[{"data":1,"prerenderedAt":4397},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/fixing-secops-alert-fatigue-with-browser-telemetry":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook (script behavior, session hijacks, DOM changes, and user inputs), then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1296,"synopsis":1297,"hashTags":118,"publishedDate":1298,"slug":1299,"tagsCollection":1300,"relatedBlogPostsCollection":1310,"authorsCollection":3781,"content":3789,"_id":4392,"_type":4393,"_source":4394,"_file":4395,"_stem":4396,"_extension":4393},"/blog/fixing-secops-alert-fatigue-with-browser-telemetry","blog",{"id":1280,"publishedAt":1281},"6jYmU1ROpwI41mmzk7ioKd","2025-11-18T10:17:09.351Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"da
ta":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"The alert fatigue epidemic has reached crisis proportions, fueled by an expanding attack surface and telemetry gaps. But it's not all doom and gloom: the browser presents security teams with a net-new data source that is objectively better at detecting early-stage indicators of attack. Here's what you need to know. ","text","paragraph","document","Fixing SecOps alert fatigue with browser telemetry","How browser data can improve detection fidelity and reduce alert fatigue, enabling SecOps teams to save time and detect more attacks.","2025-10-07T00:00:00.000Z","fixing-secops-alert-fatigue-with-browser-telemetry",{"items":1301},[1302,1306],{"sys":1303,"name":1305},{"id":1304},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1307,"name":1309},{"id":1308},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1311},[1312,2305,3110],{"__typename":1313,"sys":1314,"content":1316,"title":2287,"synopsis":2288,"hashTags":118,"publishedDate":2289,"slug":2290,"tagsCollection":2291,"authorsCollection":2297},"BlogPosts",{"id":1315},"2sFCww9xnI8okIxhtOaiY1",{"json":1317},{"nodeType":1295,"data":1318,"content":1319},{},[1320,1327,1334,1341,1345,1355,1362,1369,1378,1385,1391,1413,1420,1432,1435,1443,1450,1466,1473,1485,1491,1494,1502,1511,1517,1526,1546,1555,1562,1571,1590,1599,1606,1615,1648,1657,1664,1673,1691,1697,1706,1713,1722,1765,1768,1776,1785,1805,1814,1821,1830,1863,1869,1878,1885,1891,1894,1902,1911,1918,1980,1986,1989,1997,2006,2013,2019,2022,2030,2037,2044,2114,2121,2184,2191,2194,2202,2209,2216,2222,2225,2233,2240,2247,2254],{"nodeType":1294,"data":1321,"content":1322},{},[1323],{"nodeType":1293,"value":1324,"marks":1325,"data":1326},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. 
",[],{},{"nodeType":1294,"data":1328,"content":1329},{},[1330],{"nodeType":1293,"value":1331,"marks":1332,"data":1333},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. ",[],{},{"nodeType":1294,"data":1335,"content":1336},{},[1337],{"nodeType":1293,"value":1338,"marks":1339,"data":1340},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. ",[],{},{"nodeType":1342,"data":1343,"content":1344},"hr",{},[],{"nodeType":1346,"data":1347,"content":1348},"heading-1",{},[1349],{"nodeType":1293,"value":1350,"marks":1351,"data":1354},"How did we get here? ",[1352],{"type":1353},"bold",{},{"nodeType":1294,"data":1356,"content":1357},{},[1358],{"nodeType":1293,"value":1359,"marks":1360,"data":1361},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":1294,"data":1363,"content":1364},{},[1365],{"nodeType":1293,"value":1366,"marks":1367,"data":1368},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. 
",[],{},{"nodeType":1370,"data":1371,"content":1377},"embedded-entry-block",{"target":1372},{"sys":1373},{"id":1374,"type":1375,"linkType":1376},"1Vt269d7n6IGMzOrJs1FDx","Link","Entry",[],{"nodeType":1294,"data":1379,"content":1380},{},[1381],{"nodeType":1293,"value":1382,"marks":1383,"data":1384},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":1370,"data":1386,"content":1390},{"target":1387},{"sys":1388},{"id":1389,"type":1375,"linkType":1376},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":1294,"data":1392,"content":1393},{},[1394,1398,1409],{"nodeType":1293,"value":1395,"marks":1396,"data":1397},"It didn’t stop there, though. What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":1399,"data":1400,"content":1402},"hyperlink",{"uri":1401},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[1403],{"nodeType":1293,"value":1404,"marks":1405,"data":1408},"over 1.5 billion records from 1000+ companies",[1406],{"type":1407},"underline",{},{"nodeType":1293,"value":1410,"marks":1411,"data":1412}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":1294,"data":1414,"content":1415},{},[1416],{"nodeType":1293,"value":1417,"marks":1418,"data":1419},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":1294,"data":1421,"content":1422},{},[1423,1427],{"nodeType":1293,"value":1424,"marks":1425,"data":1426},"The most significant 
breach this year to date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":1293,"value":1428,"marks":1429,"data":1431},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. ",[1430],{"type":1353},{},{"nodeType":1342,"data":1433,"content":1434},{},[],{"nodeType":1346,"data":1436,"content":1437},{},[1438],{"nodeType":1293,"value":1439,"marks":1440,"data":1442},"2025 wasn’t a one-off",[1441],{"type":1353},{},{"nodeType":1294,"data":1444,"content":1445},{},[1446],{"nodeType":1293,"value":1447,"marks":1448,"data":1449},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. ",[],{},{"nodeType":1294,"data":1451,"content":1452},{},[1453,1457,1462],{"nodeType":1293,"value":1454,"marks":1455,"data":1456},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":1293,"value":1458,"marks":1459,"data":1461},"The TTPs used show a conscious decision by attackers to move away from environments that are well-protected by traditional security tools. ",[1460],{"type":1353},{},{"nodeType":1293,"value":1463,"marks":1464,"data":1465},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":1294,"data":1467,"content":1468},{},[1469],{"nodeType":1293,"value":1470,"marks":1471,"data":1472},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. 
Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":1294,"data":1474,"content":1475},{},[1476,1480],{"nodeType":1293,"value":1477,"marks":1478,"data":1479},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":1293,"value":1481,"marks":1482,"data":1484},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. ",[1483],{"type":1353},{},{"nodeType":1370,"data":1486,"content":1490},{"target":1487},{"sys":1488},{"id":1489,"type":1375,"linkType":1376},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":1342,"data":1492,"content":1493},{},[],{"nodeType":1346,"data":1495,"content":1496},{},[1497],{"nodeType":1293,"value":1498,"marks":1499,"data":1501},"TTP breakdown: Analysing the top “Scattered Lapsus$ Hunters” breaches since 2021",[1500],{"type":1353},{},{"nodeType":1503,"data":1504,"content":1505},"heading-2",{},[1506],{"nodeType":1293,"value":1507,"marks":1508,"data":1510},"Phishing and stolen credentials",[1509],{"type":1353},{},{"nodeType":1370,"data":1512,"content":1516},{"target":1513},{"sys":1514},{"id":1515,"type":1375,"linkType":1376},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":1294,"data":1518,"content":1519},{},[1520],{"nodeType":1293,"value":1521,"marks":1522,"data":1525},"EA Games (2021)",[1523,1524],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1527,"content":1528},{},[1529,1533,1542],{"nodeType":1293,"value":1530,"marks":1531,"data":1532},"Attackers used stolen session cookies to log into EA’s Slack instance, purchased 
on a criminal forum. Combined with ",[],{},{"nodeType":1399,"data":1534,"content":1536},{"uri":1535},"https://pushsecurity.com/blog/phishing-slack-persistence/",[1537],{"nodeType":1293,"value":1538,"marks":1539,"data":1541},"social engineering via Slack",[1540],{"type":1407},{},{"nodeType":1293,"value":1543,"marks":1544,"data":1545},", this was used to steal 750GB of data, including video game source code. ",[],{},{"nodeType":1294,"data":1547,"content":1548},{},[1549],{"nodeType":1293,"value":1550,"marks":1551,"data":1554},"Nvidia (2022)",[1552,1553],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1556,"content":1557},{},[1558],{"nodeType":1293,"value":1559,"marks":1560,"data":1561},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":1294,"data":1563,"content":1564},{},[1565],{"nodeType":1293,"value":1566,"marks":1567,"data":1570},"Microsoft (2022)",[1568,1569],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1572,"content":1573},{},[1574,1578,1586],{"nodeType":1293,"value":1575,"marks":1576,"data":1577},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":1399,"data":1579,"content":1581},{"uri":1580},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[1582],{"nodeType":1293,"value":1583,"marks":1584,"data":1585},"MFA fatigue",[],{},{"nodeType":1293,"value":1587,"marks":1588,"data":1589}," attacks to steal Azure DevOps source code, and leaked a 9GB archive of Microsoft source code — including ~90% of Bing and 45% of Cortana code. 
",[],{},{"nodeType":1294,"data":1591,"content":1592},{},[1593],{"nodeType":1293,"value":1594,"marks":1595,"data":1598},"T-Mobile (2022)",[1596,1597],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1600,"content":1601},{},[1602],{"nodeType":1293,"value":1603,"marks":1604,"data":1605},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. ",[],{},{"nodeType":1294,"data":1607,"content":1608},{},[1609],{"nodeType":1293,"value":1610,"marks":1611,"data":1614},"Snowflake (165 customers) (2024)",[1612,1613],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1616,"content":1617},{},[1618,1622,1631,1635,1644],{"nodeType":1293,"value":1619,"marks":1620,"data":1621},"Attackers targeted ",[],{},{"nodeType":1399,"data":1623,"content":1625},{"uri":1624},"https://pushsecurity.com/blog/snowflake-retro/",[1626],{"nodeType":1293,"value":1627,"marks":1628,"data":1630},"165 Snowflake customers",[1629],{"type":1407},{},{"nodeType":1293,"value":1632,"marks":1633,"data":1634}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":1399,"data":1636,"content":1638},{"uri":1637},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[1639],{"nodeType":1293,"value":1640,"marks":1641,"data":1643},"ghost logins",[1642],{"type":1407},{},{"nodeType":1293,"value":1645,"marks":1646,"data":1647},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. 
",[],{},{"nodeType":1294,"data":1649,"content":1650},{},[1651],{"nodeType":1293,"value":1652,"marks":1653,"data":1656},"PowerSchool (2024)",[1654,1655],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1658,"content":1659},{},[1660],{"nodeType":1293,"value":1661,"marks":1662,"data":1663},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":1294,"data":1665,"content":1666},{},[1667],{"nodeType":1293,"value":1668,"marks":1669,"data":1672},"Red Hat (2025)",[1670,1671],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1674,"content":1675},{},[1676,1680,1687],{"nodeType":1293,"value":1677,"marks":1678,"data":1679},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":1399,"data":1681,"content":1682},{"uri":1637},[1683],{"nodeType":1293,"value":1640,"marks":1684,"data":1686},[1685],{"type":1407},{},{"nodeType":1293,"value":1688,"marks":1689,"data":1690}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure. 
",[],{},{"nodeType":1370,"data":1692,"content":1696},{"target":1693},{"sys":1694},{"id":1695,"type":1375,"linkType":1376},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":1294,"data":1698,"content":1699},{},[1700],{"nodeType":1293,"value":1701,"marks":1702,"data":1705},"Discord (2025)",[1703,1704],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1707,"content":1708},{},[1709],{"nodeType":1293,"value":1710,"marks":1711,"data":1712},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained payment information.",[],{},{"nodeType":1294,"data":1714,"content":1715},{},[1716],{"nodeType":1293,"value":1717,"marks":1718,"data":1721},"SoundCloud, MatchGroup, Crunchbase, Betterment... (2026)",[1719,1720],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1723,"content":1724},{},[1725,1729,1737,1741,1749,1753,1761],{"nodeType":1293,"value":1726,"marks":1727,"data":1728},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. 
",[],{},{"nodeType":1399,"data":1730,"content":1732},{"uri":1731},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[1733],{"nodeType":1293,"value":1734,"marks":1735,"data":1736},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":1293,"value":1738,"marks":1739,"data":1740}," and ",[],{},{"nodeType":1399,"data":1742,"content":1744},{"uri":1743},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[1745],{"nodeType":1293,"value":1746,"marks":1747,"data":1748},"MatchGroup",[],{},{"nodeType":1293,"value":1750,"marks":1751,"data":1752}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":1399,"data":1754,"content":1756},{"uri":1755},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[1757],{"nodeType":1293,"value":1758,"marks":1759,"data":1760},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":1293,"value":1762,"marks":1763,"data":1764}," targeting Okta, Entra, and Google SSO accounts. This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":1342,"data":1766,"content":1767},{},[],{"nodeType":1503,"data":1769,"content":1770},{},[1771],{"nodeType":1293,"value":1772,"marks":1773,"data":1775},"Vishing and help desk scams",[1774],{"type":1353},{},{"nodeType":1294,"data":1777,"content":1778},{},[1779],{"nodeType":1293,"value":1780,"marks":1781,"data":1784},"MGM Resorts & Caesars (2023)",[1782,1783],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1786,"content":1787},{},[1788,1792,1801],{"nodeType":1293,"value":1789,"marks":1790,"data":1791},"MGM Resorts and Caesars were hit with twin breaches in 2023. 
Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":1399,"data":1793,"content":1795},{"uri":1794},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[1796],{"nodeType":1293,"value":1797,"marks":1798,"data":1800},"inbound federation",[1799],{"type":1407},{},{"nodeType":1293,"value":1802,"marks":1803,"data":1804}," — granting comprehensive access that was used to deploy ransomware. ",[],{},{"nodeType":1294,"data":1806,"content":1807},{},[1808],{"nodeType":1293,"value":1809,"marks":1810,"data":1813},"Transport for London (2024)",[1811,1812],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1815,"content":1816},{},[1817],{"nodeType":1293,"value":1818,"marks":1819,"data":1820},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users’ bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":1294,"data":1822,"content":1823},{},[1824],{"nodeType":1293,"value":1825,"marks":1826,"data":1829},"Marks & Spencer (2025)",[1827,1828],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1831,"content":1832},{},[1833,1837,1846,1850,1859],{"nodeType":1293,"value":1834,"marks":1835,"data":1836},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":1399,"data":1838,"content":1840},{"uri":1839},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[1841],{"nodeType":1293,"value":1842,"marks":1843,"data":1845},"help desk scam",[1844],{"type":1407},{},{"nodeType":1293,"value":1847,"marks":1848,"data":1849},", which enabled them to steal 
sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":1399,"data":1851,"content":1853},{"uri":1852},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[1854],{"nodeType":1293,"value":1855,"marks":1856,"data":1858},"VMware admin console",[1857],{"type":1407},{},{"nodeType":1293,"value":1860,"marks":1861,"data":1862},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. ",[],{},{"nodeType":1370,"data":1864,"content":1868},{"target":1865},{"sys":1866},{"id":1867,"type":1375,"linkType":1376},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":1294,"data":1870,"content":1871},{},[1872],{"nodeType":1293,"value":1873,"marks":1874,"data":1877},"Jaguar Land Rover (2025)",[1875,1876],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1879,"content":1880},{},[1881],{"nodeType":1293,"value":1882,"marks":1883,"data":1884},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. 
",[],{},{"nodeType":1370,"data":1886,"content":1890},{"target":1887},{"sys":1888},{"id":1889,"type":1375,"linkType":1376},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":1342,"data":1892,"content":1893},{},[],{"nodeType":1503,"data":1895,"content":1896},{},[1897],{"nodeType":1293,"value":1898,"marks":1899,"data":1901},"Malicious OAuth integrations",[1900],{"type":1353},{},{"nodeType":1294,"data":1903,"content":1904},{},[1905],{"nodeType":1293,"value":1906,"marks":1907,"data":1910},"Salesforce & Salesloft (1000+ customers) (2025)",[1908,1909],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":1912,"content":1913},{},[1914],{"nodeType":1293,"value":1915,"marks":1916,"data":1917},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. This campaign consisted of three phases:",[],{},{"nodeType":1919,"data":1920,"content":1921},"unordered-list",{},[1922,1938,1953],{"nodeType":1923,"data":1924,"content":1925},"list-item",{},[1926],{"nodeType":1294,"data":1927,"content":1928},{},[1929,1934],{"nodeType":1293,"value":1930,"marks":1931,"data":1933},"Phase 1:",[1932],{"type":1353},{},{"nodeType":1293,"value":1935,"marks":1936,"data":1937}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":1923,"data":1939,"content":1940},{},[1941],{"nodeType":1294,"data":1942,"content":1943},{},[1944,1949],{"nodeType":1293,"value":1945,"marks":1946,"data":1948},"Phase 2: ",[1947],{"type":1353},{},{"nodeType":1293,"value":1950,"marks":1951,"data":1952},"The attacker conducted a supply-chain compromise against customers of Salesloft. 
Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. ",[],{},{"nodeType":1923,"data":1954,"content":1955},{},[1956],{"nodeType":1294,"data":1957,"content":1958},{},[1959,1964,1968,1976],{"nodeType":1293,"value":1960,"marks":1961,"data":1963},"Phase 3:",[1962],{"type":1353},{},{"nodeType":1293,"value":1965,"marks":1966,"data":1967}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":1399,"data":1969,"content":1971},{"uri":1970},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[1972],{"nodeType":1293,"value":1973,"marks":1974,"data":1975},"breach a further 285 Salesforce instances",[],{},{"nodeType":1293,"value":1977,"marks":1978,"data":1979}," using stolen OAuth tokens from Gainsight's integrations. 
",[],{},{"nodeType":1370,"data":1981,"content":1985},{"target":1982},{"sys":1983},{"id":1984,"type":1375,"linkType":1376},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":1342,"data":1987,"content":1988},{},[],{"nodeType":1503,"data":1990,"content":1991},{},[1992],{"nodeType":1293,"value":1993,"marks":1994,"data":1996},"Malicious browser extensions",[1995],{"type":1353},{},{"nodeType":1294,"data":1998,"content":1999},{},[2000],{"nodeType":1293,"value":2001,"marks":2002,"data":2005},"CyberHaven (2024)",[2003,2004],{"type":1353},{"type":1407},{},{"nodeType":1294,"data":2007,"content":2008},{},[2009],{"nodeType":1293,"value":2010,"marks":2011,"data":2012},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":1370,"data":2014,"content":2018},{"target":2015},{"sys":2016},{"id":2017,"type":1375,"linkType":1376},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":1342,"data":2020,"content":2021},{},[],{"nodeType":1346,"data":2023,"content":2024},{},[2025],{"nodeType":1293,"value":2026,"marks":2027,"data":2029},"The bigger picture",[2028],{"type":1353},{},{"nodeType":1294,"data":2031,"content":2032},{},[2033],{"nodeType":1293,"value":2034,"marks":2035,"data":2036},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. 
",[],{},{"nodeType":1294,"data":2038,"content":2039},{},[2040],{"nodeType":1293,"value":2041,"marks":2042,"data":2043},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":1919,"data":2045,"content":2046},{},[2047,2070,2092],{"nodeType":1923,"data":2048,"content":2049},{},[2050],{"nodeType":1294,"data":2051,"content":2052},{},[2053,2057,2066],{"nodeType":1293,"value":2054,"marks":2055,"data":2056},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. (",[],{},{"nodeType":1399,"data":2058,"content":2060},{"uri":2059},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[2061],{"nodeType":1293,"value":2062,"marks":2063,"data":2065},"Microsoft",[2064],{"type":1407},{},{"nodeType":1293,"value":2067,"marks":2068,"data":2069},")",[],{},{"nodeType":1923,"data":2071,"content":2072},{},[2073],{"nodeType":1294,"data":2074,"content":2075},{},[2076,2080,2089],{"nodeType":1293,"value":2077,"marks":2078,"data":2079},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":1399,"data":2081,"content":2083},{"uri":2082},"https://www.crowdstrike.com/en-gb/global-threat-report/",[2084],{"nodeType":1293,"value":2085,"marks":2086,"data":2088},"CrowdStrike",[2087],{"type":1407},{},{"nodeType":1293,"value":2067,"marks":2090,"data":2091},[],{},{"nodeType":1923,"data":2093,"content":2094},{},[2095],{"nodeType":1294,"data":2096,"content":2097},{},[2098,2102,2111],{"nodeType":1293,"value":2099,"marks":2100,"data":2101},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. 
(",[],{},{"nodeType":1399,"data":2103,"content":2105},{"uri":2104},"https://www.verizon.com/business/resources/reports/dbir/",[2106],{"nodeType":1293,"value":2107,"marks":2108,"data":2110},"Verizon",[2109],{"type":1407},{},{"nodeType":1293,"value":2067,"marks":2112,"data":2113},[],{},{"nodeType":1294,"data":2115,"content":2116},{},[2117],{"nodeType":1293,"value":2118,"marks":2119,"data":2120},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":1919,"data":2122,"content":2123},{},[2124,2139,2154,2169],{"nodeType":1923,"data":2125,"content":2126},{},[2127],{"nodeType":1294,"data":2128,"content":2129},{},[2130,2135],{"nodeType":1293,"value":2131,"marks":2132,"data":2134},"Nikkei",[2133],{"type":1353},{},{"nodeType":1293,"value":2136,"marks":2137,"data":2138},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":1923,"data":2140,"content":2141},{},[2142],{"nodeType":1294,"data":2143,"content":2144},{},[2145,2150],{"nodeType":1293,"value":2146,"marks":2147,"data":2149},"Evertec",[2148],{"type":1353},{},{"nodeType":1293,"value":2151,"marks":2152,"data":2153},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":1923,"data":2155,"content":2156},{},[2157],{"nodeType":1294,"data":2158,"content":2159},{},[2160,2165],{"nodeType":1293,"value":2161,"marks":2162,"data":2164},"Hy-Vee:",[2163],{"type":1353},{},{"nodeType":1293,"value":2166,"marks":2167,"data":2168}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive 
data.",[],{},{"nodeType":1923,"data":2170,"content":2171},{},[2172],{"nodeType":1294,"data":2173,"content":2174},{},[2175,2180],{"nodeType":1293,"value":2176,"marks":2177,"data":2179},"Scania: ",[2178],{"type":1353},{},{"nodeType":1293,"value":2181,"marks":2182,"data":2183},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":1294,"data":2185,"content":2186},{},[2187],{"nodeType":1293,"value":2188,"marks":2189,"data":2190},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this is a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":1342,"data":2192,"content":2193},{},[],{"nodeType":1346,"data":2195,"content":2196},{},[2197],{"nodeType":1293,"value":2198,"marks":2199,"data":2201},"Lessons learned",[2200],{"type":1353},{},{"nodeType":1294,"data":2203,"content":2204},{},[2205],{"nodeType":1293,"value":2206,"marks":2207,"data":2208},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":1294,"data":2210,"content":2211},{},[2212],{"nodeType":1293,"value":2213,"marks":2214,"data":2215},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And cloud security controls are limited in their ability to encompass all apps, and to detect and stop malicious actions in real-time (that often blend in seamlessly with normal user activity). 
",[],{},{"nodeType":1370,"data":2217,"content":2221},{"target":2218},{"sys":2219},{"id":2220,"type":1375,"linkType":1376},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":1342,"data":2223,"content":2224},{},[],{"nodeType":1346,"data":2226,"content":2227},{},[2228],{"nodeType":1293,"value":2229,"marks":2230,"data":2232},"How Push can help",[2231],{"type":1353},{},{"nodeType":1294,"data":2234,"content":2235},{},[2236],{"nodeType":1293,"value":2237,"marks":2238,"data":2239},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":1294,"data":2241,"content":2242},{},[2243],{"nodeType":1293,"value":2244,"marks":2245,"data":2246},"The browser is the gateway to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":1294,"data":2248,"content":2249},{},[2250],{"nodeType":1293,"value":2251,"marks":2252,"data":2253},"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1294,"data":2255,"content":2256},{},[2257,2261,2270,2274,2283],{"nodeType":1293,"value":2258,"marks":2259,"data":2260},"To learn more about Push, ",[],{},{"nodeType":1399,"data":2262,"content":2264},{"uri":2263},"https://pushsecurity.com/resources/product-brochure",[2265],{"nodeType":1293,"value":2266,"marks":2267,"data":2269},"check out our latest product overview",[2268],{"type":1407},{},{"nodeType":1293,"value":2271,"marks":2272,"data":2273}," or ",[],{},{"nodeType":1399,"data":2275,"content":2277},{"uri":2276},"https://pushsecurity.com/demo",[2278],{"nodeType":1293,"value":2279,"marks":2280,"data":2282},"book some time with one of our team for a live demo",[2281],{"type":1407},{},{"nodeType":1293,"value":2284,"marks":2285,"data":2286},".",[],{},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":2292},[2293,2295],{"sys":2294,"name":1309},{"id":1308},{"sys":2296,"name":1305},{"id":1304},{"items":2298},[2299],{"fullName":2300,"firstName":2301,"jobTitle":2302,"profilePicture":2303},"Dan Green","Dan","Threat 
Research",{"url":2304},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1313,"sys":2306,"content":2308,"title":3096,"synopsis":3097,"hashTags":118,"publishedDate":3098,"slug":3099,"tagsCollection":3100,"authorsCollection":3106},{"id":2307},"31m73YMGdCyqVmjHulBwER",{"json":2309},{"nodeType":1295,"data":2310,"content":2311},{},[2312,2319,2352,2359,2365,2372,2404,2411,2417,2420,2428,2435,2442,2501,2520,2532,2539,2545,2548,2556,2572,2578,2585,2591,2598,2636,2642,2645,2653,2660,2667,2795,2801,2832,2839,2842,2850,2857,2864,2906,2934,2941,3017,3023,3026,3034,3041,3061,3064,3072,3079],{"nodeType":1294,"data":2313,"content":2314},{},[2315],{"nodeType":1293,"value":2316,"marks":2317,"data":2318},"Until recently, the cyber attacker methodology behind the biggest breaches of the last decade or so has been pretty consistent:",[],{},{"nodeType":1919,"data":2320,"content":2321},{},[2322,2332,2342],{"nodeType":1923,"data":2323,"content":2324},{},[2325],{"nodeType":1294,"data":2326,"content":2327},{},[2328],{"nodeType":1293,"value":2329,"marks":2330,"data":2331},"Compromise an endpoint via software exploit, or social engineering a user to run malware on their device; ",[],{},{"nodeType":1923,"data":2333,"content":2334},{},[2335],{"nodeType":1294,"data":2336,"content":2337},{},[2338],{"nodeType":1293,"value":2339,"marks":2340,"data":2341},"Find ways to move laterally inside the network and compromise privileged identities;",[],{},{"nodeType":1923,"data":2343,"content":2344},{},[2345],{"nodeType":1294,"data":2346,"content":2347},{},[2348],{"nodeType":1293,"value":2349,"marks":2350,"data":2351},"Repeat as needed until you can execute your desired attack — usually stealing data from file shares, deploying ransomware, or both. 
