Inside the Tab

Vriti Magee | Oct 7th 2025

The Tab That Knew Too Much. Illustrated by DALL·E

It’s strange how intimate a browser tab is. It knows what I search for, what I second-guess, the half-finished prompts I never send.

It’s the quiet place where decisions begin — and, increasingly, where risks unfold.

During SquareX’s session at Security Field Day 14, that intimacy took on a different weight. As Shourya Pratap Singh explained,

“Inferring all application-based attacks is simply not possible at a network layer… with binary files living and dying within the browser.”

I wrote that line down fast. Because it named something I’d been circling for a while — that our digital lives have quietly migrated into the same space our defences overlook.

Seeing What Really Happens

SquareX calls its approach Browser Detection and Response — an EDR inside the browser.

Instead of forcing users onto a new enterprise browser, it layers protection into the ones we already use.

The extension watches what really happens between intent and action: a file assembled from harmless fragments, a consent window that isn’t what it seems, or a script that hides in plain sight.

Their Attack Graph traces how a user arrived at a page; Attack Vision reconstructs what they actually saw, down to DOM changes and mouse movements. It’s not surveillance — it’s context. A way to see cause and consequence in the same frame.

🛠️ Architectural View: Where the Controls Live

SquareX’s architecture has two main parts — a browser extension and a web policy platform. The extension sits inside any browser, enforcing policies the moment a download or upload is triggered or a page function (e.g., fullscreen) is invoked.

The platform defines those rules and syncs them to users. Because enforcement happens within the browser runtime, threats are stopped at the last mile — before files touch the endpoint or network filters respond.

🛠️ Architectural View: From Events to Context

A background service worker inside the extension captures download triggers, page events, and structural DOM changes.

Those signals feed the Attack Graph, which maps how a user reached a page, and Attack Vision, which reconstructs what appeared on screen by replaying those DOM changes.

The outcome is true context-based visibility — showing the full sequence of an event rather than isolated alerts.

From Control to Understanding

What I found compelling wasn’t just the tooling, but the shift in mindset. For years, security has been obsessed with control — endpoints, gateways, rules.

SquareX’s model suggests something better: understanding.

Policies can be written in plain language or in code, then enforced at the exact moment a browser action occurs.

“Protection, not policing.”

🛠️ Architectural View: Policy as Code

SquareX’s policy engine supports three paths — a visual builder, an AI text generator, and client-side Lua scripting.

Once saved, policies apply immediately within the browser extension, blocking malicious downloads, stripping macros, or halting risky consent prompts in real time.

"It’s security expressed as code and enforced where the interaction occurs — inside the tab."

Closing Reflections

I left the session thinking less about browsers and more about people. The browser isn’t just another endpoint — it’s the workspace where attention, curiosity, and risk coexist.

Maybe the next evolution of cybersecurity won’t come from chasing threats across the network, but from learning to see what’s happening inside the tab — that narrow space where intent meets the internet, and trust is decided in milliseconds.

🔍 Links for Further Reference

Watch the full Security Field Day 14 sessions: