‍Caleb Sima: [00:00:00] Cisco will deliver you a Cisco browser. Yeah, and the Cisco browser is what you use for anything related to your work. These browsers are effectively real estate that controls 90% of what you do in your employee workforce. If it's using the browser, if you're accessing. Salesforce SaaS apps. If you're accessing internal applications, you could run Slack or anything else inside a browser, right?

Yeah. All of these things are all run inside your browser. Your browser effectively becomes a replacement of your operating system

Ashish Rajan: Browser security would not have been the top of mind for you when you thinking about AI. In this conversation, Caleb and I go through why enterprise browser gonna be the thing that is gonna disrupt how AI agents operate and work in the future and probably even today. So in this conversation we spoke about what are enterprise browsers, the current players in this market who are disrupting this particular space, and also why is this important? And I took on the role for people who may have reserved [00:01:00] views about how browser security is important.

So you'll get to hear both sides of story for why browser security is important or should not be important. But overall, I think it's a good conversation for anyone who has not considered browser security for probably measuring how AI agents are gonna operate. Or even behave in their organization. And as always, if you know someone who's probably working in this particular space of AI on cybersecurity, definitely share this episode with them.

If you haven't listening or watching AI cybersecurity episode for some time and have been find them valuable, I would really appreciate if you drop us a follow or subscribe. If you are listening to this on Apple or Spotify or if you're watching this on YouTube or LinkedIn, definitely give us a follow subscribe there as well.

Alright, enjoy this episode and I'll talk to you soon.

Peace Hey welcome to another episode of AI Cybersecurity podcast, which I was confusing with another podcast. But today we are talking about enterprise browser, Caleb, I think, to set the scene up. So obviously you and I were talking about this last week.

We were doing the recording. And we've done some research on this as well. Maybe just to establish the context for a lot of people because this is AI Cybersecurity Podcast. [00:02:00] Why are we talking about enterprise browsers?

Caleb Sima: Why are we talking about enterprise browsers? Or browsers in general.

Yeah. Yeah. So first of all, I think we all know the basics, which is that 98% or 99% of our time is spent in a browser, right? It's almost like when you look at laptops. Why do you have so much compute power and all of these features when 99% of your time is spent in a browser anyways?

And even applications, I think if you're thinking about Mac or others, most of the applications are browser based applications. Today. And so you're, I think users or people's experience with the world is done through browser. And so when you think about AI and you think about where is the first place or the easiest place at where I think AI agents and specifically computer using agents, CUA are going to start, I think it's gonna start on [00:03:00] the browser because the browser has 99% of everything you do. Yep. It's one interface, one standard, one junction point, right? If you think about it, where you can sit, not only watch everything you do and how you do it, but use your permissions to do it. So if you wanna think about where the easiest place to stick your agent is going to be the browser, and so you can get the right plugin.

Stuck in your browser. It can watch what you do, which websites you do, how you do it, what you do, and then it can help automate it. Oh, I see that you're always checking emails, sending these kinds of emails. Then doing this with your calendar, then looking this up in Google Maps and putting that in it, that it knows, oh, I see exactly what you're doing.

I can do all of that for you. Oh, by the way, I see you're starting down this pattern of scheduling a meeting by looking up the person. Creating the [00:04:00] event in the calendar, I see that where you're going, I see you look up Google Maps to get directions and time for distance. I like I can predict, oh, this is what you're doing, I'll do it for you, and it automatically does it in the background, sticks it in your meeting.

Like that stuff I think is very obvious. Where this stuff will go. So therefore we should talk about browsers. And I think specifically what do enterprises do in this sense and this context, and where we will see it start popping up.

Ashish Rajan: Yeah, I think, just to add a few more layers to what you were referring to as well, and maybe this is rightly called enterprise browser from that perspective, most of us who work in an enterprise or some kind of a work function, we are all either working on quote unquote intranet. Which is our internal web applications that have been there, which were initially like, I think they've got I can't remember the they, they used to be things used to install with next.

But now they are on a browser, whether it's your Jira take whichever internal application you have, self hosted [00:05:00] GitLab or whatever it may be. A lot of them are browser based on the web. I think I was on a CISO event around RSA, I think it was the Palo Alto one, but essentially, one of the stats I was called out there was 60% of every employee activity in most enterprise and could be higher as well, is on a browser, whether it's on the intranet or if it's on your, going on external websites trying to get news or whether it's trying to find out, hey what extension can I add to make this snapshot so I can take, keep that one second from all the GRC work that I have to do.