",[],{},{"nodeType":1294,"data":2353,"content":2354},{},[2355],{"nodeType":1293,"value":2356,"marks":2357,"data":2358},"But attacks have fundamentally changed as networks have evolved. With the SaaS-ification of enterprise IT, core business systems aren’t locally deployed and centrally managed in the way they used to be. Instead, they’re logged into over the internet, via a web browser.",[],{},{"nodeType":1370,"data":2360,"content":2364},{"target":2361},{"sys":2362},{"id":2363,"type":1375,"linkType":1376},"4h4hUYAghbZavOwjRTnBe2",[],{"nodeType":1294,"data":2366,"content":2367},{},[2368],{"nodeType":1293,"value":2369,"marks":2370,"data":2371},"Under the shared responsibility model, the part that’s left to the business consuming a SaaS service is mostly constrained to how they manage identities — the vehicle by which the app is accessed and used by the workforce. It’s no surprise that this has become the soft underbelly in the crosshairs of attackers. ",[],{},{"nodeType":1294,"data":2373,"content":2374},{},[2375,2379,2387,2391,2400],{"nodeType":1293,"value":2376,"marks":2377,"data":2378},"We’ve seen this time and again in the biggest breaches of recent years, with the highlights including the massive ",[],{},{"nodeType":1399,"data":2380,"content":2381},{"uri":1624},[2382],{"nodeType":1293,"value":2383,"marks":2384,"data":2386},"Snowflake campaign in 2024",[2385],{"type":1407},{},{"nodeType":1293,"value":2388,"marks":2389,"data":2390}," and the ",[],{},{"nodeType":1399,"data":2392,"content":2394},{"uri":2393},"https://pushsecurity.com/blog/key-takeaways-from-the-scattered-spider-attacks-on-insurance-firms/",[2395],{"nodeType":1293,"value":2396,"marks":2397,"data":2399},"2025 crime wave attributed to Scattered Spider",[2398],{"type":1407},{},{"nodeType":1293,"value":2401,"marks":2402,"data":2403},".   
",[],{},{"nodeType":1294,"data":2405,"content":2406},{},[2407],{"nodeType":1293,"value":2408,"marks":2409,"data":2410},"These attacks are so successful because while attackers have moved with the changes to enterprise IT, security hasn’t really kept up. ",[],{},{"nodeType":1370,"data":2412,"content":2416},{"target":2413},{"sys":2414},{"id":2415,"type":1375,"linkType":1376},"xH0ZqgKQXCRRZGYVs6xt6",[],{"nodeType":1342,"data":2418,"content":2419},{},[],{"nodeType":1346,"data":2421,"content":2422},{},[2423],{"nodeType":1293,"value":2424,"marks":2425,"data":2427},"The browser is the new battleground — and a security blind spot",[2426],{"type":1353},{},{"nodeType":1294,"data":2429,"content":2430},{},[2431],{"nodeType":1293,"value":2432,"marks":2433,"data":2434},"Taking over workforce identities is the first objective for attackers looking to target an organization, and the browser is the place where the attacks against users happen. This is because it’s where these digital identities are created and used — and their credentials and sessions live. This is what the attacker wants to get their hands on. ",[],{},{"nodeType":1294,"data":2436,"content":2437},{},[2438],{"nodeType":1293,"value":2439,"marks":2440,"data":2441},"Stolen credentials can be used as part of targeted attacks or in broader credential stuffing (cycling known username and credential pairs against various apps and platforms), while stolen session tokens can be used to log in directly to an active session, bypassing the authentication process. ",[],{},{"nodeType":1294,"data":2443,"content":2444},{},[2445,2449,2454,2458,2463,2467,2472,2475,2480,2483,2488,2492,2497],{"nodeType":1293,"value":2446,"marks":2447,"data":2448},"There are a few different techniques that attackers can use to get access to these identities. 
Attackers harvest stolen credentials from various places — ",[],{},{"nodeType":1293,"value":2450,"marks":2451,"data":2453},"data breach dumps",[2452],{"type":1353},{},{"nodeType":1293,"value":2455,"marks":2456,"data":2457},", ",[],{},{"nodeType":1293,"value":2459,"marks":2460,"data":2462},"mass",[2461],{"type":1353},{},{"nodeType":1293,"value":2464,"marks":2465,"data":2466}," ",[],{},{"nodeType":1293,"value":2468,"marks":2469,"data":2471},"credential",[2470],{"type":1353},{},{"nodeType":1293,"value":2464,"marks":2473,"data":2474},[],{},{"nodeType":1293,"value":2476,"marks":2477,"data":2479},"phishing campaigns,",[2478],{"type":1353},{},{"nodeType":1293,"value":2464,"marks":2481,"data":2482},[],{},{"nodeType":1293,"value":2484,"marks":2485,"data":2487},"infostealer logs",[2486],{"type":1353},{},{"nodeType":1293,"value":2489,"marks":2490,"data":2491},", even ",[],{},{"nodeType":1293,"value":2493,"marks":2494,"data":2496},"malicious browser extensions",[2495],{"type":1353},{},{"nodeType":1293,"value":2498,"marks":2499,"data":2500}," that they’ve tricked an employee into installing. In fact, the cyber crime ecosystem itself has shifted on its axis to cater to this, with hackers specifically taking on the role of harvesting credentials and establishing account access for others to exploit. ",[],{},{"nodeType":1294,"data":2502,"content":2503},{},[2504,2508,2516],{"nodeType":1293,"value":2505,"marks":2506,"data":2507},"The high-profile ",[],{},{"nodeType":1399,"data":2509,"content":2510},{"uri":1624},[2511],{"nodeType":1293,"value":2512,"marks":2513,"data":2515},"Snowflake",[2514],{"type":1407},{},{"nodeType":1293,"value":2517,"marks":2518,"data":2519}," breaches in 2024 signalled a watershed moment in the shift to identity-driven breaches, where attackers logged into accounts across hundreds of customer tenants using stolen credentials. 
One of the primary sources of the stolen credentials used in the attacks were infostealer logs dating back to 2020 — breached passwords that hadn’t been rotated or mitigated with MFA. ",[],{},{"nodeType":1294,"data":2521,"content":2522},{},[2523,2527],{"nodeType":1293,"value":2524,"marks":2525,"data":2526},"Infostealers are notable because they’re an endpoint malware attack designed to harvest credentials and session tokens (often from the browser) to enable the attacker to then log into those services… through their own web browser. ",[],{},{"nodeType":1293,"value":2528,"marks":2529,"data":2531},"So, even today’s endpoint attacks are seeing the attacker pivot back into the browser in order to get to identities — the key to the online apps and services where exploitable data and functionality now resides. ",[2530],{"type":1353},{},{"nodeType":1294,"data":2533,"content":2534},{},[2535],{"nodeType":1293,"value":2536,"marks":2537,"data":2538},"The problem here is that this is a blind spot for the security tools we’re currently reliant upon — which don’t have the fine-grained visibility required. 
This is very similar to the challenge that the industry faced prior to the introduction of EDR in the 2010s — the main sources of data are looking from the outside-in, lacking the process-level visibility and context to be able to detect and stop attacks as they happen.",[],{},{"nodeType":1370,"data":2540,"content":2544},{"target":2541},{"sys":2542},{"id":2543,"type":1375,"linkType":1376},"2qoMH6qCNJc7it7sTuKl4F",[],{"nodeType":1342,"data":2546,"content":2547},{},[],{"nodeType":1346,"data":2549,"content":2550},{},[2551],{"nodeType":1293,"value":2552,"marks":2553,"data":2555},"Identity is the prize, browser is the platform — and phishing is the weapon of choice",[2554],{"type":1353},{},{"nodeType":1294,"data":2557,"content":2558},{},[2559,2563,2568],{"nodeType":1293,"value":2560,"marks":2561,"data":2562},"But the technique that’s STILL driving the most impactful identity-driven breaches? ",[],{},{"nodeType":1293,"value":2564,"marks":2565,"data":2567},"It’s phishing",[2566],{"type":1353},{},{"nodeType":1293,"value":2569,"marks":2570,"data":2571},". Phishing for credentials, sessions, OAuth consent, authorization codes. Phishing via email, instant messenger, social media, malicious Google ads… it all happens in, or leads to, the browser. ",[],{},{"nodeType":1370,"data":2573,"content":2577},{"target":2574},{"sys":2575},{"id":2576,"type":1375,"linkType":1376},"6Gsd3G0sOibNxgVLimb2wV",[],{"nodeType":1294,"data":2579,"content":2580},{},[2581],{"nodeType":1293,"value":2582,"marks":2583,"data":2584},"And modern phishing attacks are more effective than ever. Today, phishing operates on an industrial scale, using an array of obfuscation and detection evasion techniques to block email and network security tools from intercepting them. Probably the most common example today is the use of bot protection (think CAPTCHA or Cloudflare Turnstile), using legitimate anti-spam features to block security tools. 
",[],{},{"nodeType":1370,"data":2586,"content":2590},{"target":2587},{"sys":2588},{"id":2589,"type":1375,"linkType":1376},"6M1My4lSKItu6Qdv4hO1RA",[],{"nodeType":1294,"data":2592,"content":2593},{},[2594],{"nodeType":1293,"value":2595,"marks":2596,"data":2597},"The latest generation of fully customized AiTM phishing kits are dynamically obfuscating the code that loads the web page, implementing custom CAPTCHA, and using runtime anti-analysis features, making them increasingly difficult to detect. The ways in which links are delivered have also increased in sophistication, with more delivery channels (as we showed above) and the use of legitimate SaaS services for camouflage. ",[],{},{"nodeType":1294,"data":2599,"content":2600},{},[2601,2605,2610,2614,2619,2623,2632],{"nodeType":1293,"value":2602,"marks":2603,"data":2604},"And the latest trends indicate that attackers are responding to increasingly hardened IdP/SSO configuration by exploiting alternative phishing techniques that ",[],{},{"nodeType":1293,"value":2606,"marks":2607,"data":2609},"circumvent MFA and passkeys",[2608],{"type":1353},{},{"nodeType":1293,"value":2611,"marks":2612,"data":2613},", most commonly by ",[],{},{"nodeType":1293,"value":2615,"marks":2616,"data":2618},"downgrading to a phishable backup authentication method",[2617],{"type":1353},{},{"nodeType":1293,"value":2620,"marks":2621,"data":2622}," — which you can see in action below, and ",[],{},{"nodeType":1399,"data":2624,"content":2626},{"uri":2625},"https://pushsecurity.com/blog/mfa-downgrade-attacks/",[2627],{"nodeType":1293,"value":2628,"marks":2629,"data":2631},"read more about here",[2630],{"type":1407},{},{"nodeType":1293,"value":2633,"marks":2634,"data":2635},".  
