TL;DR: Push Security says its browser extension now pairs rich telemetry with AI agents to hunt for new attacker techniques, while Omdia found 55% of organisations reported a successful or suspected browser-based attack in the last 12 months. The real shift is that browser security is moving from IOC chasing to technique-driven detection that can keep up with AI-enabled attack mutation.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- 55% of organisations reported a successful or suspected browser-based attack in the last 12 months.
- 88% of organisations said browser security is among their top five security priorities.
Questions worth separating out
A: Security teams should focus on repeatable attacker techniques rather than disposable infrastructure.
Q: Why do browser-based attacks create extra risk for NHI and human identity programmes?
A: Because the browser is where access is actually exercised, not just authenticated.
Q: What do security teams get wrong about IOC-based browser defence?
A: They often assume a blocked domain or flagged URL is enough to stop the campaign.
Practitioner guidance
- Map browser telemetry to identity risk signals: Identify which browser events expose session hijack, consent abuse, token theft, and suspicious navigation so they can feed IAM and SOC detections.
- Shift detections from indicators to techniques: Replace heavy dependence on known-bad domains and URLs with detections for repeatable browser tactics such as device code abuse, AitM phishing, and malicious consent flows.
- Treat AI-assisted detections as governed outputs: Require clear ownership for any agent-generated detection, including validation steps, change control, and rollback criteria.
What's in the full announcement
Push Security's full blog post covers the operational detail this post intentionally leaves for the source:
- How the browser extension captures high-fidelity telemetry across millions of browsers for hunting use cases
- How the inner-loop and outer-loop detection model turns research into production-ready detections
- Examples of emerging browser attack techniques such as ConsentFix and InstallFix
- How Push describes privacy-preserving collection and selective context queries during investigations
AI-native browser threat hunting: what it means for IAM teams?
Explore further
Browser security is now an identity governance problem, not just a detection problem. The browser is where human sessions, NHI-backed tokens, and identity-mediated access collide in real time. That makes session context, consent events, and browser telemetry part of the identity control surface, not a separate endpoint concern. Practitioners should treat browser-layer visibility as a prerequisite for governing modern access paths.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How can organisations tell whether browser threat hunting is actually improving?
A: Look for fewer false positives, faster detection of new tactics, and more detections tied to repeatable attacker behaviour rather than one-off indicators. If the programme only improves alert volume, not detection fidelity, it is scaling noise instead of security.