This GigaOm Research Reprint Expires Aug 22, 2025

GigaOm Radar for Secure Enterprise Browsing v1.0

1. Executive Summary

Secure enterprise browsing solutions enable users to access websites and web-based resources in compliance with corporate security policies and provide security modules to protect them against cyberattacks.

These solutions sit at the intersection of user, device, and web resources to ensure secure access and enforce security policies. This position at the crossroads enables the secure browsing solution to apply multiple types of functions:

  • Protecting end users from malicious web resources
  • Protecting enterprises from malicious insiders
  • Protecting enterprises from negligent users
  • Protecting enterprises from compromised accounts

Protecting end users from malicious web resources comes in two flavors. First, there are highly technical malware attacks that cause websites to execute malicious scripts or download and run malware. Second, there are social engineering attacks that encourage users to willingly but unknowingly compromise their identities.

To achieve these protection functions, secure enterprise browsing solutions must employ different security techniques, such as endpoint protection for local detection and response to threats, network protection for securing inbound and outbound requests, and identity and access management for alignment with company-wide authentication and authorization.

Protecting enterprises from malicious insiders or compromised account attacks means that the solution can enforce zero-trust policies, detect suspicious behavior, regulate access permissions depending on risk factors, and enforce data loss prevention (DLP).

With the browser as the most commonly used application throughout the workforce and the gateway to internal and external resources, companies have the opportunity to significantly improve their security posture across the whole organization, tackling some of the most prominent and damaging types of cyberattacks of today.

This is our first time evaluating the secure enterprise browsing space in the context of our Key Criteria and Radar reports. This GigaOm Radar report examines 13 of the top secure enterprise browsing solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading secure enterprise browsing offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

2. Deployment Types

To help prospective customers find the best fit for their use case and business requirements, we assess how well secure enterprise browsing solutions are designed to serve specific deployment models (Table 1).

For this report, we recognize the following deployment models:

  • Browser client: These are full desktop clients that are used instead of consumer-oriented browsers. Organizations must deploy the browsing applications across their users’ devices.
  • Browser extension: These are plug-ins that are deployed onto the customers’ existing consumer-oriented browsers. Extensions must be compatible with major browsers such as Chrome, Safari, Edge, Firefox, and so forth.
  • Agentless browser controls: These solutions inject users’ browsing sessions with a small file to enforce security policies in the browsers without needing to deploy agents (such as clients or extensions) on the end-user device. This deployment model is typically complemented by cloud-based processing.
  • Cloud-based processing: In this model, traffic from an end-user’s browser is routed through a cloud proxy that enforces security policies. While this approach does not require agents on end-user devices, it adds another hop in the network path that can impact performance. This model can complement the other three for off-device processing requirements.

Table 1. Vendor Positioning: Deployment Model

Deployment models (columns): Browser Client, Browser Extension, Agentless Browser Controls, Cloud-Based Processing

Vendors (rows):

  • Citrix
  • Conceal
  • Google
  • Island
  • LayerX
  • ManageEngine
  • Menlo Security
  • Microsoft
  • Palo Alto Networks (Talon)
  • Perception Point
  • Red Access
  • Seraphic
  • SURF
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).

3. Decision Criteria Comparison

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Desktop client
  • Windows compatible
  • Centralized management
  • Acceptable use policy
  • Web threat intelligence

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

  • Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a secure enterprise browsing solution.
  • Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
  • Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating Secure Enterprise Browsing Solutions.”

