[{"data":1,"prerenderedAt":3234},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/5-ways-to-defeat-identity-based-attacks":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"summary":1282,"title":1302,"subtitle":118,"metaTitle":1303,"synopsis":1304,"hashTags":118,"publishedDate":1305,"slug":1306,"ogImage":1307,"tagsCollection":1309,"relatedBlogPostsCollection":1319,"authorsCollection":2500,"content":2504,"_id":3229,"_type":3230,"_source":3231,"_file":3232,"_stem":3233,"_extension":3230},"/blog/5-ways-to-defeat-identity-based-attacks","blog",{"id":1280,"publishedAt":1281},"6rflXTFCRMvmM8JU8ZPSCt","2026-01-30T09:27:40.111Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1301},{},[1286,1295],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"In today's digital world, identities are the new frontier for attackers seeking to breach organizational perimeters. As the attack surface evolves, so too must our strategies for defending against threats. Below are five key tactics to bolster your defenses and thwart identity-based attacks.","text","paragraph",{"data":1296,"content":1297,"nodeType":1294},{},[1298],{"data":1299,"marks":1300,"value":37,"nodeType":1293},{},[],"document","5 ways to defeat identity-based attacks","Push Security: 5 Ways to Defeat Identity-Based Attacks","In this blog post we will cover what identities are, how we secure perimeters in general, and and how this maps to the identity space.\n","2024-02-26T00:00:00.000Z","5-ways-to-defeat-identity-based-attacks",{"url":1308},"https://images.ctfassets.net/y1cdw1ablpvd/4fNcMVZPgTYGgMRk7Wn0pd/9195a26bf242fa006e61ba45778f248f/Identity-Based-Attacks.png",{"items":1310},[1311,1315],{"sys":1312,"name":1314},{"id":1313},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"sys":1316,"name":1318},{"id":1317},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1320},[1321,2152],{"__typename":1322,"sys":1323,"content":1325,"title":2132,"synopsis":2133,"hashTags":118,"publishedDate":2134,"slug":2135,"tagsCollection":2136,"authorsCollection":2144},"BlogPosts",{"id":1324},"6VZQJzQ2FNetGNMEjiuXB2",{"json":1326},{"nodeType":1301,"data":1327,"content":1328},{},[1329,1336,1343,1350,1357,1365,1372,1381,1403,1410,1456,1463,1471,1516,1536,1543,1550,1557,1577,1597,1604,1639,1646,1666,1673,1680,1712,1732,1739,1745,1752,1759,1766,1773,1780,1787,1794,1801,1808,1815,1822,1829,1845,1852,1923,1930,1937,1966,1981,1988,1995,2002,2035,2055,2062,2069,2076,2083,2102,2120,2126],{"nodeType":1294,"data":1330,"content":1331},{},[1332],{"nodeType":1293,"value":1333,"marks":1334,"data":1335},"Our goal at Push is simple — to stop identity attacks. Today, the vast majority of identity vulnerabilities exist in the context of SaaS apps. ",[],{},{"nodeType":1294,"data":1337,"content":1338},{},[1339],{"nodeType":1293,"value":1340,"marks":1341,"data":1342},"The reasons for this are clear: Security teams have reduced central oversight and control over SaaS apps than they are used to, these apps exist in large numbers per company, and the identities that are used to access these apps are... complicated, to say the least. Securing hundreds of apps, with thousands of associated identities, is therefore no mean feat. ",[],{},{"nodeType":1294,"data":1344,"content":1345},{},[1346],{"nodeType":1293,"value":1347,"marks":1348,"data":1349},"Securing SaaS use means building controls that are easy to use, easy to understand — and ultimately effective. Not just effective against the hand-wavy concept of “SaaS attacks,” but specific techniques — the most common techniques that are likely to cause real damage.",[],{},{"nodeType":1294,"data":1351,"content":1352},{},[1353],{"nodeType":1293,"value":1354,"marks":1355,"data":1356},"To talk about this, we need to have a shared understanding of what these techniques are. To get that conversation going, we’ve pulled together all the techniques we're aware of, and our research team has even added a bunch of new ones.",[],{},{"nodeType":1358,"data":1359,"content":1360},"heading-1",{},[1361],{"nodeType":1293,"value":1362,"marks":1363,"data":1364},"The SaaS attack matrix",[],{},{"nodeType":1294,"data":1366,"content":1367},{},[1368],{"nodeType":1293,"value":1369,"marks":1370,"data":1371},"We’ve taken inspiration from the MITRE ATT&CK framework (certainly intended as the sincerest form of flattery), but wanted to make a conscious break away from the endpoint-focused ATT&CK techniques and instead focus on techniques that are SaaS-specific. In fact, these techniques don’t touch endpoints (so they bypass EDR) or customer networks (so they bypass network detection) — so we’re calling them networkless attacks.",[],{},{"nodeType":1373,"data":1374,"content":1380},"embedded-entry-block",{"target":1375},{"sys":1376},{"id":1377,"type":1378,"linkType":1379},"768Zv5gTVHyu5rbzJAzL4F","Link","Entry",[],{"nodeType":1294,"data":1382,"content":1383},{},[1384,1388,1399],{"nodeType":1293,"value":1385,"marks":1386,"data":1387},"You can find more detailed descriptions of these techniques (and hopefully PRs for some we missed) on ",[],{},{"nodeType":1389,"data":1390,"content":1392},"hyperlink",{"uri":1391},"https://github.com/pushsecurity/saas-attacks",[1393],{"nodeType":1293,"value":1394,"marks":1395,"data":1398},"GitHub",[1396],{"type":1397},"underline",{},{"nodeType":1293,"value":1400,"marks":1401,"data":1402},".",[],{},{"nodeType":1294,"data":1404,"content":1405},{},[1406],{"nodeType":1293,"value":1407,"marks":1408,"data":1409},"Since we’re not targeting endpoints, let’s talk about the new targets: The accounts/identities on SaaS apps. We found it was useful to think about these identities not as standalone isolated islands — but much more like a graph; less a single web-server on the internet and more like many Windows endpoints on an Active Directory. ",[],{},{"nodeType":1294,"data":1411,"content":1412},{},[1413,1417,1426,1430,1439,1443,1452],{"nodeType":1293,"value":1414,"marks":1415,"data":1416},"You can leverage this access to an identity on a trusted platform to target (so laterally move or escalate privilege to) other users or identities. For example, attacks like using access to SaaS apps to ",[],{},{"nodeType":1389,"data":1418,"content":1420},{"uri":1419},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/in-app_phishing/description.md",[1421],{"nodeType":1293,"value":1422,"marks":1423,"data":1425},"phish other employees through comments",[1424],{"type":1397},{},{"nodeType":1293,"value":1427,"marks":1428,"data":1429}," and ",[],{},{"nodeType":1389,"data":1431,"content":1433},{"uri":1432},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_user_spoofing/description.md",[1434],{"nodeType":1293,"value":1435,"marks":1436,"data":1438},"spoofing users on IM platforms",[1437],{"type":1397},{},{"nodeType":1293,"value":1440,"marks":1441,"data":1442}," to social engineer them there — or perhaps ",[],{},{"nodeType":1389,"data":1444,"content":1446},{"uri":1445},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/link_backdooring/description.md",[1447],{"nodeType":1293,"value":1448,"marks":1449,"data":1451},"backdooring links",[1450],{"type":1397},{},{"nodeType":1293,"value":1453,"marks":1454,"data":1455}," in documents.",[],{},{"nodeType":1294,"data":1457,"content":1458},{},[1459],{"nodeType":1293,"value":1460,"marks":1461,"data":1462},"In this case, unusually, it’s not the data in these hundreds of SaaS apps that create risk, and you need to consider low-risk (from a data perspective) apps as a vector to pivot to higher-risk apps in your estate.",[],{},{"nodeType":1464,"data":1465,"content":1466},"heading-2",{},[1467],{"nodeType":1293,"value":1468,"marks":1469,"data":1470},"Initial access and poisoned tenants",[],{},{"nodeType":1294,"data":1472,"content":1473},{},[1474,1478,1487,1490,1499,1503,1512],{"nodeType":1293,"value":1475,"marks":1476,"data":1477},"Attacks like ",[],{},{"nodeType":1389,"data":1479,"content":1481},{"uri":1480},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/credential_stuffing/description.md",[1482],{"nodeType":1293,"value":1483,"marks":1484,"data":1486},"credential stuffing",[1485],{"type":1397},{},{"nodeType":1293,"value":1427,"marks":1488,"data":1489},[],{},{"nodeType":1389,"data":1491,"content":1493},{"uri":1492},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/email_phishing/description.md",[1494],{"nodeType":1293,"value":1495,"marks":1496,"data":1498},"email phishing",[1497],{"type":1397},{},{"nodeType":1293,"value":1500,"marks":1501,"data":1502}," that get you initial access to SaaS apps are fairly well known — because they work and are widely used. We’re also starting to see tools and attacks that suggest that ",[],{},{"nodeType":1389,"data":1504,"content":1506},{"uri":1505},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_phishing/description.md",[1507],{"nodeType":1293,"value":1508,"marks":1509,"data":1511},"phishing employees through these IM apps",[1510],{"type":1397},{},{"nodeType":1293,"value":1513,"marks":1514,"data":1515}," is about to go mainstream.",[],{},{"nodeType":1294,"data":1517,"content":1518},{},[1519,1523,1532],{"nodeType":1293,"value":1520,"marks":1521,"data":1522},"Another interesting attack is a spin on the classic waterhole attack called a ",[],{},{"nodeType":1389,"data":1524,"content":1526},{"uri":1525},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/poisoned_tenants/description.md",[1527],{"nodeType":1293,"value":1528,"marks":1529,"data":1531},"poisoned tenant",[1530],{"type":1397},{},{"nodeType":1293,"value":1533,"marks":1534,"data":1535},". Rather than attacking a customer tenant for a SaaS app, the attacker lures employees into joining an attacker-controlled