[{"data":1,"prerenderedAt":4780},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/browser-extension-management-guide":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1296,"synopsis":1297,"hashTags":118,"publishedDate":1298,"slug":1299,"tagsCollection":1300,"authorsCollection":1310,"content":1318,"relatedBlogPostsCollection":2530,"_id":4775,"_type":4776,"_source":4777,"_file":4778,"_stem":4779,"_extension":4776},"/blog/browser-extension-management-guide","blog",{"id":1280,"publishedAt":1281},"4DqTwJKeCSPnJUc6YPFC5A","2026-03-05T09:35:38.620Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Detect risky and malicious extensions and block them from running in employee browsers using Push.","text","paragraph","document","Guide: How to manage and block browser extensions using Push","How to detect risky and malicious extensions and block them from running in employee browsers. ","2026-03-04T00:00:00.000Z","browser-extension-management-guide",{"items":1301},[1302,1306],{"sys":1303,"name":1305},{"id":1304},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1307,"name":1309},{"id":1308},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1311},[1312],{"fullName":1313,"firstName":1314,"jobTitle":1315,"profilePicture":1316},"Dan Green","Dan","Threat Research",{"url":1317},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":1319,"links":2386},{"nodeType":1295,"data":1320,"content":1321},{},[1322,1395,1402,1411,1415,1425,1432,1439,1448,1455,1513,1530,1537,1544,1547,1555,1562,1624,1632,1639,1645,1651,1658,1665,1684,1691,1739,1745,1753,1774,1781,1788,1881,1888,1904,1910,1917,1924,1931,1938,1999,2005,2011,2019,2026,2033,2056,2063,2069,2092,2098,2105,2112,2119,2126,2159,2178,2185,2197,2200,2208,2215,2221,2224,2232,2240,2247,2267,2274,2281,2287,2294,2301,2307,2310,2318,2335,2342],{"nodeType":1294,"data":1323,"content":1324},{},[1325,1329,1340,1344,1353,1356,1365,1369,1378,1382,1391],{"nodeType":1293,"value":1326,"marks":1327,"data":1328},"Attackers are doubling down on malicious browser extensions as their method of choice. Recent campaigns like ",[],{},{"nodeType":1330,"data":1331,"content":1333},"hyperlink",{"uri":1332},"https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/",[1334],{"nodeType":1293,"value":1335,"marks":1336,"data":1339},"ShadyPanda",[1337],{"type":1338},"underline",{},{"nodeType":1293,"value":1341,"marks":1342,"data":1343},", ",[],{},{"nodeType":1330,"data":1345,"content":1347},{"uri":1346},"https://www.bleepingcomputer.com/news/security/zoom-stealer-browser-extensions-harvest-corporate-meeting-intelligence/",[1348],{"nodeType":1293,"value":1349,"marks":1350,"data":1352},"ZoomStealer",[1351],{"type":1338},{},{"nodeType":1293,"value":1341,"marks":1354,"data":1355},[],{},{"nodeType":1330,"data":1357,"content":1359},{"uri":1358},"https://www.bleepingcomputer.com/news/security/malicious-ghostposter-browser-extensions-found-with-840-000-installs/",[1360],{"nodeType":1293,"value":1361,"marks":1362,"data":1364},"GhostPoster",[1363],{"type":1338},{},{"nodeType":1293,"value":1366,"marks":1367,"data":1368},", and the breaches impacting vendors like ",[],{},{"nodeType":1330,"data":1370,"content":1372},{"uri":1371},"https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data/",[1373],{"nodeType":1293,"value":1374,"marks":1375,"data":1377},"Cyberhaven",[1376],{"type":1338},{},{"nodeType":1293,"value":1379,"marks":1380,"data":1381}," and ",[],{},{"nodeType":1330,"data":1383,"content":1385},{"uri":1384},"https://www.bleepingcomputer.com/news/security/trust-wallet-confirms-extension-hack-led-to-7-million-crypto-theft/",[1386],{"nodeType":1293,"value":1387,"marks":1388,"data":1390},"Trust Wallet",[1389],{"type":1338},{},{"nodeType":1293,"value":1392,"marks":1393,"data":1394},", all highlight the threat posed by malicious extensions. ",[],{},{"nodeType":1294,"data":1396,"content":1397},{},[1398],{"nodeType":1293,"value":1399,"marks":1400,"data":1401},"Most malicious extensions didn’t start that way. Attackers often begin with a legitimate extension — either by creating something that is initially benign, purchasing an extension that already exists and has a large number of installs, or by phishing an extension developer’s account to publish a malicious version. Then, they bide their time, waiting for the right moment to flip the switch and deploy a malicious update, compromising every browser that they’re deployed to. ",[],{},{"nodeType":1403,"data":1404,"content":1410},"embedded-entry-block",{"target":1405},{"sys":1406},{"id":1407,"type":1408,"linkType":1409},"7eTmqh5jqYA3l1Xk4GikVO","Link","Entry",[],{"nodeType":1412,"data":1413,"content":1414},"hr",{},[],{"nodeType":1416,"data":1417,"content":1418},"heading-1",{},[1419],{"nodeType":1293,"value":1420,"marks":1421,"data":1424},"Why tackling malicious extensions is a hard problem for security teams",[1422],{"type":1423},"bold",{},{"nodeType":1294,"data":1426,"content":1427},{},[1428],{"nodeType":1293,"value":1429,"marks":1430,"data":1431},"The Chrome extension store alone has in excess of 100k extensions with a wide range of use cases. Pretty much every major app today has an extension counterpart, and there are countless smaller extensions — from AI overlays, to screen recording, spell checking, and color matching. AI-assisted development has further increased the rate at which new extensions are created and added to the marketplace (for both legit developers and malicious ones). ",[],{},{"nodeType":1294,"data":1433,"content":1434},{},[1435],{"nodeType":1293,"value":1436,"marks":1437,"data":1438},"For organizations just beginning to think about extension management, this isn’t an easy problem to get a handle on. If you’ve allowed your employees to freely install extensions without restriction, then there could be hundreds, if not thousands, of different extensions in use across your business. ",[],{},{"nodeType":1440,"data":1441,"content":1442},"heading-2",{},[1443],{"nodeType":1293,"value":1444,"marks":1445,"data":1447},"Malicious extensions are good at hiding bad code",[1446],{"type":1423},{},{"nodeType":1294,"data":1449,"content":1450},{},[1451],{"nodeType":1293,"value":1452,"marks":1453,"data":1454},"Right now, extension stores are fighting a losing battle against attackers. ",[],{},{"nodeType":1456,"data":1457,"content":1458},"unordered-list",{},[1459,1483,1493,1503],{"nodeType":1460,"data":1461,"content":1462},"list-item",{},[1463],{"nodeType":1294,"data":1464,"content":1465},{},[1466,1470,1479],{"nodeType":1293,"value":1467,"marks":1468,"data":1469},"Malicious extensions are being regularly uploaded, bypassing code analysis checks, and even achieving ",[],{},{"nodeType":1330,"data":1471,"content":1473},{"uri":1472},"https://thehackernews.com/2026/02/malicious-chrome-extensions-caught.html",[1474],{"nodeType":1293,"value":1475,"marks":1476,"data":1478},"“Featured” or “Verified” status",[1477],{"type":1338},{},{"nodeType":1293,"value":1480,"marks":1481,"data":1482}," in the app stores. This is because attackers are using dynamically compiled, stealthily smuggled code that can’t be reliably spotted through static code checks or sandbox analysis. ",[],{},{"nodeType":1460,"data":1484,"content":1485},{},[1486],{"nodeType":1294,"data":1487,"content":1488},{},[1489],{"nodeType":1293,"value":1490,"marks":1491,"data":1492},"Bad isn't detected until an extension is observed doing malicious things in the wild. Most of the time, this is because there’s been a breach. ",[],{},{"nodeType":1460,"data":1494,"content":1495},{},[1496],{"nodeType":1294,"data":1497,"content":1498},{},[1499],{"nodeType":1293,"value":1500,"marks":1501,"data":1502},"When an extension is reported as bad, it enters a lengthy review process. Unless there’s pressure to act quickly (e.g. there’s a large amount of reporting), it won’t get prioritized. ",[],{},{"nodeType":1460,"data":1504,"content":1505},{},[1506],{"nodeType":1294,"data":1507,"content":1508},{},[1509],{"nodeType":1293,"value":1510,"marks":1511,"data":1512},"Just because an extension is removed from the store doesn’t mean that it’s automatically removed from browsers where it is installed. ",[],{},{"nodeType":1294,"data":1514,"content":1515},{},[1516,1521,1525],{"nodeType":1293,"value":1517,"marks":1518,"data":1520},"The bottom line:",[1519],{"type":1423},{},{"nodeType":1293,"value":1522,"marks":1523,"data":1524}," ",[],{},{"nodeType":1293,"value":1526,"marks":1527,"data":1529},"The security teams at Google and Microsoft analyse and manually approve every single extension upload and code change that enters their store, and even they aren’t detecting bad before malware executes in the victim’s browser. ",[1528],{"type":1423},{},{"nodeType":1294,"data":1531,"content":1532},{},[1533],{"nodeType":1293,"value":1534,"marks":1535,"data":1536},"Today, there’s no single magic bullet tool or control that organizations can use — unless you simply want to disable browser extensions altogether, which might not be the best option for users and their productivity.",[],{},{"nodeType":1294,"data":1538,"content":1539},{},[1540],{"nodeType":1293,"value":1541,"marks":1542,"data":1543},"Fortunately, Push is in a good position to help, with its ability to inventory all your browser extensions and help you find and block malicious ones.",[],{},{"nodeType":1412,"data":1545,"content":1546},{},[],{"nodeType":1416,"data":1548,"content":1549},{},[1550],{"nodeType":1293,"value":1551,"marks":1552,"data":1554},"How to securely manage browser extensions (and how Push can help)",[1553],{"type":1423},{},{"nodeType":1294,"data":1556,"content":1557},{},[1558],{"nodeType":1293,"value":1559,"marks":1560,"data":1561},"Here’s our step-by-step guide to securely using browser extensions in your organization.",[],{},{"nodeType":1456,"data":1563,"content":1564},{},[1565,1584,1594,1604,1614],{"nodeType":1460,"data":1566,"content":1567},{},[1568],{"nodeType":1294,"data":1569,"content":1570},{},[1571,1575,1580],{"nodeType":1293,"value":1572,"marks":1573,"data":1574},"Step 0: Enable ",[],{},{"nodeType":1293,"value":1576,"marks":1577,"data":1579},"malicious browser extension detection",[1578],{"type":1423},{},{"nodeType":1293,"value":1581,"marks":1582,"data":1583}," to stop known-bad extensions from running in your environment. ",[],{},{"nodeType":1460,"data":1585,"content":1586},{},[1587],{"nodeType":1294,"data":1588,"content":1589},{},[1590],{"nodeType":1293,"value":1591,"marks":1592,"data":1593},"Step 1: Establish an inventory of extensions currently in use across your users and their browsers. ",[],{},{"nodeType":1460,"data":1595,"content":1596},{},[1597],{"nodeType":1294,"data":1598,"content":1599},{},[1600],{"nodeType":1293,"value":1601,"marks":1602,"data":1603},"Step 2: Risk-assess the extensions running in your environment using Push data.",[],{},{"nodeType":1460,"data":1605,"content":1606},{},[1607],{"nodeType":1294,"data":1608,"content":1609},{},[1610],{"nodeType":1293,"value":1611,"marks":1612,"data":1613},"Step 3: Create an allowlist or blocklist to control the extensions active in your environment.",[],{},{"nodeType":1460,"data":1615,"content":1616},{},[1617],{"nodeType":1294,"data":1618,"content":1619},{},[1620],{"nodeType":1293,"value":1621,"marks":1622,"data":1623},"Step 4: Monitor for risky changes.",[],{},{"nodeType":1440,"data":1625,"content":1626},{},[1627],{"nodeType":1293,"value":1628,"marks":1629,"data":1631},"Step 0: Enable malicious browser extension detection in the Push platform",[1630],{"type":1423},{},{"nodeType":1294,"data":1633,"content":1634},{},[1635],{"nodeType":1293,"value":1636,"marks":1637,"data":1638},"First, we recommend you take action to ensure that extensions reported as suspicious or malicious are blocked from running in your environment. ",[],{},{"nodeType":1403,"data":1640,"content":1644},{"target":1641},{"sys":1642},{"id":1643,"type":1408,"linkType":1409},"yniMglSNypgyxmdGVcFxJ",[],{"nodeType":1403,"data":1646,"content":1650},{"target":1647},{"sys":1648},{"id":1649,"type":1408,"linkType":1409},"37bID8AChVgerAnD6q8NPZ",[],{"nodeType":1294,"data":1652,"content":1653},{},[1654],{"nodeType":1293,"value":1655,"marks":1656,"data":1657},"If you’re a Push customer, you can ensure that any extension that is reported as malicious is automatically blocked in your environment. This means that the extension gets disabled and cannot run in any browser with the Push extension installed. ",[],{},{"nodeType":1294,"data":1659,"content":1660},{},[1661],{"nodeType":1293,"value":1662,"marks":1663,"data":1664},"The Push Security research team maintains a global list of known-bad extensions based on threat intelligence reporting. This list is continuously updated and ensures that as soon as an extension is reported as malicious, it is blocked. ",[],{},{"nodeType":1294,"data":1666,"content":1667},{},[1668,1672,1680],{"nodeType":1293,"value":1669,"marks":1670,"data":1671},"You can enable the control via the Controls page in the Push admin console. Admins can configure rules in Off, Monitor, or Block mode. Block mode is recommended, meaning that extensions are disabled and web store access is blocked. You can read more about this in our ",[],{},{"nodeType":1330,"data":1673,"content":1675},{"uri":1674},"https://pushsecurity.com/help/how-does-push-detect-malicious-browser-extensions",[1676],{"nodeType":1293,"value":1677,"marks":1678,"data":1679},"Help Center",[],{},{"nodeType":1293,"value":1681,"marks":1682,"data":1683},". ",[],{},{"nodeType":1294,"data":1685,"content":1686},{},[1687],{"nodeType":1293,"value":1688,"marks":1689,"data":1690},"When an extension is flagged as malicious, a detection event will be generated and appear on the Detections page in the Push admin console. The severity of these detections is classified as follows:",[],{},{"nodeType":1456,"data":1692,"content":1693},{},[1694,1709,1724],{"nodeType":1460,"data":1695,"content":1696},{},[1697],{"nodeType":1294,"data":1698,"content":1699},{},[1700,1705],{"nodeType":1293,"value":1701,"marks":1702,"data":1704},"Low",[1703],{"type":1423},{},{"nodeType":1293,"value":1706,"marks":1707,"data":1708}," for an extension that has never been enabled. The control prevented either the installation or the extension from being