Web browsers have long been the security sinkhole of enterprise infrastructure. While email is often cited as the most common entry point, malware often enters via the browser and is more difficult to prevent. Phishing, drive-by attacks, ransomware, SQL injections, man-in-the-middle (MitM), and other exploits all take advantage of the browser’s creaky user interface and huge attack surface, and the gullibility of most end users.
It is this last item — humans — that is the problem, and we need to be protected against ourselves. This is especially true as SaaS applications grow in usage, not to mention that every piece of hardware seems to come with a web server (and therefore a browser) to configure it. These use cases are aided and abetted by the increasing number of work-from-home staffers who depend on more browser-based apps.
This is why enterprise secure browsers have finally gotten their moment. The category, which has been mostly flying under the radar for the past six years, has seen a lot of changes. Google announced its own entry into the field in 2025. Appaegis, Talon and Perception Point were acquired by Mammoth Cyber, Palo Alto Networks and Fortinet respectively, showing how this technology has become part of a larger security context. To that end, other established security vendors have brought forth products in what Gartner is now calling the “remote browser isolation” market to complement their zero trust, secure services edge, or posture management security platforms.
Web browsers have security settings to protect your privacy and to enable you to browse sites more anonymously. This isn’t really a satisfactory solution because these settings will typically result in more user frustration. Turning up security settings will prevent your users from conducting business on many websites, either blocking pop-ups that are needed to navigate some business site, stopping forms from collecting important information, or making your browsing session miserable in some other fashion.
Brave, DuckDuckGo, RAV Online Security from ReasonLabs, Opera and others have more secure consumer-focused browsers, but these aren’t appropriate for enterprises. They are what I would call “safer” or “more private” browsers. Some vendors have taken the recommendations of the Global Privacy Control to heart and have developed their own browser extensions that help guard your individual privacy. All these browsers are better but still not good enough for business uses.
Instead, a different type of tool is needed to manage an entire browser collection. Gartner, in an April 2025 report, says, “Threat actors frequently target employees with phishing attacks to steal credentials and bypass endpoint detection and response controls, necessitating an additional layer of visibility and control within the web browser.” Gartner recommends that secure browsers complement “gaps in existing controls on managed devices rather than replace existing security controls, unless you are a cloud-only, remote-work-oriented company with few physical locations to secure.”
While some enterprise security products touch on browser security, such as secure web gateways, running a browser in a virtual desktop, or using a managed endpoint service, they don’t focus on the total browsing experience and can’t stop many of the potential threat vectors. This is why the secure browser has become more popular and is available in a variety of configurations that can help IT managers get a better handle on stopping attackers from getting a foothold inside their networks.
Tips to evaluate secure web browsers
Before you start an evaluation, you need to understand how these browsers work and how they will be managed. Browsers require a robust and granular collection of security controls to be able to work with the widest possible collection of websites and cloud services. This needs to happen from a central management platform that can apply a collection of firewall-like rules and policies across the entire user population. This includes several broad categories:
Enable MFA at the beginning of any browser session by default.
Handle isolation controls both with respect to the user’s session and to isolate any application from cross-infection. This means controlling the movement of data between the browser, your particular endpoint and the web application or applications involved.
Control access to web destinations, either to allow or block this access.
Detect malware to block phishing, man-in-the-browser and other attacks, such as those aimed at defeating browser extensions.
Apply data loss prevention controls, which include browser settings such as ad blocking, URL and domain filtering, blocking printing, cut-and-paste operations, and screen sharing. These controls should also be able to manage your browser extensions in such a way that a user can’t override or circumvent them.
Enable a variety of logging tools to aid in remediation or reconstruction in case of attacks or data destruction.
Enable anonymous surfing for times when this is needed, such as protecting travellers when they are in more totalitarian locations.
Enable a protected and secure file storage space that can be shared among a team of collaborators.
Replace VPNs and virtual desktops as ways to deliver more secure remote and cloud services.
Any browser needs to integrate with existing security products such as identity management, cloud applications security posture, single sign-on (SSO) and VPNs. That is a lot of software to work with, and some vendors have begun offering specialized browsers as part of their security platforms. For example, iBoss’ and Cloudflare’s Remote Browser Isolation tools are only available as add-on options to their larger security platforms.
GigaOm uses a rubric in which a browser comes in up to four different (and non-exclusive) operating modes, in various combinations:
A full desktop browser client, what we have called in the past a thick client, that replaces a consumer browser and typically connects to a secure remote session.
A browser extension for existing consumer browsers, relevant to both the browser software and underlying operating system.
Agentless browser controls to enforce security policies.
Cloud-based management and proxy, which is typically used with the above three modes or with a thin client that connects to the cloud service.
For example, Google’s Chrome Enterprise browser mostly relies on the fourth mode. Other products, such as Authentic8’s Silo, Palo Alto Networks’ Prisma and Island’s browsers, cover multiple modes. There is a fifth mode that Seraphic uses, building an agent that sits on top of the JavaScript engine and supplements existing browsers.
Why are these different deployment modes necessary? It is because the browser is so versatile and can operate in a variety of circumstances, ranging from controlling some SaaS-based application to viewing dynamic content from a database to managing a collection of remote servers. Having the different modes is a way to extend its utility and still provide a secure envelope in as many situations as possible.