So I go and screenshot why I, why can't I just make this, use this extension and screenshot it I think as you say that in my mind, I'm going through, oh yeah, we've got intranet. We've got literally, if we, every modern organization has about 40 SaaS applications. All those SaaS applications are gonna be on a browser as well.

Caleb Sima: They're all browser. Minus, like I would say, where's the other 40% go in that stat? Probably office.

Ashish Rajan: Most likely. Yeah. Yeah. Probably the, that's changing, right? [00:06:00] With Office 365 and G Suite. They're all trying to make that browser base as well.

Caleb Sima: It already is browser based.

The and I don't know about thick client office apps, but I would assume, out of the people that I do know and the most majority of the workforce, they do not like the online quote unquote versions of office. They, I. Oh, they all prefer using the actual software application. I can't use the web-based version of Excel.

Like I need Excel. Excel.

Ashish Rajan: Yeah. And I, I guess maybe, and to what you said as well, a lot of people who do not want a thick client of a Slack or something that's still going on web, on a website. But maybe to, to your point about the enterprise browser and why it's probably even more important in an AI world.

I love what you called out, which probably was an example that people would've seen in that operator demo that the Open AI people did where they had, I guess the operator when they gave it a task, it actually opened a browser. The very first thing it did was open a browser and search for something.

And to your point [00:07:00] that you reckon at the moment where we stand, that is gonna be the default. Because, and we are not at that stage where it's gonna just open a terminal, start writing a shell script or a Python script or whatever. It's just gonna straight emulate exactly what Caleb and I do when we log open our laptops first thing in the morning.

Caleb Sima: Yes. To go into, okay, so that's where, why in the AI cybersecurity, should we talk about enterprise browsers? The point is AI, this is where I think AI's, agent entry point will start. Therefore from an enterprise perspective you wanna start thinking about what do we do there?

And how do we manage this? And I think enterprise browsers are a segment that not a lot of people talk about, but is growing super rapidly. And so I thought what we would do is just give an overview of what is the enterprise browser, quote unquote, who are the vendors, what's its purpose, and then start talking a little bit about why are we doing this?

Because the level of [00:08:00] control that is given to the enterprise through these browsers and why it now becomes the real estate for controlling AI agents as it moves forward. And that's why I was like, okay, there's a lot around browsers that we could probably talk about.

Ashish Rajan: Maybe if you wanna define enterprise AI. Sorry, if you define enterprise browser. It's like there's so much AI in this world. It's like everything is in AI. So if you wanna, if you're maybe to kick it off then, I guess if you wanna, I guess we gave, describe what browser is.

We described why it's important and why, specifically in the AI context, you called out the operator part at the first stop where the agent is going. So would this mean the definition of enterprise browser is different now in this AI world?

Caleb Sima: Okay, so what is an enterprise browser? Enterprise browser is a variation or a private variation of chromium. And it is a fully standalone version of an application. At and in today. There are effectively two vendors [00:09:00] that quote unquote do this. There is Talon Security, which was acquired by Palo Alto, and then there's Island security, which is still independent. What does this look like for a user? This means that you will have a Island browser or just chrome, quote unquote to some extent on. And then when you use it, it will be exactly like Chrome 'cause it is Chrome. Alright. It's basically, it is a wrapper around that Chrome but it gives the enterprise mega level of control over that browser because it's not just a plugin that you install in Chrome.

It controls everything in that browser, which means what they're selling to the enterprise is what are the benefits of using an enterprise browser? Number one it gives you these sort of workforce benefits, DLP automatically built in. So I can create a policy around things like you can't take screenshots on this webpage that contains customer [00:10:00] data.

Oh. If you try to copy a social security number out of a SaaS, internal SaaS app. We won't allow you to do that. You'll get visibility of employees trying to do these things with sensitive data. In this visibility, you get zero trust capabilities. So oh, this browser will only authorize you to your internal applications or SaaS applications.

If you are coming from this location, if your device is secure, if blah, blah, blah. All these zero trust kinds of factors can then be. It automatically adds things like approved password managers into the browser. All of these policy and compliance controls in the browser automatically. So that means for an enterprise since 90 plus percent or maybe to Cisco, 60 plus percent of your work is being done inside of a browser. You get all of this level of visibility. So enterprise browsers, really are focused on this [00:11:00] DLP zero trust, and also there's a point of this sort of like BYOD aspect where they say, let's, I'll give you a prime use case example that I was in my last company who was looking at enterprise browsers for take your customer service reps or contractors.