enabled.",[],{},{"nodeType":1460,"data":1710,"content":1711},{},[1712],{"nodeType":1294,"data":1713,"content":1714},{},[1715,1720],{"nodeType":1293,"value":1716,"marks":1717,"data":1719},"Medium",[1718],{"type":1423},{},{"nodeType":1293,"value":1721,"marks":1722,"data":1723}," for an extension that was installed and enabled, but has been disabled by the control. ",[],{},{"nodeType":1460,"data":1725,"content":1726},{},[1727],{"nodeType":1294,"data":1728,"content":1729},{},[1730,1735],{"nodeType":1293,"value":1731,"marks":1732,"data":1734},"High",[1733],{"type":1423},{},{"nodeType":1293,"value":1736,"marks":1737,"data":1738}," if the extension was enabled and is still active (i.e. the control was in monitor mode).",[],{},{"nodeType":1403,"data":1740,"content":1744},{"target":1741},{"sys":1742},{"id":1743,"type":1408,"linkType":1409},"1yOPlBKtLGYyN80OCJ9qMn",[],{"nodeType":1440,"data":1746,"content":1747},{},[1748],{"nodeType":1293,"value":1749,"marks":1750,"data":1752},"Step 1: Establish an inventory of existing extensions.",[1751],{"type":1423},{},{"nodeType":1294,"data":1754,"content":1755},{},[1756,1760,1765,1769],{"nodeType":1293,"value":1757,"marks":1758,"data":1759},"Next, we recommend you take stock of what’s already running in your environment so you can begin to make risk-based decisions about what you allow, and what you don’t. This means building an inventory of ",[],{},{"nodeType":1293,"value":1761,"marks":1762,"data":1764},"every extension ",[1763],{"type":1423},{},{"nodeType":1293,"value":1766,"marks":1767,"data":1768},"running in ",[],{},{"nodeType":1293,"value":1770,"marks":1771,"data":1773},"every browser. ",[1772],{"type":1423},{},{"nodeType":1294,"data":1775,"content":1776},{},[1777],{"nodeType":1293,"value":1778,"marks":1779,"data":1780},"Push provides real-time visibility of extensions installed in every browser across your workforce. ",[],{},{"nodeType":1294,"data":1782,"content":1783},{},[1784],{"nodeType":1293,"value":1785,"marks":1786,"data":1787},"Push tracks several key data points, including: ",[],{},{"nodeType":1456,"data":1789,"content":1790},{},[1791,1801,1811,1821,1831,1841,1851,1861,1871],{"nodeType":1460,"data":1792,"content":1793},{},[1794],{"nodeType":1294,"data":1795,"content":1796},{},[1797],{"nodeType":1293,"value":1798,"marks":1799,"data":1800},"Extension name, ID, and version number",[],{},{"nodeType":1460,"data":1802,"content":1803},{},[1804],{"nodeType":1294,"data":1805,"content":1806},{},[1807],{"nodeType":1293,"value":1808,"marks":1809,"data":1810},"Update & homepage URL",[],{},{"nodeType":1460,"data":1812,"content":1813},{},[1814],{"nodeType":1294,"data":1815,"content":1816},{},[1817],{"nodeType":1293,"value":1818,"marks":1819,"data":1820},"Extension permissions",[],{},{"nodeType":1460,"data":1822,"content":1823},{},[1824],{"nodeType":1294,"data":1825,"content":1826},{},[1827],{"nodeType":1293,"value":1828,"marks":1829,"data":1830},"Host permissions (where applicable)",[],{},{"nodeType":1460,"data":1832,"content":1833},{},[1834],{"nodeType":1294,"data":1835,"content":1836},{},[1837],{"nodeType":1293,"value":1838,"marks":1839,"data":1840},"Deployment method (e.g. managed, manual, sideloaded or development)",[],{},{"nodeType":1460,"data":1842,"content":1843},{},[1844],{"nodeType":1294,"data":1845,"content":1846},{},[1847],{"nodeType":1293,"value":1848,"marks":1849,"data":1850},"Which employees use the extension",[],{},{"nodeType":1460,"data":1852,"content":1853},{},[1854],{"nodeType":1294,"data":1855,"content":1856},{},[1857],{"nodeType":1293,"value":1858,"marks":1859,"data":1860},"Which browsers have the extension installed",[],{},{"nodeType":1460,"data":1862,"content":1863},{},[1864],{"nodeType":1294,"data":1865,"content":1866},{},[1867],{"nodeType":1293,"value":1868,"marks":1869,"data":1870},"Whether the extension is enabled or disabled",[],{},{"nodeType":1460,"data":1872,"content":1873},{},[1874],{"nodeType":1294,"data":1875,"content":1876},{},[1877],{"nodeType":1293,"value":1878,"marks":1879,"data":1880},"Useful metadata like install count, ownership history, update history, and whether the extension has been unlisted from the web store.",[],{},{"nodeType":1294,"data":1882,"content":1883},{},[1884],{"nodeType":1293,"value":1885,"marks":1886,"data":1887},"This information is critical for assessing risk, as well as providing an early warning of future malicious intent. ",[],{},{"nodeType":1294,"data":1889,"content":1890},{},[1891,1895,1900],{"nodeType":1293,"value":1892,"marks":1893,"data":1894},"You can enable browser extension visibility in the Push platform by going to ",[],{},{"nodeType":1293,"value":1896,"marks":1897,"data":1899},"Settings > Organization > Browser extension visibility",[1898],{"type":1423},{},{"nodeType":1293,"value":1901,"marks":1902,"data":1903}," and toggling on the feature.",[],{},{"nodeType":1403,"data":1905,"content":1909},{"target":1906},{"sys":1907},{"id":1908,"type":1408,"linkType":1409},"2LCwZNbSazYGIEfWHZKJRU",[],{"nodeType":1440,"data":1911,"content":1912},{},[1913],{"nodeType":1293,"value":1601,"marks":1914,"data":1916},[1915],{"type":1423},{},{"nodeType":1294,"data":1918,"content":1919},{},[1920],{"nodeType":1293,"value":1921,"marks":1922,"data":1923},"Now that you’ve built a real-time inventory, you can start to analyse the data to find risky extensions. ",[],{},{"nodeType":1294,"data":1925,"content":1926},{},[1927],{"nodeType":1293,"value":1928,"marks":1929,"data":1930},"Every extension that is running in your environment expands your potential attack surface, representing another node that can be compromised by an attacker. So it makes sense to only allow those that are absolutely necessary in order to sensibly control the risk. ",[],{},{"nodeType":1294,"data":1932,"content":1933},{},[1934],{"nodeType":1293,"value":1935,"marks":1936,"data":1937},"You can start to investigate and prune extensions based on the properties tracked in the Push platform. For example:",[],{},{"nodeType":1456,"data":1939,"content":1940},{},[1941,1951,1979,1989],{"nodeType":1460,"data":1942,"content":1943},{},[1944],{"nodeType":1294,"data":1945,"content":1946},{},[1947],{"nodeType":1293,"value":1948,"marks":1949,"data":1950},"Extensions with a low install count from an unverified publisher. ",[],{},{"nodeType":1460,"data":1952,"content":1953},{},[1954],{"nodeType":1294,"data":1955,"content":1956},{},[1957,1961,1966,1970,1975],{"nodeType":1293,"value":1958,"marks":1959,"data":1960},"Extensions that have been ",[],{},{"nodeType":1293,"value":1962,"marks":1963,"data":1965},"sideloaded",[1964],{"type":1423},{},{"nodeType":1293,"value":1967,"marks":1968,"data":1969}," (installed by software on the machine) or are ",[],{},{"nodeType":1293,"value":1971,"marks":1972,"data":1974},"development",[1973],{"type":1423},{},{"nodeType":1293,"value":1976,"marks":1977,"data":1978}," (installed from a folder off-disk when Developer mode is turned on)",[],{},{"nodeType":1460,"data":1980,"content":1981},{},[1982],{"nodeType":1294,"data":1983,"content":1984},{},[1985],{"nodeType":1293,"value":1986,"marks":1987,"data":1988},"Extensions that are used by a small number of employees for niche / non-critical functions. ",[],{},{"nodeType":1460,"data":1990,"content":1991},{},[1992],{"nodeType":1294,"data":1993,"content":1994},{},[1995],{"nodeType":1293,"value":1996,"marks":1997,"data":1998},"Extensions with risky permissions.",[],{},{"nodeType":1403,"data":2000,"content":2004},{"target":2001},{"sys":2002},{"id":2003,"type":1408,"linkType":1409},"FpGNvFgEGj6eAGihoWEUi",[],{"nodeType":1403,"data":2006,"content":2010},{"target":2007},{"sys":2008},{"id":2009,"type":1408,"linkType":1409},"5JccSPh103QIQJxIh9pk4x",[],{"nodeType":1440,"data":2012,"content":2013},{},[2014],{"nodeType":1293,"value":2015,"marks":2016,"data":2018},"Step 3: Create an allowlist to control the extensions active in your environment.",[2017],{"type":1423},{},{"nodeType":1294,"data":2020,"content":2021},{},[2022],{"nodeType":1293,"value":2023,"marks":2024,"data":2025},"Using the output of your risk assessment and the data provided by the Push platform, you can control the extensions that you allow your employees to use.",[],{},{"nodeType":1294,"data":2027,"content":2028},{},[2029],{"nodeType":1293,"value":2030,"marks":2031,"data":2032},"To do this, you need to allowlist the extensions you’re happy for employees to use (and block everything else). That way, you remove the ability for employees to add new extensions unless approved by an admin. This means you either:",[],{},{"nodeType":1456,"data":2034,"content":2035},{},[2036,2046],{"nodeType":1460,"data":2037,"content":2038},{},[2039],{"nodeType":1294,"data":2040,"content":2041},{},[2042],{"nodeType":1293,"value":2043,"marks":2044,"data":2045},"Add every extension you currently have running in your environment to an allowlist, block everything else, and then start to prune extensions from that list. ",[],{},{"nodeType":1460,"data":2047,"content":2048},{},[2049],{"nodeType":1294,"data":2050,"content":2051},{},[2052],{"nodeType":1293,"value":2053,"marks":2054,"data":2055},"Create a shortened allowlist from the outset. ",[],{},{"nodeType":1294,"data":2057,"content":2058},{},[2059],{"nodeType":1293,"value":2060,"marks":2061,"data":2062},"Both are valid ways of solving the problem, with the first option being the least potentially disruptive (i.e. you’re not switching off a load of extensions in one go). That said, this might not be a viable solution depending on your company size. ",[],{},{"nodeType":1403,"data":2064,"content":2068},{"target":2065},{"sys":2066},{"id":2067,"type":1408,"linkType":1409},"6wQW4VqLeLXMXdPPWLhQAF",[],{"nodeType":1294,"data":2070,"content":2071},{},[2072,2077,2087],{"nodeType":1293,"value":2073,"marks":2074,"data":2076},"You can do this in lots of different ways depending on the OS and browsers used across your workforce. This can get messy depending on the complexity of your environment. But you can do it in a streamlined, browser-agnostic way ",[2075],{"type":1423},{},{"nodeType":1330,"data":2078,"content":2080},{"uri":2079},"https://pushsecurity.com/help/10138/#start",[2081],{"nodeType":1293,"value":2082,"marks":2083,"data":2086},"using Push",[2084,2085],{"type":1338},{"type":1423},{},{"nodeType":1293,"value":2088,"marks":2089,"data":2091},". ",[2090],{"type":1423},{},{"nodeType":1403,"data":2093,"content":2097},{"target":2094},{"sys":2095},{"id":2096,"type":1408,"linkType":1409},"97dDukjKsRsAptpHV1kpn",[],{"nodeType":1294,"data":2099,"content":2100},{},[2101],{"nodeType":1293,"value":2102,"marks":2103,"data":2104},"Managing which extensions you’ve opted to allow is a continuous process that will change as user behavior changes and new extensions are added. It’s important that you regularly review whether your current allowlist is fit for purpose. ",[],{},{"nodeType":1440,"data":2106,"content":2107},{},[2108],{"nodeType":1293,"value":1621,"marks":2109,"data":2111},[2110],{"type":1423},{},{"nodeType":1294,"data":2113,"content":2114},{},[2115],{"nodeType":1293,"value":2116,"marks":2117,"data":2118},"Finally, once you’ve begun the process of pruning the extensions in your environment and you’ve reached a baseline you’re happy with, it’s now about reviewing and approving any new extension requests, and monitoring for risky changes. ",[],{},{"nodeType":1294,"data":2120,"content":2121},{},[2122],{"nodeType":1293,"value":2123,"marks":2124,"data":2125},"We recommend monitoring for things like:",[],{},{"nodeType":1456,"data":2127,"content":2128},{},[2129,2139,2149],{"nodeType":1460,"data":2130,"content":2131},{},[2132],{"nodeType":1294,"data":2133,"content":2134},{},[2135],{"nodeType":1293,"value":2136,"marks":2137,"data":2138},"Regularly reviewing changes in extension ownership + recent updates",[],{},{"nodeType":1460,"data":2140,"content":2141},{},[2142],{"nodeType":1294,"data":2143,"content":2144},{},[2145],{"nodeType":1293,"value":2146,"marks":2147,"data":2148},"Monitoring for updates to extensions to track risky permissions being added ",[],{},{"nodeType":1460,"data":2150,"content":2151},{},[2152],{"nodeType":1294,"data":2153,"content":2154},{},[2155],{"nodeType":1293,"value":2156,"marks":2157,"data":2158},"Monitoring for new malicious browser extension detections",[],{},{"nodeType":1294,"data":2160,"content":2161},{},[2162,2166,2175],{"nodeType":1293,"value":2163,"marks":2164,"data":2165},"It’s super simple to use Push data to create alerts and feed your detection and response workflows. ",[],{},{"nodeType":1330,"data":2167,"content":2169},{"uri":2168},"https://pushsecurity.com/help/audience/administrators/docs/connect-to-siem-or-soar/#start",[2170],{"nodeType":1293,"value":2171,"marks":2172,"data":2174},"See how to connect Push to your SIEM/SOAR and learn more about the Push REST API and webhooks. ",[2173],{"type":1338},{},{"nodeType":1293,"value":37,"marks":2176,"data":2177},[],{},{"nodeType":1294,"data":2179,"content":2180},{},[2181],{"nodeType":1293,"value":2182,"marks":2183,"data":2184},"At this point, you can then triage and investigate further to see whether additional action is required. ",[],{},{"nodeType":2186,"data":2187,"content":2188},"blockquote",{},[2189],{"nodeType":1294,"data":2190,"content":2191},{},[2192],{"nodeType":1293,"value":2193,"marks":2194,"data":2196},"And there you have it! You’ve secured browser extension use across your organization using Push. ",[2195],{"type":1423},{},{"nodeType":1412,"data":2198,"content":2199},{},[],{"nodeType":1440,"data":2201,"content":2202},{},[2203],{"nodeType":1293,"value":2204,"marks":2205,"data":2207},"Don’t take our word for it …",[2206],{"type":1423},{},{"nodeType":1294,"data":2209,"content":2210},{},[2211],{"nodeType":1293,"value":2212,"marks":2213,"data":2214},"Our friends at GitLab echo our thoughts on browser extensions and the value of tools like Push that help them to solve this problem.",[],{},{"nodeType":1403,"data":2216,"content":2220},{"target":2217},{"sys":2218},{"id":2219,"type":1408,"linkType":1409},"1m0x2Q6MmOn7ANqCtpYptu",[],{"nodeType":1412,"data":2222,"content":2223},{},[],{"nodeType":1416,"data":2225,"content":2226},{},[2227],{"nodeType":1293,"value":2228,"marks":2229,"data":2231},"Additional