Exclusive: SquareX's Audrey Adeline on why the browser is 'the new endpoint'
That's the message from Audrey Adeline of cybersecurity company SquareX, who has launched a practical Browser Detection and Response Manual to help organisations understand and defend against attacks in what she calls "the most used app on your device."
"Eighty per cent of the time spent on a device is now in the browser," she explained to TechDay during a recent interview. "Yet it's one of the least protected surfaces in cybersecurity."
Unveiled at the RSA Conference (RSAC'25) earlier this year, the manual has struck a chord with security leaders worldwide, selling out quickly and prompting strong feedback.
The manual, written by Audrey Adeline and Vivek Ramachandran is titled: 'The Browser Security Field Manual'.
"We were one of the top-selling books at the RSA bookstore," Adeline said. "A lot of CISOs reached out to us afterwards to say it helped their teams rethink browser security."
Originally from Indonesia, Adeline's own path into tech was unconventional. "I grew up in a very traditional economy. Most of my family ran consumer businesses - nobody was in STEM," she said.
After studying biochemistry at Cambridge and working in cancer research, she pivoted into consulting, and eventually joined Sequoia to evaluate tech companies, including cybersecurity firms.
Her passion for deep tech and research led her to SquareX, where she now leads the Year of Browser Bugs (YOBB) project, uncovering browser-based architectural vulnerabilities each month.
These include high-profile exploits like polymorphic extensions, which can impersonate legitimate browser tools like password managers and crypto wallets.
"The danger is users don't realise they're entering credentials into a fake extension," Adeline explained. "These are architectural issues that legitimate browser features enable, and they're much harder to detect or patch."
That urgency drove the creation of the manual. "We kept seeing the same problem - people using the browser constantly, but having very little visibility or protection," she said. "Existing tools just don't give you a clear picture of how the breach occurred."
The manual's first edition is now being followed by a second, set for release at DEF CON and Black Hat in August. It will feature commentary from CISOs at Fortune 500 companies to ground the guidance in real-world enterprise experience.
"We didn't want to just make it theoretical," Adeline said. "Each chapter now includes perspectives on actual problems faced by security teams."
Access to the manual is currently via request form, though Adeline said digital availability is expected closer to August.
Developing the manual was not without challenges. "The biggest hurdle was the lack of consolidated resources," she said. "There's research out there, but it's scattered. We had to pull together a lot of primary sources and make it digestible - from beginner concepts to advanced attacks."
Browser-based threats have spiked recently, with attackers targeting the browser as the new endpoint for enterprise data. "Think about it," she said. "We don't download files anymore. Our files, apps, identities - everything is now in the browser. It's where 60 to 70 per cent of enterprise data lives."
Adeline warned that the shift in attacker behaviour is permanent. "It's not just a trend. There's a fundamental change in how we work, and attackers are following the data."
To help teams assess their own posture, SquareX has also launched a free browser attack testing tool. "Seeing is believing," she said. "You can test against 49 different browser-based attacks and see which ones bypass your current solutions."
She sees two main approaches to browser defence: dedicated secure browsers, or solutions like SquareX's browser extension, which converts any existing browser into a secure one. "Most organisations can't migrate everyone to a new browser," she said. "Extensions are more practical, and updates are seamless."
SquareX positions itself as the EDR for the browser, focusing on detection and response at a granular level. "We're obsessed with user experience. You can't compromise productivity just to get security," she said.
The company's design avoids the risks of dedicated browsers, which often lag behind on security patches. "Every time Chrome issues a patch, those browsers need to be updated manually. That creates a gap where zero-days can thrive," she explained.
Future plans include a red team edition of the manual and continuous updates as attacks evolve. "I wouldn't be surprised if there are multiple versions by next year," Adeline said.
Her advice to security leaders just waking up to the browser as a threat vector is clear: "You need browser-native security to tackle browser-native threats."
Adeline believes the industry must go beyond reacting to breaches and start anticipating them. "The best defence is understanding what attackers are doing," she said. "You can't just play catch-up."