",[],{},{"nodeType":1370,"data":2637,"content":2641},{"target":2638},{"sys":2639},{"id":2640,"type":1375,"linkType":1376},"54I3YQ2gK26a8FIocQ3WYT",[],{"nodeType":1342,"data":2643,"content":2644},{},[],{"nodeType":1346,"data":2646,"content":2647},{},[2648],{"nodeType":1293,"value":2649,"marks":2650,"data":2652},"Identities are the lowest-hanging fruit for attackers to aim for",[2651],{"type":1353},{},{"nodeType":1294,"data":2654,"content":2655},{},[2656],{"nodeType":1293,"value":2657,"marks":2658,"data":2659},"The goal of the modern attacker, and the easiest way into your business’s digital environment, is to compromise identities. Whether you’re dealing with phishing attacks, malicious browser extensions, or infostealer malware, the objective remains the same — account takeover. ",[],{},{"nodeType":1294,"data":2661,"content":2662},{},[2663],{"nodeType":1293,"value":2664,"marks":2665,"data":2666},"Organizations are dealing with a vast and vulnerable attack surface consisting of:",[],{},{"nodeType":1919,"data":2668,"content":2669},{},[2670,2692,2713,2735],{"nodeType":1923,"data":2671,"content":2672},{},[2673],{"nodeType":1294,"data":2674,"content":2675},{},[2676,2679,2688],{"nodeType":1293,"value":37,"marks":2677,"data":2678},[],{},{"nodeType":1399,"data":2680,"content":2682},{"uri":2681},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[2683],{"nodeType":1293,"value":2684,"marks":2685,"data":2687},"Hundreds of applications, with thousands of accounts",[2686],{"type":1407},{},{"nodeType":1293,"value":2689,"marks":2690,"data":2691}," spread across the app estate.",[],{},{"nodeType":1923,"data":2693,"content":2694},{},[2695],{"nodeType":1294,"data":2696,"content":2697},{},[2698,2702,2710],{"nodeType":1293,"value":2699,"marks":2700,"data":2701},"Accounts vulnerable to MFA-bypass phishing kits, because they are using a login method that is not phishing-resistant, or because 
",[],{},{"nodeType":1399,"data":2703,"content":2704},{"uri":2625},[2705],{"nodeType":1293,"value":2706,"marks":2707,"data":2709},"the login method can be downgraded",[2708],{"type":1407},{},{"nodeType":1293,"value":2284,"marks":2711,"data":2712},[],{},{"nodeType":1923,"data":2714,"content":2715},{},[2716],{"nodeType":1294,"data":2717,"content":2718},{},[2719,2723,2731],{"nodeType":1293,"value":2720,"marks":2721,"data":2722},"Accounts with a weak, reused, or breached password and no MFA altogether (usually the result of a forgotten-about ",[],{},{"nodeType":1399,"data":2724,"content":2725},{"uri":1637},[2726],{"nodeType":1293,"value":2727,"marks":2728,"data":2730},"ghost login",[2729],{"type":1407},{},{"nodeType":1293,"value":2732,"marks":2733,"data":2734},").",[],{},{"nodeType":1923,"data":2736,"content":2737},{},[2738],{"nodeType":1294,"data":2739,"content":2740},{},[2741,2745,2754,2757,2766,2770,2779,2782,2791],{"nodeType":1293,"value":2742,"marks":2743,"data":2744},"Bypassing the authentication process entirely to evade otherwise phishing-resistant authentication methods, by abusing features like ",[],{},{"nodeType":1399,"data":2746,"content":2748},{"uri":2747},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/api_keys/description.md",[2749],{"nodeType":1293,"value":2750,"marks":2751,"data":2753},"API key creation",[2752],{"type":1407},{},{"nodeType":1293,"value":2455,"marks":2755,"data":2756},[],{},{"nodeType":1399,"data":2758,"content":2760},{"uri":2759},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/app_specific_password_phishing/description.md",[2761],{"nodeType":1293,"value":2762,"marks":2763,"data":2765},"app-specific passwords",[2764],{"type":1407},{},{"nodeType":1293,"value":2767,"marks":2768,"data":2769},", OAuth 
",[],{},{"nodeType":1399,"data":2771,"content":2773},{"uri":2772},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[2774],{"nodeType":1293,"value":2775,"marks":2776,"data":2778},"consent phishing",[2777],{"type":1407},{},{"nodeType":1293,"value":2455,"marks":2780,"data":2781},[],{},{"nodeType":1399,"data":2783,"content":2785},{"uri":2784},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/cross-idp_impersonation/description.md",[2786],{"nodeType":1293,"value":2787,"marks":2788,"data":2790},"cross-IdP impersonation",[2789],{"type":1407},{},{"nodeType":1293,"value":2792,"marks":2793,"data":2794},", and more.  ",[],{},{"nodeType":1370,"data":2796,"content":2800},{"target":2797},{"sys":2798},{"id":2799,"type":1375,"linkType":1376},"3WFzina1t5j6bDlTlGQA0l",[],{"nodeType":1294,"data":2802,"content":2803},{},[2804,2808,2817,2821,2828],{"nodeType":1293,"value":2805,"marks":2806,"data":2807},"A key driver of identity vulnerability is the ",[],{},{"nodeType":1399,"data":2809,"content":2811},{"uri":2810},"https://pushsecurity.com/blog/minimum-viable-identity-security/",[2812],{"nodeType":1293,"value":2813,"marks":2814,"data":2816},"huge variance in the configurability of accounts per application",[2815],{"type":1407},{},{"nodeType":1293,"value":2818,"marks":2819,"data":2820},", with different levels of centralized visibility and security control of identities provided — for example, while one app can be locked down to only accept SSO logins via SAML and automatically remove any unused passwords, another provides no control or visibility of login method or MFA status (another big driver of the ",[],{},{"nodeType":1399,"data":2822,"content":2823},{"uri":1624},[2824],{"nodeType":1293,"value":2512,"marks":2825,"data":2827},[2826],{"type":1407},{},{"nodeType":1293,"value":2829,"marks":2830,"data":2831}," breaches last year). 
Unfortunately, as a by-product of product-led growth and something that is compounded by every new SaaS startup that hits the market, this situation doesn’t look like it’s going to change anytime soon. ",[],{},{"nodeType":1294,"data":2833,"content":2834},{},[2835],{"nodeType":1293,"value":2836,"marks":2837,"data":2838},"The end result is that identities are misconfigured, invisible to the security team, and routinely exploited by commodity attacker tooling. It’s no surprise that they’re the primary target for attackers today. ",[],{},{"nodeType":1342,"data":2840,"content":2841},{},[],{"nodeType":1346,"data":2843,"content":2844},{},[2845],{"nodeType":1293,"value":2846,"marks":2847,"data":2849},"The solution: The browser as a telemetry source and control point",[2848],{"type":1353},{},{"nodeType":1294,"data":2851,"content":2852},{},[2853],{"nodeType":1293,"value":2854,"marks":2855,"data":2856},"Because identity attacks play out in the browser, it’s the perfect place for security teams to observe, intercept, and shut down these attacks. ",[],{},{"nodeType":1294,"data":2858,"content":2859},{},[2860],{"nodeType":1293,"value":2861,"marks":2862,"data":2863},"The browser has a number of advantages over the different places where identity can be observed and protected, because:",[],{},{"nodeType":1919,"data":2865,"content":2866},{},[2867,2877,2887],{"nodeType":1923,"data":2868,"content":2869},{},[2870],{"nodeType":1294,"data":2871,"content":2872},{},[2873],{"nodeType":1293,"value":2874,"marks":2875,"data":2876},"You aren’t limited to the apps and identities directly connected to your IdP (a fraction of your workforce identity sprawl). 
",[],{},{"nodeType":1923,"data":2878,"content":2879},{},[2880],{"nodeType":1294,"data":2881,"content":2882},{},[2883],{"nodeType":1293,"value":2884,"marks":2885,"data":2886},"You aren’t limited to the apps that you know about and manage centrally — you can observe every login that passes through the browser.",[],{},{"nodeType":1923,"data":2888,"content":2889},{},[2890],{"nodeType":1294,"data":2891,"content":2892},{},[2893,2897,2902],{"nodeType":1293,"value":2894,"marks":2895,"data":2896},"You can observe all the properties of a login, including the login method, MFA method, etc. You’d otherwise need API access to ",[],{},{"nodeType":1293,"value":2898,"marks":2899,"data":2901},"maybe",[2900],{"type":312},{},{"nodeType":1293,"value":2903,"marks":2904,"data":2905}," get this information (depending on whether an API is provided and whether this specific data can be interrogated, also not standard for many apps). ",[],{},{"nodeType":1294,"data":2907,"content":2908},{},[2909,2913,2918,2922,2930],{"nodeType":1293,"value":2910,"marks":2911,"data":2912},"It’s obvious with all that we’ve covered so far that fixing every identity vulnerability is an onerous task — the SaaS ecosystem itself is working against you. ",[],{},{"nodeType":1293,"value":2914,"marks":2915,"data":2917},"This is why detecting and responding to identity attacks is essential. ",[2916],{"type":1353},{},{"nodeType":1293,"value":2919,"marks":2920,"data":2921},"Because identity compromise almost always involves phishing or social engineering a user to perform an action in their browser (with some exceptions — like the ",[],{},{"nodeType":1399,"data":2923,"content":2924},{"uri":1839},[2925],{"nodeType":1293,"value":2926,"marks":2927,"data":2929},"Scattered Spider-related help desk attacks",[2928],{"type":1407},{},{"nodeType":1293,"value":2931,"marks":2932,"data":2933}," seen recently), the browser is also the perfect place to monitor for and intercept attacks. 
",[],{},{"nodeType":1294,"data":2935,"content":2936},{},[2937],{"nodeType":1293,"value":2938,"marks":2939,"data":2940},"In the browser, you gather deep, contextualized information about page behavior and user inputs that can be used to detect and shut down risky scenarios in real time. Take the example of phishing pages. Because Push operates in the browser, it sees everything:",[],{},{"nodeType":1919,"data":2942,"content":2943},{},[2944,2954,2964,2974,2997,3007],{"nodeType":1923,"data":2945,"content":2946},{},[2947],{"nodeType":1294,"data":2948,"content":2949},{},[2950],{"nodeType":1293,"value":2951,"marks":2952,"data":2953},"The page layout.",[],{},{"nodeType":1923,"data":2955,"content":2956},{},[2957],{"nodeType":1294,"data":2958,"content":2959},{},[2960],{"nodeType":1293,"value":2961,"marks":2962,"data":2963},"Where the user came from (through the whole redirect chain).",[],{},{"nodeType":1923,"data":2965,"content":2966},{},[2967],{"nodeType":1294,"data":2968,"content":2969},{},[2970],{"nodeType":1293,"value":2971,"marks":2972,"data":2973},"Page interaction events — e.g. 
tabs opened and closed, popup windows, forms submitted, etc.",[],{},{"nodeType":1923,"data":2975,"content":2976},{},[2977],{"nodeType":1294,"data":2978,"content":2979},{},[2980,2984,2993],{"nodeType":1293,"value":2981,"marks":2982,"data":2983},"The password they enter ",[],{},{"nodeType":1399,"data":2985,"content":2987},{"uri":2986},"https://pushsecurity.com/help/10043/#how-push-securely-analyzes-passwords",[2988],{"nodeType":1293,"value":2989,"marks":2990,"data":2992},"(as a salted, abbreviated hash)",[2991],{"type":1407},{},{"nodeType":1293,"value":2994,"marks":2995,"data":2996},", and whether a password was typed or copied, and where from.",[],{},{"nodeType":1923,"data":2998,"content":2999},{},[3000],{"nodeType":1294,"data":3001,"content":3002},{},[3003],{"nodeType":1293,"value":3004,"marks":3005,"data":3006},"What scripts are running on the page and whether they are potentially malicious.",[],{},{"nodeType":1923,"data":3008,"content":3009},{},[3010],{"nodeType":1294,"data":3011,"content":3012},{},[3013],{"nodeType":1293,"value":3014,"marks":3015,"data":3016},"Where credentials are being sent.",[],{},{"nodeType":1370,"data":3018,"content":3022},{"target":3019},{"sys":3020},{"id":3021,"type":1375,"linkType":1376},"6kQejVS63FQ6Oy8nIm6UlV",[],{"nodeType":1342,"data":3024,"content":3025},{},[],{"nodeType":1346,"data":3027,"content":3028},{},[3029],{"nodeType":1293,"value":3030,"marks":3031,"data":3033},"Conclusion",[3032],{"type":1353},{},{"nodeType":1294,"data":3035,"content":3036},{},[3037],{"nodeType":1293,"value":3038,"marks":3039,"data":3040},"Identity attacks are the biggest unsolved problem facing security teams today and the leading cause of security breaches. At the same time, the browser presents security teams with all the tools they need to prevent, detect, and respond to identity-based attacks — proactively by finding and fixing identity vulnerabilities, and reactively by detecting and blocking attacks against users in real time. 
",[],{},{"nodeType":1294,"data":3042,"content":3043},{},[3044,3048,3057],{"nodeType":1293,"value":3045,"marks":3046,"data":3047},"Organizations need to move past the old ways of doing identity security — relying on MFA attestations, identity management dashboards, and ",[],{},{"nodeType":1399,"data":3049,"content":3051},{"uri":3050},"https://pushsecurity.com/blog/three-reasons-why-browser-is-best-for-stopping-phishing-attacks/",[3052],{"nodeType":1293,"value":3053,"marks":3054,"data":3056},"legacy email and network anti-phishing tools",[3055],{"type":1407},{},{"nodeType":1293,"value":3058,"marks":3059,"data":3060},". And there’s no better place to stop these attacks than in the browser. ",[],{},{"nodeType":1342,"data":3062,"content":3063},{},[],{"nodeType":1346,"data":3065,"content":3066},{},[3067],{"nodeType":1293,"value":3068,"marks":3069,"data":3071},"Find out more",[3070],{"type":1353},{},{"nodeType":1294,"data":3073,"content":3074},{},[3075],{"nodeType":1293,"value":3076,"marks":3077,"data":3078},"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks identity attacks like AitM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. 