I don't wanna ship them a laptop that has all these controls on it. I'd rather just say, you use your own hardware as long as you use my enterprise browser. Then my enterprise browser will prevent all of the other kinds of things that I need to know in a untrusted environment. So it prevents screenshots, prevents copy, paste, looks at the environment and makes sure that it's, in the right state, it's connected to the right network.

All of those kinds of things are in

Ashish Rajan: place. I think that's a good point. How different would that to be? What was it workspaces that concept that people were talking about during COVID people virtual desktops and [00:12:00] virtual yes. Where does that go? Yes.

Caleb Sima: Yeah. This is effectively their pitch, especially I think more Talon is, their pitch is you don't need heavy virtual instances since for example, our customer service reps, a hundred percent of their work was done in a browser. You just need a secure browser that both gives us visibility, control and prevents against malware, right? And so all of that is just delivered via that route.

Ashish Rajan: Yeah. So it sounds like a lightweight version of that workspace that used to be, but also, but with the controls you want rather than people being frustrated.

'cause I think the example that you called out where remote workforce, but contractors. But at the same time, I love the identity part as well because I think we've been talking about it on the podcast for a long time, how our identity or machine user identity is gonna be a key factor in deciding, Hey, who made the change?

Whether it was the actual Ashish or the machine Ashish. Yes that [00:13:00] definitely, I. Makes it really interesting. But we, you didn't mention Internet Explorer, Firefox. Brave. What are all these other people doing?

Caleb Sima: It's only, it's, it is only ba like basically me saying, I can give you a, here Cisco will deliver you a Cisco browser.

Yeah. And the Cisco browser is what you use for anything related to your work. So anyways, these browsers are effectively real estate that controls 90% of what you do in your employee workforce. If it's using the browser. If you're accessing a. Salesforce SaaS apps. If you're accessing internal applications, you could run Slack or anything else inside a browser, right?

Yeah. All of these things are all run inside your browser, and so your browser effectively becomes a replacement of your operating system. Which is what obviously Chromebooks and other kinds of things have been trying to do for years. Is replace your operating system.

Ashish Rajan: Oh, yeah. Because that's why, I haven't used a Chromebook, but that's why people are saying Chromebook just [00:14:00] comes with a chrome browser and you just do everything in it. All the apps are in it, correct. Browsing is in it, mail

Caleb Sima: everything. Everything pretty much is you can use inside of Chrome because it is an operating system in this sense. So a lot, like you said, anything that's online, Office 365's online, Slack is online.

All of these things are all web based. You can access all of them through the web and through your Chrome instance. So you'll have apps and icons just like an operating system

Ashish Rajan: to, to your point. Then none of the other browsers. So the reason these two people like the Talon acquired by Palo Alto and Ireland have worked on chromium a I imagine, because Internet Explorer doesn't have any open source version

Caleb Sima: as well available.

TBD as to why they decided. My guess, I wasn't in these meetings, but my guess is clearly chromium is the number one most used browser. Number two, it is open source and available so you can download and alter it in any way that you want, which gives [00:15:00] unlimited flexibility for an enterprise control level.

Factor of it.

Ashish Rajan: Because I imagine a lot of people who will be listening or watching this, a lot of them are obviously office e office license, I don't know, E seven, E five, whatever license they would've had, they're all in that ecosystem of Windows. Yes. So if there is no version, which is interesting that Internet Explorer chose not to have an quote unquote enterprise browser in an AI first world.

For people who are listening to this and I guess to what you called out as well. At the moment at least the way I understand this and the way you're sharing this as well moving forward, as we move into this AI world even more where hey, I'm using Open AI or Claude or whatever on a browser. I'm copy pasting information into it, whether instead of relying on a proxy or whatever or a DNS at the end, at the edge to stop me, I stop Ashish right there on the browser to prevent the, like the shift left, the true shift left as you talk about.

In this case for both technical and non-technical people who are trying to [00:16:00] just do the regular jobs. In terms of, where does this fit in, because I don't think a lot of people even consider a browser security as a budget item, so why?

Caleb Sima: Which is why I think this is be, this is, when you start thinking about where AI is going to inject itself the browser is a phenomenally obvious place to go do this at scale.

Like for example, you have Claude Apps and you have these separate applications that are now being run. But when you think about the power and the context of what you would get if you were just in the browser itself, and you could talk in the browser just like your chat, but it had all the context of everything you're doing inside of a browser.

For example, there are startup companies that are starting to go down this road. Like there's quite a few. One called Ventrilo. There's a few of these that are like saying, I'm gonna inject myself [00:17:00] into the browser. I'm gonna get all the context of everything you do in the browser, from tab to tab.

