Exclusive: SquareX's Audrey Adeline on why the browser is 'the new endpoint'

Techday NZ, 10-06-2025
The browser is the new battleground.
That's the message from Audrey Adeline of cybersecurity company SquareX, who has launched a practical Browser Detection and Response Manual to help organisations understand and defend against attacks in what she calls "the most used app on your device."
"Eighty per cent of the time spent on a device is now in the browser," she explained to TechDay during a recent interview. "Yet it's one of the least protected surfaces in cybersecurity."
Unveiled at the RSA Conference (RSAC'25) earlier this year, the manual has struck a chord with security leaders worldwide, selling out quickly and prompting strong feedback.
The manual, written by Audrey Adeline and Vivek Ramachandran, is titled 'The Browser Security Field Manual'.
"We were one of the top-selling books at the RSA bookstore," Adeline said. "A lot of CISOs reached out to us afterwards to say it helped their teams rethink browser security."
Originally from Indonesia, Adeline's own path into tech was unconventional. "I grew up in a very traditional economy. Most of my family ran consumer businesses - nobody was in STEM," she said.
After studying biochemistry at Cambridge and working in cancer research, she pivoted into consulting, and eventually joined Sequoia to evaluate tech companies, including cybersecurity firms.
Her passion for deep tech and research led her to SquareX, where she now leads the Year of Browser Bugs (YOBB) project, uncovering browser-based architectural vulnerabilities each month.
These include high-profile exploits like polymorphic extensions, which can impersonate legitimate browser tools like password managers and crypto wallets.
"The danger is users don't realise they're entering credentials into a fake extension," Adeline explained. "These are architectural issues that legitimate browser features enable, and they're much harder to detect or patch."
That urgency drove the creation of the manual. "We kept seeing the same problem - people using the browser constantly, but having very little visibility or protection," she said. "Existing tools just don't give you a clear picture of how the breach occurred."
The manual's first edition is now being followed by a second, set for release at DEF CON and Black Hat in August. It will feature commentary from CISOs at Fortune 500 companies to ground the guidance in real-world enterprise experience.
"We didn't want to just make it theoretical," Adeline said. "Each chapter now includes perspectives on actual problems faced by security teams."
Access to the manual is currently via request form, though Adeline said digital availability is expected closer to August.
Developing the manual was not without challenges. "The biggest hurdle was the lack of consolidated resources," she said. "There's research out there, but it's scattered. We had to pull together a lot of primary sources and make it digestible - from beginner concepts to advanced attacks."
Browser-based threats have spiked recently, with attackers targeting the browser as the new endpoint for enterprise data. "Think about it," she said. "We don't download files anymore. Our files, apps, identities - everything is now in the browser. It's where 60 to 70 per cent of enterprise data lives."
Adeline warned that the shift in attacker behaviour is permanent. "It's not just a trend. There's a fundamental change in how we work, and attackers are following the data."
To help teams assess their own posture, SquareX has also launched a free browser attack testing tool. "Seeing is believing," she said. "You can test against 49 different browser-based attacks and see which ones bypass your current solutions."
She sees two main approaches to browser defence: dedicated secure browsers, or solutions like SquareX's browser extension, which converts any existing browser into a secure one. "Most organisations can't migrate everyone to a new browser," she said. "Extensions are more practical, and updates are seamless."
SquareX positions itself as the EDR for the browser, focusing on detection and response at a granular level. "We're obsessed with user experience. You can't compromise productivity just to get security," she said.
The company's design avoids the risks of dedicated browsers, which often lag behind on security patches. "Every time Chrome issues a patch, those browsers need to be updated manually. That creates a gap where zero-days can thrive," she explained.
Future plans include a red team edition of the manual and continuous updates as attacks evolve. "I wouldn't be surprised if there are multiple versions by next year," Adeline said.
Her advice to security leaders just waking up to the browser as a threat vector is clear: "You need browser-native security to tackle browser-native threats."
Adeline believes the industry must go beyond reacting to breaches and start anticipating them. "The best defence is understanding what attackers are doing," she said. "You can't just play catch-up."
For her, the inclusion of peer input in the manual is crucial. "Security leaders want to hear from their peers. They need validation that this is a permanent shift, not a passing concern," she said.
Asked what's changed to make browsers such a prime target now, Adeline points to a confluence of technology and behaviour.
"Chrome has added countless new features like WebAssembly and WebRTC. These make browsers powerful enough to replace local apps," she explained. "Since COVID, we've seen everything move online. Now attackers are simply going where the data is."
"The browser is the new endpoint," she said. "It's where we work - and where we're vulnerable."
Related Articles