You can also use Push to find and fix identity vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more.",[],{},{"nodeType":1294,"data":3080,"content":3081},{},[3082,3086,3093],{"nodeType":1293,"value":3083,"marks":3084,"data":3085},"If you want to learn more about how Push helps you to detect and stop attacks in the browser, ",[],{},{"nodeType":1399,"data":3087,"content":3088},{"uri":2276},[3089],{"nodeType":1293,"value":2279,"marks":3090,"data":3092},[3091],{"type":1407},{},{"nodeType":1293,"value":2284,"marks":3094,"data":3095},[],{},"How the browser became the main cyber battleground","How attacks have moved away from endpoints and internal networks to the browser — a blind spot for traditional security tools.","2025-08-15T00:00:00.000Z","how-the-browser-became-the-main-cyber-battleground",{"items":3101},[3102,3104],{"sys":3103,"name":1305},{"id":1304},{"sys":3105,"name":1309},{"id":1308},{"items":3107},[3108],{"fullName":2300,"firstName":2301,"jobTitle":2302,"profilePicture":3109},{"url":2304},{"__typename":1313,"sys":3111,"content":3113,"title":3767,"synopsis":3768,"hashTags":118,"publishedDate":3769,"slug":3770,"tagsCollection":3771,"authorsCollection":3777},{"id":3112},"1qegIy4rMdm5XZXnIEoKpE",{"json":3114},{"nodeType":1295,"data":3115,"content":3116},{},[3117,3124,3131,3156,3162,3169,3176,3179,3186,3206,3212,3219,3262,3269,3276,3283,3290,3297,3304,3323,3331,3334,3341,3348,3355,3362,3369,3376,3383,3431,3438,3445,3452,3472,3479,3486,3493,3500,3507,3514,3521,3539,3557,3600,3607,3614,3680,3687,3690,3697,3713,3732,3739,3745,3751,3754,3760],{"nodeType":1294,"data":3118,"content":3119},{},[3120],{"nodeType":1293,"value":3121,"marks":3122,"data":3123},"The field of threat detection and security monitoring has changed significantly over the last decade. 
Security tools and product categories have been added and replaced, specialist disciplines established, and methodologies created. ",[],{},{"nodeType":1294,"data":3125,"content":3126},{},[3127],{"nodeType":1293,"value":3128,"marks":3129,"data":3130},"Naturally, defenders have had to mature their approach because of the changing nature of the threat facing organizations. Attackers have always looked for new ways to target their victims, and naturally, defenders have had to adapt, forcing attackers to change things up… it’s a cat and mouse game. ",[],{},{"nodeType":1294,"data":3132,"content":3133},{},[3134,3138,3147,3151],{"nodeType":1293,"value":3135,"marks":3136,"data":3137},"Blue teamers have used the concept of the ",[],{},{"nodeType":1399,"data":3139,"content":3141},{"uri":3140},"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html",[3142],{"nodeType":1293,"value":3143,"marks":3144,"data":3146},"Pyramid of Pain",[3145],{"type":1407},{},{"nodeType":1293,"value":3148,"marks":3149,"data":3150}," for over a decade. The logic is simple: ",[],{},{"nodeType":1293,"value":3152,"marks":3153,"data":3155},"Focus on detecting and responding to indicators that are hard for attackers to change. ",[3154],{"type":1353},{},{"nodeType":1370,"data":3157,"content":3161},{"target":3158},{"sys":3159},{"id":3160,"type":1375,"linkType":1376},"6cG2fx3AikwptyEyXKrYCK",[],{"nodeType":1294,"data":3163,"content":3164},{},[3165],{"nodeType":1293,"value":3166,"marks":3167,"data":3168},"If an attacker only has to tweak a variable to get around your detection rule, like adding a space to change a hash value, it’s probably not a very good detection. It’s not going to remain effective for long and you’re always going to be one step behind the attacker – waiting for them to make their next move so you can react. This usually ends up meaning that attackers enjoy at least some success before they can be shut out again. 
",[],{},{"nodeType":1294,"data":3170,"content":3171},{},[3172],{"nodeType":1293,"value":3173,"marks":3174,"data":3175},"The Pyramid of Pain – and the goal of implementing hard-to-bypass detections that hit attackers where it hurts – is central to our design philosophy. But before we get into how we apply this approach, and the types of controls we’ve created as a result, it’s useful to look at how IT and security have changed since the Pyramid was created more than a decade ago. ",[],{},{"nodeType":1342,"data":3177,"content":3178},{},[],{"nodeType":1346,"data":3180,"content":3181},{},[3182],{"nodeType":1293,"value":3183,"marks":3184,"data":3185},"A new era for cyber security",[],{},{"nodeType":1294,"data":3187,"content":3188},{},[3189,3193,3202],{"nodeType":1293,"value":3190,"marks":3191,"data":3192},"We’ve spoken a lot about how we’re in the midst of a new era in cybersecurity, in which identity is now the outermost digital perimeter for security teams to defend. (",[],{},{"nodeType":1399,"data":3194,"content":3196},{"uri":3195},"https://pushsecurity.com/resources/video/the-new-saas-cyber-kill-chain-so-con-2024/",[3197],{"nodeType":1293,"value":3198,"marks":3199,"data":3201},"You’ll be familiar with this if you’ve seen any of Luke’s talks on the New SaaS Cyber Kill Chain.",[3200],{"type":1407},{},{"nodeType":1293,"value":3203,"marks":3204,"data":3205},") ",[],{},{"nodeType":1370,"data":3207,"content":3211},{"target":3208},{"sys":3209},{"id":3210,"type":1375,"linkType":1376},"6nYSZAYpsbj78jKm0q75zs",[],{"nodeType":1294,"data":3213,"content":3214},{},[3215],{"nodeType":1293,"value":3216,"marks":3217,"data":3218},"This is primarily because modern working is no longer contained to a heavily centralized corporate network, and instead happens primarily in applications accessed over the internet via web browser.",[],{},{"nodeType":1294,"data":3220,"content":3221},{},[3222,3226,3234,3238,3246,3250,3258],{"nodeType":1293,"value":3223,"marks":3224,"data":3225},"In this new 
world, attacks don’t even have to touch the old perimeters, because all the data and functionality they could want exists on the public internet. As a result, we’re seeing more and more ",[],{},{"nodeType":1399,"data":3227,"content":3229},{"uri":3228},"https://pushsecurity.com/blog/saas-attack-techniques/",[3230],{"nodeType":1293,"value":3231,"marks":3232,"data":3233},"attacks targeting SaaS apps",[],{},{"nodeType":1293,"value":3235,"marks":3236,"data":3237},", with the entire attack chain being concluded outside customer networks, not touching any traditional endpoints or networks. The ",[],{},{"nodeType":1399,"data":3239,"content":3241},{"uri":3240},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[3242],{"nodeType":1293,"value":3243,"marks":3244,"data":3245},"recent attacks on Snowflake customers",[],{},{"nodeType":1293,"value":3247,"marks":3248,"data":3249},", hailed ",[],{},{"nodeType":1399,"data":3251,"content":3253},{"uri":3252},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[3254],{"nodeType":1293,"value":3255,"marks":3256,"data":3257},"one of the biggest breaches in history",[],{},{"nodeType":1293,"value":3259,"marks":3260,"data":3261},", demonstrate this risk all too well. ",[],{},{"nodeType":1294,"data":3263,"content":3264},{},[3265],{"nodeType":1293,"value":3266,"marks":3267,"data":3268},"This creates a problem for security teams looking to detect and respond to these attacks. ",[],{},{"nodeType":1503,"data":3270,"content":3271},{},[3272],{"nodeType":1293,"value":3273,"marks":3274,"data":3275},"Attacks today are shorter and faster, but just as dangerous",[],{},{"nodeType":1294,"data":3277,"content":3278},{},[3279],{"nodeType":1293,"value":3280,"marks":3281,"data":3282},"Detecting and responding to identity attacks – phishing, credential stuffing, etc. 
– used to be just one possible method of initial access in quite a lengthy Kill Chain that stretched from the compromise of the user device, pivoting to internal network resources, escalating privileges, moving laterally, and finally achieving their objectives.",[],{},{"nodeType":1294,"data":3284,"content":3285},{},[3286],{"nodeType":1293,"value":3287,"marks":3288,"data":3289},"This meant that defenders could adopt an assumed-compromise mentality and build layered detections, as well as proactively hunting for threats across these various stages and layers of the network. The more actions an attacker has to perform, the more opportunities for detection, and the higher the likelihood that they’ll be caught in the act before any real, lasting damage can be caused. ",[],{},{"nodeType":1294,"data":3291,"content":3292},{},[3293],{"nodeType":1293,"value":3294,"marks":3295,"data":3296},"Today, attackers have a lot of opportunities to cause significant damage for much less effort than before. For example, if the goal is to compromise an app like Snowflake and dump the data from it, the Kill Chain is way shorter than a traditional network-based attack. And all the great tools and security products you have, like EDR, don’t come into play. ",[],{},{"nodeType":1294,"data":3298,"content":3299},{},[3300],{"nodeType":1293,"value":3301,"marks":3302,"data":3303},"This means that the initial layer of anti-account takeover controls is much more important in this context. But, the historical detections in this space – email gateway security products, analyzing web pages for malicious content, and URL blocklisting – are either less relevant, or built upon easy-to-bypass detections toward the bottom of the Pyramid of Pain. 
",[],{},{"nodeType":1294,"data":3305,"content":3306},{},[3307,3311,3319],{"nodeType":1293,"value":3308,"marks":3309,"data":3310},"As an example, ",[],{},{"nodeType":1399,"data":3312,"content":3314},{"uri":3313},"https://pushsecurity.com/blog/how-aitm-phishing-kits-evade-detection/",[3315],{"nodeType":1293,"value":3316,"marks":3317,"data":3318},"we recently published an article on all the ways that AitM phishing sites are evading detection",[],{},{"nodeType":1293,"value":3320,"marks":3321,"data":3322},". TL;DR – there are a lot, and they seem to be quite effective. But this is partly because the majority of the detections they're trying to avoid are built on shaky ground.   ",[],{},{"nodeType":1294,"data":3324,"content":3325},{},[3326],{"nodeType":1293,"value":3327,"marks":3328,"data":3330},"So what? Well, it’s clear that the controls that the industry has relied on in the past to stop identity attacks are too easy to bypass, and are no longer sufficient. ",[3329],{"type":1353},{},{"nodeType":1342,"data":3332,"content":3333},{},[],{"nodeType":1346,"data":3335,"content":3336},{},[3337],{"nodeType":1293,"value":3338,"marks":3339,"data":3340},"Building effective identity threat detection controls",[],{},{"nodeType":1294,"data":3342,"content":3343},{},[3344],{"nodeType":1293,"value":3345,"marks":3346,"data":3347},"Now we’ve covered the problem that we set out to solve, let’s look at what we’re doing differently. ",[],{},{"nodeType":1294,"data":3349,"content":3350},{},[3351],{"nodeType":1293,"value":3352,"marks":3353,"data":3354},"In order to climb the Pyramid toward the apex, you need to find ways to detect increasingly generic parts of an attack technique. So you want to avoid things like what a specific malware’s code looks like, or where it connects back to. But what the malware does, or what happens when it runs, is more generic, and therefore more interesting to us.  
