Every year, the Verizon Data Breach Investigations Report serves as a benchmark of truth for the industry. Its value comes from convergence signals, not just headline numbers. When multiple independent data sources show the same structural changes in how attackers behave, the convergence is worth noting.
This year, the Maintain Conscious team recognized that convergence early as a contributor to the Verizon 2026 DBIR.
This post shows specific areas where 2026 DBIR data and Maintain Conscious's proprietary browser telemetry match, as well as areas that browser-layer data shows network and endpoint tools are missing entirely.
Shadow AI has become a mainstream risk for enterprises
The Verizon DBIR identified shadow AI as the third most common benign insider action observed in data loss prevention (DLP) datasets, with a 4x increase year-over-year.
Employees usually are not trying to take data with them. Rather, they use the fastest tools available for the task. That means pasting internal documentation or source code into a personal ChatGPT session before the organization approves and provisions the managed alternative.
The scale of AI misuse in enterprise environments is one of the report's most important findings. 67% of users access AI services on corporate devices through personal, non-corporate accounts, and 45% of employees are currently considered regular AI users.
Maintain Conscious browser telemetry provides further insight into how these AI services are being used. More than half of AI prompt inputs are sent to personal accounts, and 23% of sensitive prompt uploads involve data transfer through personal or unverified accounts (i.e., outside the scope of a company's DLP policy or logging infrastructure), conveying the real risks of using AI.

Credential abuse and the browser detection gap
The 2026 DBIR found that 39% of breaches involved credential abuse. Maintain Conscious's 2025 attack data shows that browser-based credential theft is the number one browser-based attack, accounting for about 41% of observed threat activity, suggesting that credential theft in the browser will contribute to future breach success.
This attack vector is further exacerbated by the fact that the data shows most of these attacks are invisible to traditional tools.
Maintain Conscious's analysis shows that 63% of Microsoft-themed phishing sites are not reported by VirusTotal vendors at the time of employee exposure, demonstrating a clear detection gap in intelligence feeds and endpoint tools.
Even more clearly, 100% of the credential theft attempts that Maintain Conscious observed were able to bypass existing non-browser security controls (such as network proxies, DNS filters, and endpoint agents) and were not blocked.
None were caught. The only reliable detection point is inside the browser itself, where the page is rendered and the user interaction actually takes place.
Browser extensions: privileged, unmanaged, and prolonged
Because add-ons can read, modify, and manipulate the content of any page and extract data from within the browser context, extensions operate with a level of browser privilege that calls for regular scrutiny, but the data tells a different story.
The 2026 DBIR reported that more than 15% of the average enterprise's users have unapproved AI extensions installed. However, the problems with extensions are broader than AI tools alone.
Additionally, Maintain Conscious's extension telemetry shows that 13% of unique browser extensions observed across our customer base were classified as high or critical risk.
A more operationally important finding was that 93% of disreputable extensions were categorized by browser marketplaces as “productivity” tools. This is the very category that most whitelisting policies treat as safe. For this threat class, category-based allow lists become functionally ineffective.
ClickFix and browser-native social engineering
Both the 2026 DBIR and the Maintain Conscious State of Browser Security Report feature ClickFix as an emerging technique worth monitoring.
The Verizon DBIR found that ClickFix accounted for 2.7% of attacks detected on browsers. While the share is small, it shows the evolution of browser-based social engineering.

ClickFix is a deceptive social engineering tactic used to trick users into running malicious code on their browser or host machine without their knowledge.
This threat starts in the browser, usually when a user encounters a compromised website and sometimes through in-browser LLM chat responses. However, it quickly continues on the endpoint, compromising the device and giving remote access to information thieves and attackers.
Although the endpoint is affected, the browser is the social engineering vehicle and the first line of defense.
The human element is still a (browser) issue
According to the 2026 DBIR, 62% of breaches involve a human element and 16% of incidents are attributable to phishing. According to Maintain Conscious's browser-layer data, 46% of browser attacks observed in 2025 were phishing and social engineering.
The human element finding is often framed as a matter of training and awareness. However, attackers are constantly evolving their browser-based social engineering tactics, including phishing links to benign intermediary sites, redirect chains, pages that appear differently to automated scanners, hosting content on legitimate websites, and silent clipboard injections.
Browser-level visibility doesn't solve the human element problem, but it moves the detection point to where the human interaction is actually happening, rather than looking for downstream artifacts after the interaction has already been exploited.
What does this mean for security teams?
Shadow AI, credential theft, malicious extensions, and browser-native social engineering techniques such as ClickFix share common characteristics. They all run within the browser and produce the most, if not the most visible, artifacts at the browser layer.
Security programs that rely solely on network, endpoint, and identity telemetry will continue to have blind spots in the very places where attackers have learned how to operate.
Browsers are no longer just applications. For most enterprise users, the browser is their work environment. Protecting it is no longer optional.
If your security stack doesn't have visibility into what's happening inside a browser session, it's worth understanding these gaps before an attacker can exploit them. Request a demo of Maintain Conscious and see what your current tools are missing.
Maintain Conscious contributed data to the Verizon 2026 Data Breach Investigations Report. The 2026 State of Browser Security report is available here.
Sponsored and written by Maintain Conscious.
