Cloud security company Zscaler has announced the acquisition of SquareX, a Singapore-based browser detection and response (BDR) technology startup. The deal will enable Zscaler to extend its Zero Trust Exchange capabilities directly into standard web browsers, across both managed and unmanaged devices.
With Zscaler Private Access (ZPA), the company has been helping enterprises adopt zero trust architecture using a lightweight agent. The SquareX acquisition is expected to further strengthen Zscaler’s ability to deliver security directly within commonly used browsers through lightweight extensions, eliminating the need for a separate enterprise browser.
The acquisition will help bring posture-like security and protection against advanced spear-phishing and identity-based attacks right into the user’s existing workflow, stated Jay Chaudhry, CEO, chairman, and founder of Zscaler, in his LinkedIn post.
Browsers, the new frontier for attacks
Traditionally treated as a mere gateway to the internet, web browsers are now at the center of enterprise activity, being widely used for SaaS applications, cloud services, and increasingly for generative AI tools. As employees upload, copy, and share sensitive data through browser sessions, this growing reliance has also opened new avenues for security risks.
“Most security stacks protect either the application, the endpoint, or the network. The browser is, unfortunately, the blind spot in between. There are traditional ways of dealing with the issue, but often at too great a risk, or as a result of too limiting an approach,” said Devroop Dhar, co-founder and MD at Primus Partners.
SquareX assists by allowing any browser on any device to function more like a secure enterprise browser using a lightweight, extension-based approach. “This extension becomes a kind of runtime enforcement agent, offering session-specific controls such as browser-based DLP, dynamic content isolation, real-time monitoring of user behaviour, and targeted security enforcement depending on risk levels and session context,” said Sanchit Vir Gogia, CEO and chief analyst at Greyhound Research.
SquareX’s approach also blocks sensitive data from being pasted into public AI tools, flags suspicious prompts, or limits interactions based on user role and data sensitivity, Dhar said. This is so important because AI misuse is rarely malicious; it is accidental. Browser-native security is better suited to prevent mistakes before they turn into incidents.
SquareX’s extension-based security can be integrated with most commonly used web browsers, including Chrome, Edge, Firefox and Safari, allowing employees to continue using their preferred browser without requiring enterprises to deploy or manage yet another dedicated security tool.
A win-win for customers?
Zscaler has acknowledged that browser runtime behaviour was a missing piece in its zero-trust security, and having the SquareX solution in its portfolio can help fill the gap, noted Gogia.
For Zscaler customers, this acquisition would mean browser security is no longer an afterthought or a separate tool to evaluate but a native part of the platform.
“It reduces reliance on legacy access methods like VPN and VDI, especially for external users. It also gives Zscaler the ability to unify policy enforcement across network access, app usage, and now browser behaviour. Zscaler customers will be able to apply in-session controls to activities that were previously invisible, such as clipboard actions, extension behaviour, or AI prompt submission. They also gain options for session isolation, file download inspection, and least-privilege app access via browser,” added Gogia.
On the other hand, for SquareX customers, this means scale and integration. Vivek Ramachandran, founder and CEO of SquareX, confirmed in a blog post that customer deployments and investments will be protected, and over time, they will benefit from tighter integration with Zscaler services, expanded analytics, and more robust, risk-based controls across managed and unmanaged devices.
In both instances, the customer benefits from improved alignment between access, behaviour, and enforcement approaches, stated Dhar.
Different roads to browser security
Of late, leading cybersecurity companies have been strengthening their product portfolios by investing in and acquiring specialized browser security firms. This is an indication that they now see browser-native security as strategic rather than optional. For instance, in January this year, CrowdStrike acquired Israel-based Seraphic Security, a browser runtime security company, which it plans to integrate into the Falcon platform.
For CISOs, the concern has shifted from the security of the browser to where the security of the browser should be located. Dhar explained that in the case of Zscaler’s move with SquareX, the strategy is to integrate browser controls with the access component of Zscaler’s zero trust. That’s security beyond granting access. However, in the case of CrowdStrike’s acquisition of Seraphic, the strategy falls under endpoint security, as it extends the visibility of EDR solutions to include the browser.