
Each year, the Verizon Data Breach Investigations Report serves as a ground-truth benchmark for the industry. Its value comes not just from the headline numbers but from the convergence signals: when multiple independent data sources point to the same structural shift in how attackers operate, that convergence is worth paying attention to.
This year, as a contributor to the Verizon 2026 DBIR, the Keep Aware team had early visibility into that convergence.
This post breaks down the specific areas where the 2026 DBIR data and Keep Aware's own browser telemetry align, and where browser-layer data reveals what network and endpoint tools miss entirely.
Shadow AI Has Become a Mainstream Enterprise Risk
Shadow AI was identified in the Verizon DBIR as the third most common non-malicious insider action observed in Data Loss Prevention (DLP) datasets, representing a fourfold increase from the previous year.
Employees aren't typically trying to exfiltrate data; rather, they're using the fastest available tool for a task, which increasingly means pasting internal documents or source code into a personal ChatGPT session before their organization has had time to approve and provision a governed alternative.
The scale of unauthorized AI usage in enterprise environments is one of the report's most significant findings: 67% of users are accessing AI services on corporate devices through personal, non-corporate accounts, and 45% of employees are now considered regular AI users.
Keep Aware's browser telemetry further provides insight into how these AI services are being used. Over half of AI prompt inputs are sent to personal accounts, and 23% of sensitive prompt uploads involve data transiting through personal or unverified accounts (i.e., outside the reach of any corporate DLP policy or logging infrastructure), conveying the real risks of AI usage.

Credential Abuse and the Browser's Detection Gap
The 2026 DBIR found that 39% of breaches involved credential abuse. Keep Aware's attack data from 2025 puts browser-based credential theft as the #1 browser-based attack, accounting for roughly 41% of observed threat activity, implying that credential theft in the browser will later contribute to successful future breaches.
Compounding this attack vector is the fact that the majority of these attacks are invisible to conventional tooling, as our data illustrates.
In Keep Aware's analysis, 63% of Microsoft-themed phishing sites were not flagged by any VirusTotal vendor at the time of employee exposure, showing a glaring detection gap in intelligence feeds and endpoint tools.
More pointedly, 100% of the credential theft attempts Keep Aware observed passed through existing non-browser security controls unblocked: network proxies, DNS filters, and endpoint agents alike.
None of them caught it. The only reliable detection point is in the browser itself, where the page is rendered and the user interaction actually occurs.
Browser Extensions: Privileged, Ungoverned, and Expanding
Add-ons can read, modify, and interact with any page's content, and exfiltrate data from within the browser context. Extensions therefore operate with a level of browser privilege that should dictate regular scrutiny, but the data tells a different story.
The 2026 DBIR flagged that the average enterprise had more than 15% of users with unauthorized AI extensions installed. However, the extension problem is broader than AI tooling alone.
Keep Aware's extension telemetry additionally shows that 13% of unique browser extensions observed across our customer base were categorized as high or critical risk.
The more operationally significant finding: 93% of poor-reputation extensions were categorized as "productivity" tools by browser marketplaces, the exact category most allowlisting policies treat as safe. For this threat class, that makes category-based allowlisting functionally useless.
ClickFix and Browser-Native Social Engineering
Both the 2026 DBIR and Keep Aware's State of Browser Security Report call out ClickFix as an emerging technique worth tracking.
The Verizon DBIR found ClickFix accounted for 2.7% of browser-detected attacks, a small share that nevertheless signals an evolution in browser-based social engineering.

ClickFix is a deceptive social engineering tactic used to get a user to unknowingly execute malicious code from the browser and on the host machine.
This threat begins in the browser, often via compromised websites and occasionally through LLM chat responses, but quickly continues on the endpoint, compromising the machine with information stealers and giving attackers remote access.
The endpoint bears the impact, but the browser is the social engineering medium, and the first line of defense.
The Human Element Is Still a (Browser) Problem
The 2026 DBIR found that 62% of breaches involved the human element, with phishing initiating 16% of incidents. Keep Aware's browser-layer data shows phishing and social engineering accounted for 46% of browser attacks observed throughout 2025.
The human element finding is often framed as a training and awareness problem. But attackers are constantly evolving browser-based social engineering techniques: phishing links to benign intermediary sites, redirect chains, pages that render differently for automated scanners, hosting content on legitimate websites, and silent clipboard injections.
Browser-level visibility does not solve the human element problem, but it shifts the detection point to where the human interaction is actually happening, rather than looking for downstream artifacts after the interaction has already been exploited.
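As an added illustration, not Keep Aware's code or telemetry, here is the kind of browser-layer check that addresses the ClickFix section above and the "silent clipboard injections" just mentioned: it scores text a page tries to place on the clipboard and wraps the page's clipboard writer so suspicious writes are reported or blocked where the lure actually occurs. The indicator list, threshold, `report` sink and sample strings are constructed assumptions, not published detection rules.

```javascript
// Added example (not Keep Aware's code): heuristic scoring of clipboard
// writes to surface ClickFix-style lures that get a user to paste a
// command into a Run box or terminal. Weights and patterns are constructed.
const INDICATORS = [
  { re: /\b(powershell|pwsh|cmd(\.exe)?|mshta|wscript|cscript|rundll32)\b/i, weight: 3, why: "windows-interpreter" },
  { re: /\b(bash|sh|zsh|osascript)\b/i, weight: 2, why: "unix-interpreter" },
  { re: /(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|-ep\s+bypass)/i, weight: 3, why: "stealth-flag" },
  { re: /\b(iex|invoke-expression|irm|invoke-webrequest|curl|wget)\b/i, weight: 2, why: "download-or-eval" },
  { re: /https?:\/\/\S+/i, weight: 1, why: "remote-url" },
  { re: /\|\s*(sh|bash|iex)\b/i, weight: 3, why: "pipe-to-interpreter" },
];
const SUSPICIOUS_THRESHOLD = 5; // constructed: one URL or one word alone is not enough

// Returns { score, reasons, suspicious } for a single clipboard payload.
// Requiring combined evidence keeps ordinary copy actions (a link, a file
// name ending in .sh) below the threshold.
function scoreClipboardText(text) {
  const reasons = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (ind.re.test(text)) {
      score += ind.weight;
      reasons.push(ind.why);
    }
  }
  return { score, reasons, suspicious: score >= SUSPICIOUS_THRESHOLD };
}

// Wraps a clipboard object's writeText (navigator.clipboard in a real page)
// so that a suspicious write is handed to `report` (an assumed telemetry
// sink) and, when block=true, rejected instead of reaching the clipboard.
function installClipboardGuard(clipboard, report, block = false) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = (text) => {
    const payload = String(text);
    const verdict = scoreClipboardText(payload);
    if (verdict.suspicious) {
      report({ text: payload.slice(0, 200), ...verdict });
      if (block) return Promise.reject(new Error("clipboard write blocked"));
    }
    return original(text);
  };
}
```

In a real deployment the wrapper would be installed by a content script or enterprise browser control before page scripts run; a page-level wrapper installed after the fact can be undone by the page.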
What This Means for Security Teams
Shadow AI, credential theft, malicious extensions, and browser-native social engineering techniques like ClickFix share a common trait: they all execute in the browser, and they all produce artifacts that are most visible, if not only visible, at the browser layer.
Security programs that rely solely on network, endpoint, and identity telemetry will continue to have blind spots in exactly the places attackers have learned to operate.
The browser is no longer just an application. For most enterprise users, it is the work environment. Securing it is not optional.
If your security stack lacks visibility into what is happening inside browser sessions, that gap is worth understanding before attackers exploit it. Request a demo of Keep Aware to see what your current tools are missing.
Keep Aware contributed data to the Verizon 2026 Data Breach Investigations Report. Keep Aware's 2026 State of Browser Security Report is available here.
Sponsored and written by Keep Aware.