tenant. ",[],{},{"nodeType":1294,"data":1537,"content":1538},{},[1539],{"nodeType":1293,"value":1540,"marks":1541,"data":1542},"SaaS apps allow anyone to name app tenants (a.k.a. spaces, teams, or instances) anything they like — including your company name. Attackers send invites to your employees from within the app with a customized message explaining why they should join this new tenant (or sign up to the app if they are not already a user). ",[],{},{"nodeType":1294,"data":1544,"content":1545},{},[1546],{"nodeType":1293,"value":1547,"marks":1548,"data":1549},"Attackers might even pay for premium licenses in the app to further entice employees to join. The attacker then waits for the employee to upload sensitive data or create integrations with other company apps containing crown jewels.",[],{},{"nodeType":1464,"data":1551,"content":1552},{},[1553],{"nodeType":1293,"value":1554,"marks":1555,"data":1556},"Living-off-the-(SaaS)-land to persist and avoid detection",[],{},{"nodeType":1294,"data":1558,"content":1559},{},[1560,1564,1573],{"nodeType":1293,"value":1561,"marks":1562,"data":1563},"In the endpoint world, a favorite technique is the use of legit OS utilities or ",[],{},{"nodeType":1389,"data":1565,"content":1567},{"uri":1566},"https://lolbas-project.github.io",[1568],{"nodeType":1293,"value":1569,"marks":1570,"data":1572},"LOLBaS",[1571],{"type":1397},{},{"nodeType":1293,"value":1574,"marks":1575,"data":1576}," (Living-Off-the-Land Binaries and Scripts), which are often signed Microsoft utilities. Perhaps the most well-known example is executing scripts through PowerShell rather than building custom malware. That isn’t as useful these days, but there was a time when PowerShell was routinely used to bypass AV, EDR, and even app allow-listing.",[],{},{"nodeType":1294,"data":1578,"content":1579},{},[1580,1584,1593],{"nodeType":1293,"value":1581,"marks":1582,"data":1583},"In that same living-off-the-land mindset, an attacker trying to maintain access to each SaaS app they compromise using custom OAuth integration apps might instead choose to use legit SaaS apps that specialize in workflow automation to create ",[],{},{"nodeType":1389,"data":1585,"content":1587},{"uri":1586},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/shadow_workflows/description.md",[1588],{"nodeType":1293,"value":1589,"marks":1590,"data":1592},"shadow workflows",[1591],{"type":1397},{},{"nodeType":1293,"value":1594,"marks":1595,"data":1596},". Utilizing legit SaaS apps also means they can hide in plain sight from incident responders, instead of having to rely on unverified or unpublished integrations.",[],{},{"nodeType":1294,"data":1598,"content":1599},{},[1600],{"nodeType":1293,"value":1601,"marks":1602,"data":1603},"Perhaps the best example here is using a well-known automation app like Zapier, which claims to have more than 5,000 integrations. These integrations are often verified, approved, and connected to a trusted vendor (Zapier). An attacker might create workflows to:",[],{},{"nodeType":1605,"data":1606,"content":1607},"unordered-list",{},[1608,1619,1629],{"nodeType":1609,"data":1610,"content":1611},"list-item",{},[1612],{"nodeType":1294,"data":1613,"content":1614},{},[1615],{"nodeType":1293,"value":1616,"marks":1617,"data":1618},"Do daily data exfiltration from a victim’s data lake.",[],{},{"nodeType":1609,"data":1620,"content":1621},{},[1622],{"nodeType":1294,"data":1623,"content":1624},{},[1625],{"nodeType":1293,"value":1626,"marks":1627,"data":1628},"Configure a webhook that adds malicious accounts to a Github repo on demand.",[],{},{"nodeType":1609,"data":1630,"content":1631},{},[1632],{"nodeType":1294,"data":1633,"content":1634},{},[1635],{"nodeType":1293,"value":1636,"marks":1637,"data":1638},"Automatically find and replace bank account numbers in emails to the finance team.",[],{},{"nodeType":1294,"data":1640,"content":1641},{},[1642],{"nodeType":1293,"value":1643,"marks":1644,"data":1645},"All appear as legitimate Zapier integrations. But, before you put in alerts specifically for Zapier, know that it’s one of dozens of apps that support these kinds of offensive workflows.",[],{},{"nodeType":1294,"data":1647,"content":1648},{},[1649,1653,1662],{"nodeType":1293,"value":1650,"marks":1651,"data":1652},"A sneaky attacker might go further and use an ",[],{},{"nodeType":1389,"data":1654,"content":1656},{"uri":1655},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md",[1657],{"nodeType":1293,"value":1658,"marks":1659,"data":1661},"evil twin integration",[1660],{"type":1397},{},{"nodeType":1293,"value":1663,"marks":1664,"data":1665}," to make another instance of an existing integration — making this backdoor almost impossible to discover.",[],{},{"nodeType":1464,"data":1667,"content":1668},{},[1669],{"nodeType":1293,"value":1670,"marks":1671,"data":1672},"Features or vulnerabilities?",[],{},{"nodeType":1294,"data":1674,"content":1675},{},[1676],{"nodeType":1293,"value":1677,"marks":1678,"data":1679},"When looking for attack techniques, you’re typically going after features that have weaknesses you can abuse rather than bugs in a single app that will be patched. ",[],{},{"nodeType":1294,"data":1681,"content":1682},{},[1683,1687,1696,1699,1708],{"nodeType":1293,"value":1684,"marks":1685,"data":1686},"It’s pretty common for SaaS apps to skip email verification or allow multiple simultaneous authentication methods. Both of these are conscious design choices in the name of lowering the friction of account creation and reducing customer support. However, these features make techniques like ",[],{},{"nodeType":1389,"data":1688,"content":1690},{"uri":1689},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/account_ambushing/description.md",[1691],{"nodeType":1293,"value":1692,"marks":1693,"data":1695},"account ambushing",[1694],{"type":1397},{},{"nodeType":1293,"value":1427,"marks":1697,"data":1698},[],{},{"nodeType":1389,"data":1700,"content":1702},{"uri":1701},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[1703],{"nodeType":1293,"value":1704,"marks":1705,"data":1707},"ghost logins",[1706],{"type":1397},{},{"nodeType":1293,"value":1709,"marks":1710,"data":1711}," possible. If these attacks become widespread, these might come to be seen more as bugs rather than a positive feature for users.",[],{},{"nodeType":1294,"data":1713,"content":1714},{},[1715,1719,1728],{"nodeType":1293,"value":1716,"marks":1717,"data":1718},"In other cases, the bugs are serious enough and hard enough to patch that they’re worth noting as a technique. The recently disclosed (and perfectly named) ",[],{},{"nodeType":1389,"data":1720,"content":1722},{"uri":1721},"https://www.descope.com/blog/post/noauth",[1723],{"nodeType":1293,"value":1724,"marks":1725,"data":1727},"nOAuth",[1726],{"type":1397},{},{"nodeType":1293,"value":1729,"marks":1730,"data":1731}," bug fits this bill. ",[],{},{"nodeType":1294,"data":1733,"content":1734},{},[1735],{"nodeType":1293,"value":1736,"marks":1737,"data":1738},"The bug arises from a confusion between an email identity and email metadata field in Microsoft integrations and without a central fix from MS (the fix isn’t trivial), these bugs are likely to be discovered and re-occur on third-party OAuth apps for a while to come.",[],{},{"nodeType":1373,"data":1740,"content":1744},{"target":1741},{"sys":1742},{"id":1743,"type":1378,"linkType":1379},"6iKFd9Qys2SSuNqKVQB7ka",[],{"nodeType":1358,"data":1746,"content":1747},{},[1748],{"nodeType":1293,"value":1749,"marks":1750,"data":1751},"The SaaS market is driving these offensive techniques",[],{},{"nodeType":1294,"data":1753,"content":1754},{},[1755],{"nodeType":1293,"value":1756,"marks":1757,"data":1758},"SaaS apps are basically web apps that are run in the cloud and accessed from endpoints, so then WebApp, endpoint, and cloud security should cover all of SaaS, right? ",[],{},{"nodeType":1294,"data":1760,"content":1761},{},[1762],{"nodeType":1293,"value":1763,"marks":1764,"data":1765},"That was our assumption when we started, but what we found instead was that SaaS marketing practices are driving a lot of pretty interesting techniques that you don’t run into in standalone web apps.",[],{},{"nodeType":1464,"data":1767,"content":1768},{},[1769],{"nodeType":1293,"value":1770,"marks":1771,"data":1772},"Modern SaaS is easy to adopt, easy to use, low friction, low cost, low overhead",[],{},{"nodeType":1294,"data":1774,"content":1775},{},[1776],{"nodeType":1293,"value":1777,"marks":1778,"data":1779},"Making apps easy to sign up for and low effort to support means you need to make some interesting choices when it comes to designing account creation and recovery flows. ",[],{},{"nodeType":1294,"data":1781,"content":1782},{},[1783],{"nodeType":1293,"value":1784,"marks":1785,"data":1786},"Many apps allow users to sign into apps using multiple methods, easily invite collaborators (internal and external) and avoid any additional friction during the signup process. ",[],{},{"nodeType":1294,"data":1788,"content":1789},{},[1790],{"nodeType":1293,"value":1791,"marks":1792,"data":1793},"For example, many apps avoid verifying new account email addresses. This is not laziness, these are conscious design choices — not driven by security clearly, but not accidents.",[],{},{"nodeType":1464,"data":1795,"content":1796},{},[1797],{"nodeType":1293,"value":1798,"marks":1799,"data":1800},"Modern SaaS is highly integrated",[],{},{"nodeType":1294,"data":1802,"content":1803},{},[1804],{"nodeType":1293,"value":1805,"marks":1806,"data":1807},"Most SaaS apps are trying to build app marketplaces or perform well in other apps' marketplaces (often both), and