tips",[2230],{"type":1423},{},{"nodeType":1440,"data":2233,"content":2234},{},[2235],{"nodeType":1293,"value":2236,"marks":2237,"data":2239},"Disable browser syncing",[2238],{"type":1423},{},{"nodeType":1294,"data":2241,"content":2242},{},[2243],{"nodeType":1293,"value":2244,"marks":2245,"data":2246},"If you’re in the early stages of your extension management process, an extra step you might want to consider is disabling browser syncing for extensions. ",[],{},{"nodeType":1294,"data":2248,"content":2249},{},[2250,2254,2263],{"nodeType":1293,"value":2251,"marks":2252,"data":2253},"When we deploy Push, we find it’s not unusual for people to sign into their work browser with a personal email profile. There’s a significant risk here — if you end up saving and syncing credentials across devices, a compromise on a (usually less secure) personal device can lead to business accounts being compromised. Notably, this was exploited in a ",[],{},{"nodeType":1330,"data":2255,"content":2257},{"uri":2256},"https://sec.okta.com/articles/harfiles/",[2258],{"nodeType":1293,"value":2259,"marks":2260,"data":2262},"2023 Okta security breach",[2261],{"type":1338},{},{"nodeType":1293,"value":2264,"marks":2265,"data":2266},".",[],{},{"nodeType":1294,"data":2268,"content":2269},{},[2270],{"nodeType":1293,"value":2271,"marks":2272,"data":2273},"The same model applies to browser extensions. By default, any extension installed from the web store is synced across devices where a profile is logged in and syncing is enabled. ",[],{},{"nodeType":1294,"data":2275,"content":2276},{},[2277],{"nodeType":1293,"value":2278,"marks":2279,"data":2280},"As an example, you can see how to disable browser extension syncing if you manage Chrome in Google Workspace.",[],{},{"nodeType":1403,"data":2282,"content":2286},{"target":2283},{"sys":2284},{"id":2285,"type":1408,"linkType":1409},"23gbN24WiOzszvwP9zy2MM",[],{"nodeType":1294,"data":2288,"content":2289},{},[2290],{"nodeType":1293,"value":2291,"marks":2292,"data":2293},"This only applies if you haven’t yet created an allowlist for extensions in your environment, in which case any extensions not on the list will be blocked. ",[],{},{"nodeType":1294,"data":2295,"content":2296},{},[2297],{"nodeType":1293,"value":2298,"marks":2299,"data":2300},"You can also use Push to surface which users are logged into their browser using a non-work profile and whether the profile is synced across devices. ",[],{},{"nodeType":1403,"data":2302,"content":2306},{"target":2303},{"sys":2304},{"id":2305,"type":1408,"linkType":1409},"421C3CL6Sfa8gmn56X7lRI",[],{"nodeType":1412,"data":2308,"content":2309},{},[],{"nodeType":1416,"data":2311,"content":2312},{},[2313],{"nodeType":1293,"value":2314,"marks":2315,"data":2317},"Learn more about Push",[2316],{"type":1423},{},{"nodeType":1294,"data":2319,"content":2320},{},[2321,2325,2332],{"nodeType":1293,"value":2322,"marks":2323,"data":2324},"Push Security’s browser-based security platform stops browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking — ",[],{},{"nodeType":1330,"data":2326,"content":2327},{"uri":66},[2328],{"nodeType":1293,"value":2329,"marks":2330,"data":2331},"modern attack techniques that are the leading cause of breaches today",[],{},{"nodeType":1293,"value":2264,"marks":2333,"data":2334},[],{},{"nodeType":1294,"data":2336,"content":2337},{},[2338],{"nodeType":1293,"value":2339,"marks":2340,"data":2341},"You don’t need to wait until it all goes wrong either. You can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1294,"data":2343,"content":2344},{},[2345,2349,2358,2361,2370,2374,2383],{"nodeType":1293,"value":2346,"marks":2347,"data":2348},"Want to learn more about Push? ",[],{},{"nodeType":1330,"data":2350,"content":2352},{"uri":2351},"https://pushsecurity.com/resources/product-brochure",[2353],{"nodeType":1293,"value":2354,"marks":2355,"data":2357},"Check out our latest product overview",[2356],{"type":1338},{},{"nodeType":1293,"value":1341,"marks":2359,"data":2360},[],{},{"nodeType":1330,"data":2362,"content":2364},{"uri":2363},"https://pushsecurity.com/product-demo/",[2365],{"nodeType":1293,"value":2366,"marks":2367,"data":2369},"visit our demo library",[2368],{"type":1338},{},{"nodeType":1293,"value":2371,"marks":2372,"data":2373},", or ",[],{},{"nodeType":1330,"data":2375,"content":2377},{"uri":2376},"https://pushsecurity.com/demo",[2378],{"nodeType":1293,"value":2379,"marks":2380,"data":2382},"book some time with one of our team for a live demo",[2381],{"type":1338},{},{"nodeType":1293,"value":2264,"marks":2384,"data":2385},[],{},{"entries":2387},{"hyperlink":2388,"inline":2389,"block":2390},[],[],[2391,2428,2436,2450,2458,2466,2473,2487,2501,2509,2516,2523],{"sys":2392,"__typename":2393,"content":2394,"name":2427,"title":118},{"id":1407},"InsightTextBlockComponent",{"json":2395},{"data":2396,"content":2397,"nodeType":1295},{},[2398,2405],{"data":2399,"content":2400,"nodeType":1294},{},[2401],{"data":2402,"marks":2403,"value":2404,"nodeType":1293},{},[],"Imagine the scenario. There’s a small dev team responsible for a basic but widely used extension (let’s say a color picker tool) with millions of users. An attacker just needs to phish a dev (that might not even be working from a device with proper security software or controls), grab the extension code that is publicly available from the store, insert obfuscated malicious code, and upload the new version to the store. As soon as the extension updates, millions of browsers are compromised. ",{"data":2406,"content":2407,"nodeType":1294},{},[2408,2413,2423],{"data":2409,"marks":2410,"value":2412,"nodeType":1293},{},[2411],{"type":1423},"This is why we take our own security processes around extension management so seriously. ",{"data":2414,"content":2416,"nodeType":1330},{"uri":2415},"https://pushsecurity.com/blog/guide-to-secure-browser-extension-deployment/",[2417],{"data":2418,"marks":2419,"value":2422,"nodeType":1293},{},[2420,2421],{"type":1338},{"type":1423},"You can find out more about our process here",{"data":2424,"marks":2425,"value":1681,"nodeType":1293},{},[2426],{"type":1423},"Managing Extensions Guide: IB1",{"sys":2429,"__typename":2430,"title":2431,"caption":2431,"layoutMode":118,"file":2432},{"id":1643},"Image","Enabling the malicious extension detection feature in the Push platform",{"url":2433,"width":2434,"height":2435},"https://images.ctfassets.net/y1cdw1ablpvd/5DUcgBc8Fcx825yar7LX67/f18970551bfb9d59f206add2af106b89/image6.png",1337,767,{"sys":2437,"__typename":2393,"content":2438,"name":2449,"title":118},{"id":1649},{"json":2439},{"nodeType":1295,"data":2440,"content":2441},{},[2442],{"nodeType":1294,"data":2443,"content":2444},{},[2445],{"nodeType":1293,"value":2446,"marks":2447,"data":2448},"Even if you’re blocking employees from installing extensions without admin approval, an extension that was safe and approved yesterday can be malicious today. This is why it’s vital that organizations proactively block known-bad extensions — particularly when extension stores cannot be relied upon to disable extensions already installed in your employee browsers. Early intervention can mean the difference between a malicious update being deployed and browser secrets being stolen, and disabling the extension before any harm is done. ",[],{},"Managing Extensions Guide: IB2",{"sys":2451,"__typename":2430,"title":2452,"caption":2453,"layoutMode":118,"file":2454},{"id":1743},"Malicious browser extension detection event including install path","Malicious browser extension detection event",{"url":2455,"width":2456,"height":2457},"https://images.ctfassets.net/y1cdw1ablpvd/2p1cdetW36dOixy4kRIhn0/2298cef9060ae451780d359896588a39/malicious_extension_detection_slideout.png",1433,810,{"sys":2459,"__typename":2460,"type":2461,"ctaText":2462,"buttonLabel":2463,"buttonColour":2464,"buttonUrl":2465},{"id":1908},"CtaWidget","Custom","Join Push Security Field CTO Mark Orlando on the 11th March for a teardown of malicious browser extension functionality, and what security teams can do about this growing threat.","Register Now","sunny orange","https://pushsecurity.com/webinar/browser-extension-attacks",{"sys":2467,"__typename":2430,"title":2468,"caption":2468,"layoutMode":118,"file":2469},{"id":2003},"Browser extension permission filtering",{"url":2470,"width":2471,"height":2472},"https://images.ctfassets.net/y1cdw1ablpvd/297Zj9KN9kGGkSXVK6zWiG/2b4d559fe5fec1e067e602edae889be0/Browser_extension_permission_filtering__2_.gif",1280,720,{"sys":2474,"__typename":2393,"content":2475,"name":2486,"title":118},{"id":2009},{"json":2476},{"data":2477,"content":2478,"nodeType":1295},{},[2479],{"data":2480,"content":2481,"nodeType":1294},{},[2482],{"data":2483,"marks":2484,"value":2485,"nodeType":1293},{},[],"Pretty much every extension has permissions that could be considered risky and exploited by an attacker, so permissions alone are not a great benchmark for whether it should be allowed or not. But extensive permissions plus an unverified publisher or a recent change in ownership might be enough to prioritize an extension for removal.","Managing Extensions Guide: IB4",{"sys":2488,"__typename":2393,"content":2489,"name":2500,"title":118},{"id":2067},{"json":2490},{"nodeType":1295,"data":2491,"content":2492},{},[2493],{"nodeType":1294,"data":2494,"content":2495},{},[2496],{"nodeType":1293,"value":2497,"marks":2498,"data":2499},"If you plan to restrict the extensions that your employees can install and run, you’ll need to create a workflow where employees can request new extensions and the number of extensions that would need to be reviewed. This is something that you should be able to create using your ITSM tooling in the same way that any other software is requested. ",[],{},"Managing Extensions Guide: IB5",{"sys":2502,"__typename":2430,"title":2503,"caption":2504,"layoutMode":118,"file":2505},{"id":2096},"This extension is not approved for business use","Employees will see a customizable block screen when trying to use extensions that are not approved",{"url":2506,"width":2507,"height":2508},"https://images.ctfassets.net/y1cdw1ablpvd/2hFpE2X60adttS6vAtyUIO/963e14eb2899163f583e7342db3f0650/image5.png",1440,744,{"sys":2510,"__typename":2430,"title":2511,"caption":118,"layoutMode":118,"file":2512},{"id":2219},"GitLab malicious extensions quote",{"url":2513,"width":2514,"height":2515},"https://images.ctfassets.net/y1cdw1ablpvd/xod7FhG6yTK1iTePEKahw/7f30d66068fd2e36648ed9bab35920c4/image7.png",1999,1125,{"sys":2517,"__typename":2430,"title":2518,"caption":118,"layoutMode":118,"file":2519},{"id":2285},"Disable browser extension syncing in Google Workspace",{"url":2520,"width":2521,"height":2522},"https://images.ctfassets.net/y1cdw1ablpvd/5YSw6EyTZgcx36eXwwdrBQ/8b4ea60632667f07bb6d11841aa8a86c/image4.png",1256,662,{"sys":2524,"__typename":2430,"title":2525,"caption":2525,"layoutMode":118,"file":2526},{"id":2305},"See browser profile across all browsers using Push",{"url":2527,"width":2528,"height":2529},"https://images.ctfassets.net/y1cdw1ablpvd/3eWEtmkukL5JzeArcty88m/22aec4f6ce2ef0d309eab015e1efe493/image1.png",1380,465,{"items":2531},[2532,3861,4263],{"__typename":2533,"sys":2534,"content":2536,"title":3843,"synopsis":3844,"hashTags":118,"publishedDate":3845,"slug":3846,"tagsCollection":3847,"authorsCollection":3853},"BlogPosts",{"id":2535},"37KWV8V5L3aNZBSx6JMd0Z",{"json":2537},{"data":2538,"content":2539,"nodeType":1295},{},[2540,2547,2554,2619,2626,2695,2701,2708,2715,2718,2725,2732,2739,2843,2862,2869,2911,2918,2925,2932,2965,2971,3004,3010,3017,3024,3057,3077,3080,3087,3093,3124,3131,3138,3145,3151,3158,3164,3179,3222,3228,3248,3251,3258,3264,3284,3291,3324,3345,3351,3372,3379,3386,3446,3453,3459,3474,3489,3510,3516,3537,3544,3547,3554,3560,3567,3574,3595,3601,3622,3628,3635,3668,3686,3689,3696,3702,3709,3730,3736,3751,3757,3764,3771,3790,3793,3799,3806,3813],{"data":2541,"content":2542,"nodeType":1294},{},[2543],{"data":2544,"marks":2545,"value":2546,"nodeType":1293},{},[],"Looking back over the year’s headlines and trending TTPs, it’s clear that 2025 was the year that browser-based account takeover techniques made the leap into the mainstream.",{"data":2548,"content":2549,"nodeType":1294},{},[2550],{"data":2551,"marks":2552,"value":2553,"nodeType":1293},{},[],"A few stats tell the story …",{"data":2555,"content":2556,"nodeType":1456},{},[2557,2579,2598],{"data":2558,"content":2559,"nodeType":1460},{},[2560],{"data":2561,"content":2562,"nodeType":1294},{},[2563,2567,2575],{"data":2564,"marks":2565,"value":2566,"nodeType":1293},{},[],"Identity-based attacks surged by 32% over the last year, and 97% of identity attacks were password-based, driven by a combination of credential leaks and infostealer malware. (",{"data":2568,"content":2570,"nodeType":1330},{"uri":2569},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[2571],{"data":2572,"marks":2573,"value":2574,"nodeType":1293},{},[],"Microsoft",{"data":2576,"marks":2577,"value":2578,"nodeType":1293},{},[],")",{"data":2580,"content":2581,"nodeType":1460},{},[2582],{"data":2583,"content":2584,"nodeType":1294},{},[2585,2589,2595],{"data":2586,"marks":2587,"value":2588,"nodeType":1293},{},[],"ClickFix was the most common initial point of access for adversaries in the past year, accounting for a whopping 47% of observed attacks. (",{"data":2590,"content":2591,"nodeType":1330},{"uri":2569},[2592],{"data":2593,"marks":2594,"value":2574,"nodeType":1293},{},[],{"data":2596,"marks":2597,"value":2578,"nodeType":1293},{},[],{"data":2599,"content":2600,"nodeType":1460},{},[2601],{"data":2602,"content":2603,"nodeType":1294},{},[2604,2608,2616],{"data":2605,"marks":2606,"value":2607,"nodeType":1293},{},[],"Pure malware-based attacks declined, as adversaries continued to shift from targeting endpoints to corporate identities. In the last year-plus, 79% of detections were malware-free, up from 40% in 2019. And abuse of valid accounts was responsible for more than one-third of all cloud-related incidents. (",{"data":2609,"content":2611,"nodeType":1330},{"uri":2610},"https://www.crowdstrike.com/en-gb/global-threat-report/",[2612],{"data":2613,"marks":2614,"value":2615,"nodeType":1293},{},[],"Crowdstrike",{"data":2617,"marks":2618,"value":2578,"nodeType":1293},{},[],{"data":2620,"content":2621,"nodeType":1294},{},[2622],{"data":2623,"marks":2624,"value":2625,"nodeType":1293},{},[],"… and