Key Features

  • Policy definition engine: Policy engines enable administrators to define security policies across their secure enterprise browsing solution deployments. Our evaluation of this key feature includes the experience of defining policies, the level of granularity available, and the ability to manage different types of policies for personnel across the organization.
  • Network security functions: In the context of secure browsing solutions, network security functions are concerned with ensuring security for inbound and outbound requests. Most organizations already have network security functions such as firewalls and access control lists, so the browser plays a role in ensuring last-mile protection for users and from compromised users.
  • Endpoint security functions: Endpoint security is concerned with protecting local processes and data. Its scope includes preventing downloaded malicious files from running on the device and making network requests, preventing malicious scripts from running on webpages, and preventing browser circumvention.
  • Data loss prevention: This key feature looks at the solution’s ability to restrict users from exfiltrating sensitive data. DLP can be defined using the solution’s policy definition engine, so we evaluate this feature based on the granularity and control it allows for preventing data leaks.
  • Identity and access management: Secure enterprise browsing solutions can integrate with customers’ existing identity and access management (IAM) solutions to create user accounts, inherit policies such as multifactor authentication and access controls, and provide seamless access with techniques such as single sign-on (SSO).
  • Off-device processing: Solutions must be able to make requests, load webpages, and download files away from the user’s device, in an isolated cloud-based environment. This capability can allow users to safely view webpages and files that are considered risky or harmful.
  • Visibility and monitoring: This refers to a solution’s capabilities for logging, storing, and reporting on events generated by end users. It includes real-time insights based on user activities, such as identification of potentially harmful extensions within the network, and admins can devise policies based on these insights.
  • User and session anomaly detection: Solutions should continuously assess the ways users behave to identify deviations from the baseline and any suspicious or unexpected activities. The result of anomaly detection is usually a risk score associated with a user or user session. It is important to distinguish between a user risk score, which indicates that a user displays malicious behavior, and a session risk score, which indicates that a safe user is the target of an attack.

Table 2. Key Features Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable

Key features (columns): Policy Definition Engine, Network Security Functions, Endpoint Security Functions, Data Loss Prevention, Identity & Access Management, Off-Device Processing, Visibility & Monitoring, User & Session Anomaly Detection

Vendor                        Average Score
Citrix                        3.5
Conceal                       2.6
Google                        3
Island                        3.5
LayerX                        3.8
ManageEngine                  2.1
Menlo Security                3.8
Microsoft                     2
Palo Alto Networks (Talon)    2.3
Perception Point              3.5
Red Access                    3.6
Seraphic                      2.8
SURF                          3.9

Emerging Features

  • Content inspection: This emerging feature involves a solution’s capability to inspect the content associated with a webpage, such as images, logos, rendering errors, and content. Most phishing sites have imperfections that might be either intentional or unintentional, and can include elements such as low-resolution images, outdated logos, misspelled words, and misaligned or poorly scaled elements.
  • Productivity and collaboration: In addition to security functions, enterprise browsers can also offer productivity capabilities. This feature involves non-security functions that can help users manage their work activities. Productivity capabilities can help users organize their own working experience, and help organizations push relevant content to users in an organized manner.
  • Non-browser web application security: Depending on their underlying architecture, secure browsing solutions can also extend their capabilities to non-browser applications, such as email desktop clients.

Table 3. Emerging Features Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable

Emerging features (columns): Content Inspection, Productivity & Collaboration, Non-Browser Web Application Security

Vendor                        Average Score
Citrix                        1.3
Conceal                       1.7
Google                        1.7
Island                        2.3
LayerX                        1.3
ManageEngine                  0.7
Menlo Security                2
Microsoft                     1.7
Palo Alto Networks (Talon)
Perception Point              2
Red Access                    2.7
Seraphic                      2
SURF                          1.3

Business Criteria

  • Zero-trust adherence: Solutions should be able to help customers enforce the primary zero-trust principles, such as “never trust, always verify.” Such solutions require explicit user authorization and authentication and immediately alert, restrict, or terminate access to users that display compromised or malicious behavior.
  • Cost and licensing: This business criterion covers solution licensing models, pricing models, and cost transparency. While it is not an indicator of how affordable or expensive a solution is, it assesses whether the solution offers predictable pricing, includes modules such as support in the base price, and can scale up as an organization grows, all to provide a cost-effective way of deploying and consuming the service.
  • Support: Here we look at a vendor’s ability to support customers pre- and post-deployment by offering onboarding and technical documentation, instructor-led training or other training programs, and professional services to help with deployment, configuration, or integrations.
  • Manageability: This is a measure of how easy it is to handle management tasks and the time and resource investment required. The criterion takes into consideration deployment, user and device onboarding, update management, self-serve features for users, policy change communications, and the like.
  • Ease of use: While manageability refers to the administrator effort involved in deploying and running the solution, this criterion involves the end-user’s experience with the product, considering the solution’s capability to enforce security policies without negatively impacting employees’ conduct of their daily activities.