Exclusive: How legacy systems expose firms to security and cost risks

Techday NZ, 2 days ago

Legacy systems are dragging down the digital ambitions of modern enterprises, making them vulnerable to security threats and inflated costs, according to David Fairman, APAC Chief Security Officer at Netskope. "A lot of it comes back to legacy architectures and the way that organisations have been built," Fairman told TechDay during a recent interview. "Unless you're talking about truly cloud native, modern companies, many organisations in sectors like healthcare and financial services have significant investments in legacy technologies, and these simply haven't adapted to the realities of hybrid or distributed workforces." The COVID-19 pandemic accelerated the shift to hybrid work, which in turn altered how and where data flows. For businesses in tightly regulated industries, this shift has brought friction, as old systems struggle to keep pace with new operating models. "Those legacy architectures just haven't really adapted," he explained. "That causes a natural friction." Crucially, Fairman believes the result is a stark trade-off: organisations must now choose between robust security and agile performance. "Maybe they start reducing their overall threat protection capabilities. More importantly, they lose visibility in that hybrid environment - knowing where data is traversing, who is using it, and whether it's being accessed by third parties," he warned. This lack of visibility puts strain on security teams. "The ability for a security team to truly have the insights they need to make fast and efficient security decisions and responses is deteriorated." Fairman also highlighted how fragmented infrastructure creates duplication, operational headaches, and rising costs. "We're trying to stitch together these disparate security capabilities that aren't integrated, that aren't a true platform solution," he said. "It creates complexity. 
Complexity creates cost, because now we've got multiple teams, multiple skill sets, multiple processes that we need to try and stitch together and make that work in unison. It's not efficient." In contrast, modern infrastructure designed for the cloud era offers a clear path forward. "The distributed workforce is the norm today. We need to think about how we build architectures or technology services that enable the flexibility that's demanded by that hybrid workforce," he said. However, the complexity does not stop at technology. Regulations - especially around data sovereignty - add further complications for global firms. "Different jurisdictions are driving a lot more complexity and expectation around data sovereignty, and that's very hard for a global organisation to try and work through," Fairman added. To meet these challenges, Fairman advocates for radical simplification. "I believe that we can improve security by reducing complexity. Platform simplification and tech stack simplification has always been a mantra of how I've thought about building a security capability," he said. A consolidated platform offers consistent enforcement of security policies and fewer opportunities for gaps or misalignment. "If you have one security policy, one security engine, one inspection engine, one team, one set of skill sets… that simplicity allows you to minimise the gaps that you would have in a complex organisation," he explained. By contrast, fragmented approaches only exacerbate inconsistency and cost. "You have an inconsistent application of a security policy. It becomes very costly and expensive because then you've got different teams trying to sync toolings and policy sets that don't quite match… that becomes somewhat opaque," he said. The administrative overhead is considerable. From managing multiple tools to the risk of key-person dependency, duplication affects both performance and resilience. 
But with consolidation, Fairman said, organisations benefit from "single processes, single skill sets and the ability to achieve multiple outcomes," such as compliance and adaptability. Fairman also argued that regulatory pressure could be turned into an advantage with the right systems in place. "If you have platforms that help you achieve [compliance] in a very clear and consistent manner, it reduces that burden and that overhead. It allows them to focus their attention where they need to focus, versus the regulatory drivers or the control drivers." Security and network operations are also undergoing a merger of their own. "The internet today is the network. We used to build networks; now it's the internet," Fairman said. This convergence, he believes, can help break down operational silos. "The consolidation has really driven a convergence of those network and security teams. It's broken down some barriers. It gives you a consistent view and helps organisations achieve their regulatory requirements in a consistent manner." With security budgets under pressure, Fairman encourages IT leaders to think lean. "How do I drive down cost? I do that by reducing some complexity," he said. But simplification isn't just technical - it requires operational reform too. "You can't run your organisation the way we used to run them yesterday; we need to transform our operating model, not just our technology. They go hand in glove." Looking ahead, Fairman anticipates more upheaval in secure networking, driven by data growth and emerging technologies. "AI is going to absolutely drive a wedge in how we're thinking about the world today," he said. "Data lineage and data control, data growth is going to expand exponentially… and of course, how can we forget post-quantum or quantum computing and the challenges that that's going to start to drive for us?"