so do the headlines from 2025:",{"data":2627,"content":2628,"nodeType":1456},{},[2629,2648,2676],{"data":2630,"content":2631,"nodeType":1460},{},[2632],{"data":2633,"content":2634,"nodeType":1294},{},[2635,2639,2644],{"data":2636,"marks":2637,"value":2638,"nodeType":1293},{},[],"Attackers stole over ",{"data":2640,"marks":2641,"value":2643,"nodeType":1293},{},[2642],{"type":1423},"1.5 billion records",{"data":2645,"marks":2646,"value":2647,"nodeType":1293},{},[]," from an estimated 1,000+ Salesforce tenants by exploiting integrations (Salesloft, Gainsight), phishing credentials, and by tricking users into installing a malicious OAuth app.",{"data":2649,"content":2650,"nodeType":1460},{},[2651],{"data":2652,"content":2653,"nodeType":1294},{},[2654,2658,2663,2667,2672],{"data":2655,"marks":2656,"value":2657,"nodeType":1293},{},[],"Marks & Spencer was hit with a help desk scam that led to a compromised Microsoft Entra account, followed by a ransomware deployment resulting in months of disruption, ",{"data":2659,"marks":2660,"value":2662,"nodeType":1293},{},[2661],{"type":1423},"$400M",{"data":2664,"marks":2665,"value":2666,"nodeType":1293},{},[]," in lost profits, and around ",{"data":2668,"marks":2669,"value":2671,"nodeType":1293},{},[2670],{"type":1423},"$1.3B",{"data":2673,"marks":2674,"value":2675,"nodeType":1293},{},[]," wiped off their stock market valuation at one stage.",{"data":2677,"content":2678,"nodeType":1460},{},[2679],{"data":2680,"content":2681,"nodeType":1294},{},[2682,2686,2691],{"data":2683,"marks":2684,"value":2685,"nodeType":1293},{},[],"Jaguar Land Rover was compromised via highly privileged admin accounts — another help desk scam targeting workforce credentials for initial access — resulting in months of disruption that led the UK government to underwrite a ",{"data":2687,"marks":2688,"value":2690,"nodeType":1293},{},[2689],{"type":1423},"$1.5B",{"data":2692,"marks":2693,"value":2694,"nodeType":1293},{},[]," loan to alleviate the supply chain impact. This was the most economically consequential cyber attack yet recorded in a G7 economy.",{"data":2696,"content":2700,"nodeType":1403},{"target":2697},{"sys":2698},{"id":2699,"type":1408,"linkType":1409},"v5YYnjP2NViOh6Ucxp2Fe",[],{"data":2702,"content":2703,"nodeType":1294},{},[2704],{"data":2705,"marks":2706,"value":2707,"nodeType":1293},{},[],"At Push, we’ve been closely tracking the evolution of browser-based attacks. Looking back at 2025, we’ve seen a notable increase in the sophistication and frequency of modern attack techniques methods like ClickFix, commodified phish kits that bypass MFA, malicious browser extensions, and many more. (Writing phish kit teardowns for the Push blog is practically a full-time job now.)",{"data":2709,"content":2710,"nodeType":1294},{},[2711],{"data":2712,"marks":2713,"value":2714,"nodeType":1293},{},[],"In this article, we’ll take a look at how real-world attacks and our own research drove the features we delivered for Push customers this year to take the fight to adversaries.",{"data":2716,"content":2717,"nodeType":1412},{},[],{"data":2719,"content":2720,"nodeType":1416},{},[2721],{"data":2722,"marks":2723,"value":2724,"nodeType":1293},{},[],"Detecting and blocking increasingly sophisticated phishing-as-a-service tools",{"data":2726,"content":2727,"nodeType":1440},{},[2728],{"data":2729,"marks":2730,"value":2731,"nodeType":1293},{},[],"What happened",{"data":2733,"content":2734,"nodeType":1294},{},[2735],{"data":2736,"marks":2737,"value":2738,"nodeType":1293},{},[],"The current state of the art for phishing centers on three core developments:",{"data":2740,"content":2741,"nodeType":1456},{},[2742,2772,2814],{"data":2743,"content":2744,"nodeType":1460},{},[2745],{"data":2746,"content":2747,"nodeType":1294},{},[2748,2753,2757,2768],{"data":2749,"marks":2750,"value":2752,"nodeType":1293},{},[2751],{"type":1423},"Detection evasion: ",{"data":2754,"marks":2755,"value":2756,"nodeType":1293},{},[],"Adversaries demonstrated a ",{"data":2758,"content":2762,"nodeType":2767},{"target":2759},{"sys":2760},{"id":2761,"type":1408,"linkType":1409},"4XZ6qCr8pjJvcD7hi09x2Y",[2763],{"data":2764,"marks":2765,"value":2766,"nodeType":1293},{},[],"creative array of approaches","entry-hyperlink",{"data":2769,"marks":2770,"value":2771,"nodeType":1293},{},[]," this year to hide their intentions from end-users and defenders, using methods such as sending phishing emails from legitimate services; serving phishing pages via malvertising and SEO poisoning; and obfuscating URLs. More sophisticated techniques used page-level obfuscation, cross-domain iframes, single-use links, and legitimate OIDC logins to evade detection and analysis from traditional tools.",{"data":2773,"content":2774,"nodeType":1460},{},[2775],{"data":2776,"content":2777,"nodeType":1294},{},[2778,2783,2787,2797,2801,2811],{"data":2779,"marks":2780,"value":2782,"nodeType":1293},{},[2781],{"type":1423},"Multi-channel delivery of lures:",{"data":2784,"marks":2785,"value":2786,"nodeType":1293},{},[]," Adversaries proved the truism of “phishing doesn’t just happen in the mailbox” this year by increasing their observed use of ",{"data":2788,"content":2792,"nodeType":2767},{"target":2789},{"sys":2790},{"id":2791,"type":1408,"linkType":1409},"72lLmy0CXnOp3LWOdcUguX",[2793],{"data":2794,"marks":2795,"value":2796,"nodeType":1293},{},[],"malvertising",{"data":2798,"marks":2799,"value":2800,"nodeType":1293},{},[]," and SEO poisoning — techniques that place malicious pages within trusted contexts like the Google search engine results page — as well as the use of social media services like LinkedIn to ",{"data":2802,"content":2806,"nodeType":2767},{"target":2803},{"sys":2804},{"id":2805,"type":1408,"linkType":1409},"2yEhB2gFC2TJDLquVP3cg2",[2807],{"data":2808,"marks":2809,"value":2810,"nodeType":1293},{},[],"deliver phishing lures",{"data":2812,"marks":2813,"value":1681,"nodeType":1293},{},[],{"data":2815,"content":2816,"nodeType":1460},{},[2817],{"data":2818,"content":2819,"nodeType":1294},{},[2820,2825,2829,2839],{"data":2821,"marks":2822,"value":2824,"nodeType":1293},{},[2823],{"type":1423},"Commodification of phishing toolkits:",{"data":2826,"marks":2827,"value":2828,"nodeType":1293},{},[]," Phishing-as-a-service (PhaaS) kits have become another SaaS with their own supply chain, including developers of malicious tooling, operators who run the campaigns, and brokers who sell stolen credentials and tokens. The incentives for attackers are clear: quick ROI from targeting workforce identities, and out-of-the-box tools that make it easier to efficiently spin up new campaigns or try new techniques. As with any SaaS offering, the customer (attackers, in this case) benefits from rapid innovations they didn’t have to build. We saw this recently with the ",{"data":2830,"content":2834,"nodeType":2767},{"target":2831},{"sys":2832},{"id":2833,"type":1408,"linkType":1409},"6QLonRmBzbj9h88Y7jD0LU",[2835],{"data":2836,"marks":2837,"value":2838,"nodeType":1293},{},[],"addition of a browser-in-the-browser (BitB) technique",{"data":2840,"marks":2841,"value":2842,"nodeType":1293},{},[]," to the phish kit Sneaky2FA — a change that makes it even more effective.",{"data":2844,"content":2845,"nodeType":1294},{},[2846,2850,2858],{"data":2847,"marks":2848,"value":2849,"nodeType":1293},{},[],"In 2025, Push researchers tracked how each of these developments expanded in scope and sophistication. Check out our ",{"data":2851,"content":2853,"nodeType":1330},{"uri":2852},"https://pushsecurity.github.io/phishing-techniques/",[2854],{"data":2855,"marks":2856,"value":2857,"nodeType":1293},{},[],"phishing detection evasion techniques matrix",{"data":2859,"marks":2860,"value":2861,"nodeType":1293},{},[]," on Github for more detail. ",{"data":2863,"content":2864,"nodeType":1294},{},[2865],{"data":2866,"marks":2867,"value":2868,"nodeType":1293},{},[],"The takeaways for security teams?",{"data":2870,"content":2871,"nodeType":1456},{},[2872,2882,2901],{"data":2873,"content":2874,"nodeType":1460},{},[2875],{"data":2876,"content":2877,"nodeType":1294},{},[2878],{"data":2879,"marks":2880,"value":2881,"nodeType":1293},{},[],"You can’t block your way to safety when adversaries are using the same legitimate apps that your employees use.",{"data":2883,"content":2884,"nodeType":1460},{},[2885],{"data":2886,"content":2887,"nodeType":1294},{},[2888,2892,2897],{"data":2889,"marks":2890,"value":2891,"nodeType":1293},{},[],"Similarly, while end-user training is important, it’s not reasonable to expect employees to know when a SharePoint document link is malicious when it looks identical to the ones they trust every day — because adversaries ",{"data":2893,"marks":2894,"value":2896,"nodeType":1293},{},[2895],{"type":312},"are using the legitimate service",{"data":2898,"marks":2899,"value":2900,"nodeType":1293},{},[],". Push researchers have observed the abuse of hundreds of legitimate services in phishing attacks this year.",{"data":2902,"content":2903,"nodeType":1460},{},[2904],{"data":2905,"content":2906,"nodeType":1294},{},[2907],{"data":2908,"marks":2909,"value":2910,"nodeType":1293},{},[],"Security solutions need to be able to analyze real-time context and behavior, not rely solely on inferences from secondary characteristics like domain reputation.",{"data":2912,"content":2913,"nodeType":1294},{},[2914],{"data":2915,"marks":2916,"value":2917,"nodeType":1293},{},[],"Here's what we built to help defend organizations.",{"data":2919,"content":2920,"nodeType":1440},{},[2921],{"data":2922,"marks":2923,"value":2924,"nodeType":1293},{},[],"What we built",{"data":2926,"content":2927,"nodeType":1294},{},[2928],{"data":2929,"marks":2930,"value":2931,"nodeType":1293},{},[],"The feature we built in 2025 that gave us unique insight into these TTPs is Push’s Detections capability. With Detections, you can:",{"data":2933,"content":2934,"nodeType":1456},{},[2935,2945,2955],{"data":2936,"content":2937,"nodeType":1460},{},[2938],{"data":2939,"content":2940,"nodeType":1294},{},[2941],{"data":2942,"marks":2943,"value":2944,"nodeType":1293},{},[],"Get alerted when Push detects a browser-based attack, and see how the Push agent responded to block the attack. The platform provides a front-end view for quick triage, and you can also pipe the detection events to your SIEM or other platform of choice.",{"data":2946,"content":2947,"nodeType":1460},{},[2948],{"data":2949,"content":2950,"nodeType":1294},{},[2951],{"data":2952,"marks":2953,"value":2954,"nodeType":1293},{},[],"Review a timeline of the incident: Where a phishing link originated; whether a user entered their credentials; what kind of phishkit was detected; and how Push responded (configurable based on your environment).",{"data":2956,"content":2957,"nodeType":1460},{},[2958],{"data":2959,"content":2960,"nodeType":1294},{},[2961],{"data":2962,"marks":2963,"value":2964,"nodeType":1293},{},[],"Get actionable telemetry and metadata about an incident, including a screenshot of the malicious page to see exactly what the user saw; intel about the involved domains, including when they were registered and if they’ve been scanned by urlscan before; and the blast radius of an attack, including other apps that shared a password with the potentially compromised account",{"data":2966,"content":2970,"nodeType":1403},{"target":2967},{"sys":2968},{"id":2969,"type":1408,"linkType":1409},"5dygPaG3Gfw4Yeicffv6tV",[],{"data":2972,"content":2973,"nodeType":1294},{},[2974,2978,2983,2986,2991,2995,3000],{"data":2975,"marks":2976,"value":2977,"nodeType":1293},{},[],"This telemetry — combined with Push’s out-of-the-box controls like ",{"data":2979,"marks":2980,"value":2982,"nodeType":1293},{},[2981],{"type":1423},"Phishing tool detection",{"data":2984,"marks":2985,"value":1341,"nodeType":1293},{},[],{"data":2987,"marks":2988,"value":2990,"nodeType":1293},{},[2989],{"type":1423},"Cloned login page detection",{"data":2992,"marks":2993,"value":2994,"nodeType":1293},{},[],", and ",{"data":2996,"marks":2997,"value":2999,"nodeType":1293},{},[2998],{"type":1423},"Malicious copy and paste detection",{"data":3001,"marks":3002,"value":3003,"nodeType":1293},{},[]," (aka ClickFix detection) — give you a seat on the user’s side of the equation, capturing real-time information about what users did and the TTPs of an attack so you can investigate and respond efficiently and confidently.",{"data":3005,"content":3009,"nodeType":1403},{"target":3006},{"sys":3007},{"id":3008,"type":1408,"linkType":1409},"563fJFSgoLDOwSXSQ9Y0MM",[],{"data":3011,"content":3012,"nodeType":1294},{},[3013],{"data":3014,"marks":3015,"value":3016,"nodeType":1293},{},[],"With the visibility provided by this telemetry across Push’s install base, our R&D and Product teams have rapidly iterated all year on our detections to increase coverage and respond quickly to newly identified attack types.",{"data":3018,"content":3019,"nodeType":1294},{},[3020],{"data":3021,"marks":3022,"value":3023,"nodeType":1293},{},[],"This year, we also released:",{"data":3025,"content":3026,"nodeType":1456},{},[3027,3037,3047],{"data":3028,"content":3029,"nodeType":1460},{},[3030],{"data":3031,"content":3032,"nodeType":1294},{},[3033],{"data":3034,"marks":3035,"value":3036,"nodeType":1293},{},[],"Detections for new variants of cloned login pages and AiTM phish kits.",{"data":3038,"content":3039,"nodeType":1460},{},[3040],{"data":3041,"content":3042,"nodeType":1294},{},[3043],{"data":3044,"marks":3045,"value":3046,"nodeType":1293},{},[],"12+ pre-release detections focused on flagging emerging attacker techniques.",{"data":3048,"content":3049,"nodeType":1460},{},[3050],{"data":3051,"content":3052,"nodeType":1294},{},[3053],{"data":3054,"marks":3055,"value":3056,"nodeType":1293},{},[],"7+ first-class SIEM and SOAR integrations, to make it simpler to ingest Push telemetry and operationalize it.",{"data":3058,"content":3059,"nodeType":1294},{},[3060,3064,3074],{"data":3061,"marks":3062,"value":3063,"nodeType":1293},{},[],"Learn more about Push’s detections features in our ",{"data":3065,"content":3069,"nodeType":2767},{"target":3066},{"sys":3067},{"id":3068,"type":1408,"linkType":1409},"6OFdfAsoPUECeRAetWvedp",[3070],{"data":3071,"marks":3072,"value":3073,"nodeType":1293},{},[],"blog article",{"data":3075,"marks":3076,"value":2264,"nodeType":1293},{},[],{"data":3078,"content":3079,"nodeType":1412},{},[],{"data":3081,"content":3082,"nodeType":1416},{},[3083],{"data":3084,"marks":3085,"value":3086,"nodeType":1293},{},[],"Detecting and blocking ClickFix-style malicious copy and paste attacks",{"data":3088,"content":3089,"nodeType":1440},{},[3090],{"data":3091,"marks":3092,"value":2731,"nodeType":1293},{},[],{"data":3094,"content":3095,"nodeType":1294},{},[3096,3100,3108,3112,3120],{"data":3097,"marks":3098,"value":3099,"nodeType":1293},{},[],"ClickFix-style attacks left their mark in 2025, quickly becoming one of the most prevalent attack techniques — with ",{"data":3101,"content":3103,"nodeType":1330},{"uri":3102},"https://www.scworld.com/news/clickfix-phishing-links-increased-nearly-400-in-12-months-report-says",[3104],{"data":3105,"marks":3106,"value":3107,"nodeType":1293},{},[],"estimates",{"data":3109,"marks":3110,"value":3111,"nodeType":1293},{},[]," of a 400 percent year-over-year increase, and another ",{"data":3113,"content":3115,"nodeType":1330},{"uri":3114},"https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf",[3116],{"data":3117,"marks":3118,"value":3119,"nodeType":1293},{},[],"report",{"data":3121,"marks":3122,"value":3123,"nodeType":1293},{},[]," documenting a 517 percent growth in just the last 6 months of the year.",{"data":3125,"content":3126,"nodeType":1294},{},[3127],{"data":3128,"marks":3129,"value":3130,"nodeType":1293},{},[],"What is ClickFix? This attack technique prompts the user to solve some kind of problem or troubleshooting step in the browser — often presented as a CAPTCHA challenge. The key aspect of the attack is that it tricks users into running malicious commands on their device by copying malicious code from the page clipboard and running it locally. (The copy typically occurs  automatically via the page itself, but can also be performed manually by the user.)",{"data":3132,"content":3133,"nodeType":1294},{},[3134],{"data":3135,"marks":3136,"value":3137,"nodeType":1293},{},[],"These malicious copy and paste attacks are often used to deliver infostealer malware or remote access software, with the attacker’s end goal being stealing session cookies and credentials to facilitate attacks on business apps.",{"data":3139,"content":3140,"nodeType":1294},{},[3141],{"data":3142,"marks":3143,"value":3144,"nodeType":1293},{},[],"What’s especially challenging about this attack type is that it usually can only be detected after the fact — when a machine is already compromised, or malicious code attempts to execute (if EDR catches it). Even if it is detected, security teams are left flying blind when they try to determine the initial vector for the attack, and which other users might have been targeted.",{"data":3146,"content":3147,"nodeType":1440},{},[3148],{"data":3149,"marks":3150,"value":2924,"nodeType":1293},{},[],{"data":3152,"content":3153,"nodeType":1294},{},[3154],{"data":3155,"marks":3156,"value":3157,"nodeType":1293},{},[],"Because of our position in the browser, Push is uniquely positioned to detect and block browser-native attacks like ClickFix and other forms of malicious copy and paste techniques. So that’s what we built.",{"data":3159,"content":3163,"nodeType":1403},{"target":3160},{"sys":3161},{"id":3162,"type":1408,"linkType":1409},"56jVT7dbNqUGiSRTfTCQw2",[],{"data":3165,"content":3166,"nodeType":1294},{},[3167,3171,3175],{"data":3168,"marks":3169,"value":3170,"nodeType":1293},{},[],"With our ",{"data":3172,"marks":3173,"value":2999,"nodeType":1293},{},[3174],{"type":1423},{"data":3176,"marks":3177,"value":3178,"nodeType":1293},{},[],", you can:",{"data":3180,"content":3181,"nodeType":1456},{},[3182,3192,3202,3212],{"data":3183,"content":3184,"nodeType":1460},{},[3185],{"data":3186,"content":3187,"nodeType":1294},{},[3188],{"data":3189,"marks":3190,"value":3191,"nodeType":1293},{},[],"Detect ClickFix-style attacks as soon as they target end-users, regardless of the delivery channel for the lure, or the specifics of the malware type and execution.",{"data":3193,"content":3194,"nodeType":1460},{},[3195],{"data":3196,"content":3197,"nodeType":1294},{},[3198],{"data":3199,"marks":3200,"value":3201,"nodeType":1293},{},[],"Block these attacks before the malicious code is copied to the clipboard.",{"data":3203,"content":3204,"nodeType":1460},{},[3205],{"data":3206,"content":3207,"nodeType":1294},{},[3208],{"data":3209,"marks":3210,"value":3211,"nodeType":1293},{},[],"Safely collect the payload for further investigation by your security team, and replace the clipboard contents with safe text as part of the blocking action.",{"data":3213,"content":3214,"nodeType":1460},{},[3215],{"data":3216,"content":3217,"nodeType":1294},{},[3218],{"data":3219,"marks":3220,"value":3221,"nodeType":1293},{},[],"Capture a detailed timeline of events to see how users were targeted and how the attack unfolded.",{"data":3223,"content":3227,"nodeType":1403},{"target":3224},{"sys":3225},{"id":3226,"type":1408,"linkType":1409},"sALkMt8UbTZ2f34hKvGLj",[],{"data":3229,"content":3230,"nodeType":1294},{},[3231,3235,3245],{"data":3232,"marks":3233,"value":3234,"nodeType":1293},{},[],"Learn more about ClickFix detection in our ",{"data":3236,"content":3240,"nodeType":2767},{"target":3237},{"sys":3238},{"id":3239,"type":1408,"linkType":1409},"7jygmadjoz0asAHv7e5PuK",[3241],{"data":3242,"marks":3243,"value":3244,"nodeType":1293},{},[],"documentation",{"data":3246,"marks":3247,"value":2264,"nodeType":1293},{},[],{"data":3249,"content":3250,"nodeType":1412},{},[],{"data":3252,"content":3253,"nodeType":1416},{},[3254],{"data":3255,"marks":3256,"value":3257,"nodeType":1293},{},[],"Getting ahead of breaches tied to stolen credentials and ghost logins",{"data":3259,"content":3260,"nodeType":1440},{},[3261],{"data":3262,"marks":3263,"value":2731,"nodeType":1293},{},[],{"data":3265,"content":3266,"nodeType":1294},{},[3267,3271,3281],{"data":3268,"marks":3269,"value":3270,"nodeType":1293},{},[],"Starting in November 2024 and continuing through July 2025, adversaries linked to the HELLCAT threat group compromised Jira tenants belonging to 10 organizations using ",{"data":3272,"content":3276,"nodeType":2767},{"target":3273},{"sys":3274},{"id":3275,"type":1408,"linkType":1409},"gANCbeL9AnxmbGAE5HhyG",[3277],{"data":3278,"marks":3279,"value":3280,"nodeType":1293},{},[],"stolen credentials",{"data":3282,"marks":3283,"value":1681,"nodeType":1293},{},[],{"data":3285,"content":3286,"nodeType":1294},{},[3287],{"data":3288,"marks":3289,"value":3290,"nodeType":1293},{},[],"Business-critical applications like Jira are prime targets for attackers, who in this case dumped valuable data and then held it for ransom (or sold it on criminal marketplaces). Of course, this isn’t just a problem for Jira — data from Push’s initial deployment into customer environments shows that lots of critical apps lack basic controls like strong passwords and MFA.",{"data":3292,"content":3293,"nodeType":1294},{},[3294,3298,3308,3312,3320],{"data":3295,"marks":3296,"value":3297,"nodeType":1293},{},[],"The evolving threat group known as ",{"data":3299,"content":3303,"nodeType":2767},{"target":3300},{"sys":3301},{"id":3302,"type":1408,"linkType":1409},"2sFCww9xnI8okIxhtOaiY1",[3304],{"data":3305,"marks":3306,"value":3307,"nodeType":1293},{},[],"Scattered Lapsus$ Hunters",{"data":3309,"marks":3310,"value":3311,"nodeType":1293},{},[]," has also embraced the use of stolen creds, session cookies, and unprotected local account logins — aka ",{"data":3313,"content":3315,"nodeType":1330},{"uri":3314},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[3316],{"data":3317,"marks":3318,"value":3319,"nodeType":1293},{},[],"ghost logins",{"data":3321,"marks":3322,"value":3323,"nodeType":1293},{},[]," — to compromise large organizations.",{"data":3325,"content":3326,"nodeType":1294},{},[3327,3331,3341],{"data":3328,"marks":3329,"value":3330,"nodeType":1293},{},[],"In 2025, Red Hat’s GitLab instance was compromised due to a local account that essentially provided a backdoor to an otherwise secure and SSO-connected account — an attack reminiscent of the ",{"data":3332,"content":3336,"nodeType":2767},{"target":3333},{"sys":3334},{"id":3335,"type":1408,"linkType":1409},"PAPJPr3CIB6J20udYyy1r",[3337],{"data":3338,"marks":3339,"value":3340,"nodeType":1293},{},[],"2024 Snowflake breach",{"data":3342,"marks":3343,"value":3344,"nodeType":1293},{},[],", which targeted local logins that lacked MFA.",{"data":3346,"content":3347,"nodeType":1440},{},[3348],{"data":3349,"marks":3350,"value":2924,"nodeType":1293},{},[],{"data":3352,"content":3353,"nodeType":1294},{},[3354,3358,3368],{"data":3355,"marks":3356,"value":3357,"nodeType":1293},{},[],"Push already provided the ability to detect stolen credentials being actively used by employees in your organization with our ",{"data":3359,"content":3363,"nodeType":2767},{"target":3360},{"sys":3361},{"id":3362,"type":1408,"linkType":1409},"6vCr4d3R1XA1E8dU883l7N",[3364],{"data":3365,"marks":3366,"value":3367,"nodeType":1293},{},[],"Stolen credential detection control",{"data":3369,"marks":3370,"value":3371,"nodeType":1293},{},[],". This provides an early-warning signal when Push finds a match between credentials for sale on criminal forums with those still being used by your employees, reducing some 99.5% of false positives we usually see with TI feed data.",{"data":3373,"content":3374,"nodeType":1294},{},[3375],{"data":3376,"marks":3377,"value":3378,"nodeType":1293},{},[],"With Push, you can also identify where employees are logging in with passwords on apps that otherwise should be using SAML, OIDC, or some other federated mechanism — aka the ghost login vulnerability.",{"data":3380,"content":3381,"nodeType":1294},{},[3382],{"data":3383,"marks":3384,"value":3385,"nodeType":1293},{},[],"This year, we made it easier for security teams to enforce two security fundamentals that help harden accounts and reduce the risk of ATO, even on unmanaged apps:",{"data":3387,"content":3388,"nodeType":1456},{},[3389,3418],{"data":3390,"content":3391,"nodeType":1460},{},[3392],{"data":3393,"content":3394,"nodeType":1294},{},[3395,3400,3404,3414],{"data":3396,"marks":3397,"value":3399,"nodeType":1293},{},[3398],{"type":1423},"Strong password enforcement:",{"data":3401,"marks":3402,"value":3403,"nodeType":1293},{},[]," With this control, you can prompt end-users to ",{"data":3405,"content":3409,"nodeType":2767},{"target":3406},{"sys":3407},{"id":3408,"type":1408,"linkType":1409},"5aB5x5VXrMv7PDmH0iiK0c",[3410],{"data":3411,"marks":3412,"value":3413,"nodeType":1293},{},[],"fix an insecure password",{"data":3415,"marks":3416,"value":3417,"nodeType":1293},{},[]," on all your workforce apps, even the ones you don’t centrally manage. ",{"data":3419,"content":3420,"nodeType":1460},{},[3421],{"data":3422,"content":3423,"nodeType":1294},{},[3424,3429,3432,3442],{"data":3425,"marks":3426,"value":3428,"nodeType":1293},{},[3427],{"type":1423},"MFA enforcement:",{"data":3430,"marks":3431,"value":3403,"nodeType":1293},{},[],{"data":3433,"content":3437,"nodeType":2767},{"target":3434},{"sys":3435},{"id":3436,"type":1408,"linkType":1409},"wikyVxlHwKUOKM9xo19eP",[3438],{"data":3439,"marks":3440,"value":3441,"nodeType":1293},{},[],"register for MFA",{"data":3443,"marks":3444,"value":3445,"nodeType":1293},{},[]," where Push detects it’s missing — again, even on unmanaged apps.",{"data":3447,"content":3448,"nodeType":1294},{},[3449],{"data":3450,"marks":3451,"value":3452,"nodeType":1293},{},[],"Both of these controls use in-browser banners to provide point-in-time guidance to users when they’re most likely to see it and act on it.",{"data":3454,"content":3458,"nodeType":1403},{"target":3455},{"sys":3456},{"id":3457,"type":1408,"linkType":1409},"3XH0hnnhcZNI47PhdiD4q0",[],{"data":3460,"content":3461,"nodeType":1294},{},[3462,3466,3471],{"data":3463,"marks":3464,"value":3465,"nodeType":1293},{},[],"To address the pattern of adversaries moving from targeting hardened core apps such as identity providers to the likes of GitLab, Postman, Jira, and others containing valuable corporate data, we also expanded one of the Push platform’s core security controls called ",{"data":3467,"marks":3468,"value":3470,"nodeType":1293},{},[3469],{"type":1423},"Password protection",{"data":3472,"marks":3473,"value":2264,"nodeType":1293},{},[],{"data":3475,"content":3476,"nodeType":1294},{},[3477,3481,3485],{"data":3478,"marks":3479,"value":3480,"nodeType":1293},{},[],"The ",{"data":3482,"marks":3483,"value":3470,"nodeType":1293},{},[3484],{"type":1423},{"data":3486,"marks":3487,"value":3488,"nodeType":1293},{},[]," control previously could be applied only to IdP passwords, allowing you to essentially “pin” the credential for those systems so that it could never be entered on a phishing page or reused on any other app. ",{"data":3490,"content":3491,"nodeType":1294},{},[3492,3496,3506],{"data":3493,"marks":3494,"value":3495,"nodeType":1293},{},[],"We expanded that control to allow you to ",{"data":3497,"content":3501,"nodeType":2767},{"target":3498},{"sys":3499},{"id":3500,"type":1408,"linkType":1409},"6FYHbkcRUrtznPo7RarRsz",[3502],{"data":3503,"marks":3504,"value":3505,"nodeType":1293},{},[],"protect passwords on any valuable app",{"data":3507,"marks":3508,"value":3509,"nodeType":1293},{},[],", preventing account takeover through phished creds and reducing the blast radius of attacks when a compromised account has been reusing passwords on multiple applications.",{"data":3511,"content":3515,"nodeType":1403},{"target":3512},{"sys":3513},{"id":3514,"type":1408,"linkType":1409},"74l82HIeaumFX4u9AMjj79",[],{"data":3517,"content":3518,"nodeType":1294},{},[3519,3523,3533],{"data":3520,"marks":3521,"value":3522,"nodeType":1293},{},[],"Push also now gives you visibility into where employees are ",{"data":3524,"content":3528,"nodeType":2767},{"target":3525},{"sys":3526},{"id":3527,"type":1408,"linkType":1409},"7uLeQ9twNl5RyNaWkkJNjd",[3529],{"data":3530,"marks":3531,"value":3532,"nodeType":1293},{},[],"syncing