it’s rare these days to find apps that don’t integrate with other apps. ",[],{},{"nodeType":1294,"data":1809,"content":1810},{},[1811],{"nodeType":1293,"value":1812,"marks":1813,"data":1814},"OAuth has become the de facto standard protocol for doing this, and most users have become quite used to approving OAuth2.0 consent flows. These integrations have opened up lots of incredibly useful doors for attackers to persist access and move laterally across SaaS apps that few incident response teams have run into yet. These tokens don’t expire when you reset passwords, aren’t protected by MFA, and actions they performed are rarely logged. ",[],{},{"nodeType":1294,"data":1816,"content":1817},{},[1818],{"nodeType":1293,"value":1819,"marks":1820,"data":1821},"These are not bugs or oversights but rather a consequence of how these APIs are intended to be used (by machines, not human adversaries).",[],{},{"nodeType":1358,"data":1823,"content":1824},{},[1825],{"nodeType":1293,"value":1826,"marks":1827,"data":1828},"Problems with observing SaaS attacks ",[],{},{"nodeType":1294,"data":1830,"content":1831},{},[1832,1836,1841],{"nodeType":1293,"value":1833,"marks":1834,"data":1835},"This research begs one question above others: ",[],{},{"nodeType":1293,"value":1837,"marks":1838,"data":1840},"“Are we seeing these attacks in the wild?",[1839],{"type":312},{},{"nodeType":1293,"value":1842,"marks":1843,"data":1844},"” ",[],{},{"nodeType":1464,"data":1846,"content":1847},{},[1848],{"nodeType":1293,"value":1849,"marks":1850,"data":1851},"Yes, definitely",[],{},{"nodeType":1294,"data":1853,"content":1854},{},[1855,1859,1868,1871,1880,1884,1893,1897,1906,1910,1919],{"nodeType":1293,"value":1856,"marks":1857,"data":1858},"For some of the better-known techniques, like credential stuffing and email phishing, the answer is an easy yes. Stats from ",[],{},{"nodeType":1389,"data":1860,"content":1862},{"uri":1861},"https://www.microsoft.com/en-us/security/blog/2023/05/04/how-microsoft-can-help-you-go-passwordless-this-world-password-day/",[1863],{"nodeType":1293,"value":1864,"marks":1865,"data":1867},"Microsoft (1,287 password attacks every second)",[1866],{"type":1397},{},{"nodeType":1293,"value":1427,"marks":1869,"data":1870},[],{},{"nodeType":1389,"data":1872,"content":1874},{"uri":1873},"https://auth0.com/blog/top-insights-from-our-2022-state-of-secure-identity-report/",[1875],{"nodeType":1293,"value":1876,"marks":1877,"data":1879},"Auth0 (a third of their traffic is credential stuffing)",[1878],{"type":1397},{},{"nodeType":1293,"value":1881,"marks":1882,"data":1883}," speaks volumes. Other sources like the ",[],{},{"nodeType":1389,"data":1885,"content":1887},{"uri":1886},"https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022",[1888],{"nodeType":1293,"value":1889,"marks":1890,"data":1892},"NCSC's Cyber Security Breaches Survey 2022",[1891],{"type":1397},{},{"nodeType":1293,"value":1894,"marks":1895,"data":1896}," and the ",[],{},{"nodeType":1389,"data":1898,"content":1900},{"uri":1899},"https://www.verizon.com/business/resources/reports/dbir/",[1901],{"nodeType":1293,"value":1902,"marks":1903,"data":1905},"Verizon 2023 Data Breach Investigations Report",[1904],{"type":1397},{},{"nodeType":1293,"value":1907,"marks":1908,"data":1909}," suggest that phishing is also a major cause of SaaS breaches. Anecdotal reports from colleagues in the Incident Response field suggest that malicious mail forwarding rules are seen a lot, something which is supported by the ",[],{},{"nodeType":1389,"data":1911,"content":1913},{"uri":1912},"https://expel.com/expel-quarterly-threat-report/",[1914],{"nodeType":1293,"value":1915,"marks":1916,"data":1918},"Expel Quarterly Threat Report for Q1 2023",[1917],{"type":1397},{},{"nodeType":1293,"value":1920,"marks":1921,"data":1922}," (see page 6).",[],{},{"nodeType":1294,"data":1924,"content":1925},{},[1926],{"nodeType":1293,"value":1927,"marks":1928,"data":1929},"The takeaway is that the current focus for defenders should be to ensure users have good phishing-resistant account security in place — make sure you have basics like strong unique passwords and MFA in place across your entire SaaS estate.",[],{},{"nodeType":1464,"data":1931,"content":1932},{},[1933],{"nodeType":1293,"value":1934,"marks":1935,"data":1936},"For newer OAuth attacks, it’s a lot less clear …",[],{},{"nodeType":1294,"data":1938,"content":1939},{},[1940,1944,1949,1953,1962],{"nodeType":1293,"value":1941,"marks":1942,"data":1943},"Other techniques like consent phishing have been discussed in some breach disclosures like the ",[],{},{"nodeType":1293,"value":1945,"marks":1946,"data":1948},"2020 SANS breach",[1947],{"type":1397},{},{"nodeType":1293,"value":1950,"marks":1951,"data":1952},". These OAuth techniques also pop up in the news (for example, the ",[],{},{"nodeType":1389,"data":1954,"content":1956},{"uri":1955},"https://www.bleepingcomputer.com/news/security/github-how-stolen-oauth-tokens-helped-breach-dozens-of-orgs/",[1957],{"nodeType":1293,"value":1958,"marks":1959,"data":1961},"2022 Github/Heroku/Travis-CI breach",[1960],{"type":1397},{},{"nodeType":1293,"value":1963,"marks":1964,"data":1965}," where GitHub accounts were breached using stolen Heroku and Travis-CI OAuth tokens). ",[],{},{"nodeType":1294,"data":1967,"content":1968},{},[1969,1973,1978],{"nodeType":1293,"value":1970,"marks":1971,"data":1972},"That said, none of these techniques come up as frequently as their usefulness would suggest. This means one of two things: ",[],{},{"nodeType":1293,"value":1974,"marks":1975,"data":1977},"Either attackers aren’t yet using them widely, or they are and we aren’t detecting them",[1976],{"type":312},{},{"nodeType":1293,"value":1400,"marks":1979,"data":1980},[],{},{"nodeType":1294,"data":1982,"content":1983},{},[1984],{"nodeType":1293,"value":1985,"marks":1986,"data":1987},"There is certainly a case to be made that attackers simply don’t need these newer techniques yet. Many organizations don’t have a way of discovering SaaS use in their organization yet, never mind breached accounts, so new persistence techniques might be a bit more than necessary at the moment.",[],{},{"nodeType":1464,"data":1989,"content":1990},{},[1991],{"nodeType":1293,"value":1992,"marks":1993,"data":1994},"But would we know if it was happening?",[],{},{"nodeType":1294,"data":1996,"content":1997},{},[1998],{"nodeType":1293,"value":1999,"marks":2000,"data":2001},"On the other hand, there is certainly the possibility that these attacks are increasingly used, but are simply not being discovered. A strong argument in favor of this view is the difficulty in investigating these attacks. Very few SaaS apps provide enough logging capability to discover these attacks as a customer. This is true even for the biggest, most mature apps like Office 365 and Google Workspace unless you are on top license tiers. This is doubly true for attacks that use OAuth, with many apps providing no insight or details into actions made using OAuth-authenticated APIs. ",[],{},{"nodeType":1294,"data":2003,"content":2004},{},[2005,2009,2018,2022,2031],{"nodeType":1293,"value":2006,"marks":2007,"data":2008},"This suggests only the SaaS providers for these apps are really in a position to discover and investigate them. This does ring true when you consider that ",[],{},{"nodeType":1389,"data":2010,"content":2012},{"uri":2011},"https://blog.heroku.com/april-2022-incident-review",[2013],{"nodeType":1293,"value":2014,"marks":2015,"data":2017},"Heroku",[2016],{"type":1397},{},{"nodeType":1293,"value":2019,"marks":2020,"data":2021}," relied heavily on Github during the investigation (and in one case even the detection of) their 2022 breaches, and the same seems true for a similar breach affecting ",[],{},{"nodeType":1389,"data":2023,"content":2025},{"uri":2024},"https://circleci.com/blog/jan-4-2023-incident-report/",[2026],{"nodeType":1293,"value":2027,"marks":2028,"data":2030},"CircleCI",[2029],{"type":1397},{},{"nodeType":1293,"value":2032,"marks":2033,"data":2034}," later that year. Github and CircleCI’s customers prompted the investigation after seeing strange behavior, but Github had access to the logs to investigate. It’s difficult to imagine that most or even many SaaS vendors have the resources or inclination to run these investigations effectively as GitHub appears to have.",[],{},{"nodeType":1294,"data":2036,"content":2037},{},[2038,2042,2052],{"nodeType":1293,"value":2039,"marks":2040,"data":2041},"So, are these attacks happening in the real world? My best guess is it’s a little bit of column A and a little bit of column B — there are likely not so many of these attacks happening yet, and when they do, I suspect the vast majority go undetected. ",[],{},{"nodeType":1389,"data":2043,"content":2045},{"uri":2044},"https://www.youtube.com/watch?v=j95kNwZw8YY",[2046],{"nodeType":1293,"value":2047,"marks":2048,"data":2051},"But that’s just like my opinion, man.",[2049,2050],{"type":1397},{"type":312},{},{"nodeType":1293,"value":37,"marks":2053,"data":2054},[],{},{"nodeType":1294,"data":2056,"content":2057},{},[2058],{"nodeType":1293,"value":2059,"marks":2060,"data":2061},"This is part of the reason we think enabling red teamers to try these techniques in anger is useful — this is the time-proven way to understand these risks.",[],{},{"nodeType":1358,"data":2063,"content":2064},{},[2065],{"nodeType":1293,"value":2066,"marks":2067,"data":2068},"What’s next?",[],{},{"nodeType":1294,"data":2070,"content":2071},{},[2072],{"nodeType":1293,"value":2073,"marks":2074,"data":2075},"We’ve barely scratched the surface, but perhaps there is enough here to get the