Use that to then help you be more productive. This is an obvious place that you're I'm, my bet is you're gonna see this on fire in the next three to six months. Everyone's gonna start going here. Because the power is phenomenal. You get your automation, the ability to automate your tasks in the browser.

You don't have to log in, you don't need state, you don't need any sort of access it. It has all the access already. It sees what you're doing already. It will just automate it. It will give you, ev everything you need in your context to go do this stuff. And so you're gonna, it starts with these plugins.

But my bet is it's gonna go straight towards operating system in the browser variations. And so as an enterprise, how do you prevent this? How do you enable this? How do you get visibility of this? How do you use AI? So when you start thinking about AI security [00:18:00] products or products that go into AI.

Will you start seeing those also appear in the browser?

Ashish Rajan: It's an interesting proposition and maybe something that I'm noticing across AI, other AI spaces and, 'cause the more I hear it, the more it sounds like corporate security and not the, maybe it is application security. It's a, it's one of those overlap places where I have all the internal applications that are AI enabled.

That my entire workforce is accessing, using AI, but I've also got my staff that needs to regularly use a new browser or whatever. Is this one of those the reason I asked about it, this is a budget item for this, is a lot of times a lot of the conversations that I'm having about say AI machine users in others, it's being classified under, it's an internal threat, so it's a much lower priority.

Would you say this is at a stage where if people have started using AI agents in their organization, then it's a now problem, versus if they are building towards an AI agent [00:19:00] future, this was gonna get real for them really quickly. In terms of 'cause I'm, where I'm also coming from, is this a few layers to this?

There's Hey, I already have a firewall, I have a proxy. But are we saying that this is a better approach than relying on your firewall?

Caleb Sima: So remember that what started this conversation, so in our previous episode that we did, what started this was around what is the more urgent threats, either AI agents or what I was saying is there are urgent threats that you have right now in your enterprise that you don't even pay much attention to, like your Chrome plugins.

Ashish Rajan: I remember that

Caleb Sima: plugins. For most organizations, the only thing they do is blacklist them, right? Yeah. Only more mature organizations even whitelist them. These are an enormous hole into everything your employees do, but nobody pays attention to them. Nobody [00:20:00] spends money on them. Yet these things are a much, much bigger threat than some system installed agent on someone's endpoint.

But yet everyone wants to throw money and budget at this lower risk, but more relevant in terms of buzzword problem than the actual browser, which is a massive area of exposure and risk that somehow enterprises think not really a big spending budget problem or an area that we can focus on later.

Yet they will flip out because we have, an MCP server, in your Claude app. And that is a bigger risk.

Ashish Rajan: But I think maybe that's where I was coming from as well. 'cause I think I kept thinking in terms of every time I tried raising awareness for it, I am always been told, oh, it's an internal threat.

We have all these other controls for it. No one ever mentioned a [00:21:00] browser and but to what you spoke about and what I heard at that CISO event, pretty much the same thing, that everyone's using a browser, everyone's doing most of their work in a browser, and yet, even till today, I don't know how many people actually have the quote unquote enterprise browser that you described even before the AI became thing became a problem.

I don't know how many people have that apart from the control that. Or or I remember, I can't remember which company was it. It was a telecom company I was part of where Internet Explorer had some kind of access policy thing outside of that. But the way you're describing this, we spend a lot of time in companies where security awareness of phishing, Hey, make sure your email doesn't or you download a malware, we install a malware.

Even before AI, those kind of things would be resolved by enterprise browser as well is I think that's where you're going. Yeah.

Caleb Sima: Yeah. All of these things would've would be very much resolved in the sense that, oh, I know which AI plugins send what to what ai, right? Yeah. All of this [00:22:00] capability is already there.

Yeah. I know which plugins are accessing, say the Gmail, if you're using Gmail interface in your browser. The calendar, if you're using calendar interface, all of these things are all easy to figure out and to monitor for. It's effectively an operating system that the most of us use that is largely being quote unquote ignored from a security perspective, and yet somehow is belittled down to more minor risks, even though it's absolutely, it has everything.

Ashish Rajan: I guess is that because we had the whole BYOD, people wanna bring their own device, people want to bring their own, like there's a whole, there's another layer to this where I think I, I almost look at this as a Blackberry versus an iPhone thing, where Blackberry was that default phone In most organizations and in this case, internet, explore the default browser.

And suddenly Apple became the new cool kid. That Cool Kid Chrome became popular the same way in terms of securely deploying with AI agents, which are primarily gonna be browser based, at least in the [00:23:00] initial stages. Have you got some thoughts on that as well in terms of challenges around BYOD?

Your I guess governance features around this.