Browser AI agents seen as bigger security risk than employees

Techday NZ, 30-06-2025

SquareX's latest research suggests that Browser AI Agents now pose a greater security risk to organisations than employees. Browser AI Agents are software programs that perform browser-based tasks for users, including booking flights, scheduling meetings, and conducting research. Their usage has seen considerable growth, with a PWC survey indicating that 79% of organisations have already adopted some form of browser agent. These agents offer measurable productivity gains, but SquareX's analysis found that their security awareness is limited compared to that of human employees. Unlike people, Browser AI Agents do not participate in regular security training and lack the ability to detect common warning signs found in malicious websites, such as suspicious URLs or unnecessary permission requests. The company's research highlights that even fundamental security practices can be missed by Browser AI Agents. For example, while a human might notice and avoid a dubious website or application, agents are more likely to proceed, often exposing sensitive company data. SquareX pointed out the additional challenge that writing prompts to manage security risks for every agent task can undermine productivity gains, and most users are unlikely to have the expertise to do so effectively. To demonstrate these risks, SquareX conducted an experiment using the widely adopted open-source Browser Use framework. In this scenario, the Browser AI Agent was asked to find and register for a file-sharing tool. During the process, the agent fell victim to an OAuth attack, inadvertently granting a malicious application full access to the user's email account. This occurred despite several signals — such as requests for irrelevant permissions, unfamiliar branding, and suspicious URLs — that would likely have caused a human operator to hesitate. 
SquareX's team warned that similar scenarios could see agents unknowingly expose sensitive information, such as credit card data during online purchases or responding to phishing emails with confidential details. The inability of traditional security tools and browsers to distinguish between human and agent actions exacerbates this risk, as malicious instructions can be executed without intervention.

Industry perspective

Vivek Ramachandran, Founder & CEO of SquareX, commented on the findings, explaining the shift in security risk within organisations: "The arrival of Browser AI Agents has dethroned employees as the weakest link within organizations. Optimistically, these agents have the security awareness of an average employee, making them vulnerable to even the most basic attacks, let alone bleeding-edge ones. Critically, these Browser AI Agents are running on behalf of the user, with the same privilege level to access enterprise resources. Until the day browsers develop native guardrails for Browser AI Agents, enterprises must incorporate browser-native solutions like Browser Detection and Response to prevent these agents from being tricked into performing malicious tasks. Eventually, the new generation of identity and access management tools will also have to take into account Browser AI Agent identities to implement granular access controls on agentic workflows."
Security professionals are being advised to introduce browser-integrated protections and to treat the actions of Browser AI Agents with the same scrutiny as those of human users.

Technical implications

With traditional security tools unable to identify whether actions in the browser stem from a human or an AI agent, the potential for undetected compromise rises. The need for browser-native threat detection and response tools, capable of safeguarding both employees and automated agents, is therefore becoming more pressing.
SquareX's findings further suggest that as the use of Browser AI Agents becomes more common, identity and access management systems will need to evolve. These systems must recognise and regulate AI agents to ensure that access privileges and security policies can be applied accurately to all entities operating within an organisation's digital infrastructure. The company recommends that organisations take a proactive approach, reviewing and updating their browser security frameworks in line with these developments. Without new guardrails, the delegation of routine tasks to Browser AI Agents may inadvertently increase the attack surface for cybercriminals targeting enterprises.