For her, the inclusion of peer input in the manual is crucial. "Security leaders want to hear from their peers. They need validation that this is a permanent shift, not a passing concern," she said.
Asked what's changed to make browsers such a prime target now, Adeline points to a confluence of technology and behaviour.
"Chrome has added countless new features like WebAssembly and WebRTC. These make browsers powerful enough to replace local apps," she explained. "Since COVID, we've seen everything move online. Now attackers are simply going where the data is."
"The browser is the new endpoint," she said. "It's where we work - and where we're vulnerable."
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Techday NZ
4 days ago
- Techday NZ
Exclusive: SAP's Ashley McGibbon on AI, data and the future of partner innovation
SAP is betting big on artificial intelligence, but only if it's built on a solid foundation of accurate data. Speaking to TechDay at the SAP NOW AI Tour in Melbourne, Chief Partner Officer for SAP Australia and New Zealand, Ashley McGibbon, said partners in the region were "pivoting to meet fast-growing demand for AI solutions". "In ANZ we have about 800 partners – from those building applications, to services partners, to those helping us sell and position our cloud solutions," she said. "The focus is no longer just on go-live. It's about continuous adoption." This vision is captured in SAP's "flywheel" model, which combines applications, data and AI to build momentum for ongoing innovation. Introduced this year, the concept draws on the physics principle where connected components generate increasing energy. For McGibbon, it's not just about clever technology – it's about feeding AI the right inputs. "We run mission-critical business processes, and those processes hold a treasure trove of business-critical data," she explained. "Our Business Data Cloud allows customers to harmonise SAP and non-SAP data, structured and unstructured, to feed AI with accurate business data." Without that accuracy, she warned, AI can go badly wrong. "If they can't trust the data feeding the AI, then the decisions will ultimately be wrong," she said. "It's far easier to achieve a harmonised platform with Business Data Cloud." McGibbon said SAP values partners who work quickly and with purpose, adopting a "minimum viable product" mindset to deliver rapid returns for customers. She noted a surge of AI interest at board level, with directors eager to explore how it can boost productivity, in line with the Australian Government's focus on data-driven efficiency. The response to Business Data Cloud since its February launch has been "the most reception to a new product" SAP has ever had in the region. The momentum is already visible in real-world deployments. SA Power Networks has built a generative AI app on SAP's Business Technology Platform that delivers mobile repair instructions directly to technicians in the field, saving the utility a million Australian dollars in its first year. Beverage company Lion built an app in just 10 days, a sign of how diverse industries are embracing AI. McGibbon pointed to Deloitte's recent CFO study, which found 80 per cent of CFOs in APAC prioritise automation through AI. "Everybody's talking about it," she said. For partners still making the shift to cloud and AI, McGibbon said enablement is key. SAP has opened its AI demo systems to partners, rolled out a new business AI certification, and launched "Joule for consultants" to speed up software build and implementation. She's also watching the market evolve through moves like DyFlex's acquisition of Bluetree, which expands into New Zealand and strengthens analytics capability. "It's a combination of a cloud-native partner with an analytics partner," she said. "I think they will bring AI strategy to life across all their existing cloud customers." Central to McGibbon's message is a change in how success is measured. "In the past we celebrated go-lives. For me, it's now go-begin – get the platform right, then continue that cycle of innovation," she said. Quarterly cloud updates mean partners must be ready to help customers adopt new capabilities quickly. "That's how we make the flywheel spin." She believes AI is also prompting customers to rethink design from the outset. "Customers are demanding we look at AI as part of the design, not just copying what was done before," she said. "This is the time to do it better." Early wins, she added, are often found in human capital management. "In SuccessFactors, you can use Joule to write your performance review and it makes you sound amazing," she said. "There's a lot of low-hanging fruit for existing customers." Her advice to organisations exploring AI in the SAP ecosystem is simple but firm: talk to your partners, identify the easy use cases, and above all, get your data strategy right. "You have to get that right first," she said. "Once you've done that, the world is your oyster."