Caleb Sima: What's the that's what I'm saying is there really is no governance features around this minus enterprise browsing controls. And so we are, there is a very small amount of capabilities when you think about, okay, now if agents in AI start figuring out the browser is the best place to go here. In fact, actually, wasn't it just, it was just a week or two ago that OpenAI was there was discussion in the news about OpenAI bidding for Chrome, right? Yeah. Yep. Yeah, but you know why? Because of this, right? It makes so much sense to own a browser because it is the operating system and the capabilities that you can have if you're embedded [00:24:00] inside of a browser from an AI perspective is phenomenal. And the amount of ability and features you can add are phenomenal. And so that market size and segment and the capabilities are enormous. But there are very little people focused on this. Everyone is looking at LLM firewalls. Everyone's looking at, secure development lifecycle around AI and machine learning.

Everyone is looking at, testing and red teaming models, but when you think about where is the best place for AI to integrate, to gain the information it needs, and to automate and use agents on behalf of people and or employees per se, the browser is a phenomenally empty place. This is what I'm saying.

This is like, when you think about in the next year or two my prediction here is browser becomes a massive focus for [00:25:00] AI.

Ashish Rajan: I'm playing a devil's advocate here, so I appreciate you being patient with me. Yeah. Always always because, 'cause I definitely find that. You know how as you said that, the first thing that came to mind was, all these OWASP top 10.

We talk about always, we've been talking about 20 years where for 10 plus years we've been talking about all the XSS, CSRF, session hijacking, all of that. I feel like if there's an enterprise browser 10 years ago. Probably would not be talking about any of this right now. There's no need for DevSecOps.

There's no need for any of that stuff. If technically if the browser is already stopping, isolating your people from downloading a malware. It's isolating people from accessing from undisclosed location, which are suddenly changing. Credential theft, there's I, phishing

Caleb Sima: I would argue a little, I wouldn't say that's a little bit of a broad blanket okay. Because take DevSecOps for example, like DevSecOps is also about protecting and securing the product at which you produce. Oh yeah, of course. Yes. Yeah. Yes. And so that is much less [00:26:00] relevant. Quote unquote, to protecting your workforce or enabling your workforce there. You could say things like, is cross site scripting able to be prevented at that browser?

Perhaps there, there's definitely a lot of mitigations that can be applied that way, although I think it would be very difficult to make a sound argument that. Client side protection could ultimately do a hundred percent proof against cross site scripting because the problem with cross site scripting is you don't know.

What is truly given to me by the server versus given to me by a malicious attacker. By via the server.

Ashish Rajan: Yeah. No, you're right. Yeah. But I think they're coming from the example of extensions that you gave earlier, or in fact people downloading malicious software, being able to prevent that based on a threat intelligence list.

You may have DLP, the example that you gave earlier as well. It's not that DLP was not a problem before AI. It was always been a problem before AI. [00:27:00] And I guess where I'm going with this is that. In spite of knowing all of this, one would've thought people would've, someone somewhere would've assumed.

Browser is the one place even pre AI world, we didn't resolve this in the pre AI world. What can we tell people today that maybe changes their perspective of at least giving the browser same importance as it should have deserved before AI, that it probably needs even more today, now that we are moving towards a very AI first world.

Caleb Sima: There was a a, I've now seen a couple startups that have built browser extensions that are now doing full on based agents. And you're browser extension. And so what you can do is you can, there's a prompt and you can do things that say, Hey, search my email for the last place I sent flowers to my mom.

On Mother's Day, I want you to find the exact same thing. Go ahead and order it and have it shipped to [00:28:00] her. It will go through your Gmail account, find the flowers that you sent, find the receipt. Go look up. The place that you ordered fill in the form used even can go and access like your credit card if you give it access to the right place, and then it will pull it, order it, and then submit it.

And that's all done within Chrome, right? Yeah. And so like when you think about everything you do or what you do inside of your browser, this is all now added context. For any AI agent, so they know how much time you spend in what browsers on, what websites, and what areas they know, what topics that you're interested versus what time of day that you normally go and look at what versus the other.

Like they can say, oh, Ashish, I know generally speaking, after five, you're usually reading Reddit. And you usually really like these topics, it will go and automatically summarize and bring up to you the most relevant and pre-open your tabs [00:29:00] for you at that time. Like it's these kinds of things that it's, and it's, here's the thing about it, it doesn't require installing software.

It doesn't require doing anything except clicking or installing exte, an ex extension. And so now these agents and by every single person knows how to install an extension in Chrome. And these agents are gonna down now forcing because I can get access to so much information. I don't need permissions, quote unquote per se, if I have the right access I can use your existing permission sets if I can do this properly.