",[],{},{"nodeType":1294,"data":3356,"content":3357},{},[3358],{"nodeType":1293,"value":3359,"marks":3360,"data":3361},"The shift from static code signatures and fuzzy hashes to dynamic analysis of what code does on a live system is at the heart of why EDR killed antivirus a decade ago. It proved at-scale the value of moving detections up the pyramid.",[],{},{"nodeType":1294,"data":3363,"content":3364},{},[3365],{"nodeType":1293,"value":3366,"marks":3367,"data":3368},"We’re always on the lookout for ways to move our detections up the pyramid as well. It’s easiest to explain how we’ve applied this by looking at an example. ",[],{},{"nodeType":1503,"data":3370,"content":3371},{},[3372],{"nodeType":1293,"value":3373,"marks":3374,"data":3375},"Scenario: Detecting a web-based phishing attack",[],{},{"nodeType":1294,"data":3377,"content":3378},{},[3379],{"nodeType":1293,"value":3380,"marks":3381,"data":3382},"Let’s break down the stages of a web-based phishing attack as an example. For a user to be successfully phished:",[],{},{"nodeType":1919,"data":3384,"content":3385},{},[3386,3401,3416],{"nodeType":1923,"data":3387,"content":3388},{},[3389],{"nodeType":1294,"data":3390,"content":3391},{},[3392,3397],{"nodeType":1293,"value":3393,"marks":3394,"data":3396},"Stage 1:",[3395],{"type":1353},{},{"nodeType":1293,"value":3398,"marks":3399,"data":3400}," The victim must be lured to visit a website.",[],{},{"nodeType":1923,"data":3402,"content":3403},{},[3404],{"nodeType":1294,"data":3405,"content":3406},{},[3407,3412],{"nodeType":1293,"value":3408,"marks":3409,"data":3411},"Stage 2:",[3410],{"type":1353},{},{"nodeType":1293,"value":3413,"marks":3414,"data":3415}," The website must somehow trick or convince the user that it’s legitimate and trustworthy, for example by mimicking a legitimate 
site.",[],{},{"nodeType":1923,"data":3417,"content":3418},{},[3419],{"nodeType":1294,"data":3420,"content":3421},{},[3422,3427],{"nodeType":1293,"value":3423,"marks":3424,"data":3426},"Stage 3:",[3425],{"type":1353},{},{"nodeType":1293,"value":3428,"marks":3429,"data":3430}," The user must enter their actual credentials into that website.",[],{},{"nodeType":1294,"data":3432,"content":3433},{},[3434],{"nodeType":1293,"value":3435,"marks":3436,"data":3437},"So, how might you go about detecting this attack? Let’s start from the bottom of the pyramid and work our way up.",[],{},{"nodeType":1503,"data":3439,"content":3440},{},[3441],{"nodeType":1293,"value":3442,"marks":3443,"data":3444},"Stage 1: Determining if a URL, IP, or domain is bad",[],{},{"nodeType":1294,"data":3446,"content":3447},{},[3448],{"nodeType":1293,"value":3449,"marks":3450,"data":3451},"You might start by looking for the lure – historically an email. You could look for links in emails, or links in attachments in an email and then check if they are bad (which is essentially what email security products do). You could look for known-bad URLs in emails, but these change for every phishing campaign. In modern attacks, every target can receive a unique email and link. Even just using a URL shortener can bypass this. It’s equivalent to a malware hash – trivial to change, and therefore not a great thing to pin your detections on. ",[],{},{"nodeType":1294,"data":3453,"content":3454},{},[3455,3459,3468],{"nodeType":1293,"value":3456,"marks":3457,"data":3458},"You could look at which IP address the user connects to, but these days it’s very simple for attackers to add a new IP to their cloud-hosted server. If a domain is flagged as known-bad, the attacker only has to register a new domain, or compromise a WordPress server on an already trusted domain. 
Both of these things are ",[],{},{"nodeType":1399,"data":3460,"content":3462},{"uri":3461},"https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/",[3463],{"nodeType":1293,"value":3464,"marks":3465,"data":3467},"happening on a massive scale",[3466],{"type":1407},{},{"nodeType":1293,"value":3469,"marks":3470,"data":3471}," as attackers pre-plan for the fact that their domains will be burned at some point. Attackers are more than happy to spend $10-$20 per new domain in the grand scheme of the potential proceeds of crime. ",[],{},{"nodeType":1294,"data":3473,"content":3474},{},[3475],{"nodeType":1293,"value":3476,"marks":3477,"data":3478},"But there’s a more fundamental flaw here – for defenders to know that a URL, IP, or domain name is bad, it needs to be reported first. When are things reported? Typically after being used in an attack – so unfortunately, someone always gets hurt.  ",[],{},{"nodeType":1503,"data":3480,"content":3481},{},[3482],{"nodeType":1293,"value":3483,"marks":3484,"data":3485},"Stage 2: Determining if a site is legitimate",[],{},{"nodeType":1294,"data":3487,"content":3488},{},[3489],{"nodeType":1293,"value":3490,"marks":3491,"data":3492},"So how can we detect a phishing website, on day-zero, the first time anyone runs into it? Well we can look at the second step – does the URL resemble a real website, does the HTML code for a page look similar to a legitimate login page for a known website, is it loading the same image files? This is not trivial to detect, but with the right fuzzy matches and image analysis it can be automated.",[],{},{"nodeType":1294,"data":3494,"content":3495},{},[3496],{"nodeType":1293,"value":3497,"marks":3498,"data":3499},"We’ve now moved up a level on the Pyramid – we’re detecting website artifacts. 
If we see a legitimate-looking website on an unknown domain, it’s likely to be a malicious clone.",[],{},{"nodeType":1294,"data":3501,"content":3502},{},[3503],{"nodeType":1293,"value":3504,"marks":3505,"data":3506},"Unfortunately, the attacker’s website doesn’t need to serve each visitor the same page. It can change dynamically based on where the visitor is coming from – or even randomly, so that not all visitors are served the phishing page. This means that tools that follow the links in emails in order to analyze them (such as email security appliances) don’t necessarily see the same site the user is actually visiting – a fact that is commonly abused by attackers to bypass detection. It’s critical that detection happens on the actual web page that the victim sees.",[],{},{"nodeType":1503,"data":3508,"content":3509},{},[3510],{"nodeType":1293,"value":3511,"marks":3512,"data":3513},"Stage 3: Detecting the user entering their credentials",[],{},{"nodeType":1294,"data":3515,"content":3516},{},[3517],{"nodeType":1293,"value":3518,"marks":3519,"data":3520},"For a phishing attack to succeed, the victim must enter their actual credentials into the webpage. If you can stop the user entering their real password, there’s no attack. There’s no getting around it. 
",[],{},{"nodeType":1294,"data":3522,"content":3523},{},[3524,3528,3536],{"nodeType":1293,"value":3525,"marks":3526,"data":3527},"So, this is exactly what we did: Earlier this year, we released a control which ",[],{},{"nodeType":1399,"data":3529,"content":3531},{"uri":3530},"https://pushsecurity.com/blog/introducing-sso-password-protection/",[3532],{"nodeType":1293,"value":3533,"marks":3534,"data":3535},"stops users from entering their password belonging to a particular login page anywhere else",[],{},{"nodeType":1293,"value":2284,"marks":3537,"data":3538},[],{},{"nodeType":1294,"data":3540,"content":3541},{},[3542,3546,3553],{"nodeType":1293,"value":3543,"marks":3544,"data":3545},"Seems simple, right? By focusing on this generic action, that always has to happen, you can essentially stop your users being phished altogether. This means, it doesn’t matter ",[],{},{"nodeType":1399,"data":3547,"content":3548},{"uri":3313},[3549],{"nodeType":1293,"value":3550,"marks":3551,"data":3552},"what the attacker does before that point",[],{},{"nodeType":1293,"value":3554,"marks":3555,"data":3556},":",[],{},{"nodeType":1919,"data":3558,"content":3559},{},[3560,3570,3580,3590],{"nodeType":1923,"data":3561,"content":3562},{},[3563],{"nodeType":1294,"data":3564,"content":3565},{},[3566],{"nodeType":1293,"value":3567,"marks":3568,"data":3569},"It doesn't matter if they run the site using Cloudflare Workers to block automatic analysis.",[],{},{"nodeType":1923,"data":3571,"content":3572},{},[3573],{"nodeType":1294,"data":3574,"content":3575},{},[3576],{"nodeType":1293,"value":3577,"marks":3578,"data":3579},"It doesn’t matter if they hack a WordPress blog to get a reputable domain.",[],{},{"nodeType":1923,"data":3581,"content":3582},{},[3583],{"nodeType":1294,"data":3584,"content":3585},{},[3586],{"nodeType":1293,"value":3587,"marks":3588,"data":3589},"It doesn’t matter if they use clever redirects and rotate the URLs delivered to the 
user.",[],{},{"nodeType":1923,"data":3591,"content":3592},{},[3593],{"nodeType":1294,"data":3594,"content":3595},{},[3596],{"nodeType":1293,"value":3597,"marks":3598,"data":3599},"It doesn’t matter if they randomize the HTML title for the web page. ",[],{},{"nodeType":1294,"data":3601,"content":3602},{},[3603],{"nodeType":1293,"value":3604,"marks":3605,"data":3606},"They can’t avoid the fact that a user is required to enter their credentials on the page for the attack to succeed. ",[],{},{"nodeType":1294,"data":3608,"content":3609},{},[3610],{"nodeType":1293,"value":3611,"marks":3612,"data":3613},"So, when you apply the Pyramid of Pain to some of the controls we’ve shipped this year, we get a clear feel for the value, from highest to lowest:",[],{},{"nodeType":1919,"data":3615,"content":3616},{},[3617,3638,3659],{"nodeType":1923,"data":3618,"content":3619},{},[3620],{"nodeType":1294,"data":3621,"content":3622},{},[3623,3627,3634],{"nodeType":1293,"value":3624,"marks":3625,"data":3626},"User Behavior: ",[],{},{"nodeType":1399,"data":3628,"content":3629},{"uri":3530},[3630],{"nodeType":1293,"value":3631,"marks":3632,"data":3633},"Detecting and blocking the user behavior of entering their password into any site that the password doesn’t belong to",[],{},{"nodeType":1293,"value":3635,"marks":3636,"data":3637},". 
",[],{},{"nodeType":1923,"data":3639,"content":3640},{},[3641],{"nodeType":1294,"data":3642,"content":3643},{},[3644,3648,3656],{"nodeType":1293,"value":3645,"marks":3646,"data":3647},"Tool Behavior: ",[],{},{"nodeType":1399,"data":3649,"content":3651},{"uri":3650},"https://pushsecurity.com/blog/introducing-cloned-login-page-detection/",[3652],{"nodeType":1293,"value":3653,"marks":3654,"data":3655},"Detecting when a login page that you access is cloned from a legitimate page.",[],{},{"nodeType":1293,"value":37,"marks":3657,"data":3658},[],{},{"nodeType":1923,"data":3660,"content":3661},{},[3662],{"nodeType":1294,"data":3663,"content":3664},{},[3665,3669,3677],{"nodeType":1293,"value":3666,"marks":3667,"data":3668},"Tool Signature: ",[],{},{"nodeType":1399,"data":3670,"content":3672},{"uri":3671},"https://pushsecurity.com/blog/introducing-aitm-phishing-toolkit-detection-powered-by-the-push-browser/",[3673],{"nodeType":1293,"value":3674,"marks":3675,"data":3676},"Detecting and blocking access to a page with a known phishing kit signature present on the page",[],{},{"nodeType":1293,"value":3635,"marks":3678,"data":3679},[],{},{"nodeType":1294,"data":3681,"content":3682},{},[3683],{"nodeType":1293,"value":3684,"marks":3685,"data":3686},"Naturally, we want to continue focusing on the apex of the Pyramid – at TTPs and Tools – to ensure that the controls we build are as robust as possible, and can’t be bypassed by attackers. 
",[],{},{"nodeType":1342,"data":3688,"content":3689},{},[],{"nodeType":1346,"data":3691,"content":3692},{},[3693],{"nodeType":1293,"value":3694,"marks":3695,"data":3696},"The power of the Push browser agent",[],{},{"nodeType":1294,"data":3698,"content":3699},{},[3700,3704,3709],{"nodeType":1293,"value":3701,"marks":3702,"data":3703},"You might ask: ",[],{},{"nodeType":1293,"value":3705,"marks":3706,"data":3708},"If it’s so simple, why hasn’t this been done yet?",[3707],{"type":1353},{},{"nodeType":1293,"value":3710,"marks":3711,"data":3712}," Well, before now, there was no good way of doing it! Teams simply didn’t have tools in the right place to be able to capture the level of data needed, or respond effectively (i.e. automatically, at the point of impact). ",[],{},{"nodeType":1294,"data":3714,"content":3715},{},[3716,3720,3728],{"nodeType":1293,"value":3717,"marks":3718,"data":3719},"This is where being in the browser comes into play. The browser is a great place to observe the behavior of a page in real time, without needing to reconstruct decrypted HTTP data post-TLS termination and try to guess what the rendered page in all its Javascript-infused glory actually does, ",[],{},{"nodeType":1399,"data":3721,"content":3723},{"uri":3722},"https://pushsecurity.com/blog/the-web-proxy-is-dead-long-live-the-browser-extension/",[3724],{"nodeType":1293,"value":3725,"marks":3726,"data":3727},"as we’ve blogged about previously",[],{},{"nodeType":1293,"value":3729,"marks":3730,"data":3731},". As we’ve seen through the ability to not only detect but prevent phishing attacks, it’s also a great control enforcement point, as you’re able to intercept the user at the point of impact, and you sit as closely as possible to where their work typically happens – in the browser. 
",[],{},{"nodeType":1294,"data":3733,"content":3734},{},[3735],{"nodeType":1293,"value":3736,"marks":3737,"data":3738},"To illustrate how crucial the browser is to implementing controls that sit at the apex of the Pyramid of Pain, we created a modified version designed specifically for identity attacks. ",[],{},{"nodeType":1370,"data":3740,"content":3744},{"target":3741},{"sys":3742},{"id":3743,"type":1375,"linkType":1376},"HrK2xQak6KfjInDbeSgv8",[],{"nodeType":1370,"data":3746,"content":3750},{"target":3747},{"sys":3748},{"id":3749,"type":1375,"linkType":1376},"7kLilJ8Y08smUI9ttM3BSO",[],{"nodeType":1342,"data":3752,"content":3753},{},[],{"nodeType":1346,"data":3755,"content":3756},{},[3757],{"nodeType":1293,"value":3030,"marks":3758,"data":3759},[],{},{"nodeType":1294,"data":3761,"content":3762},{},[3763],{"nodeType":1293,"value":3764,"marks":3765,"data":3766},"Hopefully, this blog post has shone a light on why we do things the way we do here at Push. The goal of building generic detections that are difficult, painful, and costly for attackers to bypass is a key part of our design strategy, and we look forward to sharing many more controls with you that demonstrate this in the future.",[],{},"Our design philosophy: Detecting what matters","This is the first blog in a short series we’re putting together about the ‘why’ behind the ‘what’ at Push. This entry is focused on threat detection. 
