As AI reshapes enterprise computing, the browser remains one of the most overlooked and most vulnerable components of the security stack. While organizations race to adopt AI, attackers are increasingly exploiting the browser, search engines, and human behavior to bypass traditional defenses. At the same time, AI agents are beginning to operate much like human users, introducing an entirely new class of security risks.
At Infosec Europe, Tom McVey, senior sales engineer at Menlo, explained to Tech Channels why browser security remains foundational, how AI is changing both offensive and defensive cybersecurity, and why organizations should take a measured, risk-based approach to AI adoption rather than simply following industry hype.
Q. Why is browser security still one of the biggest cybersecurity challenges?
A. The browser is still the most vulnerable piece of software in any company. That's the same for militaries, for charities, for retail, for banks, for any vertical of any size you can imagine. It's where the internet is accessed and that's where threats come from. People spend about 75 percent of their workday in the browser and you can do everything there now.
It makes perfect sense that when people are spending most of their time in one application, attackers are going to develop and create threats that attack the place that people are.
Q. How is AI changing the cyber threat landscape?
A. Ransomware, hacking as a service and obviously the whole rise of AI is making it easier for threat actors. The barrier to entry is lower, there are more attacks. That doesn't necessarily mean there are a lot more advanced attacks. But the top end are still delivering particularly advanced evasive attacks.
Q. How are attackers using search and online behavior to target victims?
A. We've been seeing a lot of targeted SEO poisoning attacks. If you're attacking a particular company, you'll perhaps research an individual. You'll find their social media. Or even just guesstimate. You buy Google or Bing ad space. You estimate the kind of questions these people are going to be asking. And the first link that appears on Google is the attack. It's no longer really good enough to protect from scanning links coming in through emails and SMS.
If they really want to target someone there, the attack's going to be the first link in Google.
Q. How is AI changing browser security?
A. We've been protecting humans on the browser from doing gullible things. Now we're going to get a whole new set of workers and users who are not human—robots, AI agents. They're even more gullible than humans. They don't have experience. They don't have background skepticism and they read exactly what they read. But a lot of our experience and technology around protecting humans does also apply to agents. They really do behave and operate a lot like people on the web, opening tabs and browsing the way we do. A lot of the protections we have in place to stop humans getting breached also work for AI.
Q. How do you differentiate real AI security from industry hype?
A. There are a lot of AI security companies coming out of nowhere and a lot of hype around AI security. There's a lot of noise because of that hype. It's nice to know we have technology that was already developed for many, many years. And it just so happens that it works. It's very useful for AI agents. But there are a lot of brand-new products being created. And it's tricky from our point of view. How do we get that across without appearing like yet another company saying, “We've got an AI tool? This one's real and legit.” It's tricky to set the right tone.
Q. Why is it important to discuss both the benefits and the risks of AI?
A. Often, it's very top down and like AI Kool-Aid. You hear, “We're going to use AI to do this and it’s going to make everything better so keep using AI, keep using AI, keep using AI.” But there aren’t too many voices in the industry saying, “Look, AI's got a lot of risks as well.”
We're cybersecurity experts. We're not meant to look at technology and say, “Here's the benefits.” We say, “What are the risks?” I've got a lot of skepticism about the capabilities of AI and there are a lot of risks. It's not this all-powerful, omniscient, capable tool.
I think that perspective has had some success. It puts you back on the sort of level that most people are at. Instead of parroting this kind of “just use AI” corporate voice.
Q. What challenges do organizations face as AI security tools proliferate?
A. So many little tools. It's very hard to differentiate what's legitimate. I think we do have a good AI security product. If we'd just come out with a brand-new coded product from scratch, I would be skeptical myself. It is reassuring that we haven't just come out with this AI security product out of the blue. It's based on the fact that AI operates a lot like people when they access the web. It's kind of like a lucky accident that our product is actually very capable of helping AI as well.
Q. Do you think quantum computing will have an impact?
A. I would be controversial saying no... probably. I've heard a lot about quantum for many years. Qubits are interesting, though. The baseline of how computing works with binary is so fundamental. There's so much more that makes up computing than bits and binary. Perhaps having qubits could make a big jump in computer processing and performance. For it to have a fundamental impact on the world, it would need to increase the power of general computing by many, many factors. It better be a thousand times faster for it to actually change everything.
While AI is transforming cybersecurity, it does not change the fundamental realities of how attackers operate or where organizations remain most vulnerable. The browser continues to be the primary gateway to enterprise applications and data, making it a persistent target for increasingly sophisticated attacks. As AI agents become active participants in enterprise environments, security strategies developed to protect human users will become equally important for protecting autonomous systems.
At the same time, it’s important to remember that organizations should approach AI with both optimism and skepticism. Rather than chasing every new AI security product or embracing AI uncritically, enterprises should focus on proven technologies, understand the risks alongside the benefits, and avoid adding unnecessary complexity to an already crowded security landscape. As AI continues to evolve, thoughtful, risk-based adoption—not hype—will ultimately determine which organizations are best positioned to secure the future.