And that means you don't have to log in, you don't have to do integrations, you don't have to do any of that. It's fantastic.

Ashish Rajan: Yeah. I'm with you. I think what I'm hoping for is at least listening after, at least listening to this conversation or watching this conversation, people finally give the enterprise browser the love it deserves.

'cause I guess to what you said. It definitely lowers a bar quite a bit for what an what in an AI agent could be a [00:30:00] tactical thing people could get onto straight away for respective of how big the problem that they're looking at from an AI perspective at least. And most people would have an identity attached to their browser, so it looks after the identity access management problem to an extent as well.

In my role. Lemme give you an example.

Caleb Sima: Okay. Let's make the as assumption here of a couple things. Let's assume this is where things go. It's all about AI and browser. Yeah. Okay. Agents, actions, automation, whole nine yards is all now in browser. What startup, what cybersecurity startups do you think are gonna start announcing, being announced?

I think with browser based ones, I would imagine. Yeah, exactly. What do you think?

What give yeah. I'm gonna, I'm gonna test you as a entrepreneur and founder. You're now gonna go and market at RSA 2026. What is, what's your buzzwordy way of a new AI protection product?

Ashish Rajan: Ooh, it sounds like browser first. If that became the thing where AI [00:31:00] agents are basically being driven primarily by browsers, if I go down that path, and I, unfortunately, my bias is coming from the whole SSPM world where it was similar thing where the stats were all in front of everyone that, Hey, every organization has over 40 plus SaaS applications they use where there's Ashish spread across all 40 of them with different kind of privileges. They have access to sensitive data, they do all of this amazing thing. And a lot of that conversation just boiled down to, I. It's great, but I have a contract with the SaaS person, so technically they cannot if they were to do something, I can sue them or whatever, and I truly believe I wanna get behind this if I were that startup in 2026, I have to talk about, Hey, browser security is gonna be the thing.

I just would be skeptical only because I know, and I'm probably scarred from the, from my lessons from the past of SSPM and nothing, again, in my mind, by the way, as practitioner a hundred percent makes sense. If I put the lens of don't care about the budget, don't care about any of [00:32:00] that a hundred percent, I'm like, that's why I was thinking about, oh, we could have solved OWASP Top 10 ages ago.

We could have done all this before. I'm just coming from a perspective where I definitely find that if AI agent became the default through browser. I wonder if people would be smart enough and this kind one of those Sam Altman moment where he said, when AGI comes in, it would just be, it would not be a blip in the radar for most people that they would not even realize how the world has changed and in front of them, and they'll still just use 4o model as Hey, this is ai, or so cool.

I think that's where I'm coming from where I wonder if people will just look at it, give it a few seconds and go, oh, actually it's pretty awesome. I'm just coming more from a perspective where I genuinely believe browser security is important, but I don't know if the other side, and I'm, unfortunately I'm not anymore on that side, so maybe I'm, I may not be painting the right picture here, but I definitely find, I'm curious about the future, where this goes. 'Cause the enterprise security or the corporate security has been thrown, SSPM before they've been thrown zero trust before. [00:33:00] They've been thrown.

But where I'm coming from is that I wonder, and again, this is just me being the playing devil's advocate as a practitioner. I love the browser capability where it can go. And I think my skepticism for whether people are buying, I, it's a good one for me to put out as a poll as well for people who are listening or watching this, if you feel the browser security space is, and I do, I should add this as well at the CISO event that I went to, everyone loved browser security.

Everyone who I spoke to, they all, 'cause I'm like, why are we talking about browser security so much? Which is why when you suggested the topic I was like, yes, we should talk about it. 'cause I'm trying to figure out why is it so important. And there is a lot of people who believe this, but as a founder who's gonna go to RSA 2026 and pitch a enterprise browser.

I would like to know if there's actually money being put behind this as well, apart from being an interesting problem. Would that be fair?

Caleb Sima: There, there is. But let me give you, let me give you something I think not a lot of people understand about enterprise browsers. Sure [00:34:00] it's not just about DLP and it's not just about protecting from malicious BYOD kind of things.

In fact, the number one benefit of an enterprise browser is the ability to inject features into your browser. Let me give you an example. I'm going to create a fictional company. Let's say customer service reps. They use an internal. CSRM application to look up support tickets and interact with your customers, right?

In that application. For all of us who work in cybersecurity that know this, that internal application is custom made. Generally it's a combination of duct tape between Salesforce, some other custom app that you made and who Oracle, right? And it's all shoveled and duct taped to together and inside this application, your customer service reps can see your customer's [00:35:00] information.