their corporate browser profile",{"data":3534,"marks":3535,"value":3536,"nodeType":1293},{},[]," to a personal profile, raising the risk of syncing corporate passwords to unmanaged devices — another vector for credential harvesting if those endpoints become compromised.",{"data":3538,"content":3539,"nodeType":1294},{},[3540],{"data":3541,"marks":3542,"value":3543,"nodeType":1293},{},[],"And of course, underlying all these features is the foundational visibility of all your apps, accounts, account vulnerabilities, and login methods that Push provides.",{"data":3545,"content":3546,"nodeType":1412},{},[],{"data":3548,"content":3549,"nodeType":1416},{},[3550],{"data":3551,"marks":3552,"value":3553,"nodeType":1293},{},[],"Blocking malicious browser extensions",{"data":3555,"content":3556,"nodeType":1440},{},[3557],{"data":3558,"marks":3559,"value":2731,"nodeType":1293},{},[],{"data":3561,"content":3562,"nodeType":1294},{},[3563],{"data":3564,"marks":3565,"value":3566,"nodeType":1293},{},[],"Getting visibility and control over all the browser extensions used across your workforce has long been a thorny problem for security teams. ",{"data":3568,"content":3569,"nodeType":1294},{},[3570],{"data":3571,"marks":3572,"value":3573,"nodeType":1293},{},[],"The possible solutions haven’t been great, either. Teams could either apply a blunt-force block for most or all extensions, or spend painstaking time trying to understand what was installed, why, and by whom, across all the browsers in the environment.",{"data":3575,"content":3576,"nodeType":1294},{},[3577,3581,3591],{"data":3578,"marks":3579,"value":3580,"nodeType":1293},{},[],"The urgency of solving this problem increased for many organizations this year after the December 2024 compromise of at least 35 Google Chrome extensions in a ",{"data":3582,"content":3586,"nodeType":2767},{"target":3583},{"sys":3584},{"id":3585,"type":1408,"linkType":1409},"6sprbTRpfnTJsP3mGR2gKa",[3587],{"data":3588,"marks":3589,"value":3590,"nodeType":1293},{},[],"campaign targeting browser extension developers",{"data":3592,"marks":3593,"value":3594,"nodeType":1293},{},[],". Cyberhaven’s extension was one of these, and the campaign inherited their name.",{"data":3596,"content":3597,"nodeType":1440},{},[3598],{"data":3599,"marks":3600,"value":2924,"nodeType":1293},{},[],{"data":3602,"content":3603,"nodeType":1294},{},[3604,3608,3618],{"data":3605,"marks":3606,"value":3607,"nodeType":1293},{},[],"With Push, you can now get visibility across ",{"data":3609,"content":3613,"nodeType":2767},{"target":3610},{"sys":3611},{"id":3612,"type":1408,"linkType":1409},"3ibVBa6u0XfcXXDVtON5th",[3614],{"data":3615,"marks":3616,"value":3617,"nodeType":1293},{},[],"all the browser extensions",{"data":3619,"marks":3620,"value":3621,"nodeType":1293},{},[]," installed on employee browsers in your environment, and block the ones you don’t want.",{"data":3623,"content":3627,"nodeType":1403},{"target":3624},{"sys":3625},{"id":3626,"type":1408,"linkType":1409},"5J5jdmwugy7yU8GGwxe7iH",[],{"data":3629,"content":3630,"nodeType":1294},{},[3631],{"data":3632,"marks":3633,"value":3634,"nodeType":1293},{},[],"You can also:",{"data":3636,"content":3637,"nodeType":1456},{},[3638,3648,3658],{"data":3639,"content":3640,"nodeType":1460},{},[3641],{"data":3642,"content":3643,"nodeType":1294},{},[3644],{"data":3645,"marks":3646,"value":3647,"nodeType":1293},{},[],"Review extensions with risky permissions.",{"data":3649,"content":3650,"nodeType":1460},{},[3651],{"data":3652,"content":3653,"nodeType":1294},{},[3654],{"data":3655,"marks":3656,"value":3657,"nodeType":1293},{},[],"Identify extensions with potentially suspicious installation methods, such as sideloaded or manually installed.",{"data":3659,"content":3660,"nodeType":1460},{},[3661],{"data":3662,"content":3663,"nodeType":1294},{},[3664],{"data":3665,"marks":3666,"value":3667,"nodeType":1293},{},[],"Block extensions based on user groups and browser profiles (e.g. profiles logged in with a company domain).",{"data":3669,"content":3670,"nodeType":1294},{},[3671,3675,3683],{"data":3672,"marks":3673,"value":3674,"nodeType":1293},{},[],"Learn more about extension visibility and management in our ",{"data":3676,"content":3679,"nodeType":2767},{"target":3677},{"sys":3678},{"id":3612,"type":1408,"linkType":1409},[3680],{"data":3681,"marks":3682,"value":3244,"nodeType":1293},{},[],{"data":3684,"marks":3685,"value":2264,"nodeType":1293},{},[],{"data":3687,"content":3688,"nodeType":1412},{},[],{"data":3690,"content":3691,"nodeType":1416},{},[3692],{"data":3693,"marks":3694,"value":3695,"nodeType":1293},{},[],"Adding a layer of protection against help desk scams",{"data":3697,"content":3698,"nodeType":1440},{},[3699],{"data":3700,"marks":3701,"value":2731,"nodeType":1293},{},[],{"data":3703,"content":3704,"nodeType":1294},{},[3705],{"data":3706,"marks":3707,"value":3708,"nodeType":1293},{},[],"Finally, another big theme in this year’s TTPs was the use of help desk social engineering to compromise organizations. ",{"data":3710,"content":3711,"nodeType":1294},{},[3712,3716,3726],{"data":3713,"marks":3714,"value":3715,"nodeType":1293},{},[],"Attackers like ",{"data":3717,"content":3721,"nodeType":2767},{"target":3718},{"sys":3719},{"id":3720,"type":1408,"linkType":1409},"wgpdyHDn9NcpIJNr7jnFp",[3722],{"data":3723,"marks":3724,"value":3725,"nodeType":1293},{},[],"Scattered Spider",{"data":3727,"marks":3728,"value":3729,"nodeType":1293},{},[]," — now known as part of the evolving cybercriminal group Scattered Lapsus$ Hunters — have targeted organizations including MGM Resorts and Marks & Spencer by convincing help desk staff to help them bypass MFA or reset credentials for accounts they then use to access corporate systems. ",{"data":3731,"content":3732,"nodeType":1440},{},[3733],{"data":3734,"marks":3735,"value":2924,"nodeType":1293},{},[],{"data":3737,"content":3738,"nodeType":1294},{},[3739,3743,3748],{"data":3740,"marks":3741,"value":3742,"nodeType":1293},{},[],"To provide an additional layer of security when verifying employee identities during help desk interactions, Push introduced ",{"data":3744,"marks":3745,"value":3747,"nodeType":1293},{},[3746],{"type":1423},"Employee verification codes",{"data":3749,"marks":3750,"value":2264,"nodeType":1293},{},[],{"data":3752,"content":3756,"nodeType":1403},{"target":3753},{"sys":3754},{"id":3755,"type":1408,"linkType":1409},"19Baqh5QwbonzsR0EcaDS8",[],{"data":3758,"content":3759,"nodeType":1294},{},[3760],{"data":3761,"marks":3762,"value":3763,"nodeType":1293},{},[],"These are a rotating 6-digit verification code accessible via the Push Security extension dropdown. When an employee contacts your help desk, staff can use this code to help verify their identity before performing any sensitive account changes.",{"data":3765,"content":3766,"nodeType":1294},{},[3767],{"data":3768,"marks":3769,"value":3770,"nodeType":1293},{},[],"Employee verification codes are lightweight, rotate every 24 hours, and don’t require any additional apps or devices.",{"data":3772,"content":3773,"nodeType":1294},{},[3774,3778,3787],{"data":3775,"marks":3776,"value":3777,"nodeType":1293},{},[],"Learn more about verification codes in our ",{"data":3779,"content":3783,"nodeType":2767},{"target":3780},{"sys":3781},{"id":3782,"type":1408,"linkType":1409},"4rLP8wr6HnvBG2OzqYYKpF",[3784],{"data":3785,"marks":3786,"value":3073,"nodeType":1293},{},[],{"data":3788,"marks":3789,"value":2264,"nodeType":1293},{},[],{"data":3791,"content":3792,"nodeType":1412},{},[],{"data":3794,"content":3795,"nodeType":1416},{},[3796],{"data":3797,"marks":3798,"value":2314,"nodeType":1293},{},[],{"data":3800,"content":3801,"nodeType":1294},{},[3802],{"data":3803,"marks":3804,"value":3805,"nodeType":1293},{},[],"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. ",{"data":3807,"content":3808,"nodeType":1294},{},[3809],{"data":3810,"marks":3811,"value":3812,"nodeType":1293},{},[],"You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",{"data":3814,"content":3815,"nodeType":1294},{},[3816,3820,3828,3832,3840],{"data":3817,"marks":3818,"value":3819,"nodeType":1293},{},[],"To learn more about Push, check out our latest ",{"data":3821,"content":3823,"nodeType":1330},{"uri":3822},"/resources/product-brochure",[3824],{"data":3825,"marks":3826,"value":3827,"nodeType":1293},{},[],"product overview",{"data":3829,"marks":3830,"value":3831,"nodeType":1293},{},[]," or book some time with one of our team for a ",{"data":3833,"content":3835,"nodeType":1330},{"uri":3834},"/demo",[3836],{"data":3837,"marks":3838,"value":3839,"nodeType":1293},{},[],"live demo",{"data":3841,"marks":3842,"value":2264,"nodeType":1293},{},[],"Taking the fight to attackers: Push’s top features of 2025","Here’s how real-world attacks and our own R&D informed what we built for Push customers over the last year.","2025-12-17T00:00:00.000Z","taking-the-fight-to-attackers-top-features-of-2025",{"items":3848},[3849,3851],{"sys":3850,"name":1309},{"id":1308},{"sys":3852,"name":1305},{"id":1304},{"items":3854},[3855],{"fullName":3856,"firstName":3857,"jobTitle":3858,"profilePicture":3859},"Kelly Davenport","Kelly","Product Team",{"url":3860},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"__typename":2533,"sys":3862,"content":3864,"title":4246,"synopsis":4247,"hashTags":118,"publishedDate":4248,"slug":4249,"tagsCollection":4250,"authorsCollection":4256},{"id":3863},"6YWYKGESlyUKQxvhKmBzeH",{"json":3865},{"data":3866,"content":3867,"nodeType":1295},{},[3868,3876,3883,3890,3902,3914,3922,3929,3936,3943,3949,3952,3960,3967,3974,3986,3993,4000,4008,4015,4063,4079,4086,4094,4101,4128,4135,4143,4191,4198,4234,4240],{"data":3869,"content":3870,"nodeType":1416},{},[3871],{"data":3872,"marks":3873,"value":3875,"nodeType":1293},{},[3874],{"type":1423},"EDR is still the best tool for attacks that touch the endpoint",{"data":3877,"content":3878,"nodeType":1294},{},[3879],{"data":3880,"marks":3881,"value":3882,"nodeType":1293},{},[],"Endpoint Detection and Response (EDR) tooling is fundamental to modern security. It earned its place as a foundational control by moving defense away from static, known-bad indicators and toward deep, real-time detection, investigation, and response based on behavior observed in a live environment. ",{"data":3884,"content":3885,"nodeType":1294},{},[3886],{"data":3887,"marks":3888,"value":3889,"nodeType":1293},{},[],"By running an agent inside the operating system, EDR gave defenders something they never had before: visibility into what was actually happening on the host as it happened, and the ability to act on it.",{"data":3891,"content":3892,"nodeType":1294},{},[3893,3897],{"data":3894,"marks":3895,"value":3896,"nodeType":1293},{},[],"That agent-level visibility is still incredibly powerful. File system changes, process execution, memory behavior, or registry modifications is the kind of telemetry that enables threat hunting, exposes fileless attacks, and allows teams to contain incidents by isolating a device or killing a malicious process. ",{"data":3898,"marks":3899,"value":3901,"nodeType":1293},{},[3900],{"type":1423},"For anything that touches the endpoint, EDR remains the right tool.",{"data":3903,"content":3904,"nodeType":1294},{},[3905,3909],{"data":3906,"marks":3907,"value":3908,"nodeType":1293},{},[],"But that’s the key constraint: ",{"data":3910,"marks":3911,"value":3913,"nodeType":1293},{},[3912],{"type":312},"for anything that touches the endpoint.",{"data":3915,"content":3916,"nodeType":1440},{},[3917],{"data":3918,"marks":3919,"value":3921,"nodeType":1293},{},[3920],{"type":1423},"But modern attacks have moved beyond the endpoint",{"data":3923,"content":3924,"nodeType":1294},{},[3925],{"data":3926,"marks":3927,"value":3928,"nodeType":1293},{},[],"The reality of how work gets done has shifted. Most applications are now SaaS-based and accessed entirely through a browser. Employees authenticate, move data, administer systems, and interact with customers inside a browser window. And attackers have followed them there.",{"data":3930,"content":3931,"nodeType":1294},{},[3932],{"data":3933,"marks":3934,"value":3935,"nodeType":1293},{},[],"When attacks play out in the browser, endpoint-level signals often never appear. From the operating system’s perspective, there’s just a browser process behaving normally. The EDR agent is doing exactly what it was designed to do, but the activity that matters is happening within the browser itself.",{"data":3937,"content":3938,"nodeType":1294},{},[3939],{"data":3940,"marks":3941,"value":3942,"nodeType":1293},{},[],"That’s the gap teams are running into. EDR protects the integrity of the host, but it has no visibility into the live application session inside the browser. And as attackers consciously avoid the endpoint entirely, that blind spot is becoming harder to ignore.",{"data":3944,"content":3948,"nodeType":1403},{"target":3945},{"sys":3946},{"id":3947,"type":1408,"linkType":1409},"7aVTgi4Btxl6PpzQl8kipW",[],{"data":3950,"content":3951,"nodeType":1412},{},[],{"data":3953,"content":3954,"nodeType":1416},{},[3955],{"data":3956,"marks":3957,"value":3959,"nodeType":1293},{},[3958],{"type":1423},"Attackers are consciously evading EDR",{"data":3961,"content":3962,"nodeType":1294},{},[3963],{"data":3964,"marks":3965,"value":3966,"nodeType":1293},{},[],"The gap endpoint teams are running into isn’t accidental. It’s the result of attackers adapting to where defenders are strongest (and weakest).",{"data":3968,"content":3969,"nodeType":1294},{},[3970],{"data":3971,"marks":3972,"value":3973,"nodeType":1293},{},[],"Modern EDR has made compromising the host operating system expensive and noisy. Deep telemetry and constant monitoring mean that even when an attacker manages to execute code on a device, that action is quickly under scrutiny. From there, progress is slow. After all, lateral movement and persistence take time, and all of it carries risk and generates signals defenders are good at catching.",{"data":3975,"content":3976,"nodeType":1294},{},[3977,3982],{"data":3978,"marks":3979,"value":3981,"nodeType":1293},{},[3980],{"type":1423},"So