discussion going. From past experience, discussion may not be enough, and it’s likely that live offensive work like penetration tests or more likely red team exercises will be required to make the risks of using these techniques real for the wider security community. ",[],{},{"nodeType":1294,"data":2077,"content":2078},{},[2079],{"nodeType":1293,"value":2080,"marks":2081,"data":2082},"After all, seeing is believing. We think some more practical examples and tools to help red  teamers use these techniques on engagements will help drive awareness forward, so we’ll be looking to build out this content.",[],{},{"nodeType":1294,"data":2084,"content":2085},{},[2086,2090,2099],{"nodeType":1293,"value":2087,"marks":2088,"data":2089},"We’ve started with pure networkless attacks that don’t touch customer networks or endpoints, but there are many useful techniques to connect the old endpoint world to the SaaS world. Consider stealing OAuth tokens from a thick client on an endpoint, or using a ",[],{},{"nodeType":1389,"data":2091,"content":2093},{"uri":2092},"https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/",[2094],{"nodeType":1293,"value":2095,"marks":2096,"data":2098},"backdoored GitHub repo to get code execution on endpoints",[2097],{"type":1397},{},{"nodeType":1293,"value":1400,"marks":2100,"data":2101},[],{},{"nodeType":1294,"data":2103,"content":2104},{},[2105,2109,2116],{"nodeType":1293,"value":2106,"marks":2107,"data":2108},"Help us all better understand how widespread these attacks are by sharing some war stories. We’d love some comments, discussions, or PRs on ",[],{},{"nodeType":1389,"data":2110,"content":2111},{"uri":1391},[2112],{"nodeType":1293,"value":1394,"marks":2113,"data":2115},[2114],{"type":1397},{},{"nodeType":1293,"value":2117,"marks":2118,"data":2119},"!",[],{},{"nodeType":1373,"data":2121,"content":2125},{"target":2122},{"sys":2123},{"id":2124,"type":1378,"linkType":1379},"2y0INxqAi594O7rCAVKhTI",[],{"nodeType":1294,"data":2127,"content":2128},{},[2129],{"nodeType":1293,"value":37,"marks":2130,"data":2131},[],{},"Let’s talk about SaaS attack techniques","Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face.","2023-07-27T00:00:00.000Z","saas-attack-techniques",{"items":2137},[2138,2142],{"sys":2139,"name":2141},{"id":2140},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2143,"name":1318},{"id":1317},{"items":2145},[2146],{"fullName":2147,"firstName":2148,"jobTitle":2149,"profilePicture":2150},"Jacques Louw","Jacques","Co-founder / CRO",{"url":2151},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"__typename":1322,"sys":2153,"content":2155,"title":2481,"synopsis":2169,"hashTags":118,"publishedDate":2482,"slug":2483,"tagsCollection":2484,"authorsCollection":2492},{"id":2154},"3m48a0kFoN8gh0IZQBup5U",{"json":2156},{"nodeType":1301,"data":2157,"content":2158},{},[2159,2165,2174,2186,2193,2200,2243,2249,2256,2263,2270,2277,2302,2309,2316,2388,2395,2402,2409,2415,2422,2429,2435,2442,2449,2455,2462],{"nodeType":1373,"data":2160,"content":2164},{"target":2161},{"sys":2162},{"id":2163,"type":1378,"linkType":1379},"3OXZccsHUbm5vXq1Ouv9H8",[],{"nodeType":1294,"data":2166,"content":2167},{},[2168],{"nodeType":1293,"value":2169,"marks":2170,"data":2173},"Don’t leave it up to your employees to figure out how to use cloud apps securely. Guide them directly in their browsers when they access their apps.",[2171],{"type":2172},"bold",{},{"nodeType":1294,"data":2175,"content":2176},{},[2177,2181],{"nodeType":1293,"value":2178,"marks":2179,"data":2180},"That’s the concept behind our latest feature, in-browser app banners. They allow you to",[],{},{"nodeType":1293,"value":2182,"marks":2183,"data":2185}," create custom messages that guide employees to follow your security policies on the apps they use for work.",[2184],{"type":2172},{},{"nodeType":1294,"data":2187,"content":2188},{},[2189],{"nodeType":1293,"value":2190,"marks":2191,"data":2192},"For example, at the top of this page you can see an app banner that tells employees using ChatGPT not to put company or customer data into the app, and provides a link to the company’s GenAI policy:",[],{},{"nodeType":1294,"data":2194,"content":2195},{},[2196],{"nodeType":1293,"value":2197,"marks":2198,"data":2199},"The banners are fully customizable, so you can enter whatever text you like. Here are a few ideas to get you started:",[],{},{"nodeType":1605,"data":2201,"content":2202},{},[2203,2213,2223,2233],{"nodeType":1609,"data":2204,"content":2205},{},[2206],{"nodeType":1294,"data":2207,"content":2208},{},[2209],{"nodeType":1293,"value":2210,"marks":2211,"data":2212},"Encourage employees to use an approved app over a new, unsupported alternative.",[],{},{"nodeType":1609,"data":2214,"content":2215},{},[2216],{"nodeType":1294,"data":2217,"content":2218},{},[2219],{"nodeType":1293,"value":2220,"marks":2221,"data":2222},"Remind employees not to enter sensitive information into ChatGPT or other GenAI tools.",[],{},{"nodeType":1609,"data":2224,"content":2225},{},[2226],{"nodeType":1294,"data":2227,"content":2228},{},[2229],{"nodeType":1293,"value":2230,"marks":2231,"data":2232},"Tell employees not to use an app until it can be reviewed by the security team.",[],{},{"nodeType":1609,"data":2234,"content":2235},{},[2236],{"nodeType":1294,"data":2237,"content":2238},{},[2239],{"nodeType":1293,"value":2240,"marks":2241,"data":2242},"Ask employees to use their federated identity on apps supporting SSO.",[],{},{"nodeType":1373,"data":2244,"content":2248},{"target":2245},{"sys":2246},{"id":2247,"type":1378,"linkType":1379},"6XuJbfjhrr9JDKY6fcD5hZ",[],{"nodeType":1358,"data":2250,"content":2251},{},[2252],{"nodeType":1293,"value":2253,"marks":2254,"data":2255},"Why did we build it?",[],{},{"nodeType":1294,"data":2257,"content":2258},{},[2259],{"nodeType":1293,"value":2260,"marks":2261,"data":2262},"We co-created this feature with our customers. They wanted a more flexible and nuanced way of managing the risks associated with using SaaS apps than just allowlisting or blocklisting apps. ",[],{},{"nodeType":1294,"data":2264,"content":2265},{},[2266],{"nodeType":1293,"value":2267,"marks":2268,"data":2269},"That means guiding employees to use apps more safely rather than just blocking new tools by default.",[],{},{"nodeType":1294,"data":2271,"content":2272},{},[2273],{"nodeType":1293,"value":2274,"marks":2275,"data":2276},"Now don’t get us wrong — there’s a time and a place for blocking. But for most organizations, there are more scenarios when it's better to help employees do something safely. ",[],{},{"nodeType":1294,"data":2278,"content":2279},{},[2280,2284,2289,2293,2298],{"nodeType":1293,"value":2281,"marks":2282,"data":2283},"That’s the reason why we ",[],{},{"nodeType":1293,"value":2285,"marks":2286,"data":2288},"wanted",[2287],{"type":312},{},{"nodeType":1293,"value":2290,"marks":2291,"data":2292}," to build the feature. The reason we were ",[],{},{"nodeType":1293,"value":2294,"marks":2295,"data":2297},"able",[2296],{"type":312},{},{"nodeType":1293,"value":2299,"marks":2300,"data":2301}," to build it is because Push’s superpower is a browser extension that detects signups and logins to supported and unsupported apps, and then helps you manage and secure accounts and identities on all of them. ",[],{},{"nodeType":1294,"data":2303,"content":2304},{},[2305],{"nodeType":1293,"value":2306,"marks":2307,"data":2308},"The Push browser extension gets you the closest to the user, providing the ideal platform for security teams to guide employees at exactly the right time and place — when they’re accessing an app in their browser.",[],{},{"nodeType":1358,"data":2310,"content":2311},{},[2312],{"nodeType":1293,"value":2313,"marks":2314,"data":2315},"How does it work?",[],{},{"nodeType":2317,"data":2318,"content":2319},"ordered-list",{},[2320,2330,2340,2359,2378],{"nodeType":1609,"data":2321,"content":2322},{},[2323],{"nodeType":1294,"data":2324,"content":2325},{},[2326],{"nodeType":1293,"value":2327,"marks":2328,"data":2329},"You can configure an app banner in less than 1 minute. Here are the 4 steps, or just scroll down to the demos below to see for yourself. ",[],{},{"nodeType":1609,"data":2331,"content":2332},{},[2333],{"nodeType":1294,"data":2334,"content":2335},{},[2336],{"nodeType":1293,"value":2337,"marks":2338,"data":2339},"Find an app in your app inventory on the Push platform.",[],{},{"nodeType":1609,"data":2341,"content":2342},{},[2343],{"nodeType":1294,"data":2344,"content":2345},{},[2346,2350,2355],{"nodeType":1293,"value":2347,"marks":2348,"data":2349},"Hit ",[],{},{"nodeType":1293,"value":2351,"marks":2352,"data":2354},"Configure on the app details slideout",[2353],{"type":2172},{},{"nodeType":1293,"value":2356,"marks":2357,"data":2358},", and then add your custom banner message. ",[],{},{"nodeType":1609,"data":2360,"content":2361},{},[2362],{"nodeType":1294,"data":2363,"content":2364},{},[2365,2369,2374],{"nodeType":1293,"value":2366,"marks":2367,"data":2368},"Use the ",[],{},{"nodeType":1293,"value":2370,"marks":2371,"data":2373},"Preview",[2372],{"type":2172},{},{"nodeType":1293,"value":2375,"marks":2376,"data":2377}," button to see what it will look like. ",[],{},{"nodeType":1609,"data":2379,"content":2380},{},[2381],{"nodeType":1294,"data":2382,"content":2383},{},[2384],{"nodeType":1293,"value":2385,"marks":2386,"data":2387},"Then once you're happy, save it to enable it on the signup and login pages for that app. Now your banner will appear every time an employee accesses the app using a browser with the Push browser extension on it. ",[],{},{"nodeType":1358,"data":2389,"content":2390},{},[2391],{"nodeType":1293,"value":2392,"marks":2393,"data":2394},"Use