Table 4. Business Criteria Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable

Business criteria (columns): Zero-Trust Adherence, Cost & Licensing, Support, Manageability, Ease of Use

Vendor                        Average Score
Citrix                        3.4
Conceal                       3.6
Google                        3.4
Island                        4.2
LayerX                        2.8
ManageEngine                  3.8
Menlo Security                3.8
Microsoft                     4
Palo Alto Networks (Talon)    2.4
Perception Point              4.2
Red Access                    3.8
Seraphic                      3.8
SURF                          3.4

4. GigaOm Radar

The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for Secure Enterprise Browsing

As you can see in the Radar chart in Figure 1, most vendors are positioned on the Platform side of the chart, equally distributed between the Innovation and Maturity quadrants. The distribution is based on their product portfolio and associated deployment models.

Vendors in the Maturity/Platform Play quadrant—Citrix, Island, ManageEngine, Microsoft, Palo Alto Networks, and SURF Security—offer both browser clients and extensions. Google, in the Maturity/Feature Play quadrant, offers browser clients, but does not offer extensions or any other mechanism for securing non-proprietary browsers.

In the Innovation half, vendors do not offer a proprietary browser client, but rather use extensions, cloud-based processing, and agentless browser controls to deliver their capabilities. Red Access, the sole vendor in the Innovation/Feature Play quadrant, offers only agentless browser controls to secure any type of browser. All remaining vendors—Conceal, LayerX, Menlo, Perception Point, and Seraphic—which are positioned in the Innovation/Platform Play quadrant, offer browser extensions that are usually paired with cloud-based processing and/or agentless browser controls.

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

5. Solution Insights

Citrix: Citrix Enterprise Browser

Solution Overview
Citrix Enterprise Browser is a managed web browser that enables users to securely access web and SaaS applications. Citrix Enterprise Browser ensures users on managed and unmanaged devices have a secure user interface when accessing web or SaaS applications and that they are able to stay productive while corporate applications and data are protected.

Citrix Enterprise Browser is a Chromium-based browser that provides zero-trust network access (ZTNA) for VPN-less access to web and SaaS applications. It includes SSO capabilities for optimal user experience, last-mile data leakage protection by enforcing restrictions directly on the endpoint, and integrated web threat protection that enables content control and data security while safeguarding the user’s device.

Citrix Enterprise Browser is part of the Citrix platform, which is built with a zero-trust architecture and includes integrated solutions for app and desktop virtualization, application delivery and security, and observability. Citrix Enterprise Browser, along with Citrix Secure Private Access—a ZTNA product for non-browser-based applications—provides a comprehensive solution for secure remote access. Citrix Enterprise Browser ensures last-mile security and user productivity, allowing users to access all of their approved applications in one place via a unified portal, including web and SaaS applications as well as virtualized applications.

Strengths
The solution has very comprehensive DLP capabilities, allowing administrators to define granular policies that can block and obfuscate screenshots and fully or partially redact or mask personally identifiable information (PII) for sensitive data like social security numbers, credit card numbers, and custom PII data defined by the admin. The solution can restrict downloads and uploads by user, web app, or file type. In addition, such restrictions can be contextual, based on device, user risk, network, and geo-location. Other DLP features include contextual user download encryption, watermarking, clipboard isolation, and restricting access to microphones, webcams, and printers.

Citrix Enterprise Browser provides support for various IAM providers, including IDPs like AAD and Okta, as well as for SAML-based providers, and even legacy Kerberos authentication. The browser can enforce MFA policies as provided by a customer’s IDPs, and provides SSO to all web and SaaS applications.

The solution follows ZTNA principles, requires explicit authentication, and can immediately terminate or revoke access for a compromised account post-authentication.

Based on the user’s location, role, and device posture assessment, an admin can define the way a user is authenticated and authorized to access applications. Citrix’s endpoint analysis feature, which is also part of the Citrix platform, provides a comprehensive device posture scan that evaluates the device certificate, domain name, MAC address, processes, OS information, presence of firewall, registry key, and presence of third party software like antivirus, anti-phishing, or desktop sharing.

Challenges
While the solution displays good overall capabilities, the secure browser is part of a wider platform, so customers can’t buy just the secure browsing component. Citrix’s score for this report thus includes capabilities from additional products that are part of the Citrix platform, including Citrix Device Posture service and Citrix Endpoint Analysis capabilities.

Purchase Considerations
Citrix Enterprise Browser is part of the Citrix platform and sold through the Citrix Platform license. Pricing for the platform license varies based on customer deployment and can be calculated per user or enterprise-wide.