Exclusive: Logistics firms face rising OT cyber threats amid global tensions

Techday NZ, 20-06-2025

Cyber attackers are increasingly targeting logistics and supply chain networks, aiming to destabilise nations and gain strategic leverage without ever crossing a border. According to Leon Poggioli, ANZ Regional Director at Claroty, the recent cyber espionage affecting logistics firms supporting Ukraine is not an isolated trend but part of a broader pattern. "There's two key reasons nation states do this," he explained during a recent interview with TechDay. "One is to disrupt the other nation's defences, and the other is to put political pressure on the general public by interfering with their supply chains." These attacks frequently target operational technology (OT) systems - the core infrastructure behind physical processes in logistics, energy, manufacturing and healthcare. Poggioli said attackers exploit connectivity in these environments to carry out sabotage remotely. "A lot of these environments have some kind of external connectivity, so that gives an attacker an ability to remotely trigger a cyber attack and disrupt those supply chains." In some cases, tactics have extended to disrupting weapons infrastructure, such as drones. "When one nation uses drones, the other will defend itself by trying to jam signals and disrupt that infrastructure," he explained. Compared to IT systems, OT vulnerabilities can be far more complex and risky to remediate. Poggioli noted that in OT, even small changes can impact safety and operations. "In the IT world, it's easy to push patches out," he said. "In OT, even a minor change can disrupt operations, so remediation needs to be more targeted." Claroty's platform is built to help organisations quickly cut through large volumes of vulnerability data to find what really matters. "A site may have 1,000 vulnerabilities, but we can whittle that down to the five that make the most impact," he said. "That becomes a manageable number that a cyber leader and OT asset manager can act on within weeks." 
Recent data from Claroty's global survey of cybersecurity professionals reinforces the growing financial and operational risks posed by cyber attacks on cyber-physical systems (CPS). Nearly half of respondents (45%) reported financial impacts of $500,000 USD or more from such attacks in the past year, with over a quarter suffering losses of at least $1 million. These costs were largely driven by lost revenue, recovery expenses, and employee overtime. "It's a growing concern across multiple sectors, particularly in chemical manufacturing, energy, and mining – more than half of organisations in those sectors reported losses over half a million dollars," Poggioli said. Ransomware remains a major burden, especially in sectors like healthcare where 78% of organisations reported paying over $500,000 to regain access to encrypted systems. "These are real costs, not theoretical risks," he added. "And they're rising." Operational downtime is also widespread. Nearly half of global respondents experienced more than 12 hours of downtime following an attack, with one-third suffering outages lasting a full day or more. "When operations halt, the financial and reputational damage mounts quickly," Poggioli said. He added that one of the most pressing vulnerabilities is the level of remote access in these environments. "We're seeing around 45% of CPS assets connected to the internet," he said. "Most of that is done through VPNs that were never built for OT security." Third-party access is another growing concern, with 82% of respondents saying at least one cyber attack in the past year came through a supplier. Nearly half said five or more attacks stemmed from third-party connections, yet 63% admit they don't fully understand how these third parties are connected to their CPS environment. Poggioli pointed to this as a critical blind spot. "Legacy access methods and poor visibility are allowing attackers in through the back door," he said. 
Even more concerning is the risk from insiders. "You want to be able to trust your team, but someone with inside knowledge can do more damage than an external attacker," Poggioli said. "Even air-gapped environments need constant monitoring." A cyber attack on Denmark's power grid in 2023 served as a wake-up call. "One operator didn't even know they had the vulnerable firewall in their system," he said. "That's why visibility is so important. You can't secure what you don't know exists." While preparedness across the logistics sector varies, Poggioli believes the industry is slowly recognising the strategic value of cybersecurity. "It's going to become a point of competitive advantage," he said. "Customers are going to start asking serious questions about cyber security and supply chain integrity." He drew a sharp distinction between cyber criminals and state-backed actors. "Cyber criminals want fast financial gain, but nation states are more focused on political objectives," he said. "They have better resources and longer timelines. That changes the game." Poggioli warned that just because no incident has occurred doesn't mean attackers aren't already embedded in critical networks. "There's growing evidence of adversaries nesting in these systems," he said. "My hypothesis is they're preparing for future conflict. If war breaks out, they're already in position to strike." For logistics firms looking to strengthen their defences, Poggioli said the first step is basic visibility. "Most people I speak to admit they don't know 100% what's out there or how it's connected," he said. "Start with an asset inventory. Once you have that, you can start risk modelling and reduce exposure." There are signs that resilience strategies are making a difference. According to the Claroty report, 56% of professionals now feel more confident in their CPS systems' ability to withstand cyber attacks than they did a year ago, and 72% expect measurable improvements in the next 12 months. 
Still, Poggioli said complacency is not an option. "If you don't know how big the problem is, you won't know how to solve it," he said. "Once you understand the risks, you can act to protect your operations and show the business the value of cyber security."
