Blog

Insights & Updates

The latest on browser security, attack surface management, and building defenses for the modern enterprise.

company, manifesto, browser-security, sovereign, phishing

The Surface Security Manifesto

Why Surface Security exists, in our founder's words: a phishing text that hit home, the blind spot between inbox and endpoint, and the convictions we won't compromise.

May 26, 2026 | Grant, Co-Founder

genai, shadow-ai, data-protection, browser-security

How Can I Control Shadow AI Usage on Employee Browsers?

Shadow AI is the unsanctioned use of AI tools that never went through procurement: an employee opens a tab, pastes in some data, and gets to work. You cannot govern what you cannot see. Here is a practical, four-step way to bring shadow AI under control at the place it actually happens, the browser, without banning the tools people rely on.

May 24, 2026 | Surface Security Team

browser-security, extensions, supply-chain, threat-intelligence

Why Are Browser Extensions a Security Risk for My Business?

Browser extensions run on the pages your employees visit, can read what they type, and update silently in the background. A tool you vetted last year can turn malicious after an update or a quiet change of ownership. Here is why extensions are a real attack surface, the three ways they go bad, and what it takes to manage the risk instead of hoping for the best.

May 24, 2026 | Surface Security Team

browser-security, enterprise-browser, buyer-guide, primer

What Is an Enterprise Browser and Do I Actually Need One?

An enterprise browser is a managed, usually Chromium-forked browser a company deploys in place of Chrome or Edge. It is one way to get visibility and control over the browser session, but it is not the only way. Here is what the category actually is, the problems it solves, and how to decide whether you need a new browser or just the outcomes it promises.

May 23, 2026 | Surface Security Team

threat-intelligence, phishing, browser-security, credential-theft

The Blob URL Phishing Gap That Most Browser Extensions Can't See

A new wave of credential-theft kits delivers phishing pages by assembling them client-side as a Blob and navigating to the resulting blob: URL. The page never traverses the network, and most browser security extensions cannot inject content scripts into the document the victim actually sees.

May 21, 2026 | Surface Security Team

citrix, enterprise-browser, migration, regulated-industries

Citrix Just Unbundled Enterprise Browser. That Is Your Re-Evaluation Window.

Starting with Citrix Workspace app 2511, Citrix Enterprise Browser is no longer included in the Workspace installer. For Citrix-heavy regulated organizations, that turns a routine update into a forced re-deploy and a strategic decision moment. Here is how to think about it.

May 20, 2026 | Surface Security Team

sovereignty, eu-procurement, on-premises, compliance, comparison

EU Cloud III, SEAL, and the Coming Reckoning for Cloud-Rendered Browser Security

The European Commission's Cloud III procurement and its SEAL sovereignty framework now grade vendors on technology stack control, not just data residency. Every cloud-rendered browser security product is structurally on the wrong side of that line. Here is why, and what the on-prem extension model gets right.

May 20, 2026 | Surface Security Team

agentic-ai, sovereignty, on-premises, browser-security, comparison

Your AI Agents Belong Inside Your Perimeter

Menlo, Palo Alto, Island, and the newly-acquired LayerX are all pitching the same future: let AI agents run in our cloud, governed by our platform. For defense, intelligence, finance, healthcare, and regulated EU buyers, that architecture is backwards. Here is the case for the opposite.

May 20, 2026 | Surface Security Team

browser-security, comparison, enterprise-browser, patch-cadence, sovereignty

Surface vs. Enterprise Browsers

Enterprise browsers replace Chrome with a forked Chromium. That choice has hidden costs: migration friction, lost extension support, mandatory cloud telemetry, and a patch cadence problem that the May 7 Chromium 148.0.7778.96 security release made unusually visible. Here is how Surface compares.

May 16, 2026 | Surface Security Team

browser-security, enterprise-browser, primer, buyer-guide

What Is Enterprise Browser Security?

Enterprise browser security is the discipline of defending the browser session itself: the post-click space between the email gateway and the endpoint where most modern attacks now land. Here is what it covers, how the major architectures differ, and what to ask before you buy.

May 14, 2026 | Surface Security Team

threat-intelligence, agentic-ai, phishing, browser-security, mythos

Claude Mythos, Phishing, and the Agentic Threshold

Anthropic's unreleased Mythos model finds thousands of zero-days and runs multi-step attacks end to end. Here is what it changes for phishing, for AI browser agents, and for the defenders in between.

April 18, 2026 | Surface Security Team

agentic-ai, prompt-injection, browser-security, automation, dlp

Agentic AI Security: Protecting Your AI-Powered Browser Agents

AI browser agents navigate pages, submit credentials, and interact with sensitive systems autonomously. They also trust everything they read. Here is how attackers exploit that, and how Surface Security defends against it.

April 15, 2026 | Surface Security Team

genai, automation, soc-operations, browser-security

How to Reduce Security Overhead and Increase Automation in the Age of AI

AI adoption is creating more security work than most teams can absorb. Browser-level automation helps you discover AI tools, enforce policy, and investigate incidents without adding more manual overhead.

March 31, 2026 | Surface Security Team

company, browser-security, adaptive-detection, agentic-ai, sovereign

Why Does Surface Security Exist?

Modern attacks move too fast for signatures, fragment across identity, data, and action, and increasingly run inside the browser. Surface exists because no other tool covers the full surface from inside your perimeter.

March 2, 2026 | Surface Security Team

supply-chain, security-architecture, trust, transparency

What If We Got Hacked? How We Protect Our Update Pipeline

Security vendors distribute software to your most sensitive systems. We designed our update architecture so that even a full compromise of our infrastructure can't push malicious code to your network.

February 24, 2026 | Surface Security Team

threat-intelligence, social-engineering, browser-security, clickfix

ClickFix Attacks: What They Are and How to Stop Them

ClickFix attacks surged 517% in six months, tricking users into running malicious commands through fake CAPTCHAs and error dialogs. Here's how the technique works, how it evolved, and how browser-level security stops it.

February 16, 2026 | Surface Security Team

announcement, browser-security

Welcome to the Surface Security Blog

Introducing our blog where we share insights on browser security, enterprise attack surface management, and building defenses for the modern enterprise.

February 15, 2026 | Surface Security Team