case inspo",[],{},{"nodeType":1464,"data":2396,"content":2397},{},[2398],{"nodeType":1293,"value":2399,"marks":2400,"data":2401},"Help employees use ChatGPT and GenAI apps safely",[],{},{"nodeType":1294,"data":2403,"content":2404},{},[2405],{"nodeType":1293,"value":2406,"marks":2407,"data":2408},"Lots of security teams we speak to are happy for their employees to use GenAI apps like ChatGPT, as long as no sensitive data goes into them. Here we create a banner telling employees not to share sensitive information and to read the GenAI policy to understand how to use apps like this securely.",[],{},{"nodeType":1373,"data":2410,"content":2414},{"target":2411},{"sys":2412},{"id":2413,"type":1378,"linkType":1379},"N6E38qUzEe8fNvpoJwBXH",[],{"nodeType":1464,"data":2416,"content":2417},{},[2418],{"nodeType":1293,"value":2419,"marks":2420,"data":2421},"Guide your employees toward approved apps and prevent SaaS sprawl",[],{},{"nodeType":1294,"data":2423,"content":2424},{},[2425],{"nodeType":1293,"value":2426,"marks":2427,"data":2428},"You’ll probably prefer that your employees use approved and supported apps, and not to self-adopt new duplicate apps that contribute to SaaS sprawl. Here we use a banner to tell employees to use an approved file-sharing app.",[],{},{"nodeType":1373,"data":2430,"content":2434},{"target":2431},{"sys":2432},{"id":2433,"type":1378,"linkType":1379},"2VhggiMOWCu9ZXqh4U7pZ9",[],{"nodeType":1464,"data":2436,"content":2437},{},[2438],{"nodeType":1293,"value":2439,"marks":2440,"data":2441},"Encourage employees to use their federated identities instead of creating shadow identities",[],{},{"nodeType":1294,"data":2443,"content":2444},{},[2445],{"nodeType":1293,"value":2446,"marks":2447,"data":2448},"If you’ve invested in an SSO solution like Okta, you probably want to get as many of your apps and accounts behind it as possible. This banner tells employees to access the app using their Okta federated identity rather than using or creating a local account. ",[],{},{"nodeType":1373,"data":2450,"content":2454},{"target":2451},{"sys":2452},{"id":2453,"type":1378,"linkType":1379},"6cJcIJ8GpsioU6JQs3afxy",[],{"nodeType":1358,"data":2456,"content":2457},{},[2458],{"nodeType":1293,"value":2459,"marks":2460,"data":2461},"Find out more",[],{},{"nodeType":1294,"data":2463,"content":2464},{},[2465,2469,2477],{"nodeType":1293,"value":2466,"marks":2467,"data":2468},"To see Push in action, ",[],{},{"nodeType":1389,"data":2470,"content":2472},{"uri":2471},"https://pushsecurity.com/demo/",[2473],{"nodeType":1293,"value":2474,"marks":2475,"data":2476},"book a demo",[],{},{"nodeType":1293,"value":2478,"marks":2479,"data":2480},". We’ll be happy to show you this feature along with how we discover all the apps your employees are using and how we detect vulnerable identities. ",[],{},"Introducing in-browser app banners: Set guardrails for cloud apps","2024-02-06T00:00:00.000Z","introducing-in-browser-app-banners-set-guardrails-for-cloud-apps",{"items":2485},[2486,2488],{"sys":2487,"name":1314},{"id":1313},{"sys":2489,"name":2491},{"id":2490},"5jk0kqjSdSK2L0YiistQjY","Release notes",{"items":2493},[2494],{"fullName":2495,"firstName":2496,"jobTitle":2497,"profilePicture":2498},"Alex Henshall","Alex","Product Team",{"url":2499},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"items":2501},[2502],{"fullName":2147,"firstName":2148,"jobTitle":2149,"profilePicture":2503},{"url":2151},{"json":2505,"links":3193},{"nodeType":1301,"data":2506,"content":2507},{},[2508,2515,2522,2529,2536,2543,2550,2556,2563,2570,2577,2584,2600,2607,2614,2621,2628,2635,2642,2649,2655,2662,2669,2676,2683,2689,2697,2704,2711,2718,2725,2733,2740,2746,2753,2760,2783,2790,2823,2830,2846,2854,2861,2868,2875,2882,2935,2942,2948,2955,2962,2969,2977,2984,2991,2998,3030,3037,3070,3077,3084,3091,3098,3106,3113,3120,3127,3134,3141,3148,3155,3162,3181,3187],{"nodeType":1358,"data":2509,"content":2510},{},[2511],{"nodeType":1293,"value":2512,"marks":2513,"data":2514},"What is in an identity?",[],{},{"nodeType":1294,"data":2516,"content":2517},{},[2518],{"nodeType":1293,"value":2519,"marks":2520,"data":2521},"Like real identities, digital identities are a little hard to define. Formally it’s a mapping of a human into the digital world, but more often this term is used as synonymous with a credential (e.g. a username and password, a Multi-Factor Authentication (MFA) device, or a fingerprint) - the thing you use to prove you own the identity in an authentication process. When people say an identity is breached, they typically mean the credentials have been stolen.",[],{},{"nodeType":1294,"data":2523,"content":2524},{},[2525],{"nodeType":1293,"value":2526,"marks":2527,"data":2528},"This is a useful simplification, but bear in mind that reality is a bit more complex. For example - identities are typically tied to an account on an application (you want to login to Slack, Slack knows your password), but can also trust a third party (an Identity Provider or IdP) to authenticate an identity on your behalf in what’s known as federation (“login with Google” on Slack).",[],{},{"nodeType":1294,"data":2530,"content":2531},{},[2532],{"nodeType":1293,"value":2533,"marks":2534,"data":2535},"Surprisingly, it’s very common for modern apps to allow a user to authenticate to the same account using a local credential (a username and password) and a federated identity (e.g. the “login with Google” or “login with Microsoft” buttons) interchangeably.",[],{},{"nodeType":1294,"data":2537,"content":2538},{},[2539],{"nodeType":1293,"value":2540,"marks":2541,"data":2542},"That’s how you could wind up with multiple identities tied to a single account, or multiple accounts tied to a single federated identity. This is exactly what you see for real users - and every weird in-between case to boot.",[],{},{"nodeType":1358,"data":2544,"content":2545},{},[2546],{"nodeType":1293,"value":2547,"marks":2548,"data":2549},"The “new perimeter” … from a red-teamer’s perspective",[],{},{"nodeType":1294,"data":2551,"content":2552},{},[2553],{"nodeType":1293,"value":37,"marks":2554,"data":2555},[],{},{"nodeType":1294,"data":2557,"content":2558},{},[2559],{"nodeType":1293,"value":2560,"marks":2561,"data":2562},"To see how identities are the new thing, it helps to see how we got here.",[],{},{"nodeType":1464,"data":2564,"content":2565},{},[2566],{"nodeType":1293,"value":2567,"marks":2568,"data":2569},"The good old days",[],{},{"nodeType":1294,"data":2571,"content":2572},{},[2573],{"nodeType":1293,"value":2574,"marks":2575,"data":2576},"A couple of decades ago, I was just getting started as a red-teamer or penetration tester, or whatever you want to call it. The job is to do what real attackers do so clients could understand the attack techniques and better defend against them. The most stressful part of each project was the first step - getting initial access to the target - getting past their perimeter and into the (usually) soft internals.",[],{},{"nodeType":1294,"data":2578,"content":2579},{},[2580],{"nodeType":1293,"value":2581,"marks":2582,"data":2583},"A security perimeter is a boundary at which controls can be enforced. From an offensive perspective, a security perimeter is the same as an attack surface: where you can target initial attacks to gain a foothold, from which you can launch further attacks. I use perimeter and attack surface interchangeably going forward.",[],{},{"nodeType":1294,"data":2585,"content":2586},{},[2587,2591,2596],{"nodeType":1293,"value":2588,"marks":2589,"data":2590},"A perimeter can be physical, like a wall around a house, or virtual like the network boundary between an internal network and the internet where controls are things like firewalls. A couple of decades ago this internet network boundary was ",[],{},{"nodeType":1293,"value":2592,"marks":2593,"data":2595},"the",[2594],{"type":312},{},{"nodeType":1293,"value":2597,"marks":2598,"data":2599}," perimeter. As any decent red-teamer during this era, we had a pretty well-oiled process of mapping a client’s external network, scanning it for services, and then identifying and exploiting known vulnerabilities in those services. With this foothold on a target network, we could pivot to other, more sensitive internal systems.",[],{},{"nodeType":1294,"data":2601,"content":2602},{},[2603],{"nodeType":1293,"value":2604,"marks":2605,"data":2606},"Blue teams started having success with automated vulnerability scanning and patching programs, during this time. Then red teams responded by focusing on finding new vulnerabilities, especially in custom code like web applications. I fondly remember using techniques like xp_cmdshell with SQL injection to get access to breach perimeter systems and get access to internal networks. As DMZs, SDLC, vuln scanning and a dozen other tactics became generally adopted things improved to the point where those standard red-team playbooks weren’t working anymore. ",[],{},{"nodeType":1464,"data":2608,"content":2609},{},[2610],{"nodeType":1293,"value":2611,"marks":2612,"data":2613},"The shift to targeting users and their endpoints",[],{},{"nodeType":1294,"data":2615,"content":2616},{},[2617],{"nodeType":1293,"value":2618,"marks":2619,"data":2620},"About a decade ago, attackers realized it was easier to breach the perimeter and gain access to internal networks by simply targeting users with endpoints directly connected to the internal network. At the time the main techniques were email phishing and malicious web pages delivering exploits or straight malware. We put down Burp and our other web app testing tools and started spending our time crafting phishing emails with malicious macro-laden Microsoft Office documents for that initial entrypoint.",[],{},{"nodeType":1294,"data":2622,"content":2623},{},[2624],{"nodeType":1293,"value":2625,"marks":2626,"data":2627},"Defenders were on the back foot and even back then the “train your employees to spot attacks” advice felt as totally unrealistic as it’s now proved to be. The zeitgeist suggested, \"Attackers only need to succeed once; defenders must succeed every time.