attackers take a different route. ",{"data":3983,"marks":3984,"value":3985,"nodeType":1293},{},[],"Instead of targeting the OS, they operate inside the browser session, abusing legitimate access paths to cloud applications directly over the internet. The endpoint just sees a browser session, not the malicious activity that's happening inside it. ",{"data":3987,"content":3988,"nodeType":1294},{},[3989],{"data":3990,"marks":3991,"value":3992,"nodeType":1293},{},[],"EDR agents are extremely good at protecting the operating system, but their visibility largely stops at the browser boundary. They can see that a browser process is running. They can’t see what a user is actually interacting with inside a specific tab, or what code is executing within the browser.",{"data":3994,"content":3995,"nodeType":1294},{},[3996],{"data":3997,"marks":3998,"value":3999,"nodeType":1293},{},[],"This is the shift security teams are feeling. Attacks don’t trigger endpoint alerts because they aren’t endpoint attacks. They unfold inside the browser, over standard web sessions, using legitimate accounts. To EDR, the host is unaffected. To the business, the damage is already underway.",{"data":4001,"content":4002,"nodeType":1440},{},[4003],{"data":4004,"marks":4005,"value":4007,"nodeType":1293},{},[4006],{"type":1423},"How modern attacks circumvent EDR",{"data":4009,"content":4010,"nodeType":1294},{},[4011],{"data":4012,"marks":4013,"value":4014,"nodeType":1293},{},[],"Examples of modern attacks that are consciously evading EDR by staying off the endpoint include:",{"data":4016,"content":4017,"nodeType":1456},{},[4018,4033,4048],{"data":4019,"content":4020,"nodeType":1460},{},[4021],{"data":4022,"content":4023,"nodeType":1294},{},[4024,4029],{"data":4025,"marks":4026,"value":4028,"nodeType":1293},{},[4027],{"type":1423},"AiTM phishing: ",{"data":4030,"marks":4031,"value":4032,"nodeType":1293},{},[],"Sophisticated attacker-in-the-middle phishing kits render convincing login pages directly in the browser and proxy authentication in real time, stealing credentials or MFA tokens as the user enters them. From the OS perspective, nothing appears unusual; EDR can’t see the page structure or scripts running inside the tab.",{"data":4034,"content":4035,"nodeType":1460},{},[4036],{"data":4037,"content":4038,"nodeType":1294},{},[4039,4044],{"data":4040,"marks":4041,"value":4043,"nodeType":1293},{},[4042],{"type":1423},"Session hijacking:",{"data":4045,"marks":4046,"value":4047,"nodeType":1293},{},[]," When attackers obtain a valid session token, they gain persistent access to an account without needing a password at all. Once in use, the session typically blends into normal browser activity, generating no endpoint data. ",{"data":4049,"content":4050,"nodeType":1460},{},[4051],{"data":4052,"content":4053,"nodeType":1294},{},[4054,4059],{"data":4055,"marks":4056,"value":4058,"nodeType":1293},{},[4057],{"type":1423},"Malicious browser extensions:",{"data":4060,"marks":4061,"value":4062,"nodeType":1293},{},[]," Malicious extensions (either made by attackers or hijacked by them) can read page content, intercept credentials, or siphon session tokens. Because extensions operate inside the browser’s execution model, their behavior is largely invisible to endpoint tooling focused on OS-level activity.",{"data":4064,"content":4065,"nodeType":1294},{},[4066,4070,4075],{"data":4067,"marks":4068,"value":4069,"nodeType":1293},{},[],"Even attacks that nominally involve the endpoint often stay outside EDR’s strongest visibility. ",{"data":4071,"marks":4072,"value":4074,"nodeType":1293},{},[4073],{"type":1423},"ClickFix-style social engineering",{"data":4076,"marks":4077,"value":4078,"nodeType":1293},{},[]," is a good example. Attackers manipulate users into taking risky actions that look legitimate, the most prominent example being executing malicious commands on the host that are deliberately obfuscated or broken into benign-looking steps. While EDR may catch the code execution (and any malware the execution attempts to install), these techniques are designed to stay ambiguous enough to avoid reliable detection.",{"data":4080,"content":4081,"nodeType":1294},{},[4082],{"data":4083,"marks":4084,"value":4085,"nodeType":1293},{},[],"All of these attacks succeed for the same reason: the activity unfolds inside the browser. And because EDR was never designed to observe or control what happens inside a live browser session, attackers can operate there with far less resistance.",{"data":4087,"content":4088,"nodeType":1440},{},[4089],{"data":4090,"marks":4091,"value":4093,"nodeType":1293},{},[4092],{"type":1423},"Extending detection and response to the browser",{"data":4095,"content":4096,"nodeType":1294},{},[4097],{"data":4098,"marks":4099,"value":4100,"nodeType":1293},{},[],"Defenders need to meet attackers where they actually operate. That means establishing real detection and response capabilities inside the browser itself.",{"data":4102,"content":4103,"nodeType":1294},{},[4104,4108,4113,4117,4125],{"data":4105,"marks":4106,"value":4107,"nodeType":1293},{},[],"When endpoint security evolved, it did so by putting an agent on the host to observe behavior, collect telemetry, and act at the source — ",{"data":4109,"marks":4110,"value":4112,"nodeType":1293},{},[4111],{"type":1423},"getting inside the data stream",{"data":4114,"marks":4115,"value":4116,"nodeType":1293},{},[],". The same logic applies here. If the browser is where credentials are entered, sessions are established, and attacks unfold, then it needs to be treated as a security surface in its own right. ",{"data":4118,"content":4120,"nodeType":1330},{"uri":4119},"https://pushsecurity.com/blog/push-plus-network-security",[4121],{"data":4122,"marks":4123,"value":4124,"nodeType":1293},{},[],"That doesn't mean just looking at web traffic, but examining client-side browser processes and activity that are the best, earliest indicators of bad activity. ",{"data":4126,"marks":4127,"value":37,"nodeType":1293},{},[],{"data":4129,"content":4130,"nodeType":1294},{},[4131],{"data":4132,"marks":4133,"value":4134,"nodeType":1293},{},[],"This doesn’t replace EDR. EDR secures the host. Identity tools govern authentication. But the browser, the layer that connects users to everything else, is a blind spot. Extending detection and response into that layer fills the gap while complementing the controls that already work.",{"data":4136,"content":4137,"nodeType":1440},{},[4138],{"data":4139,"marks":4140,"value":4142,"nodeType":1293},{},[4141],{"type":1423},"Your browser detection and response checklist",{"data":4144,"content":4145,"nodeType":1456},{},[4146,4161,4176],{"data":4147,"content":4148,"nodeType":1460},{},[4149],{"data":4150,"content":4151,"nodeType":1294},{},[4152,4157],{"data":4153,"marks":4154,"value":4156,"nodeType":1293},{},[4155],{"type":1423},"Browser-native protection: ",{"data":4158,"marks":4159,"value":4160,"nodeType":1293},{},[],"Running inside the browser is the only way you can see what page a user is interacting with, what scripts are running, and how the session is behaving in real time. It’s also the only place you can reliably distinguish between normal user activity and attacker-driven manipulation.",{"data":4162,"content":4163,"nodeType":1460},{},[4164],{"data":4165,"content":4166,"nodeType":1294},{},[4167,4172],{"data":4168,"marks":4169,"value":4171,"nodeType":1293},{},[4170],{"type":1423},"Behavioral detection:",{"data":4173,"marks":4174,"value":4175,"nodeType":1293},{},[]," Detection can’t rely on static indicators. It has to be based on behaviors — like how pages render, how credentials are submitted, and how sessions are established and abused. ",{"data":4177,"content":4178,"nodeType":1460},{},[4179],{"data":4180,"content":4181,"nodeType":1294},{},[4182,4187],{"data":4183,"marks":4184,"value":4186,"nodeType":1293},{},[4185],{"type":1423},"Real-time interception:",{"data":4188,"marks":4189,"value":4190,"nodeType":1293},{},[]," Response has to be immediate. Blocking credential submission, interrupting a malicious action, capturing high-fidelity context, all of that needs to happen at the point of interaction — before an account is compromised.",{"data":4192,"content":4193,"nodeType":1294},{},[4194],{"data":4195,"marks":4196,"value":4197,"nodeType":1293},{},[],"This is what it means to extend detection and response to the browser: not another tool bolted onto the stack, but a necessary evolution in how modern attacks are actually stopped.",{"data":4199,"content":4200,"nodeType":2186},{},[4201],{"data":4202,"content":4203,"nodeType":1294},{},[4204,4207,4213,4216,4222,4225,4231],{"data":4205,"marks":4206,"value":2346,"nodeType":1293},{},[],{"data":4208,"content":4209,"nodeType":1330},{"uri":2351},[4210],{"data":4211,"marks":4212,"value":2354,"nodeType":1293},{},[],{"data":4214,"marks":4215,"value":1341,"nodeType":1293},{},[],{"data":4217,"content":4218,"nodeType":1330},{"uri":2363},[4219],{"data":4220,"marks":4221,"value":2366,"nodeType":1293},{},[],{"data":4223,"marks":4224,"value":2371,"nodeType":1293},{},[],{"data":4226,"content":4227,"nodeType":1330},{"uri":2376},[4228],{"data":4229,"marks":4230,"value":2379,"nodeType":1293},{},[],{"data":4232,"marks":4233,"value":2264,"nodeType":1293},{},[],{"data":4235,"content":4239,"nodeType":1403},{"target":4236},{"sys":4237},{"id":4238,"type":1408,"linkType":1409},"1doMkOu2ZuGqMp2VJgV5pb",[],{"data":4241,"content":4242,"nodeType":1294},{},[4243],{"data":4244,"marks":4245,"value":37,"nodeType":1293},{},[],"Push + Endpoint Security: Extending detection and response to the browser","Why extending detection and response into the browser is crucial in the face of modern attacks that consciously evade the network and endpoint. ","2026-01-30T00:00:00.000Z","push-plus-endpoint-security",{"items":4251},[4252,4254],{"sys":4253,"name":1305},{"id":1304},{"sys":4255,"name":1309},{"id":1308},{"items":4257},[4258],{"fullName":4259,"firstName":4260,"jobTitle":3858,"profilePicture":4261},"Peyton Padfield","Peyton",{"url":4262},"https://images.ctfassets.net/y1cdw1ablpvd/1GU01HXElmc07nwi89qP3b/3188050420106c62e9df2ed4e4893b7f/1677005177901__1_.jpeg",{"__typename":2533,"sys":4264,"content":4266,"title":4762,"synopsis":4763,"hashTags":118,"publishedDate":4248,"slug":4764,"tagsCollection":4765,"authorsCollection":4771},{"id":4265},"5caCcGCqMMPm5KlwUv0sbz",{"json":4267},{"data":4268,"content":4269,"nodeType":1295},{},[4270,4278,4285,4292,4304,4312,4319,4326,4333,4341,4344,4352,4359,4366,4373,4392,4398,4405,4424,4432,4554,4557,4565,4572,4584,4591,4597,4604,4611,4619,4626,4634,4641,4648,4655,4703,4715,4751,4756],{"data":4271,"content":4272,"nodeType":1416},{},[4273],{"data":4274,"marks":4275,"value":4277,"nodeType":1293},{},[4276],{"type":1423},"Defense used to start at the network perimeter",{"data":4279,"content":4280,"nodeType":1294},{},[4281],{"data":4282,"marks":4283,"value":4284,"nodeType":1293},{},[],"If you've been working in security for any length of time, you know where defense starts: the network. Long before cloud-first or SaaS-first became default, the perimeter was where defenders had leverage: visibility, enforcement, and control over traffic moving in and out of the organization.",{"data":4286,"content":4287,"nodeType":1294},{},[4288],{"data":4289,"marks":4290,"value":4291,"nodeType":1293},{},[],"That mental model hasn’t disappeared. Secure Web Gateways, Cloud Access Security Brokers, and the converged Security Service Edge architecture exist because the problem they solve is still real. Organizations generate an enormous volume of web traffic, and someone has to monitor it, filter it, and enforce policy at scale. These tools sit inline, log metadata, apply categorization, and block what’s already known to be dangerous. Without them, the environment quickly becomes unmanageable and extremely difficult to secure.",{"data":4293,"content":4294,"nodeType":1294},{},[4295,4299],{"data":4296,"marks":4297,"value":4298,"nodeType":1293},{},[],"They are very good at what they were designed to do: securing the wire. ",{"data":4300,"marks":4301,"value":4303,"nodeType":1293},{},[4302],{"type":1423},"But what happens over the wire is not the full picture. ",{"data":4305,"content":4306,"nodeType":1440},{},[4307],{"data":4308,"marks":4309,"value":4311,"nodeType":1293},{},[4310],{"type":1423},"Traffic isn't the whole picture anymore",{"data":4313,"content":4314,"nodeType":1294},{},[4315],{"data":4316,"marks":4317,"value":4318,"nodeType":1293},{},[],"A significant amount of activity happens locally, inside the browser, beyond the visibility of network controls. Modern webpages are effectively complicated web apps that are rendered client-side via JavaScript — and not everything that happens on the page is traffic-generating. ",{"data":4320,"content":4321,"nodeType":1294},{},[4322],{"data":4323,"marks":4324,"value":4325,"nodeType":1293},{},[],"That distinction matters more than it used to. Authentication, data access, administrative actions, almost all of it now happens inside a browser tab. As a result, the browser has become a central point of both productivity and risk.",{"data":4327,"content":4328,"nodeType":1294},{},[4329],{"data":4330,"marks":4331,"value":4332,"nodeType":1293},{},[],"Network tools still see the pipeline of traffic moving back and forth. But attackers have adapted to operate within that pipeline rather than around it. They don’t need to break the connection or trigger obvious anomalies. They target the content rendered inside the browser and the user interacting with it.",{"data":4334,"content":4335,"nodeType":1294},{},[4336],{"data":4337,"marks":4338,"value":4340,"nodeType":1293},{},[4339],{"type":1423},"That leaves security teams with noisy traffic visibility and very little insight into the actual attack unfolding inside the browser session.",{"data":4342,"content":4343,"nodeType":1412},{},[],{"data":4345,"content":4346,"nodeType":1416},{},[4347],{"data":4348,"marks":4349,"value":4351,"nodeType":1293},{},[4350],{"type":1423},"Traffic visibility vs. in-browser context",{"data":4353,"content":4354,"nodeType":1294},{},[4355],{"data":4356,"marks":4357,"value":4358,"nodeType":1293},{},[],"The modern