Things like mailing address, PII, maybe credit card, maybe even social security number. A lot of these things are all fully available to the customer service rep at which has access to your record. Yeah. Now, we all know best practices would be that customer service rep should only have access to that record at the time at which they are dealing with you, but that generally never happens.

They usually have access to most customer service, most customers rep accounts and records. So now as a security, what do you do? You have to say hey, listen, we don't want PII information being shown right away to a customer service rep because 98% of most support tickets we have to handle don't require that information.

Yeah. But let's say 2% of those tickets do require access to that information. In the name of lease privilege, we should not allow that to occur for customer service reps. They should not get access to a customer's [00:36:00] social security number. So then what? What happens internally? What happens internally is you have to submit a dev ticket to the engineering team.

Someone has to go figure out how to put it into a feature request, and then maybe three, four months later you might get a feature that says, oh, this social security number will not be revealed unless you click this button, and then it will then require someone to approve. Yeah, that you are allowed to see this thing, which by the way, if you get that done in three to six months, it would probably amaze most people in enterprise backend, because most of the time they'll probably come back to you and say, oh, that will require a restructuring.

And that's just too complicated to do. So guess what? You can use an enterprise browser to do that immediately with zero coding. And without going to your enterprise backend team to go get that done in your enterprise browser, it can recognize things like a social security number [00:37:00] can automatically mask that, can apply a button in the interface that says require 2FA.

So then if they click that button, it will automatically post to the employees either push notification, YubiKey touch. Whatever it may happen to be is, say, reveal this. And then they can click that button. It will reveal that it can fire off an event for the statistic to show this customer service rep revealed this social security number, and then they can only access it at the time they do that.

All of that can be done in an enterprise browser with zero dev. And so when you start thinking about the power of being able to inject feature capabilities, modify permissions manage those permissions without any backend dev work, all through the enterprise browser perspective, it becomes very powerful.

And we, I wanted to implement enterprise browsers specifically more for that kind of purpose because of the capability it gives [00:38:00] without requiring dev work.

Ashish Rajan: Actually, that's a good point as well. And maybe i'll add another layer to the AI comment you were making earlier as well, because at the moment we, and this is going off the past few episodes as well, with MCP security still being developed, A2A security is still being developed.

And if agents are primarily being driven by a browser in that future that we were talk, talking about, you need something to know what the agent is doing as well. And if it's all browser based, how the hell do you even know what it's doing? What calls making what? The whole API security thing as well, actually, isn't this fair kind of how Burp Suite made its own made itself very popular. It was actually be that person between inspecting the traffic and identifying for you. Yeah. It's a man in the middle. Yeah. Yeah. So this is like a man in the middle, but essentially for the AI agents that at the moment are unstructured, you're sending a prompt.

You're getting something else in response that you probably would not even understand what that is. And connectivity is, I feel like that's another feature maybe see that I would get behind at RSA and go Hey [00:39:00] actually, 'cause that would sell I in my mind.

Caleb Sima: Another reflect

Ashish Rajan: is out a bit.

Caleb Sima: So again here's the prediction for the, for those that listen to this podcast, RSA 2026, how many cybersecurity companies, startups, are gonna be pitching in browser security for AI agents or AI.

Is going to like, let's do a count next year RSA 2026.

Ashish Rajan: Yeah, I think it's, that'll be good. We can definitely revisit this episode at that point in time. 'cause I think to you, to what you said, and then how many of those startups got that idea from this podcast? That would be, and can get incubated as well.

That would be pretty awesome because I think you hit the nail on there. And I think the one silver lining that I'm taking from this is at least we have the capability to do this today. If people are serious about it, they can start working on it today before it becomes like a bigger problem to deal with.

And then we are, again, retrofitting things instead of trying to be proactive about it, but at least sounds like a future where an AI [00:40:00] agent is driven primarily by a browser where your concerns are beyond just phishing and DLP and perhaps, or even identity access management as well. An enterprise browser is solution you'd probably look forward to, but at the same time being able to have an activity monitor for what your AI agent is doing across the board or what it can or cannot do, and based on the permission it basically inherited from its actual user. I think that would be very powerful. 'cause at the moment, we are just flying in the blind for what is the AI doing.

Caleb Sima: So I'm gonna give two, there's two real big benefits here. The first, I'm gonna just say is a consumer benefit. What made Cursor so popular is the fact that it took visual Studio and basically made its own AI visual Studio who has done that for the browser, who has made the AI version of Chrome similar to how Cursor made the AI version of Visual Studio that need, that's going to happen.

