TL;DR: Omdia’s survey of 400 IT and security professionals found 49% of organisations suffered a successful browser-based attack in the last 12 months, while 88% rank browser security as a top-five priority and 85% expect spend to rise, showing the browser has become a board-level control point. The real issue is that security programmes still assume visibility outside the session is enough, when the attack, the identity action, and the data loss now happen inside the browser.
NHIMG editorial — based on content published by Push Security: analysis of Omdia's browser management and security research
By the numbers:
- 49% of organizations suffered a successful browser-based attack in the last 12 months.
- 88% of respondents rank browser security as at least a top-five security priority.
- 85% of respondents expect to increase that spend over the next 12-24 months.
Questions worth separating out
Q: How should security teams handle browser-based attacks that happen inside the session?
A: They should move detection closer to the interaction layer and treat the browser session as a control point.
Q: Why do traditional network and endpoint controls miss so many browser attacks?
A: Because they observe traffic and device state, not the user’s actual actions inside the rendered page.
Q: When should organisations prioritise secure browser controls over broader web controls?
A: When the main risk is what happens after a user has already reached a trusted site or SaaS app.
Practitioner guidance
- Instrument browser sessions directly: Prioritise controls that can observe credential entry, token creation, page interactions, and data movement inside the browser session rather than relying only on perimeter logs.
- Align GenAI policy with enforcement: Make sure sanctioned and unsanctioned AI use is enforceable at the session layer, especially where employees can paste source code, customer records, or regulated data into web prompts.
- Review extension risk as an identity issue: Treat malicious and vulnerable browser extensions as in-session supply chain risk because they can read page content, alter requests, and harvest sessions without traditional network alerts.
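For the extension item above, an added example (not from Push Security, Omdia, or this editorial's sources): a small manifest audit that maps an extension's declared permissions to the three capabilities named there and flags any extension that combines one of them with every-site host access. The capability grouping, the `audit_manifest` name, and both sample manifests are assumptions constructed for illustration.

```python
import json

# Permission names are real Chrome/WebExtension manifest permissions; grouping
# them under the three capabilities named above is this example's assumption
# (webRequest alone only observes requests; the others can modify or reroute).
CAPABILITIES = {
    "read page content": {"scripting", "activeTab", "pageCapture", "tabCapture", "debugger"},
    "alter requests": {"webRequest", "webRequestBlocking", "declarativeNetRequest", "proxy"},
    "harvest sessions": {"cookies"},
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_text):
    """Map one extension manifest (MV2 or MV3) to in-session capabilities."""
    m = json.loads(manifest_text)
    perms = {p for p in m.get("permissions", []) if isinstance(p, str)}
    # MV2 lists host patterns inside "permissions"; MV3 uses "host_permissions".
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}
    hosts |= set(m.get("host_permissions", []))
    script_hosts = {h for cs in m.get("content_scripts", []) for h in cs.get("matches", [])}
    found = {}
    for capability, names in CAPABILITIES.items():
        hits = sorted(perms & names)
        if hits:
            found[capability] = hits
    if script_hosts:  # content scripts run inside the matched pages
        found.setdefault("read page content", []).append("content_scripts")
    broad = sorted((hosts | script_hosts) & BROAD_HOSTS)
    # Priority review: a sensitive capability combined with every-site reach.
    return {"name": m.get("name", "?"), "capabilities": found,
            "broad_hosts": broad, "review": bool(found and broad)}


# Constructed sample manifests, not real extensions.
RISKY = json.dumps({"manifest_version": 3, "name": "sample-coupon-helper",
    "permissions": ["cookies", "scripting", "declarativeNetRequest", "storage"],
    "host_permissions": ["<all_urls>"]})
NARROW = json.dumps({"manifest_version": 3, "name": "sample-intranet-notes",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://intranet.example/*"], "js": ["n.js"]}]})

if __name__ == "__main__":
    for text in (RISKY, NARROW):
        print(json.dumps(audit_manifest(text), indent=2))
```

Declared permissions show what an extension is able to do, not what it does, so the output is a triage list for review rather than a verdict.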
What's in the full report
Push Security's full article covers the operational detail this post intentionally leaves for the source:
- A seven-finding breakdown of how respondents ranked browser threats, investment priorities, and use cases.
- Detailed figures on budget allocation, including where secure enterprise browser spend is coming from.
- Vendor-category and deployment-model comparisons that help teams evaluate how browser controls fit existing estates.
- Examples of browser-native detection and control capabilities that matter once you move from strategy to implementation.
Explore further
Browser-layer visibility is now an identity governance requirement, not a convenience feature. The report shows that the decisive security event increasingly occurs inside the session where authentication, data handling, and application use converge. That breaks the old assumption that network logs, endpoint data, and IAM logs together provide enough context to understand abuse. Practitioners should treat browser telemetry as part of the identity control plane.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: What is the difference between browser security and secure web gateway controls?
A: Secure web gateways primarily inspect and filter traffic, while browser security can observe and govern what happens inside the session itself. That difference matters for GenAI, credential theft, and session hijacking because the relevant action often occurs after the page loads. Browser-layer controls provide the contextual evidence SWGs cannot.