attacker's playbook is built on a simple idea: stay inside the network’s line of sight without triggering detections or enforcement. Containing operations to the browser layer provides attackers with an easy bypass of many traditional network controls without ever needing to break or evade them outright.",{"data":4360,"content":4361,"nodeType":1294},{},[4362],{"data":4363,"marks":4364,"value":4365,"nodeType":1293},{},[],"They do this by staying ahead of known-bad detection models, constantly rotating domains and URLs, using anti-analysis techniques, and delivering phishing lures through channels that bypass traditional network ingress points like the email gateway (like social media or SMS). In many cases, the link is never evaluated by perimeter controls at all.",{"data":4367,"content":4368,"nodeType":1294},{},[4369],{"data":4370,"marks":4371,"value":4372,"nodeType":1293},{},[],"This creates a fundamental visibility gap. Network security tools can see a request going to a legitimate-looking destination, but they can’t observe what happens once the page executes client-side in the browser. Malicious scripts and phishing elements often don’t appear until after the page loads and a user interacts with it, leaving nothing obviously known-bad for network controls to detect.",{"data":4374,"content":4375,"nodeType":1294},{},[4376,4380,4388],{"data":4377,"marks":4378,"value":4379,"nodeType":1293},{},[],"Blocklists don’t help much here either. Domains rotate constantly, and the window between a phishing site going live and being categorized as malicious is more than enough time for an attacker to succeed. Until that happens, the traffic appears benign and the user is free to interact with the page. And to make matters worse, attackers are leveraging ",{"data":4381,"content":4383,"nodeType":1330},{"uri":4382},"https://pushsecurity.com/blog/phishing-detection-evasion-launch/",[4384],{"data":4385,"marks":4386,"value":4387,"nodeType":1293},{},[],"detection evasion techniques",{"data":4389,"marks":4390,"value":4391,"nodeType":1293},{},[]," designed to frustrate these detections — meaning most bad pages aren't spotted until it's way too late. ",{"data":4393,"content":4397,"nodeType":1403},{"target":4394},{"sys":4395},{"id":4396,"type":1408,"linkType":1409},"38X1De97xJ8B6GNXTHW6Y5",[],{"data":4399,"content":4400,"nodeType":1294},{},[4401],{"data":4402,"marks":4403,"value":4404,"nodeType":1293},{},[],"Consider attacker-in-the-middle phishing. From the proxy’s perspective, everything looks clean: user → reputable domain → “standard” web traffic. The phishing infrastructure is often hidden behind redirects or conditional logic designed to screen out proxies and scanners. Inside the browser session, however, credentials are intercepted, session tokens are harvested, and MFA is bypassed in real time.",{"data":4406,"content":4407,"nodeType":1294},{},[4408,4412,4420],{"data":4409,"marks":4410,"value":4411,"nodeType":1293},{},[],"For ",{"data":4413,"content":4415,"nodeType":1330},{"uri":4414},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[4416],{"data":4417,"marks":4418,"value":4419,"nodeType":1293},{},[],"modern threat groups",{"data":4421,"marks":4422,"value":4423,"nodeType":1293},{},[],", these obscured attack vectors lead directly to initial access and account takeover. The network is no longer the control point where the most consequential attacks can be reliably stopped.",{"data":4425,"content":4426,"nodeType":1294},{},[4427],{"data":4428,"marks":4429,"value":4431,"nodeType":1293},{},[4430],{"type":312},"Browser telemetry is key to detecting and blocking malicious content in real-time, rather than relying on blocklists using known-bad indicators like domains and IPs that go out of date as quickly as new entries appear.",{"data":4433,"content":4434,"nodeType":4553},{},[4435,4460,4484,4507,4530],{"data":4436,"content":4437,"nodeType":4459},{},[4438,4449],{"data":4439,"content":4440,"nodeType":4448},{},[4441],{"data":4442,"content":4443,"nodeType":1294},{},[4444],{"data":4445,"marks":4446,"value":4447,"nodeType":1293},{},[],"What you see with traffic analysis","table-header-cell",{"data":4450,"content":4451,"nodeType":4448},{},[4452],{"data":4453,"content":4454,"nodeType":1294},{},[4455],{"data":4456,"marks":4457,"value":4458,"nodeType":1293},{},[],"What you can see with browser telemetry","table-row",{"data":4461,"content":4462,"nodeType":4459},{},[4463,4474],{"data":4464,"content":4465,"nodeType":4473},{},[4466],{"data":4467,"content":4468,"nodeType":1294},{},[4469],{"data":4470,"marks":4471,"value":4472,"nodeType":1293},{},[],"HTTP request/response bodies ","table-cell",{"data":4475,"content":4476,"nodeType":4473},{},[4477],{"data":4478,"content":4479,"nodeType":1294},{},[4480],{"data":4481,"marks":4482,"value":4483,"nodeType":1293},{},[],"DOM structure fingerprints",{"data":4485,"content":4486,"nodeType":4459},{},[4487,4497],{"data":4488,"content":4489,"nodeType":4473},{},[4490],{"data":4491,"content":4492,"nodeType":1294},{},[4493],{"data":4494,"marks":4495,"value":4496,"nodeType":1293},{},[],"URLs and headers",{"data":4498,"content":4499,"nodeType":4473},{},[4500],{"data":4501,"content":4502,"nodeType":1294},{},[4503],{"data":4504,"marks":4505,"value":4506,"nodeType":1293},{},[],"User interaction metadata ",{"data":4508,"content":4509,"nodeType":4459},{},[4510,4520],{"data":4511,"content":4512,"nodeType":4473},{},[4513],{"data":4514,"content":4515,"nodeType":1294},{},[4516],{"data":4517,"marks":4518,"value":4519,"nodeType":1293},{},[],"Cookie values in transit",{"data":4521,"content":4522,"nodeType":4473},{},[4523],{"data":4524,"content":4525,"nodeType":1294},{},[4526],{"data":4527,"marks":4528,"value":4529,"nodeType":1293},{},[],"Cookie names and attributes",{"data":4531,"content":4532,"nodeType":4459},{},[4533,4543],{"data":4534,"content":4535,"nodeType":4473},{},[4536],{"data":4537,"content":4538,"nodeType":1294},{},[4539],{"data":4540,"marks":4541,"value":4542,"nodeType":1293},{},[],"Static JS code",{"data":4544,"content":4545,"nodeType":4473},{},[4546],{"data":4547,"content":4548,"nodeType":1294},{},[4549],{"data":4550,"marks":4551,"value":4552,"nodeType":1293},{},[],"Script execution patterns and dynamic JS analysis","table",{"data":4555,"content":4556,"nodeType":1412},{},[],{"data":4558,"content":4559,"nodeType":1416},{},[4560],{"data":4561,"marks":4562,"value":4564,"nodeType":1293},{},[4563],{"type":1423},"Securing the browser session is key to stopping modern threats",{"data":4566,"content":4567,"nodeType":1294},{},[4568],{"data":4569,"marks":4570,"value":4571,"nodeType":1293},{},[],"If the browser is where users actually work, and where attackers actually operate, then that’s the layer that defenders need to understand and control.",{"data":4573,"content":4574,"nodeType":1294},{},[4575,4579],{"data":4576,"marks":4577,"value":4578,"nodeType":1293},{},[],"Modern web-based attacks don’t succeed because traffic goes uninspected. They succeed because network inspection can’t follow the interaction far enough. Traffic shows where data went, not what the user actually saw or did, ",{"data":4580,"marks":4581,"value":4583,"nodeType":1293},{},[4582],{"type":1423},"and in today’s attacks, that distinction matters.",{"data":4585,"content":4586,"nodeType":1294},{},[4587],{"data":4588,"marks":4589,"value":4590,"nodeType":1293},{},[],"To stop these threats, you have to see what the user is actually interacting with. Things like what scripts are loading, how the DOM is being manipulated, or whether the login form a user is using is legitimate or being proxied. Those are page-level signals, and they only exist inside the browser tab.",{"data":4592,"content":4596,"nodeType":1403},{"target":4593},{"sys":4594},{"id":4595,"type":1408,"linkType":1409},"6qMaivxhJ3xT9DkwXGcCSJ",[],{"data":4598,"content":4599,"nodeType":1294},{},[4600],{"data":4601,"marks":4602,"value":4603,"nodeType":1293},{},[],"That same shift applies to control. Destination-based blocking breaks down when the destination itself appears legitimate. Effective intervention requires decisions based on behavior as it unfolds so teams can stop risky or malicious activity that would compromise an account.",{"data":4605,"content":4606,"nodeType":1294},{},[4607],{"data":4608,"marks":4609,"value":4610,"nodeType":1293},{},[],"And visibility can’t stop at centrally managed applications. Shadow SaaS breaks any assumption that access patterns are uniform or fully governed by the IdP. Local accounts, duplicate identities, and password-only logins don’t show up clearly in network telemetry, but they materially expand the attack surface. Seeing every login, across every app, directly from the browser is the only way to build an accurate picture of who has access to what.",{"data":4612,"content":4613,"nodeType":1440},{},[4614],{"data":4615,"marks":4616,"value":4618,"nodeType":1293},{},[4617],{"type":1423},"Push provides the missing context for network security",{"data":4620,"content":4621,"nodeType":1294},{},[4622],{"data":4623,"marks":4624,"value":4625,"nodeType":1293},{},[],"At this point, the gap should be clear. Network security gives you strong control over traffic, but very little insight into what actually happens once that traffic lands in a user’s browser.",{"data":4627,"content":4628,"nodeType":1294},{},[4629],{"data":4630,"marks":4631,"value":4633,"nodeType":1293},{},[4632],{"type":1423},"This is where Push can help.",{"data":4635,"content":4636,"nodeType":1294},{},[4637],{"data":4638,"marks":4639,"value":4640,"nodeType":1293},{},[],"The Push browser agent extends monitoring into the browser itself, providing the visibility and control that perimeter-based tools can’t deliver. It doesn’t replace SSE, SWG, or CASB. Those tools remain the right way to manage traffic and enforce policy at the edge. Push complements them by operating in the one place they can’t: inside the live browser session.",{"data":4642,"content":4643,"nodeType":1294},{},[4644],{"data":4645,"marks":4646,"value":4647,"nodeType":1293},{},[],"Push does this by deploying a browser-native agent, similar in spirit to how EDR works at the host level. That agent gives defenders direct insight into what the network can’t see like the page being rendered, how the user is interacting with it, and the attack techniques that play out entirely within the tab.",{"data":4649,"content":4650,"nodeType":1294},{},[4651],{"data":4652,"marks":4653,"value":4654,"nodeType":1293},{},[],"With Push deployed, teams gain:",{"data":4656,"content":4657,"nodeType":1456},{},[4658,4673,4688],{"data":4659,"content":4660,"nodeType":1460},{},[4661],{"data":4662,"content":4663,"nodeType":1294},{},[4664,4669],{"data":4665,"marks":4666,"value":4668,"nodeType":1293},{},[4667],{"type":1423},"Real-time, in-browser threat detection:",{"data":4670,"marks":4671,"value":4672,"nodeType":1293},{},[]," Detect and stop attacks like AiTM phishing and session hijacking based on what’s actually happening in the browser. Instead of relying on blocklists or downstream signals, Push identifies attacker behavior as it unfolds and can intervene before credentials or session tokens are stolen.",{"data":4674,"content":4675,"nodeType":1460},{},[4676],{"data":4677,"content":4678,"nodeType":1294},{},[4679,4684],{"data":4680,"marks":4681,"value":4683,"nodeType":1293},{},[4682],{"type":1423},"Complete visibility into SaaS access: ",{"data":4685,"marks":4686,"value":4687,"nodeType":1293},{},[],"Build a true inventory of user identities and authentication methods across every application in use, including shadow SaaS. Push fills the gaps left by network and IdP logs, giving teams a real picture of where access exists and how it’s being granted.",{"data":4689,"content":4690,"nodeType":1460},{},[4691],{"data":4692,"content":4693,"nodeType":1294},{},[4694,4699],{"data":4695,"marks":4696,"value":4698,"nodeType":1293},{},[4697],{"type":1423},"Streamlined hardening at the point of access:",{"data":4700,"marks":4701,"value":4702,"nodeType":1293},{},[]," Use the browser as a control point to enforce secure login behavior everywhere it matters. Mandate MFA, steer users toward SSO, and block risky credentials on unmanaged apps, shifting from reactive cleanup to continuous, preventative hardening.",{"data":4704,"content":4705,"nodeType":1294},{},[4706,4710],{"data":4707,"marks":4708,"value":4709,"nodeType":1293},{},[],"The result is a unified model and real defense in depth. ",{"data":4711,"marks":4712,"value":4714,"nodeType":1293},{},[4713],{"type":1423},"Network tools secure the pipeline, and Push secures the user moving through it.",{"data":4716,"content":4717,"nodeType":2186},{},[4718],{"data":4719,"content":4720,"nodeType":1294},{},[4721,4724,4730,4733,4739,4742,4748],{"data":4722,"marks":4723,"value":2346,"nodeType":1293},{},[],{"data":4725,"content":4726,"nodeType":1330},{"uri":2351},[4727],{"data":4728,"marks":4729,"value":2354,"nodeType":1293},{},[],{"data":4731,"marks":4732,"value":1341,"nodeType":1293},{},[],{"data":4734,"content":4735,"nodeType":1330},{"uri":2363},[4736],{"data":4737,"marks":4738,"value":2366,"nodeType":1293},{},[],{"data":4740,"marks":4741,"value":2371,"nodeType":1293},{},[],{"data":4743,"content":4744,"nodeType":1330},{"uri":2376},[4745],{"data":4746,"marks":4747,"value":2379,"nodeType":1293},{},[],{"data":4749,"marks":4750,"value":2264,"nodeType":1293},{},[],{"data":4752,"content":4755,"nodeType":1403},{"target":4753},{"sys":4754},{"id":4238,"type":1408,"linkType":1409},[],{"data":4757,"content":4758,"nodeType":1294},{},[4759],{"data":4760,"marks":4761,"value":37,"nodeType":1293},{},[],"Push + Network Security: The gap between seeing the packet and securing the session","Why network and web traffic only gives you part of the picture when it comes to modern browser-based attacks. ","push-plus-network-security",{"items":4766},[4767,4769],{"sys":4768,"name":1305},{"id":1304},{"sys":4770,"name":1309},{"id":1308},{"items":4772},[4773],{"fullName":4259,"firstName":4260,"jobTitle":3858,"profilePicture":4774},{"url":4262},"content:blog:browser-extension-management-guide.json","json","content","blog/browser-extension-management-guide.json","blog/browser-extension-management-guide",1776359981735]