I [00:41:00] don't know who has, because I don't know of anyone who's done it, but that is going happen.

Ashish Rajan: Isn't Perplexity trying to do that?

Caleb Sima: No. Perplexity is more of Google replacement. It's Google search replacement. Oh, but no one's made a AI version of Chrome. No one's done the what Cursor did to Visual Studio who does to Chrome.

And by the way, that's that. There's a lot of power in that. And so there are, that's the first thing is I predict that this is, there's gonna be a move there. Yeah. The second thing is you're gonna need security in that, because there's gonna be a big push as, oh wow. You could do a lot with AI in a browser, and there were only two technically three players, but really two private players that play in the cybersecurity space of browser, Talon and Island. Yeah. And not only is they own the real estate in that, but they also could offer the same capability as the first value prop. Yeah. Talon and Island could also offer AI [00:42:00] capabilities in their version of the route since building that is actually quote unquote difficult to do.

Ashish Rajan: Yeah. In the long run. And so I think in you mind, what would that look like? An AI enabled browser? That should just be a,

Caleb Sima: I don't know. I have ideas idea. I don't wanna give away all my secrets on this podcast.

Ashish Rajan: Okay. In my little mind, I think it'd just be like a, literally like a Google, you know how when you go on Google, it's a search bar?

I just feel it would just be that, but then you almost. If you can personalize, goes back to what we were saying in the last episode about an AI agent, which is a personal one or a work one, but there's a mixed one like your to the chief of staff you were hiring, which is got a mix of your personal and professional or a work one.

Caleb Sima: Yeah. Your browser by and large is both your personal and your professional. So it definitely fits our category as well. Yes and by the way, that's a nice plug for the hire of my chief of staff. And Chief operating officer of my life. So if anyone knows anyone that's good for that, please send them my way.[00:43:00]

Ashish Rajan: Definitely. So I, it's funny, I think as you can, as we have explored this, you also feel we are also in this category where a lot of personal and professional has already mixed and has been mixed for a long time. Yeah. I remember even with the policies. A lot of people in my organization that I will see so far.

We were still had people log into Gmail. We still had people who were either in personal Gmail doing Amazon orders 'cause the marketing didn't required access to Amazon. And depending on the organization, it may be a requirement or it may not be a requirement, but there are, it is a very fine line between what is technically personal, our professional in a lot of organizations in terms of browsing history these days.

'cause you could just be researching, I don't know, for your next holiday as you're sitting in a, or I've got a free minute. I'm gonna, on my lunch break, I'm just gonna browse the holiday destination that I want to go for. Yes. I mean it, it's probably even more intertwined on browsing history. For most people, they don't use their personal phone for it, they just use a [00:44:00] laptop 'cause they wanna see in the full whatever screen is.

So your future is, there will be an AI enabled browser, and then there'll be hopefully more security companies coming out apart from the top two that exist? Yeah. Or the only two that exist.

Caleb Sima: AI agent extensions. Yeah. AI enabled browser, right? And the cybersecurity gap here. And what are the startups that people are going to use in order to then get control of these capabilities inside of browsers and extensions?

I think as

Ashish Rajan: those are those sound pretty solid. I think in a browser first AI world. I definitely find it's funny, I think if, because, and to your point, Open AI did try and bid for Chrome, so it makes it almost clearly there's a play happening on a very top level. And hopefully this conversation helps people this see that in terms of how important browser is gonna be in the come in the times to come.

Both from an internal security as well as from an external security perspective. Final thought before we wrap it up, man, I think that's most we wanted to [00:45:00] cover, right? I never really have a lot of final thoughts, so Fair. We look I guess the only final thought we have now is we look forward to RSA 2026 and how browser is helping people manage their AI agent security.

Awesome. I. Yeah. Awesome. All right thanks everyone for tuning in and do let us know what you think, if you believe this is where the future is, or are we just drinking our own Kool-Aid. Let alone I'll see you guys soon. Thanks everyone. Thank you so much for listening and watching this episode of AI Cybersecurity Podcast.

If you want to hear more episodes like these or watch them, you can definitely find them on a YouTube for AI Cybersecurity Podcast or also on our website. www.aicybersecuritypodcast.com. And if you are interested in cloud, which is also our sister podcast called Cloud Security Podcast, where on a weekly basis we talk to cloud security practitioners, leaders who are trying to solve different kinds of cloud security challenges at scale across the three most popular cloud providers.

You can find more information about Cloud Security Podcast on www.cloudsecuritypodcast.tv. Thank you so again for supporting us. We'll see you next time. [00:46:00] Peace.

‍