Techday NZ
07-08-2025
- Techday NZ
SquareX launches open-source toolkits to defend browsers
SquareX has released two open-source toolkits to support security teams in simulating and defending against browser-based attacks that can evade traditional enterprise security measures. The two new toolkits, developed by SquareX security researchers, are designed to enable red and blue teams to more effectively address attack techniques that specifically target web browsers. These methods often exploit the fact that many conventional network and endpoint security solutions have limited visibility into threats that operate solely within the browser environment, such as session hijacking and data exfiltration. The prevalence of web browsers as the interface through which corporate resources are accessed and sensitive data is managed has elevated the browser as a key attack vector for threat actors. Despite this, most existing security frameworks continue to focus on more traditional points of compromise, like endpoints and networks. The toolkits aim to bridge this gap by providing practical resources for offensive (red teams) and defensive (blue teams) security teams. Red teams can leverage the tools to create simulations of browser-based attacks, while blue teams can use them to learn to detect and respond to threats that might be otherwise overlooked by standard monitoring systems. Angry Magpie toolkit One of the new toolkits, Angry Magpie, was developed by SquareX researchers Jeswin Mathai, Pankaj Sharma and Xian Xiang Chang. It focuses on simulating data exfiltration attacks using data splicing techniques that target weaknesses in data loss prevention (DLP) systems. Angry Magpie demonstrates how attackers can employ data sharding, ciphering, transcoding, and smuggling to bypass both proxy-based and endpoint DLP solutions. These attacks can be executed through everyday browser operations such as copying to clipboard, file uploads, downloads, and printing. This approach sheds light on how insider threats might launch data exfiltration campaigns from within a browser, offering security teams a means to recognise and counter similar techniques. The toolkit provides methods to reveal these vulnerabilities and can help teams develop targeted defences. Copycat toolkit The second toolkit, Copycat, was created by SquareX security researchers Dakshitaa Babu, Tejeswar S Reddy, Pankaj Sharma and Albin Antony. Copycat is designed to simulate identity and authentication attacks that are initiated through malicious or compromised browser extensions. The toolkit contains ten modules, each illustrating a distinct technique for carrying out identity compromise at the browser level, such as silent account hijacking, credential theft, two-factor authentication interception, and manipulation of OAuth flows. The toolkit demonstrates how even browser extensions with minimal permissions - such as widely-used colour picker extensions with tabs and scripting access - can be used by attackers to compromise user identities and gain control over authenticated sessions. Recent campaigns by threat actor groups like Scattered Spider and Muddled Libra have utilised similar browser-based techniques as an entry point into enterprises. "Enterprise security solutions are struggling to keep pace with modern attack techniques that operate entirely within web browsers. While organizations have invested heavily in endpoint detection and network security, these traditional defenses have limited visibility into browser-based threats - particularly identity attacks and data exfiltration that occur within authenticated sessions." The release of Angry Magpie and Copycat toolkits highlights the need for enhanced collective understanding and preparedness. They intend to give security professionals both concrete attack examples and the detection mechanisms necessary for enterprise environments. This effort is part of SquareX's broader strategy, which previously saw the introduction of a browser detection and response solution designed to deliver visibility and control within browser sessions. The company's security researchers emphasise that providing these tools to the wider community can help teams stay informed about the latest attack vectors and develop appropriate strategies in response. "Through these toolkits, SquareX extends its impact beyond pioneering the Browser Detection and Response solution to enabling the entire security industry - ensuring teams understand actively exploited attack techniques and can build appropriate defenses." The toolkits are open-source and available to security teams for direct use and adaptation in enterprise environments. Live demonstrations of Angry Magpie and Copycat are being held at DEF CON, offering a practical showcase of how the tools can be integrated into existing security frameworks.