\" Defenders were blind and the focus was firmly on detection. Much much better telemetry was needed, which spawned the endpoint detection and response (EDR) revolution. ",[],{},{"nodeType":1294,"data":2629,"content":2630},{},[2631],{"nodeType":1293,"value":2632,"marks":2633,"data":2634},"EDR required immediate changes to red team tactics, and together with better endpoint security defaults, automatic OS updates (that actually started working) and memory exploit protections (things like DEP and ASLR) the timelines for successful attacks were stretching a lot.",[],{},{"nodeType":1464,"data":2636,"content":2637},{},[2638],{"nodeType":1293,"value":2639,"marks":2640,"data":2641},"The modern perimeter",[],{},{"nodeType":1294,"data":2643,"content":2644},{},[2645],{"nodeType":1293,"value":2646,"marks":2647,"data":2648},"Attackers have had to change tactics yet again, due to the rising cost of attacking endpoints and the fact that data has moved off endpoints and internal networks and onto cloud systems or Software as a Service (SaaS) applications.",[],{},{"nodeType":1373,"data":2650,"content":2654},{"target":2651},{"sys":2652},{"id":2653,"type":1378,"linkType":1379},"79wGG37CY7aBdRrdjO5eQY",[],{"nodeType":1294,"data":2656,"content":2657},{},[2658],{"nodeType":1293,"value":2659,"marks":2660,"data":2661},"Identities have always existed as a target for attackers and were a critical part of the kill chain, but they used to be protected by some other perimeter, be that a network perimeter or an endpoint perimeter. ",[],{},{"nodeType":1294,"data":2663,"content":2664},{},[2665],{"nodeType":1293,"value":2666,"marks":2667,"data":2668},"This has fundamentally changed as modern work applications are now directly exposed to the internet  - and the only thing needed to access these apps are identities. That means identities are now no longer the second or third target but the initial target, the new perimeter.",[],{},{"nodeType":1358,"data":2670,"content":2671},{},[2672],{"nodeType":1293,"value":2673,"marks":2674,"data":2675},"Securing the (identity) perimeter",[],{},{"nodeType":1294,"data":2677,"content":2678},{},[2679],{"nodeType":1293,"value":2680,"marks":2681,"data":2682},"To understand how we can protect this new perimeter, I’ll discuss the general approach to securing any perimeter, and then how this applies to the identity attack surface.",[],{},{"nodeType":1373,"data":2684,"content":2688},{"target":2685},{"sys":2686},{"id":2687,"type":1378,"linkType":1379},"c0YSk60vVULBPorLkkBPL",[],{"nodeType":1464,"data":2690,"content":2691},{},[2692],{"nodeType":1293,"value":2693,"marks":2694,"data":2696},"1. Map your perimeter",[2695],{"type":2172},{},{"nodeType":1294,"data":2698,"content":2699},{},[2700],{"nodeType":1293,"value":2701,"marks":2702,"data":2703},"It’s impossible to secure what you don’t know about. Whether your perimeter is made of network services, user endpoints or identities, you must know what they are before you can implement controls to protect them, and crucially, verify those controls are effective.",[],{},{"nodeType":1294,"data":2705,"content":2706},{},[2707],{"nodeType":1293,"value":2708,"marks":2709,"data":2710},"In a traditional network setting, you might ask IT to inventory public network ranges, domains you own, and internet facing servers and services to get visibility into your attack surface. This is a pretty complex task and lots of the static inventory will quickly become outdated and incomplete. That’s why many orgs will perform network discovery activities to find internet-exposed network services, using anything from basic network scans to find onsite or self-hosted services to querying APIs in cloud infrastructure platforms (like AWS or Azure).",[],{},{"nodeType":1294,"data":2712,"content":2713},{},[2714],{"nodeType":1293,"value":2715,"marks":2716,"data":2717},"There are parallels in the identity perimeter space, like querying Identity Providers (IdPs like Entra/AzureAD or Okta) for federated identities to map the attack surface. Unfortunately there is no equivalent to scanning your public network ranges for identities, since you can’t scan or query an app to find accounts on your domain (would that we could!). This problem is compounded by the fact that while IT and developers are typically the only ones that can create and expose new network services, most apps allow any employee to create a new identity by signing up to a free account outside your SSO solution.",[],{},{"nodeType":1294,"data":2719,"content":2720},{},[2721],{"nodeType":1293,"value":2722,"marks":2723,"data":2724},"Knowing your perimeter without a technical solution is going to be a very hit and miss affair. To have confidence that you understand your identity perimeter, you need an inventory solution that can discover SSO identities (the easy part), as well as identities created outside SSO, like local accounts those employees created just by signing up. To secure identities it’s not enough to know that an employee is accessing an app website, you need to know if they are logged in and what identity they are using (is the username a company email or personal gmail?) or you’ll be dealing with endless false positives.",[],{},{"nodeType":1464,"data":2726,"content":2727},{},[2728],{"nodeType":1293,"value":2729,"marks":2730,"data":2732},"2. Reduce the size of your attack surface",[2731],{"type":2172},{},{"nodeType":1294,"data":2734,"content":2735},{},[2736],{"nodeType":1293,"value":2737,"marks":2738,"data":2739},"Once you have an idea of what makes up your perimeter, it’s generally a good idea to make it as small as possible. If you halve the number of network services an attacker can target, that means you can spend twice as long per service to secure the ones that remain - the same goes for identities!",[],{},{"nodeType":1373,"data":2741,"content":2745},{"target":2742},{"sys":2743},{"id":2744,"type":1378,"linkType":1379},"2XZ5vADLzuEnc2aAdZrkbO",[],{"nodeType":1294,"data":2747,"content":2748},{},[2749],{"nodeType":1293,"value":2750,"marks":2751,"data":2752},"To start this process, remove unused or unnecessary targets from the perimeter. ",[],{},{"nodeType":1294,"data":2754,"content":2755},{},[2756],{"nodeType":1293,"value":2757,"marks":2758,"data":2759},"On a network perimeter that might mean:",[],{},{"nodeType":1605,"data":2761,"content":2762},{},[2763,2773],{"nodeType":1609,"data":2764,"content":2765},{},[2766],{"nodeType":1294,"data":2767,"content":2768},{},[2769],{"nodeType":1293,"value":2770,"marks":2771,"data":2772},"Shutting down unused servers or",[],{},{"nodeType":1609,"data":2774,"content":2775},{},[2776],{"nodeType":1294,"data":2777,"content":2778},{},[2779],{"nodeType":1293,"value":2780,"marks":2781,"data":2782},"Firewalling services that don’t need to be exposed to the internet.",[],{},{"nodeType":1294,"data":2784,"content":2785},{},[2786],{"nodeType":1293,"value":2787,"marks":2788,"data":2789},"In the identity space, you might:",[],{},{"nodeType":1605,"data":2791,"content":2792},{},[2793,2803,2813],{"nodeType":1609,"data":2794,"content":2795},{},[2796],{"nodeType":1294,"data":2797,"content":2798},{},[2799],{"nodeType":1293,"value":2800,"marks":2801,"data":2802},"Make sure new accounts use existing federated identities,",[],{},{"nodeType":1609,"data":2804,"content":2805},{},[2806],{"nodeType":1294,"data":2807,"content":2808},{},[2809],{"nodeType":1293,"value":2810,"marks":2811,"data":2812},"Delete or disable unused SSO identities on your IdP, or ",[],{},{"nodeType":1609,"data":2814,"content":2815},{},[2816],{"nodeType":1294,"data":2817,"content":2818},{},[2819],{"nodeType":1293,"value":2820,"marks":2821,"data":2822},"Manually delete unnecessary user accounts on work apps.",[],{},{"nodeType":1294,"data":2824,"content":2825},{},[2826],{"nodeType":1293,"value":2827,"marks":2828,"data":2829},"Manually deleting an unmanaged local identity on an app, e.g. after an employee leaves your org, is a (very) non-trivial task. This is because you often don’t known of the accounts and don't have access to manage the account (the IT or security team aren’t admin on the app tenant where it exists). You might have access to the user’s mailbox and be able to get access to the account by going through an account recovery flow and delete the account that way - but this is very time consuming and even more difficult if the user enabled MFA (which is what you want them to do!).",[],{},{"nodeType":1294,"data":2831,"content":2832},{},[2833,2837,2842],{"nodeType":1293,"value":2834,"marks":2835,"data":2836},"Given the difficulty of managing these accounts, a better strategy is to ",[],{},{"nodeType":1293,"value":2838,"marks":2839,"data":2841},"make sure they never exist in the first place",[2840],{"type":2172},{},{"nodeType":1293,"value":2843,"marks":2844,"data":2845},". If you find you have lots of identities on an app you may decide the risk warrants IT effort and you can take over management of the app and integrate it with your IdP solution - or ask employees to use an alternative app instead. You can also use browser-based technical controls to prevent users from creating local identities in the first