
Browser identity attacks: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Attackers are increasingly bypassing exploit-based entry and using logins, stolen sessions, MFA gaps, and browser-based social engineering instead, according to Push Security’s recap of its conversation with Matt Johansen. The control problem is no longer just preventing compromise; it is governing identity, sessions, and browser trust assumptions that conventional perimeter tooling was not built to handle.

NHIMG editorial — based on content published by Push Security: Security theatre vs. security that works, the third episode in its State of Browser Attacks series

By the numbers:

Questions worth separating out

Q: How should security teams respond when browser sessions survive token revocation?

A: They should treat session termination as a separate control from IdP token revocation and test it against the actual SaaS applications in use.

Q: Why do browser-based attacks bypass many IAM controls?

A: They exploit the point after authentication succeeds.

Q: How can organisations tell whether their browser security controls are working?

A: Look for visibility into post-authentication behaviour, not just blocked logins.

Practitioner guidance

  • Instrument browser identity telemetry: Collect signals on login provenance, consent grants, session reuse, extension behaviour, and unusual SaaS access so that identity abuse can be detected before broad lateral movement starts.
  • Map what token revocation really kills: Test the full revocation chain from IdP token invalidation to downstream SaaS session termination, then document the applications where a revoked upstream token still leaves a live session.
  • Review browser extensions as delegated access: Put approved extensions on a continuous review path that tracks permissions, publisher changes, and updates, because install-time approval does not reflect post-install risk.

What's in the full article

Push Security's full recap covers the operational detail this post intentionally leaves for the source:

  • The full conversation on why browser-based identity abuse is replacing exploit-led intrusion in day-to-day incident work.
  • Detailed examples of ClickFix, consent phishing, and extension abuse patterns that practitioners can use in threat modelling.
  • The containment discussion on what revocation really removes from IdP, SaaS, and browser sessions.
  • Matt Johansen’s commentary on response timing, including the practical 30-minute containment benchmark.

👉 Read Push Security's recap of security theatre vs. security that works →

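A worked illustration of the "instrument browser identity telemetry" and "map what token revocation really kills" guidance above. This is an added example, not code from Push Security, Matt Johansen or the post; the event schema, field names, the OAuth allowlist and the high-risk scope list are all assumptions, and the log lines are constructed. It runs three checks a practitioner would want from post-authentication telemetry: a session ID showing up from a client (IP plus user agent) that is not the one that logged in, a consent grant of high-risk scopes to an app outside the allowlist, and SaaS activity on a session after the IdP revocation event, which is exactly the "session survived revocation" case the Q&A separates out.

```python
"""Triage of browser-identity telemetry over constructed log lines.

Example code written for this post; not Push Security's or NHIMG's tooling.
Assumptions: one JSON event per line with the fields used below; an org
allowlist of OAuth apps; a list of scopes treated as high risk.
"""
import json
from datetime import datetime

# Constructed sample telemetry (not real data). One JSON object per line.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","type":"login","user":"alice","session":"s1","ip":"203.0.113.10","ua":"Chrome/124","idp":"okta","mfa":"webauthn"}
{"ts":"2024-05-01T09:05:00Z","type":"session_use","user":"alice","session":"s1","ip":"203.0.113.10","ua":"Chrome/124","app":"crm"}
{"ts":"2024-05-01T09:07:00Z","type":"session_use","user":"alice","session":"s1","ip":"198.51.100.7","ua":"Firefox/125","app":"crm"}
{"ts":"2024-05-01T09:10:00Z","type":"consent_grant","user":"alice","app":"mail-sync-helper","scopes":["Mail.ReadWrite","offline_access"]}
{"ts":"2024-05-01T09:20:00Z","type":"revoke","user":"alice","idp":"okta"}
{"ts":"2024-05-01T09:25:00Z","type":"session_use","user":"alice","session":"s1","ip":"198.51.100.7","ua":"Firefox/125","app":"crm"}
{"ts":"2024-05-01T09:26:00Z","type":"session_use","user":"alice","session":"s1","ip":"198.51.100.7","ua":"Firefox/125","app":"wiki"}
"""

APPROVED_OAUTH_APPS = {"calendar-connector"}   # assumption: the org's allowlist
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "offline_access", "Files.ReadWrite.All"}
WEAK_MFA = {None, "none", "sms"}              # assumption: factors treated as weak


def parse(log):
    """Parse JSON lines, convert timestamps, and return events in time order."""
    events = [json.loads(line) for line in log.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def triage(events):
    """Return a list of findings as tuples whose first item is the finding kind."""
    findings = []
    origin = {}       # session id -> (ip, ua) that performed the login
    seen = {}         # session id -> set of (ip, ua) already reported
    revoked_at = {}   # user -> time of IdP revocation
    for e in events:
        kind = e["type"]
        if kind == "login":
            origin[e["session"]] = (e["ip"], e["ua"])
            seen[e["session"]] = {(e["ip"], e["ua"])}
            if e.get("mfa") in WEAK_MFA:
                findings.append(("weak_mfa", e["user"], e["session"]))
        elif kind == "session_use":
            client = (e["ip"], e["ua"])
            # Session reuse: the same session id driven from a client that did
            # not log in. Report each new client once, not on every request.
            if e["session"] in origin and client not in seen[e["session"]]:
                seen[e["session"]].add(client)
                findings.append(("session_reuse_from_new_client", e["user"], e["session"], e["app"]))
            # Activity after the IdP revoked the user: the downstream SaaS
            # session outlived the upstream token.
            rev = revoked_at.get(e["user"])
            if rev is not None and e["ts"] > rev:
                findings.append(("session_survived_revocation", e["user"], e["session"], e["app"]))
        elif kind == "consent_grant":
            risky = HIGH_RISK_SCOPES & set(e["scopes"])
            if risky and e["app"] not in APPROVED_OAUTH_APPS:
                findings.append(("unapproved_consent_high_risk", e["user"], e["app"], tuple(sorted(risky))))
        elif kind == "revoke":
            revoked_at[e["user"]] = e["ts"]
    return findings


def apps_surviving_revocation(findings):
    """The applications where a revoked upstream token still left a live session."""
    return sorted({f[3] for f in findings if f[0] == "session_survived_revocation"})


if __name__ == "__main__":
    results = triage(parse(SAMPLE_LOG))
    for f in results:
        print(f)
    print("sessions outlived IdP revocation in:", apps_surviving_revocation(results))
```

Running it against the constructed log reports one session-reuse finding (the session moves to a second client at 09:07), one unapproved high-risk consent grant, and two sessions that kept working after the 09:20 revocation, with `apps_surviving_revocation` naming `crm` and `wiki` as the applications whose session termination needs its own control and test, which is the documentation step the guidance above asks for.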



   
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Identity trust has shifted from the network edge into the browser session. That matters because the browser now mediates authentication, consent, extensions, and downstream SaaS access in one place. Security programmes that still treat the browser as a client rather than an identity control plane miss the point. The practitioner conclusion is that browser-layer identity telemetry belongs in IAM governance, not only in endpoint operations.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: What is the difference between MFA coverage and session control?

A: MFA controls how a user proves identity at login, while session control governs what happens after that login. If session tokens, OAuth grants, or browser cookies remain valid after revocation, MFA may be strong while the real access path stays open.

👉 Read our full editorial: Browser identity attacks are outpacing legacy security controls



   