Citrix Enterprise Browser can deliver on a wide range of use cases, which includes helping an organization adhere to zero-trust principles and providing last-mile DLP and security controls, threat insights and incident response, visibility and governance, and triage and troubleshooting, which consists of end-to-end session troubleshooting.

Radar Chart Overview
Citrix is positioned in the Maturity/Platform Play quadrant. Its secure browsing solution is delivered via a browser client and cloud-based processing, which are part of the broader Citrix platform. The vendor has a good development pipeline, making it a Fast Mover. It has an average aggregate score in the decision criteria we evaluated, making it a Challenger in this report.

Conceal: ConcealBrowse

Solution Overview
ConcealBrowse is a lightweight, easy-to-deploy AI-powered browser extension that detects and protects users against phishing, credential theft, and other web-based attacks. It consists of an extension, a cloud management console, and an isolation environment. The ConcealBrowse extension can be installed into any Chromium-based browser such as Chrome and Edge, or Firefox on Windows or macOS devices, performing analysis, risk scoring, and enforcement to detect and intervene when users visit suspicious or malicious sites or those that are not allowed by policy.

The extension authenticates with the Conceal service to update policy and acts as a sensor in the browser, performing local analysis and reporting back site metadata to Conceal servers for further analysis as needed.

The ConcealBrowse Console is a cloud-delivered, multitenant console that supports SSO and MFA login, and lets administrators manage and control their extension deployment. Its multitenant capabilities provide MSPs and large organizations with the flexibility to manage different customers or groups in a single hierarchy. The console also offers a helpful overview dashboard, enables user and device management, and provides extension installation packages and how-to guides, policy management, reports, and other product settings.

Strengths
The ConcealBrowse isolation environment supports remote browsing sessions for users who visit suspicious sites. When the extension analysis scores at or above a risk threshold, users are presented with a page that informs them of the risk but allows them to continue to the site in a safe isolation mode. This mode air gaps their local device from potentially malicious content on the site, prevents them from entering credentials, and enforces clipboard and file upload/download controls set by the administrator. If a site is blocked early, ConcealBrowse will provide as much context as possible as to why it was blocked.

The solution’s visibility and monitoring capabilities enable it to report on blocking via an isolation dashboard, including any sessions in progress, and all interventions for all isolation and block events, filtered by user or device. For each isolation or block event, the report shows the URL, how many times it happened, what action was taken, and when the event occurred. The solution can also produce similar reports on desktop clients, as well as on top isolated URLs and entities, and generate an activity summary report for users and devices showing last check-in, URLs scanned, and an isolated session count.

ConcealBrowse inspects all sites visited by the browser and produces a risk score using proprietary heuristics. When a new tab is opened, the solution keeps track of all URL changes, requests, redirects, and tab updates.

ConcealBrowse is event driven—if something changes, the tool reacts. As data is collected, it is processed through an asynchronous analysis to evaluate policy compliance, suspicious site characteristics observed as the site is loaded, threat intelligence checks, and download scans.

Challenges
At the time of writing, the solution does not offer Active Directory integration or role-based access controls (RBACs), though both are due to be released in 2024. The solution’s policy definition engine should be further developed to support use cases such as SaaS Application Access controls to allow users to apply access policy based on the application.

Purchase Considerations
ConcealBrowse offers a simple subscription-based model that is calculated per endpoint per year and includes all of its features, with no additional add-ons or premium services available. MSPs can purchase consumption-based pricing that can scale up and down depending on usage, which is measured by a snapshot taken on the last business day of the month.

ConcealBrowse can be used to provide protection against web-based threats such as phishing and credential theft, and for enforcing web filtering policies based on URL classification for acceptable use policy. It can also selectively isolate risky sites for protecting the endpoint.

Radar Chart Overview
Conceal is positioned in the Innovation/Platform Play quadrant because it offers a browser extension and cloud-based processing for delivering its secure browsing solution. The vendor has a good development pipeline, making it a Fast Mover. It has an average aggregate score in the decision criteria we evaluated, making it a Challenger in this report.

Google: Chrome Enterprise

Solution Overview
Google Chrome is the world’s most-used consumer-oriented browser, and its security capabilities can be further enhanced through the Chrome Enterprise service. Google is the main contributor to the Chromium open source project, on top of which the Chrome browser is built.