place.",[],{},{"nodeType":1464,"data":2847,"content":2848},{},[2849],{"nodeType":1293,"value":2850,"marks":2851,"data":2853},"3. Harden the perimeter",[2852],{"type":2172},{},{"nodeType":1294,"data":2855,"content":2856},{},[2857],{"nodeType":1293,"value":2858,"marks":2859,"data":2860},"Once you’ve made the perimeter as small as possible, the next step is to make it more difficult to breach that perimeter. Similar to the other objectives, but especially here, there are two sides to this. First the implementation; you have processes, configuration standards, and tools to make sure network services are updated and securely configured. Virtually no one achieves success simply through implementing good processes, you must continually verify that these processes work and that it continues to work.",[],{},{"nodeType":1294,"data":2862,"content":2863},{},[2864],{"nodeType":1293,"value":2865,"marks":2866,"data":2867},"To verify network controls are in place and working you do something like vulnerability scanning, where you check the perimeter for known vulnerabilities that an attacker could exploit and gain a foothold on your internal network. You might even have a risk profile that means you are concerned about more targeted attacks and hire pentesters or run a bug-bounty program to find weaknesses that can’t be automatically discovered. Very few organizations with an external network of any significant size perform a vulnerability scan for the first time - even a low-quality automated one - and find no serious issues. ",[],{},{"nodeType":1294,"data":2869,"content":2870},{},[2871],{"nodeType":1293,"value":2872,"marks":2873,"data":2874},"In the identity space, the status-quo is to be content with making policies and implementing and configuring an SSO system without explicit verification that it works as it should. We should be following the same level of verification processes for the identity perimeter as we do/did for the endpoint and network perimeter. ",[],{},{"nodeType":1294,"data":2876,"content":2877},{},[2878],{"nodeType":1293,"value":2879,"marks":2880,"data":2881},"In this case, the vulnerabilities we are looking for aren’t unpatched systems or zero-days. Instead, we’re looking for:",[],{},{"nodeType":1605,"data":2883,"content":2884},{},[2885,2895,2905,2915,2925],{"nodeType":1609,"data":2886,"content":2887},{},[2888],{"nodeType":1294,"data":2889,"content":2890},{},[2891],{"nodeType":1293,"value":2892,"marks":2893,"data":2894},"Accounts without MFA, ",[],{},{"nodeType":1609,"data":2896,"content":2897},{},[2898],{"nodeType":1294,"data":2899,"content":2900},{},[2901],{"nodeType":1293,"value":2902,"marks":2903,"data":2904},"Those using weak MFA methods that make them phish-able,",[],{},{"nodeType":1609,"data":2906,"content":2907},{},[2908],{"nodeType":1294,"data":2909,"content":2910},{},[2911],{"nodeType":1293,"value":2912,"marks":2913,"data":2914},"Employees re-using the same password across multiple accounts, ",[],{},{"nodeType":1609,"data":2916,"content":2917},{},[2918],{"nodeType":1294,"data":2919,"content":2920},{},[2921],{"nodeType":1293,"value":2922,"marks":2923,"data":2924},"Passwords that exist in public breach dumps,",[],{},{"nodeType":1609,"data":2926,"content":2927},{},[2928],{"nodeType":1294,"data":2929,"content":2930},{},[2931],{"nodeType":1293,"value":2932,"marks":2933,"data":2934},"Identities that should be in SSO but aren’t.",[],{},{"nodeType":1294,"data":2936,"content":2937},{},[2938],{"nodeType":1293,"value":2939,"marks":2940,"data":2941},"It’s not yet standard practice to test or verify that identity controls are in place, but if the past has taught us anything it soon will be. You'd be surprised how many times we find that the MFA policies security teams thought they had in place, actually aren't.",[],{},{"nodeType":1373,"data":2943,"content":2947},{"target":2944},{"sys":2945},{"id":2946,"type":1378,"linkType":1379},"4w5UZcf5hJ7ADuoT5W2tkC",[],{"nodeType":1294,"data":2949,"content":2950},{},[2951],{"nodeType":1293,"value":2952,"marks":2953,"data":2954},"Part of the reason for this lack of verification is due to lack of awareness. While identities used to be an internal thing that we protected with the network perimeter, online identities today are external and have slowly become the perimeter, almost without anyone noticing. While online identities are external, they are absolutely part of your attack surface and must be controlled and hardened to some extent.",[],{},{"nodeType":1294,"data":2956,"content":2957},{},[2958],{"nodeType":1293,"value":2959,"marks":2960,"data":2961},"Verifying controls is also really difficult, which is another reason we may not be making it a crucial step in the process. Customers feel that SSO solutions are security solutions and using security tools on security tools feel wrong. But it’s no different to vuln-scanning to ensure your firewalls are patched and don’t have default passwords. ",[],{},{"nodeType":1294,"data":2963,"content":2964},{},[2965],{"nodeType":1293,"value":2966,"marks":2967,"data":2968},"Verification can also be legally challenging because it’s not yet clear whether pentesters or red teamers are allowed to target online identities during assessments. Often these assets aren’t considered in scope during client assessments. This means these vulnerabilities rarely end up in pentest reports and therefore don’t enter many organization’s security or risk management processes. Since you own the identities (even on a third party identity solution or app) and are allowed to grant permission to the red team to use these identities, it seems to me that adding identities to the scope is distinct from bug hunting or vulnerability research on these apps (which is the legally challenging aspect). I would strongly recommend that you discuss including online identities with the red team as part of your next pentest.",[],{},{"nodeType":1464,"data":2970,"content":2971},{},[2972],{"nodeType":1293,"value":2973,"marks":2974,"data":2976},"4. Limit breach impact",[2975],{"type":2172},{},{"nodeType":1294,"data":2978,"content":2979},{},[2980],{"nodeType":1293,"value":2981,"marks":2982,"data":2983},"The unfortunate reality is that regardless of what we do to harden a perimeter, there will always be a chance that breaches occur. The goal is to reduce that risk by minimizing the attack surface and hardening identities. ",[],{},{"nodeType":1294,"data":2985,"content":2986},{},[2987],{"nodeType":1293,"value":2988,"marks":2989,"data":2990},"When an attacker does get a foothold (by compromising an identity, for instance) you need to to restrict their further actions. Risk involves both the likelihood and the impact of an event. Previously, we focused on reducing the likelihood of breaches. Now, we're also aiming to lessen the impact if they do occur.",[],{},{"nodeType":1294,"data":2992,"content":2993},{},[2994],{"nodeType":1293,"value":2995,"marks":2996,"data":2997},"In our network perimeter story, we might think of using a DMZ network to restrict network access for systems exposed to the internet. A common example of a failure to limit impact on a Windows endpoint breach is having service accounts on all endpoints with Domain Administrator permission - which effectively turns a breach of any endpoint very quickly into a breach of every endpoint.",[],{},{"nodeType":1294,"data":2999,"content":3000},{},[3001,3005,3014,3018,3026],{"nodeType":1293,"value":3002,"marks":3003,"data":3004},"In an identity context, we need to think not only of the direct effect of an identity compromise (e.g. what data can this account read), but also of further lateral movement attacks. Consider this ",[],{},{"nodeType":1389,"data":3006,"content":3008},{"uri":3007},"https://pushsecurity.com/blog/oktajacking/",[3009],{"nodeType":1293,"value":3010,"marks":3011,"data":3013},"Oktajacking",[3012],{"type":1397},{},{"nodeType":1293,"value":3015,"marks":3016,"data":3017}," case study where a breached identity with admin permissions on an otherwise low-risk app which is connected to SSO can be used to perform a ",[],{},{"nodeType":1389,"data":3019,"content":3021},{"uri":3020},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[3022],{"nodeType":1293,"value":3023,"marks":3024,"data":3025},"SAMLjacking",[],{},{"nodeType":1293,"value":3027,"marks":3028,"data":3029}," attack that compromises SSO credentials for all other users of the same low-risk app.",[],{},{"nodeType":1294,"data":3031,"content":3032},{},[3033],{"nodeType":1293,"value":3034,"marks":3035,"data":3036},"In contrast to traditional network or endpoint breaches, identity breaches are scoped to the permissions that the compromised account has. If an identity is compromised, whatever that identity is authorized to do is the scope of the breach. For example:",[],{},{"nodeType":1605,"data":3038,"content":3039},{},[3040,3050],{"nodeType":1609,"data":3041,"content":3042},{},[3043],{"nodeType":1294,"data":3044,"content":3045},{},[3046],{"nodeType":1293,"value":3047,"marks":3048,"data":3049},"If an identity with read access to a code repository was breached you might consider that all the source code (hopefully no secrets!) they had read access to was taken unless you can prove otherwise. This is often more difficult than you expect - last time I checked Github (by far the world's most popular source code repository app) logs didn’t include, for example, zipped repo downloads. ",[],{},{"nodeType":1609,"data":3051,"content":3052},{},[3053],{"nodeType":1294,"data":3054,"content":3055},{},[3056,3060,3067],{"nodeType":1293,"value":3057,"marks":3058,"data":3059},"If an identity with write permission was compromised, you would also