Techday NZ
04-08-2025
- Techday NZ
SquareX to unveil browser, passkey flaws at Black Hat, DEF CON
SquareX researchers are set to present a series of vulnerability disclosures relating to browser security at two major security events in August. During Black Hat USA and DEF CON 33, SquareX will reveal a number of architectural vulnerabilities impacting passkey authentication systems, enterprise data loss prevention solutions, and browser extensions. The company's researchers plan to deliver multiple talks that aim to detail new techniques attackers may use to circumvent existing security measures. Browser-first world At Black Hat USA, the presentation titled "Browser-Native Security in a Browser First World" will be delivered by Vivek Ramachandran, Founder of SquareX. This talk is expected to cover the growing dependency enterprises have on web browsers and the resulting security challenges. With staff reportedly spending up to 80% of their device usage time within browsers, defending against browser-based threats has become a critical concern. Ramachandran's talk will highlight current tactics, techniques, and procedures (TTPs) that enable attackers to bypass technologies such as Secure Access Service Edge (SASE), endpoint detection and response (EDR), and endpoint data loss prevention (DLP) tools. Passkey vulnerabilities DEF CON 33 will feature Shourya Pratap Singh, Jonathan Lin and Daniel Seetoh presenting research under the session title "Passkeys Pwned: Turning WebAuthn Against Itself." This discussion will focus on a new technique designed to subvert passkey authentication. Passkeys, which have seen significant uptake among major technology providers such as Apple, Google, and Microsoft, are promoted as a more secure alternative to traditional passwords. Despite this positioning, SquareX's research asserts that vulnerabilities still exist. "Over the past year, we have been releasing bleeding edge research on architectural browser vulnerabilities as part of the Year of Browser Bugs project. We believe that deeply understanding the attacker mindset is the only way to defend against the newest threat vectors, and we believe that it is critical to share these findings at industry leading conferences like Black Hat and DEF CON. This year's research demonstrates critical gaps that traditional security solutions simply cannot address - everything from passkey to browser extension vulnerabilities. We will also be sharing multiple open source browser-native security tools that enterprises need to plug the browser security gap," said Vivek Ramachandran, Founder of SquareX. Browser extension threats In addition to the mainstage talks, Nishant Sharma and Shourya Pratap Singh will present "Plug and Prey: Scanning and Scoring Browser Extensions" at Recon Village. Their session introduces ExtHuntr, an open-source tool developed to scan for installed browser extensions, analyse their permissions and behaviour, and generate risk scores. ExtHuntr aims to provide security teams with greater visibility into potential risks posed by browser extensions. SquareX will also run a demonstration called "Copycat: Identity Stealer Extension" and a session titled "Angry Magpie: DLP Bypass Simulator" at DEF CON 33 Demo Labs, underscoring the firm's focus on practical, real-world attack simulation tools related to browser security. Cloud security workshop Nishant Sharma, Head of Security Research at SquareX, is scheduled to conduct a workshop at Cloud Village, titled "Serverless but Not Defenceless: A Security Deep Dive into Cloud Run." The workshop will provide attendees with detailed guidance on how to deploy and manage services on Google Cloud Run securely, using principles drawn from DevSecOps and related practices. Security field manual Audrey Adeline, a SquareX researcher, will participate in "The Trailblazer's Guide to Cybersecurity" discussion at Black Hat USA. Topics will include the experiences of professionals who are first-generation entrants to the cybersecurity sector. Adeline will also share information about the release of The Browser Security Field Manual, a book written in collaboration with chief information security officers (CISOs) from Fortune 500 companies and major technology firms. The manual addresses contemporary attacks targeting employees via browsers and provides guidance on defensive techniques. Event schedule In addition to the headline talks, SquareX researchers will lead several demonstration sessions and workshops at both Black Hat USA and DEF CON 33. These include practical labs showing browser-based identity theft and DLP bypass scenarios, as well as further engagements focusing on serverless security and browser-native security tools. The presentations are designed to highlight what SquareX claims are critical gaps in existing security technology, particularly where traditional solutions may not adequately address emerging attack vectors related to browsers, passkeys, and extensions.
