’s code, the old assumption that a small number of kit fingerprints can cover most abuse breaks down. This is not just a tooling problem; it is an identity governance problem, because the attack surface is increasingly composed of interchangeable delivery layers wrapped around the same abuse mechanics. Practitioners should expect coverage gaps whenever they treat tool names as the unit of defence.

Research velocity has become a defensive capability, not just an analyst function. The window between a new technique appearing and being commoditised is shrinking, which means detection teams need a pipeline that can move from observation to production in days, not quarters. That changes how the discipline should be measured: not by how many indicators are blocked, but by how quickly a novel technique is recognised and converted into a durable behavioural detection. Practitioners should build for detection turnaround, not alert volume.

From our research:

  • 89% of phishing domains are active for fewer than two days, with just 6.5% surviving past 15 days, according to The 52 NHI breaches Report.
  • In our research, 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% having no or low visibility and 47% only partial visibility.
  • Forward pivot: The NHI Lifecycle Management Guide shows why visibility and offboarding discipline matter when identity abuse keeps changing form.

What this signals

Technique-first detection will become the default expectation as attacker infrastructure keeps shrinking in lifetime. Teams that still optimise around blocklists will see diminishing returns, especially where browser-native identity attacks never touch the endpoint in a way traditional tools can inspect. Browser telemetry and behavioural curation are now the practical path to coverage, not an advanced option.

Phishing defence is increasingly an IAM visibility problem as much as a security operations problem. When identity flows happen through the browser and are repeatedly rewrapped by attacker infrastructure, the question becomes whether the organisation can see the action sequence at the moment it occurs. That is why the right control boundary is now inside the session, not just around the perimeter.

Adaptive detection is becoming a governance requirement rather than a tuning exercise. The organisations that will keep pace are the ones that can connect browser visibility, threat research, and response workflows into a single operating model. For practitioners, the signal is clear: if a control cannot survive infrastructure rotation, it will not survive AI-assisted abuse either.


For practitioners

  • Shift coverage from indicators to behaviours: Prioritise detections that key off page mechanics, interaction sequences, redirect behaviour, and protocol abuse rather than domains, hashes, or static kit fingerprints.
  • Instrument browser-visible identity flows: Use telemetry that can observe the full browsing session, including render events, DOM activity, credential prompts, and token exchange patterns that network tools cannot see.
  • Build a fast-cycle detection research pipeline: Treat detection engineering as continuous research so new techniques can be validated and deployed before they are commoditised across multiple kits.
  • Re-test blocklist dependence in phishing response: Measure how much of your phishing defence still depends on short-lived infrastructure indicators and document where those controls fail once domains rotate.

Key takeaways

  • AI has not created a new detection problem so much as it has accelerated an old one, making indicator-based controls expire faster than teams can refresh them.
  • Technique-level detections hold because they target attacker behaviour inside the browser session, where identity abuse is actually executed.
  • Defenders now need faster research-to-production cycles, or they will keep shipping controls that arrive after the attack has already moved on.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is central when attacker infrastructure rotates quickly. |
| NIST Zero Trust (SP 800-207) | PR.AC-7 | Browser-session verification fits continuous identity validation for modern attacks. |
| OWASP Non-Human Identity Top 10 | NHI-08 | Identity attack detection must account for non-human and machine-driven abuse patterns. |

Extend monitoring to browser-visible behaviour so identity attacks are detected before infrastructure changes.


Key terms

  • Technique-level detection: Technique-level detection identifies the method of attack rather than the artefact an attacker used to deliver it. In browser-based identity abuse, that means watching interaction sequences, redirect behaviour, and protocol misuse that remain stable even when infrastructure, domains, and frontends change.
  • Browser visibility: Browser visibility is the ability to observe what happens inside the user’s session, including page rendering, DOM activity, and interaction flow. It matters because many identity attacks execute entirely in the browser, where perimeter and email controls cannot see the actual abuse mechanics.
  • Indicator-based detection: Indicator-based detection relies on known bad domains, hashes, URLs, or other reusable artefacts. It is useful when attackers reuse infrastructure, but it degrades quickly when campaigns rotate assets at speed or generate new delivery layers on demand.
  • Kit fragmentation: Kit fragmentation describes the rapid splitting, cloning, and mutation of phishing toolsets across multiple operators and variants. As fragmentation increases, signature coverage gets weaker because no single kit fingerprint represents the full attack ecosystem for long.

Deepen your knowledge

Technique-level detection and browser visibility are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building identity defence around changing phishing infrastructure, it is a useful next step.

This post draws on content published by Push Security: AI is accelerating the collapse of indicator-based threat detection. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org