need to check all commits/changes to ensure no code was backdoored. The same applies for other apps - think of an identity with write access to a wiki being used to ",[],{},{"nodeType":1389,"data":3061,"content":3062},{"uri":1445},[3063],{"nodeType":1293,"value":3064,"marks":3065,"data":3066},"drop links to phishing pages",[],{},{"nodeType":1293,"value":1400,"marks":3068,"data":3069},[],{},{"nodeType":1294,"data":3071,"content":3072},{},[3073],{"nodeType":1293,"value":3074,"marks":3075,"data":3076},"For primary cloud collaboration platforms with complex data types (think O365 or Google Workspace) your IT team is likely already managing policies to limit the data that a user can read. For primary cloud hosting platforms your DevOps teams are likely maintaining policies to manage privileged access to production systems. The situation is typically very different for the few dozen high risk “core apps” beyond the 2 or 3 apps that receive a lot of attention and have dedicated teams.",[],{},{"nodeType":1294,"data":3078,"content":3079},{},[3080],{"nodeType":1293,"value":3081,"marks":3082,"data":3083},"Starting to review roles and permissions across the few dozen or so high-risk apps that are not as actively managed (or more likely self-managed by the teams using them) is a good way to start addressing the residual risk. The good news here is that most modern work apps use a much simpler permission model based largely around predefined roles like Owner, Admin, or Employee or similar variations. This means less flexibility, but also makes it a lot easier to manage permissions for identities on these apps - on balance, a good trade!",[],{},{"nodeType":1294,"data":3085,"content":3086},{},[3087],{"nodeType":1293,"value":3088,"marks":3089,"data":3090},"Consider this as part of your identity and access management review process. Something that used to be scoped around Active Directory group membership, but in a modern online identity context, now must be applied across many different work apps. ",[],{},{"nodeType":1294,"data":3092,"content":3093},{},[3094],{"nodeType":1293,"value":3095,"marks":3096,"data":3097},"Unless you want to try to get access to each tenant of each app and normalize this data into a mega-spreadsheet, you need access to this data in your identity inventory. This is an especially big challenge as teams find many of the apps they care about support authentication through SSO, but not authorization.",[],{},{"nodeType":1464,"data":3099,"content":3100},{},[3101],{"nodeType":1293,"value":3102,"marks":3103,"data":3105},"5. Detect and respond to attacks",[3104],{"type":2172},{},{"nodeType":1294,"data":3107,"content":3108},{},[3109],{"nodeType":1293,"value":3110,"marks":3111,"data":3112},"Your last line of defense in protecting a perimeter is to monitor for attacks. It’s typically when controls and detections fail that breaches end in the news. ",[],{},{"nodeType":1294,"data":3114,"content":3115},{},[3116],{"nodeType":1293,"value":3117,"marks":3118,"data":3119},"Telemetry is the core building block of attack detection. Typically, you might ingest audit or event logs into a SIEM system. To detect attacks against identities, you’ll typically want to start with telemetry from SSO or IdP logs. These will provide some minimal coverage of many of the IT managed apps, but unfortunately attacks are more likely to happen on apps that aren’t SSO integrated, so we need a strategy to cover these as well. An identity inventory is a critical starting point to identify non-SSO apps from which you can collect event logs, as well as giving you visibility of the identities that are not covered.",[],{},{"nodeType":1294,"data":3121,"content":3122},{},[3123],{"nodeType":1293,"value":3124,"marks":3125,"data":3126},"Monitoring breaches for hosted work apps is different from other domains, largely because you are almost totally reliant on the app vendor to produce the telemetry. Unfortunately (I suspect primarily due to lack of customer demand), many apps don’t offer any centralized logging functionality at all, and those that do offer limited audit logs, or only do so on the top tier “enterprise” license plans. ",[],{},{"nodeType":1294,"data":3128,"content":3129},{},[3130],{"nodeType":1293,"value":3131,"marks":3132,"data":3133},"In the network or endpoint world, when you need more telemetry you have all the access you need to install software or hardware to generate that additional telemetry. You could put a network monitoring appliance in-line with your internet gateways or install an endpoint (EDR) agent to generate more telemetry than your router or endpoint OS will generate. You can add a proxy in front of an app for your users, but (except for a very small number of highly configurable apps) you can’t make attackers go through your proxy.",[],{},{"nodeType":1294,"data":3135,"content":3136},{},[3137],{"nodeType":1293,"value":3138,"marks":3139,"data":3140},"What you can do, however, is generate additional telemetry on what happens to your employee’s identities in the browser. This is possible through browser extensions which can be managed through the enterprise management features available for all mainstream browsers (Chrome, Edge, Firefox, Safari, Brave etc. etc.). This is incredibly powerful, and useful in directly detecting a range of identity attacks like phishing (is an employee trying to enter an SSO password into an app that isn’t the SSO login page?), but also through correlations with existing application or IdP logs that indicate account takeover (e.g. has there been a login event that wasn’t observed through the employee’s browser as well).",[],{},{"nodeType":1358,"data":3142,"content":3143},{},[3144],{"nodeType":1293,"value":3145,"marks":3146,"data":3147},"Same, but different",[],{},{"nodeType":1294,"data":3149,"content":3150},{},[3151],{"nodeType":1293,"value":3152,"marks":3153,"data":3154},"Whether we’re looking at the Verizon DBIR or just keeping up with security news, it’s clear that identity-based attacks are already responsible for a significant number of breaches. Attackers have started shifting their focus and security teams need to recognize this shift and adapt.",[],{},{"nodeType":1294,"data":3156,"content":3157},{},[3158],{"nodeType":1293,"value":3159,"marks":3160,"data":3161},"This doesn’t require that we fundamentally rethink security or anything that radical, just that we apply what we’ve learned over the last couple of decades to this new domain. There are some new technologies and protocols to understand, new tools are needed, but the fundamentals like authentication and authorization are already familiar to any security professional. ",[],{},{"nodeType":1294,"data":3163,"content":3164},{},[3165,3169,3177],{"nodeType":1293,"value":3166,"marks":3167,"data":3168},"If you follow what I’ve outlined here, a lot of the decisions we’ve made with building Push will make perfect sense. For example, you can’t make API integrations with apps to find identities when you don’t know about the apps or identities yet, so we needed a unique new data source. We use our own custom-built browser extension that’s force-deployed to your workforce, so we can observe employee identities as they are used in the browser. This gives us some pretty unique capabilities. If you found this interesting, follow us on ",[],{},{"nodeType":1389,"data":3170,"content":3172},{"uri":3171},"https://www.linkedin.com/company/push-security",[3173],{"nodeType":1293,"value":3174,"marks":3175,"data":3176},"Linkedin",[],{},{"nodeType":1293,"value":3178,"marks":3179,"data":3180}," for more detailed blogs as we unpack this topic.",[],{},{"nodeType":1373,"data":3182,"content":3186},{"target":3183},{"sys":3184},{"id":3185,"type":1378,"linkType":1379},"H7m9DHmbE945FO193oLYP",[],{"nodeType":1294,"data":3188,"content":3189},{},[3190],{"nodeType":1293,"value":37,"marks":3191,"data":3192},[],{},{"entries":3194},{"hyperlink":3195,"inline":3196,"block":3197},[],[],[3198,3206,3212,3218,3222],{"sys":3199,"__typename":3200,"title":3201,"caption":118,"layoutMode":118,"file":3202},{"id":2653},"Image","Identity Security Attack Graphic",{"url":3203,"width":3204,"height":3205},"https://images.ctfassets.net/y1cdw1ablpvd/4x0xxIRhYLw1v8NyXfSIKG/e10b949c8d5694239dc3d9e0a0e9d7a2/IdentitySecurity101_A.png",2560,1440,{"sys":3207,"__typename":3200,"title":2673,"caption":118,"layoutMode":118,"file":3208},{"id":2687},{"url":3209,"width":3210,"height":3211},"https://images.ctfassets.net/y1cdw1ablpvd/3vdIRlCwvBIk9RVpjRXojS/8092a8c05abb75206373e55340bbd07e/IdentitySecurity101_B.png",1280,720,{"sys":3213,"__typename":3214,"background":3215,"text":3217},{"id":2744},"CalloutWidget",[3216],"Sea Blue","“If you halve the number of network services an attacker can target, that means you can spend twice as long per service to secure the ones that remain - the same goes for identities!”",{"sys":3219,"__typename":3214,"background":3220,"text":3221},{"id":2946},[3216],"It’s not yet standard practice to test or verify that identity controls are in place, but if the past has taught us anything it soon will be.",{"sys":3223,"__typename":3224,"type":3225,"ctaText":3226,"buttonLabel":3227,"buttonColour":3228,"buttonUrl":118},{"id":3185},"CtaWidget","Demo","Push maps your identity attack surface, hardens and minimizes it, helps you reduce impact and provides a unique telemetry source to help you detect and respond to identity attacks.","Book a demo","sunny orange","content:blog:5-ways-to-defeat-identity-based-attacks.json","json","content","blog/5-ways-to-defeat-identity-based-attacks.json","blog/5-ways-to-defeat-identity-based-attacks",1776359989596]