","2024-08-05T00:00:00.000Z","our-design-philosophy-detecting-what-matters",{"items":3772},[3773,3775],{"sys":3774,"name":1305},{"id":1304},{"sys":3776,"name":1309},{"id":1308},{"items":3778},[3779],{"fullName":2300,"firstName":2301,"jobTitle":2302,"profilePicture":3780},{"url":2304},{"items":3782},[3783],{"fullName":3784,"firstName":3785,"jobTitle":3786,"profilePicture":3787},"Mark Orlando","Mark","Field CTO",{"url":3788},"https://images.ctfassets.net/y1cdw1ablpvd/592PMwIQQFaa24k5SKBEKF/a33090d0ad95d1e3081f5d16a46ba826/image__68_.png",{"json":3790,"links":4276},{"nodeType":1295,"data":3791,"content":3792},{},[3793,3800,3807,3810,3817,3851,3863,3888,3895,3898,3905,3912,3919,3925,3932,3962,3968,3975,3995,4001,4008,4014,4017,4024,4061,4068,4111,4118,4124,4131,4138,4141,4148,4155,4162,4182,4188,4195,4202,4209,4215,4222,4228,4231,4238,4245,4252],{"nodeType":1294,"data":3794,"content":3795},{},[3796],{"nodeType":1293,"value":3797,"marks":3798,"data":3799},"After more than two decades in cybersecurity, I’ve witnessed the evolution (and at times, devolution) of detection and response capabilities. I’ve sat in countless SOCs watching analysts drown in a sea of alerts, spent hours chasing false positives, and seen talented security professionals burn out from the relentless noise of low-fidelity detection systems. 
",[],{},{"nodeType":1294,"data":3801,"content":3802},{},[3803],{"nodeType":1293,"value":3804,"marks":3805,"data":3806},"It’s a problem that’s reached crisis proportions, and it’s exactly why our approach to browser security represents not just a technological shift, but a philosophical one.",[],{},{"nodeType":1342,"data":3808,"content":3809},{},[],{"nodeType":1346,"data":3811,"content":3812},{},[3813],{"nodeType":1293,"value":3814,"marks":3815,"data":3816},"The alert fatigue epidemic",[],{},{"nodeType":1294,"data":3818,"content":3819},{},[3820,3824,3829,3833,3838,3842,3847],{"nodeType":1293,"value":3821,"marks":3822,"data":3823},"Early in my career, getting ",[],{},{"nodeType":1293,"value":3825,"marks":3826,"data":3828},"any",[3827],{"type":312},{},{"nodeType":1293,"value":3830,"marks":3831,"data":3832}," alert felt like a victory. We were flying blind outside of our small windows of network traffic. But as the industry matured, something troubling happened: we began equating ",[],{},{"nodeType":1293,"value":3834,"marks":3835,"data":3837},"volume",[3836],{"type":1353},{},{"nodeType":1293,"value":3839,"marks":3840,"data":3841}," with ",[],{},{"nodeType":1293,"value":3843,"marks":3844,"data":3846},"value",[3845],{"type":1353},{},{"nodeType":1293,"value":3848,"marks":3849,"data":3850},". Vendors started competing on how many alerts they could generate, how much data they could collect, and how comprehensive their “visibility” could be. ",[],{},{"nodeType":1294,"data":3852,"content":3853},{},[3854,3858],{"nodeType":1293,"value":3855,"marks":3856,"data":3857},"Security teams followed suit with operational metrics that captured how many alerts they’d resolved, how many “attacks” they’d stopped, and how many tickets they’d opened and closed in a given work cycle. 
But as many teams have now realized, ",[],{},{"nodeType":1293,"value":3859,"marks":3860,"data":3862},"volume is a vanity metric; fidelity is what keeps you safe.",[3861],{"type":1353},{},{"nodeType":1294,"data":3864,"content":3865},{},[3866,3870,3879,3883],{"nodeType":1293,"value":3867,"marks":3868,"data":3869},"In my course on ",[],{},{"nodeType":1399,"data":3871,"content":3873},{"uri":3872},"https://www.sans.org/cyber-security-courses/building-leading-security-operations-centers",[3874],{"nodeType":1293,"value":3875,"marks":3876,"data":3878},"Building and Leading Security Operations teams",[3877],{"type":1407},{},{"nodeType":1293,"value":3880,"marks":3881,"data":3882},", we discuss the importance of analytic outcomes and addressing ineffective alerts to continuously improve fidelity. My students often find it hard to believe how much time and effort it takes to audit alert quality and implement continuous improvements on a large scale. This isn’t just an operational problem — it’s an existential threat to effective security. ",[],{},{"nodeType":1293,"value":3884,"marks":3885,"data":3887},"When everything is an alert, nothing is. ",[3886],{"type":1353},{},{"nodeType":1294,"data":3889,"content":3890},{},[3891],{"nodeType":1293,"value":3892,"marks":3893,"data":3894},"And while we have been busy focusing on more (and occasionally, better) detections at the endpoint and network layers, attackers have shifted to infrastructure that isn’t as well-instrumented: SaaS and the browser.",[],{},{"nodeType":1342,"data":3896,"content":3897},{},[],{"nodeType":1346,"data":3899,"content":3900},{},[3901],{"nodeType":1293,"value":3902,"marks":3903,"data":3904},"The browser: a new frontier in detection and response",[],{},{"nodeType":1294,"data":3906,"content":3907},{},[3908],{"nodeType":1293,"value":3909,"marks":3910,"data":3911},"Today, the browser is the place where most cyber attacks happen. 
It’s where users interact with the applications that your business runs on, handle sensitive data, and unfortunately, where they encounter sophisticated phishing campaigns, credential harvesting attacks, and malicious downloads. ",[],{},{"nodeType":1294,"data":3913,"content":3914},{},[3915],{"nodeType":1293,"value":3916,"marks":3917,"data":3918},"Yet for most security teams, the browser remains a black box, hidden from view at both the network and the endpoint. Even worse, attack models often applied to detection engineering for endpoint or network-centric threats don’t really apply; modern identity attacks skip entire phases of the attack chain, eliminating many detection opportunities along the way. The modern attack path doesn’t need to touch the endpoint or your network at all — it can happen entirely over the internet. ",[],{},{"nodeType":1370,"data":3920,"content":3924},{"target":3921},{"sys":3922},{"id":3923,"type":1375,"linkType":1376},"4wYYgbKmmVAZTF7niXJEGc",[],{"nodeType":1503,"data":3926,"content":3927},{},[3928],{"nodeType":1293,"value":3929,"marks":3930,"data":3931},"Attackers are exploiting the detection gap",[],{},{"nodeType":1294,"data":3933,"content":3934},{},[3935,3939,3946,3950,3958],{"nodeType":1293,"value":3936,"marks":3937,"data":3938},"You only need to look at in-the-wild breaches such as last year’s ",[],{},{"nodeType":1399,"data":3940,"content":3941},{"uri":1624},[3942],{"nodeType":1293,"value":2512,"marks":3943,"data":3945},[3944],{"type":1407},{},{"nodeType":1293,"value":3947,"marks":3948,"data":3949}," attacks, or the recent ",[],{},{"nodeType":1399,"data":3951,"content":3952},{"uri":1401},[3953],{"nodeType":1293,"value":3954,"marks":3955,"data":3957},"Salesforce",[3956],{"type":1407},{},{"nodeType":1293,"value":3959,"marks":3960,"data":3961}," breaches to see the impact that attackers can have by executing attacks entirely over the internet, without touching traditional network devices or user endpoints. 
",[],{},{"nodeType":1370,"data":3963,"content":3967},{"target":3964},{"sys":3965},{"id":3966,"type":1375,"linkType":1376},"VfTps3SGKJDlhFcmh42d9",[],{"nodeType":1294,"data":3969,"content":3970},{},[3971],{"nodeType":1293,"value":3972,"marks":3973,"data":3974},"But even in the context of more “conventional” attacks (e.g. the classic route of compromising an endpoint, moving laterally through an environment, taking control of a domain, and deploying ransomware), most of the time, these attacks begin in the browser with identities and cloud apps rather than exploit-driven initial access — such as with the recent attacks on Marks & Spencer, Co-op, and Jaguar Land Rover. ",[],{},{"nodeType":1294,"data":3976,"content":3977},{},[3978,3982,3991],{"nodeType":1293,"value":3979,"marks":3980,"data":3981},"While the ",[],{},{"nodeType":1399,"data":3983,"content":3985},{"uri":3984},"https://cloud.google.com/security/resources/insights/targeted-attack-lifecycle",[3986],{"nodeType":1293,"value":3987,"marks":3988,"data":3990},"attack cycle",[3989],{"type":1407},{},{"nodeType":1293,"value":3992,"marks":3993,"data":3994}," and similar mental models are valuable for planning in-depth detections of sophisticated, multi-stage attacks, focusing too heavily on them can lead to overlooked scenarios. These high-profile incidents have demonstrated the opportunity cost of neglecting visibility into attacks that don't perfectly align with these models. ",[],{},{"nodeType":1370,"data":3996,"content":4000},{"target":3997},{"sys":3998},{"id":3999,"type":1375,"linkType":1376},"3TsKtoWuxQMFl1xd3w1j86",[],{"nodeType":1294,"data":4002,"content":4003},{},[4004],{"nodeType":1293,"value":4005,"marks":4006,"data":4007},"Just as endpoint detection and response revolutionized host-based security by providing visibility and control directly at the point of attack, browser-based security platforms can do the same for web-borne threats. 
It’s an important addition to the detection and response stack that illuminates a “missing middle” in modern attack investigations, and intervenes in real time, much like traditional EDR did for the endpoint years ago.",[],{},{"nodeType":1370,"data":4009,"content":4013},{"target":4010},{"sys":4011},{"id":4012,"type":1375,"linkType":1376},"1eCXGC6U6SdzHmOH1gv24O",[],{"nodeType":1342,"data":4015,"content":4016},{},[],{"nodeType":1346,"data":4018,"content":4019},{},[4020],{"nodeType":1293,"value":4021,"marks":4022,"data":4023},"High-fidelity detection: quality over quantity",[],{},{"nodeType":1294,"data":4025,"content":4026},{},[4027,4031,4039,4043,4048,4052,4057],{"nodeType":1293,"value":4028,"marks":4029,"data":4030},"Our ",[],{},{"nodeType":1399,"data":4032,"content":4034},{"uri":4033},"https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",[4035],{"nodeType":1293,"value":4036,"marks":4037,"data":4038},"design philosophy",[],{},{"nodeType":1293,"value":4040,"marks":4041,"data":4042}," centers on a principle often overlooked in the security industry: prioritizing actionable problems for security teams. This involves differentiating between \"",[],{},{"nodeType":1293,"value":4044,"marks":4045,"data":4047},"events",[4046],{"type":1353},{},{"nodeType":1293,"value":4049,"marks":4050,"data":4051},"\" – environment data that may or may not be useful – and \"",[],{},{"nodeType":1293,"value":4053,"marks":4054,"data":4056},"detections",[4055],{"type":1353},{},{"nodeType":1293,"value":4058,"marks":4059,"data":4060},"\" – high-fidelity, actionable signals with a negligible false positive rate. We also empower our customers with the ability to intervene in real-time when there are high-confidence indicators of an attack. 
We focus not on detecting atomic indicators, but on attacker tooling and behaviors.",[],{},{"nodeType":1294,"data":4062,"content":4063},{},[4064],{"nodeType":1293,"value":4065,"marks":4066,"data":4067},"Compare this to traditional approaches that might generate alerts for:",[],{},{"nodeType":1919,"data":4069,"content":4070},{},[4071,4081,4091,4101],{"nodeType":1923,"data":4072,"content":4073},{},[4074],{"nodeType":1294,"data":4075,"content":4076},{},[4077],{"nodeType":1293,"value":4078,"marks":4079,"data":4080},"Visiting domains with low reputation scores (but not necessarily malicious)",[],{},{"nodeType":1923,"data":4082,"content":4083},{},[4084],{"nodeType":1294,"data":4085,"content":4086},{},[4087],{"nodeType":1293,"value":4088,"marks":4089,"data":4090},"Downloading files that match certain heuristics (but may be legitimate)",[],{},{"nodeType":1923,"data":4092,"content":4093},{},[4094],{"nodeType":1294,"data":4095,"content":4096},{},[4097],{"nodeType":1293,"value":4098,"marks":4099,"data":4100},"Accessing new web applications (that may be approved, or tacitly allowed, shadow IT)",[],{},{"nodeType":1923,"data":4102,"content":4103},{},[4104],{"nodeType":1294,"data":4105,"content":4106},{},[4107],{"nodeType":1293,"value":4108,"marks":4109,"data":4110},"Employee usernames, passwords, and email addresses for sale on the dark web (which may no longer be valid)",[],{},{"nodeType":1294,"data":4112,"content":4113},{},[4114],{"nodeType":1293,"value":4115,"marks":4116,"data":4117},"These low-fidelity alerts create work without providing solutions. They force analysts to become investigators rather than responders, spending precious time determining whether an alert represents a genuine threat rather than focusing on mitigation and recovery. 
