SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Exclusive: John Carse on why the browser is the new cyber battleground

Fri, 31st Oct 2025

In today's evolving digital landscape, SquareX believes that defence at the network layer is not enough to combat modern attacks.

Over the past two decades, enterprise security has undergone a dramatic transformation. The move from locked-down data centres and on-premise servers to a sprawling world of cloud, SaaS and web-based workflows has widened the attack surface that enterprises must defend. Yet amid this shift, one element has quietly become the new frontline for cyber threats: the browser.

John Carse, SquareX's Field CISO, says his experience in cybersecurity, including time with the US military and as CISO for Dyson, Rakuten and Expedia, has exposed a persistent blind spot. The controls that traditionally sit around the browser, such as Endpoint Detection and Response (EDR), secure web gateways (SWGs) and proxies, increasingly fail to detect threats that are assembled inside encrypted browser sessions.

"The tools that I thought I had, the EDR tools and the proxy tools, weren't able to see them," he said, describing a security posture undermined by the move to cloud and SaaS. As organisations have migrated functionality to web apps, he says, browsers have become incredibly versatile. But they are also on everyone's desktop, creating a point of entry from which attackers can mount more sophisticated campaigns.

This visibility gap has opened the door to a new generation of attacks. One category, which SquareX has been studying and demonstrating publicly, is the 'last mile reassembly attack': small, individually harmless data fragments travel across encrypted channels and are combined into malicious code or a malicious file only once they reach the victim's browser, so nothing that crosses the network ever looks like a complete malicious artefact.

"It's like snapping Lego blocks together at the endpoint," Carse says. "You can't really see it from the EDR perspective or the SWG perspective because they never see a complete file."

SquareX showcased its defences against such attacks at DEF CON 32 in 2024. The company's approach is to monitor for and stop malicious activity at the point of assembly, inside the browser itself, where the complete artefact first exists.
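The reassembly pattern described above, and why inspection at the point of assembly catches what a per-object scanner misses, as an added example. This is illustrative code written for this page, not SquareX's product code or the DEF CON demo: the payload, the marker string that stands in for a malware signature, and the fragment size are all constructed for the demo. It runs in Node or a browser console using only standard globals (`TextEncoder`, `btoa`, `atob`, `Uint8Array`).

```javascript
// Added example (not SquareX's code): a last-mile reassembly attack and the
// two inspection points that matter. A payload is split into fragments that
// each look benign on the wire. A gateway or EDR that scans each transferred
// object in isolation never matches a signature that straddles a fragment
// boundary; a check at the point of assembly in the browser does.

// Constructed marker standing in for a malware signature (not a real one).
const SIGNATURE = "CONSTRUCTED-MALICIOUS-MARKER";

// Constructed payload: a script whose only "malicious" content is the marker.
const PAYLOAD = `// dropper\nconsole.log("${SIGNATURE}");\n`;

// Attacker side: split the bytes into fixed-size fragments and base64-encode
// each one, the way a page might fetch them as innocuous JSON or text fields.
function fragment(text, chunkSize) {
  const bytes = new TextEncoder().encode(text);
  const chunks = [];
  for (let i = 0; i < bytes.length; i += chunkSize) {
    const slice = bytes.subarray(i, i + chunkSize);
    chunks.push(btoa(String.fromCharCode(...slice)));
  }
  return chunks;
}

function decodeChunk(b64) {
  return Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
}

// What a secure web gateway or EDR effectively sees: each fragment on its own.
// A fragment shorter than the signature can never contain it, so this is
// always false for the sizes used below.
function gatewayScan(chunks, signature) {
  return chunks.some((c) =>
    new TextDecoder().decode(decodeChunk(c)).includes(signature)
  );
}

// Victim's browser: decode the fragments and join them into one buffer, e.g.
// to build a Blob and trigger a download or to eval the result as script.
function reassemble(chunks) {
  const parts = chunks.map(decodeChunk);
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let offset = 0;
  for (const p of parts) {
    out.set(p, offset);
    offset += p.length;
  }
  return out;
}

// Inspection at the point of assembly: the first place the complete artefact
// exists, and therefore the first place a whole-file signature can match.
function assemblyPointScan(bytes, signature) {
  return new TextDecoder().decode(bytes).includes(signature);
}

// Run the attack and both inspection points. The fragment size is deliberately
// smaller than the signature so no single fragment can ever contain it.
function demo() {
  const chunks = fragment(PAYLOAD, Math.ceil(SIGNATURE.length / 2));
  const assembled = reassemble(chunks);
  return {
    fragments: chunks.length,
    gatewayDetected: gatewayScan(chunks, SIGNATURE),       // false
    assemblyDetected: assemblyPointScan(assembled, SIGNATURE), // true
    intact: new TextDecoder().decode(assembled) === PAYLOAD, // payload survived transit
  };
}

console.log(demo());
```

The point generalises beyond base64 chunks: any transform the page can undo client-side (XOR with a key sent separately, fragments hidden in image metadata, pieces fetched from different origins) defeats a scanner that only sees individual network objects, which is why the check has to run where `reassemble` runs.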

Following the conference, Palo Alto Networks validated the risk of evasive attacks that assemble inside encrypted browser sessions in a September 2025 statement. Carse says that recognition of the threat model from Palo Alto Networks has helped accelerate industry awareness, adding that browser defences are no longer optional.

Beyond last-mile attacks, enterprises are facing other browser-level risks that have become increasingly prevalent as SaaS adoption accelerates. These include identity-based compromises using OAuth permissions, malicious browser extensions, and uncontrolled use of unsanctioned SaaS tools - often referred to as shadow IT or shadow SaaS. Each of these vectors leverages the autonomy granted to users within their browsers and the limited oversight available to IT teams.

OAuth-based attacks abuse the consent flow that lets users grant third-party apps delegated access to data held by an identity provider such as Google or Microsoft. An application that requests overly broad or deceptively worded permissions, and persuades a user to approve them, receives a token that gives it access to corporate data without any credential theft or malware delivery. Because the token is issued to the application rather than tied to the user's session, that access persists until the grant is explicitly revoked.
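One concrete check a browser-side control can make against the consent abuse just described is to inspect the authorization request before the consent screen renders and flag broad or long-lived scopes. The code below is an added example written for this page, not SquareX's product code. The consent endpoint hostnames and the scope names are real Google and Microsoft identifiers; the high-risk scope policy, the client IDs, redirect URIs and sample URLs are constructed for the demo. It runs in Node or a browser using only the standard `URL` API.

```javascript
// Added example (not SquareX's code): evaluate an OAuth authorization request
// before the user sees the consent prompt, and flag scopes that grant broad,
// standing access. An in-browser control would run this on navigation to one
// of the consent endpoints; here it runs over constructed sample URLs.

// Real consent endpoints for Google and Microsoft identity (hostname + path
// suffix; the Microsoft path is prefixed by a tenant segment such as /common).
const CONSENT_ENDPOINTS = [
  { host: "accounts.google.com", path: "/o/oauth2/v2/auth" },
  { host: "login.microsoftonline.com", path: "/oauth2/v2.0/authorize" },
];

// Constructed policy for the demo: scopes that hand an app whole-drive,
// whole-mailbox or directory-wide access, plus offline_access, which yields a
// refresh token so the grant outlives the session. Tune to your organisation.
const HIGH_RISK_SCOPES = new Set([
  "https://www.googleapis.com/auth/drive",          // every Drive file
  "https://www.googleapis.com/auth/gmail.readonly", // read all mail
  "https://mail.google.com/",                       // full Gmail access
  "Mail.ReadWrite",
  "Mail.Send",
  "Files.ReadWrite.All",
  "Directory.ReadWrite.All",
  "offline_access",
]);

function analyzeConsentRequest(urlString) {
  const url = new URL(urlString);
  const endpoint = CONSENT_ENDPOINTS.find(
    (e) => url.hostname === e.host && url.pathname.endsWith(e.path)
  );
  if (!endpoint) return { isConsentRequest: false };

  const params = url.searchParams;
  // Both providers pass scopes as a space-separated list in "scope".
  const scopes = (params.get("scope") || "").split(/\s+/).filter(Boolean);
  const flagged = scopes.filter((s) => HIGH_RISK_SCOPES.has(s));
  const dataScopes = flagged.filter((s) => s !== "offline_access");

  return {
    isConsentRequest: true,
    provider: endpoint.host,
    clientId: params.get("client_id"),
    redirectUri: params.get("redirect_uri"),
    scopes,
    flagged,
    // offline_access on its own grants no data; combined with a broad data
    // scope it means the app keeps that access after the user logs out.
    persistent: scopes.includes("offline_access") && dataScopes.length > 0,
    verdict: dataScopes.length > 0 ? "block" : "allow",
  };
}

// Constructed sample requests (client IDs and redirect URIs are placeholders).
const SAMPLE_REQUESTS = {
  // Narrow grant: per-file Drive access plus identity claims.
  narrowGoogle:
    "https://accounts.google.com/o/oauth2/v2/auth" +
    "?client_id=example-client.apps.googleusercontent.com" +
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code" +
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file",
  // Broad, persistent grant: whole mailbox and all files, with a refresh token.
  broadMicrosoft:
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code" +
    "&redirect_uri=https%3A%2F%2Fevil.example%2Fcb" +
    "&scope=openid%20offline_access%20Mail.ReadWrite%20Files.ReadWrite.All",
  // Ordinary navigation that is not a consent request at all.
  notConsent: "https://app.example/login?next=%2Fdashboard",
};

for (const [name, u] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, analyzeConsentRequest(u));
}
```

The scope list is the policy knob: a narrower scope such as `drive.file` gives the same app a working integration without standing access to every document, so a control that blocks only the broad variants pushes vendors toward least privilege rather than blocking OAuth outright.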

SquareX's response has focused on detecting and preventing attacks at the point of assembly inside the browser. Rather than build a proprietary secure browser, the company takes an extension-based approach to protection, reasoning that the browser has become the go-to operating system of modern work and that users are reluctant to give up the one they already use.

"It's really hard to get everyone to kind of lift and shift their entire operations from one product to another product, and then browsers feel so personal," Carse explains. "If they were using Firefox, they continue to use Firefox, but now it's a secure experience."

The convergence of browser-based work, encrypted data flows and federated identity systems is now defining a new stage of enterprise security. Carse argues that traditional perimeters have dissolved and that the browser has become the main point where user intent, corporate data and external services intersect.

"What we're seeing is that attackers have moved on from some of these traditional phishing attacks like sending a PDF to somebody's inbox, and they're moving to web-based attacks. Because of SaaS being so available today in so many places, we're seeing those shifting into the browser."