While all these products run specially crafted Chromium versions, they typically employ Linux virtual machines to provide remote isolation features. That could be an issue if you are trying to run web content that isn’t Linux friendly, such as some streaming services. The good news is that the secure browsers are close to parity with a standard desktop browser and running close to the most current Chrome versions.
The biggest issue in implementing these browsers will be staffing and support. This starts with integration into your other security products, followed by onboarding your users and training them to browse the web under the newer and hopefully more secure regime. Handling the various helpline calls from users who are confused or frustrated by unexpected results from their browsing experience will be a significant load on your internal support resources.
Finally, there is the price. For decades browsers have been free or bundled with the endpoint operating system. Secure browsers will cost something, and even a few dollars a month per user can add up over time and across an entire enterprise population. Gartner said in its report: “Free browsers are ubiquitous, to the point that organizations must have specific use cases to justify the purchase of a separate browser.” It remains to be seen if security is that compelling use case. Expect to pay somewhere around $10/month/user for subscription options, with quantity discounts available.
Secure web browsers compared
Authentic8 has been in the secure browser business for more than a decade and continues to enhance its product and widen its services offerings. Silo can provide two-way full isolation and integrate it into your existing workflows and provide a wide collection of security policies that offer fine-grained control over protecting your apps and your data. It has a main dashboard that looks a lot like an SSO tool to launch your protected web applications.
Silo offers two different client downloads: thick clients for Windows and Mac, and a thin client. Both can be managed centrally and via an API connection, and all kick off Linux-based sessions. While the vendor did not reveal pricing specifics, two plans are available: on a per-user or hourly consumption basis. It also provides custom browsers based on a customer’s API collection.
Ermes Browser Security offers a variety of security features including phishing and cybersquatting protection, extension monitoring, and URL filtering. It uses a browser extension and has separate mobile apps.
Fortinet acquired Perception Point’s secure browser extension and integrated it into its Fortinet Remote Browser Isolation product. It integrates with other protective features such as securing cloud apps and offers any browser real-time protection with other dynamic security features through a browser extension. The product is sold with various quantity discounts, with typical pricing at $55/user/year.
Google’s own enterprise product uses the Chrome Enterprise Core as its foundation, which is also the free version. The Premium version adds most of its protective features. Both versions have a very complex setup to enable their managed browser service. Part of the complexity is that there are numerous fine-grained security controls, such as numerous steps to add encryption, as well as specialized OS-specific installations, such as mobile management software, with more than a dozen steps. The other products make this a bit easier, but there is still a lot of trial and error with Google’s software to ensure that the security isn’t blocking legitimate browsing uses, sites, or corporate applications. It is available for all Google Workspace customers and will cost an additional $72/user/year, with a free 30-day trial period that includes 50 user licenses.
Island’s enterprise browser comes both as a browser extension and a thick replacement client for Linux, Windows, Mac, Android, iOS and Chromebooks. It has extensions for Chrome, Edge, Safari and Firefox. It has robust network management and protective functions to complement its browser security.
LayerX Security enterprise browser has both an extension and a thick browser client which integrates with a number of identity protection platforms and offers extension monitoring, DLP, traffic filtering and other features.
Mammoth acquired Appaegis’ secure browser and offers a thick managed client that includes browser session recording, copy-paste blocking, watermarking, screen-share prevention, and data masking. It supports Windows, Mac, iOS and Android devices. The Android version is the most recent and doesn’t have complete feature parity with the other OS versions.
ManageEngine Browser Security Plus is a thick Windows and Mac browser called Ulaa. It comes in a free edition for up to 25 computers and a professional edition with additional security features, including DLP, threat prevention, web filtering and phishing protection.
Menlo Security Secure Enterprise Browser is cloud-based software that is part of a collection of other products that offer file security, ZTNA and other protective features.
Palo Alto Networks Prisma Access Browser is a result of the acquisition of Talon’s browser technology and offers thick clients for Windows, Mac, Linux, Android and iOS as well as browser extensions. It uses a cloud-based management service from Strata. It has a full managed feature set that includes data loss prevention features, extensive logging, and plenty of policies and rule sets. Like some of the others, you can set up a main login like an SSO tool to launch your apps. It will examine the endpoint posture to ensure that it is running the latest OS version and identify risky browser extensions or restricted URLs that you can specify. It comes with a detailed implementation guide and existing Prisma platform customers are eligible for free browser licenses.
Seraphic Enterprise Browser Security has a unique mode of operation with an agent that works on top of the browser’s JavaScript engine. It supports both managed and unmanaged browsers including generative AI-based Atlas and works with a series of protective modules including ZTNA, DLP, traffic filtering, remote connection management, identity security and other security features. There are also thick clients for both Android and iOS devices. It has competitive per-user pricing (each user can install on up to four devices) with quantity discounts.
Surf Security Zero Trust Enterprise Browser offers both a thick browser replacement client and browser extension with a variety of protective features, including DLP and ZTNA support, and integration into Okta’s SSO platform.
SquareX Enterprise offers a browser extension that includes DLP, generative AI protection and threat hunting features, and can isolate and remove malicious code. It supports the three major desktop OSs and major browser vendors, including AI-based browsers from Perplexity and Atlas. It integrates with various identity, SIEM and SSO providers and supports Okta’s Shared Signal Framework.