TL;DR: Push Security reports that the number of detections it ships each month has tripled by combining human researchers with AI agents to sift trillions of browser events, surface novel attacks such as InstallFix, and turn behavioral findings into production detections. The key lesson is that speed and fidelity come from operationalised context, not bigger blocklists.
NHIMG editorial — based on content published by Push Security: agentic threat hunting against modern browser-based attacks
By the numbers:
- We’ve detected a 37x increase in device code phishing attacks across our install base.
Questions worth separating out
Q: How should security teams build browser detections that survive rotating infrastructure?
A: They should base detections on behavior, not infrastructure.
Q: Why do browser attacks create identity risk instead of just web risk?
A: Because the browser is where users approve access, enter credentials, and grant consent.
Q: What do security teams get wrong about using AI agents for threat hunting?
A: They often assume the agent is the source of insight.
Practitioner guidance
- Shift detections from indicators to behaviors: map the browser events that remain stable across infrastructure changes, including redirects, script loading, user interaction, and credential entry.
- Operationalise research knowledge for agent use: turn investigator heuristics, TTP notes, and prior hunt findings into structured context that agents can reuse.
- Treat browser telemetry as identity telemetry: route browser-derived signals into identity investigations when the attack path involves login, consent, OAuth grant, or token abuse.
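An added illustration of the first guidance point (example code, not Push Security's own): a behaviour-based rule beside a blocklist rule, both run over constructed browser telemetry in which the attacker rotates domains between two sessions. The event fields, the origins, and the idea that a credential-entry event records which identity provider the entered credential belongs to are assumptions of this example.

```python
"""Behaviour-based vs. blocklist detection over constructed browser telemetry.

Assumptions (not from the page): each event is a dict with a session id,
an event type and origins; credential_entry events carry the IdP the
entered credential belongs to (as a browser extension might recognise it).
"""
from collections import defaultdict

# Legitimate login origins per identity provider (constructed values).
IDP_ORIGINS = {"corp-idp": {"https://login.corp-idp.example"}}

# Constructed telemetry: two phishing sessions on rotated domains (A, B) and one real login (C).
EVENTS = [
    {"sid": "A", "type": "redirect", "origin": "https://lnk.example", "to": "https://phish-a.example"},
    {"sid": "A", "type": "script_load", "origin": "https://phish-a.example", "script": "https://cdn-x.example/kit.js"},
    {"sid": "A", "type": "credential_entry", "origin": "https://phish-a.example", "idp": "corp-idp"},
    {"sid": "B", "type": "redirect", "origin": "https://lnk.example", "to": "https://phish-b.example"},
    {"sid": "B", "type": "script_load", "origin": "https://phish-b.example", "script": "https://cdn-y.example/kit.js"},
    {"sid": "B", "type": "credential_entry", "origin": "https://phish-b.example", "idp": "corp-idp"},
    {"sid": "C", "type": "redirect", "origin": "https://intranet.example", "to": "https://login.corp-idp.example"},
    {"sid": "C", "type": "credential_entry", "origin": "https://login.corp-idp.example", "idp": "corp-idp"},
]


def blocklist_detect(events, blocklist):
    """Indicator-based: alert only when a page origin is already on the list."""
    return sorted({e["sid"] for e in events if e["origin"] in blocklist or e.get("to") in blocklist})


def behavioural_detect(events):
    """Behaviour-based: a credential for an IdP entered on a page that is not that IdP.

    Returns {session: context}; the context carries the redirect chain and
    third-party scripts so the alert is useful to an identity investigation.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["sid"]].append(e)
    alerts = {}
    for sid, evs in by_session.items():
        for e in evs:
            if e["type"] != "credential_entry":
                continue
            if e["origin"] in IDP_ORIGINS.get(e["idp"], set()):
                continue  # credential went to its rightful login page
            page = e["origin"]
            alerts[sid] = {
                "page": page,
                "redirects": [x["to"] for x in evs if x["type"] == "redirect"],
                "third_party_scripts": [x["script"] for x in evs
                                        if x["type"] == "script_load" and not x["script"].startswith(page)],
            }
    return alerts


if __name__ == "__main__":
    print(blocklist_detect(EVENTS, {"https://phish-a.example"}))  # only session A
    print(behavioural_detect(EVENTS))  # sessions A and B, with context
```

The blocklist rule misses session B because the domain rotated; the behavioural rule flags both sessions and ignores the legitimate login in session C.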
What's in the full article
Push Security's full article covers the operational detail this post intentionally leaves for the source:
- How the agentic hunt pipeline is structured across hypothesis generation, triage, and deeper analysis
- Examples of browser telemetry fields used in hunts, including DOM context, script execution, and user actions
- Details of how detections are tuned to survive rotating infrastructure and avoid IOC dependence
- The internal feedback loop that turns prior investigations into reusable detection logic
👉 Read Push Security's analysis of agentic threat hunting for browser attacks →
Browser threat hunting with AI agents: what changes for IAM teams?
Explore further
Behavioral hunting is now an identity control problem, not just a browser security problem. The article shows that the useful signal lives in consent prompts, redirected pages, credential entry, and post-click behavior. Those are identity events as much as they are web events, because the attacker is targeting the point where trust is granted. The practitioner takeaway is that browser telemetry belongs inside identity risk operations, not outside them.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.
A question worth separating out:
Q: How can teams tell whether agent-assisted detection is actually working?
A: Look for detections that remain effective after infrastructure changes, plus a measurable drop in time from new technique discovery to production coverage. If the workflow only catches known bad domains, it is not really scaling threat hunting. It is just automating blocklists.
👉 Read our full editorial: Agentic threat hunting for browser attacks needs human context