",[],{},{"nodeType":1370,"data":4119,"content":4123},{"target":4120},{"sys":4121},{"id":4122,"type":1375,"linkType":1376},"4MydcqvHnWsziCOPUNC3YS",[],{"nodeType":1294,"data":4125,"content":4126},{},[4127],{"nodeType":1293,"value":4128,"marks":4129,"data":4130},"Poor quality detections also present an easy opportunity for security teams to commit a cardinal sin: disrupting users and business processes without a clear justification for doing so. User trust and support should always be treated as a finite resource, and every account locked, website blocked, and laptop reimaged chips away at that resource. ",[],{},{"nodeType":1294,"data":4132,"content":4133},{},[4134],{"nodeType":1293,"value":4135,"marks":4136,"data":4137},"Likewise, the more disruptive the controls, the more likely users are to look for ways around them. If your users are actively working against you, and feel you are preventing them from doing their jobs, they’ll always find new and unexpected ways around security blocks. ",[],{},{"nodeType":1342,"data":4139,"content":4140},{},[],{"nodeType":1346,"data":4142,"content":4143},{},[4144],{"nodeType":1293,"value":4145,"marks":4146,"data":4147},"The SOC analyst's perspective",[],{},{"nodeType":1294,"data":4149,"content":4150},{},[4151],{"nodeType":1293,"value":4152,"marks":4153,"data":4154},"The most successful SOC analysts share a common trait: they’re extraordinarily good at quickly distinguishing signal from noise. But this skill shouldn’t be required! It’s a failure of our detection systems that we’re forcing human analysts to perform pattern matching that our technology should handle. ",[],{},{"nodeType":1294,"data":4156,"content":4157},{},[4158],{"nodeType":1293,"value":4159,"marks":4160,"data":4161},"But even for the most skilled analyst, it’s a tall order to ask your security team to also be experts in every cloud app your business relies on, making it even harder than normal to build context-driven alerts. 
Most of the time, the information required simply doesn't exist: either the logs are not available (generally, or at your product tier), or the work required to extract the logs and turn them into context-driven alerts hasn’t happened yet. If your team is under-resourced and drowning in low-fidelity alerts already, then realistically it might never happen. ",[],{},{"nodeType":1294,"data":4163,"content":4164},{},[4165,4169,4178],{"nodeType":1293,"value":4166,"marks":4167,"data":4168},"Effective browser security changes this dynamic. Instead of presenting analysts with hundreds of “suspicious web activity” alerts that require investigation, ",[],{},{"nodeType":1399,"data":4170,"content":4172},{"uri":4171},"https://pushsecurity.com/blog/detecting-and-blocking-phishing-attacks-in-the-browser/",[4173],{"nodeType":1293,"value":4174,"marks":4175,"data":4177},"our platform focuses on high-reliability indicators",[4176],{"type":1407},{},{"nodeType":1293,"value":4179,"marks":4180,"data":4181}," like whether a phishing kit was observed running on the page, or whether the page was cloned from a legitimate site. We even detect user behaviors that could indicate a risk in the context of a phishing attack, like when a user attempts to authenticate with credentials that have been previously used on another page — either a sign of credential reuse (bad) or a phishing attack (even worse) — at which point Push can be set to block the attack in real time. ",[],{},{"nodeType":1370,"data":4183,"content":4187},{"target":4184},{"sys":4185},{"id":4186,"type":1375,"linkType":1376},"3998Iy2kp9MW0HFeqmo900",[],{"nodeType":1503,"data":4189,"content":4190},{},[4191],{"nodeType":1293,"value":4192,"marks":4193,"data":4194},"Browser security provides a new layer of protection, reducing the risk of breach",[],{},{"nodeType":1294,"data":4196,"content":4197},{},[4198],{"nodeType":1293,"value":4199,"marks":4200,"data":4201},"Attack detection has always been a cat-and-mouse game. 
For years, attackers have grappled with endpoint and network security vendors. And sometimes, the attackers win. The fact is that a lot of attacker innovation has gone into sandbox-aware malware, breaking detection signatures, disabling security tools, and so on. ",[],{},{"nodeType":1294,"data":4203,"content":4204},{},[4205],{"nodeType":1293,"value":4206,"marks":4207,"data":4208},"But with so many attacks now passing through the browser, defending it enables badness to be filtered out before it reaches the endpoint or network controls that attackers are consciously looking to evade. By preventing malware from being delivered, or identities from being compromised, attacks otherwise crafted to evade traditional security controls can be intercepted early — making the crucial difference in whether a breach happens or not.",[],{},{"nodeType":1370,"data":4210,"content":4214},{"target":4211},{"sys":4212},{"id":4213,"type":1375,"linkType":1376},"4Bh7uOkeguNJFmJ1XUQ317",[],{"nodeType":1294,"data":4216,"content":4217},{},[4218],{"nodeType":1293,"value":4219,"marks":4220,"data":4221},"And when it comes to the cloud-centric attacks that attackers are finding so much success with today, this is in effect a net new capability. ",[],{},{"nodeType":1370,"data":4223,"content":4227},{"target":4224},{"sys":4225},{"id":4226,"type":1375,"linkType":1376},"4JdaY8I3f6Ub2Kifc9Rsj9",[],{"nodeType":1342,"data":4229,"content":4230},{},[],{"nodeType":1346,"data":4232,"content":4233},{},[4234],{"nodeType":1293,"value":4235,"marks":4236,"data":4237},"Learn more about Push Security",[],{},{"nodeType":1294,"data":4239,"content":4240},{},[4241],{"nodeType":1293,"value":4242,"marks":4243,"data":4244},"The browser represents one of the most significant opportunities in cybersecurity today. As we continue to expand our browser-based security capabilities, we remain committed to this high-fidelity approach. 
We’re building features that not only detect and prevent attacks but also provide security teams with the rich telemetry they need to develop custom queries and detections.",[],{},{"nodeType":1294,"data":4246,"content":4247},{},[4248],{"nodeType":1293,"value":4249,"marks":4250,"data":4251},"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":4253,"content":4254},{},[4255,4258,4264,4267,4273],{"nodeType":1293,"value":2258,"marks":4256,"data":4257},[],{},{"nodeType":1399,"data":4259,"content":4260},{"uri":2263},[4261],{"nodeType":1293,"value":2266,"marks":4262,"data":4263},[],{},{"nodeType":1293,"value":2271,"marks":4265,"data":4266},[],{},{"nodeType":1399,"data":4268,"content":4269},{"uri":2276},[4270],{"nodeType":1293,"value":2279,"marks":4271,"data":4272},[],{},{"nodeType":1293,"value":2284,"marks":4274,"data":4275},[],{},{"entries":4277},{"hyperlink":4278,"inline":4279,"block":4280},[],[],[4281,4290,4298,4305,4320,4365,4371,4378],{"sys":4282,"__typename":4283,"title":4284,"caption":4285,"layoutMode":118,"file":4286},{"id":3923},"Image","Account takeover on third-party web app","Modern attack paths usually involve direct in-app compromise following account takeover, skipping several phases (and detection opportunities) in traditional “attack chain” 
models.",{"url":4287,"width":4288,"height":4289},"https://images.ctfassets.net/y1cdw1ablpvd/3DOQd2fcWYdjMSVBZZvHHU/2cd487cb316aef8acd77e14a1960c391/SaaS_attack_path.png",1362,458,{"sys":4291,"__typename":4292,"type":4293,"ctaText":4294,"buttonLabel":4295,"buttonColour":4296,"buttonUrl":4297},{"id":3966},"CtaWidget","Custom","Read about \"Scattered Lapsus$ Hunters\", the cybercrime supergroup behind the biggest breaches since 2021. ","Read More","sunny orange","https://pushsecurity.com/blog/scattered-lapsus-hunters/",{"sys":4299,"__typename":4283,"title":4300,"caption":4300,"layoutMode":118,"file":4301},{"id":3999},"Modern attacks start in the browser, and can traverse multiple environments/domains, simultaneously. Not every attack takes the same, linear route through your environment. ",{"url":4302,"width":4303,"height":4304},"https://images.ctfassets.net/y1cdw1ablpvd/5EFB28UzL8aSaZJ18pJKSa/cb7375e4e3ecc7bd7eb5b422fa9cdcd5/image5.png",1999,1102,{"sys":4306,"__typename":4307,"content":4308,"name":4319,"title":118},{"id":4012},"InsightTextBlockComponent",{"json":4309},{"nodeType":1295,"data":4310,"content":4311},{},[4312],{"nodeType":1294,"data":4313,"content":4314},{},[4315],{"nodeType":1293,"value":4316,"marks":4317,"data":4318},"To tackle attacks that are designed to evade traditional detection surfaces and take place mostly over the internet, we must integrate browser telemetry into our detection and response framework, and expand detection engineering and threat hunting processes to incorporate this new dataset. 
",[],{},"Fixing SecOps alert fatigue insight box 1",{"sys":4321,"__typename":4307,"content":4322,"name":4364,"title":118},{"id":4122},{"json":4323},{"nodeType":1295,"data":4324,"content":4325},{},[4326],{"nodeType":1294,"data":4327,"content":4328},{},[4329,4332,4341,4345,4350,4354,4360],{"nodeType":1293,"value":37,"marks":4330,"data":4331},[],{},{"nodeType":1399,"data":4333,"content":4335},{"uri":4334},"https://medium.com/starting-up-security/lessons-learned-in-detection-engineering-304aec709856",[4336],{"nodeType":1293,"value":4337,"marks":4338,"data":4340},"This is what Ryan McGeehan called",[4339],{"type":1407},{},{"nodeType":1293,"value":4342,"marks":4343,"data":4344}," the “Law of the Lever” several years ago, and it still holds true today: The time spent creating a poor quality detection rule will likely create a significant amount of work for someone responding to the follow up alert. ",[],{},{"nodeType":1293,"value":4346,"marks":4347,"data":4349},"This doesn’t mean that only high fidelity analytics have value",[4348],{"type":1353},{},{"nodeType":1293,"value":4351,"marks":4352,"data":4353},"; we still need general environment telemetry to test investigative hypotheses and identify new use cases. 
But we can’t allocate sufficient resources to those tasks while ",[],{},{"nodeType":1293,"value":4355,"marks":4356,"data":4359},"also",[4357,4358],{"type":1353},{"type":1407},{},{"nodeType":1293,"value":4361,"marks":4362,"data":4363}," dealing with low quality alerts.",[],{},"secops article insight box 2",{"sys":4366,"__typename":4283,"title":4367,"caption":4367,"layoutMode":118,"file":4368},{"id":4186},"Being in the browser provides new opportunities to detect and block attacks like phishing.",{"url":4369,"width":4303,"height":4370},"https://images.ctfassets.net/y1cdw1ablpvd/7jo4A0IFI3Z3mLqDki64zz/fb13af5af1443e71a7d113022eda2a62/image4.png",1469,{"sys":4372,"__typename":4283,"title":4373,"caption":4374,"layoutMode":118,"file":4375},{"id":4213},"Defending the browser reduces the risk of breach","Defending the browser reduces the risk of breach by tackling the earliest indicators of attack.",{"url":4376,"width":4303,"height":4377},"https://images.ctfassets.net/y1cdw1ablpvd/2ryvgEISjcNDDvcPEptdzy/ce1bfaf82f09684515fa0e9ecd86f6c3/image1.png",1209,{"sys":4379,"__typename":4307,"content":4380,"name":4391,"title":118},{"id":4226},{"json":4381},{"nodeType":1295,"data":4382,"content":4383},{},[4384],{"nodeType":1294,"data":4385,"content":4386},{},[4387],{"nodeType":1293,"value":4388,"marks":4389,"data":4390},"The psychological impact of this shift cannot be overstated. When analysts know that every alert represents a genuine threat that was successfully mitigated, their job satisfaction increases, burnout decreases, and the overall security posture improves dramatically.",[],{},"secops article insight box 3","content:blog:fixing-secops-alert-fatigue-with-browser-telemetry.json","json","content","blog/fixing-secops-alert-fatigue-with-browser-telemetry.json","blog/fixing-secops-alert-fatigue-with-browser-telemetry",1776359983132]