Chrome Enterprise has been designed for enterprise needs, providing additional security controls, visibility, and a centralized management platform. The Chrome Enterprise browser can apply security policies for DLP, limit password reuse, and defend against malware and phishing attacks. It checks downloaded files against a list of potentially dangerous file types such as executables and commonly abused document types. If the safety of the file can’t be verified locally, Chrome sends information to Google servers to determine whether the file is safe.

Strengths
Given the popularity of the consumer version, Google Chrome has some distinct advantages. Users are familiar with the Chrome interface and experience, and other browsers built on the Chromium project share some of the same security and optimization features. Chrome is also deeply integrated with the rest of the Google portfolio suite, including Workspace. Unlike with other vendors in the report, organizations can operate their businesses on top of Google services, so using Chrome Enterprise can provide additional security features without introducing additional vendors or products.

Chrome Enterprise Core allows administrators to quickly create and deploy hundreds of policies related to security, extensions, accessibility, content, display, authentication, legacy browser support, network settings, password management, reporting, and many other topics. Chrome Enterprise’s central management features offer over 300 out-of-the-box browser policies and enable administrators to define them based on business rules to define and control user permissions, set sign-in restrictions, establish proxies, and more.

The solution can integrate with Active Directory to granularly manage browser policies at the user level through existing management tools. Chrome browsers can be enrolled via Windows Group Policy or the Preference file on Macs. Enrollment can also be completed by running a file directly on the machine. Policies can be applied based on user roles defined in Active Directory, and browsers can be managed in groups based on location, device type, and other factors.

Chrome Browser Cloud Management leverages existing security and management solutions. It has an extensive partner ecosystem, with integrations for services such as VMware Workspace One, Intune, and JAMF, as well as with security information and event management (SIEM) systems and other security tools.

Challenges
While Google’s browser is widely adopted and sets the industry standard with the Chromium project, its secure enterprise browsing solution does not currently offer user and session anomaly detection features, and its capabilities for off-device processing can be further improved.

Purchase Considerations
Chrome Enterprise comes in two licensing tiers, core and premium. Core is the free version, which offers capabilities such as malware and phishing protection, extension management, and third-party integrations. Premium uses a monthly subscription-based charge per number of users and offers more advanced features, such as malware deep scanning, URL filtering, DLP, and context-aware access to SaaS, Google Cloud apps, and private applications. This report evaluates the full capabilities available with the premium license.

The solution can deliver on use cases such as secure access for hybrid and remote workforces, and can serve companies that employ bring-your-own-device policies. It can secure user web sessions from phishing and malware attacks, prevent data loss and exfiltration, and enforce access controls over applications and documents based on user roles and permissions.

Chrome can also be used for productivity use cases because it integrates with Google Workspace to allow user services such as Drive to connect files with Workspace apps, centralizing data access and collaboration.

Radar Chart Overview
Google is positioned in the Maturity/Platform Play quadrant as the vendor offers a browser client and cloud-based processing, but does not offer an extension or agentless browser controls. It has an average aggregate score in the decision criteria we evaluated, making it a Challenger in this report.

Island

Solution Overview
Island’s secure enterprise browsing solution consists of a Chromium-based browser replacement and a browser extension that enable organizations to define security policies for their workforce and third parties’ web activities.

The Island Enterprise Browser is available on major operating systems such as Windows, macOS, Linux distros, and Chromebook, while the browser extension works on the major consumer-oriented browsers.

Strengths
For visibility and monitoring, Island offers forensic audit records of all activities with control over the depth of what is captured by user, device type, application, and location. Island can capture events and insights as granular as copy/paste, screen captures, printing, saving, and custom information, which can be easily viewed using built-in dashboards and reports, or exported to your current aggregation platform. The solution can anonymize all data to help meet regulatory requirements and stay in compliance.

Island enables customers to add robotic process automation (RPA) modules into the presentation layer of the browser itself, allowing them to define workflows within a SaaS or internal web application. This enables users to redact sensitive data, auto-populate fields from a corporate dictionary, insert two-factor authentication to a legacy application, govern time for hourly contractors, or restrict the time an end user can spend on a particular site.

For identity and access management, the solution can integrate with providers such as Okta and Entra ID to retrieve information about users and associated user details. Following that integration, the solution supports SSO and MFA, and it can leverage user identity, group memberships, device context, geolocation, and other factors to define access policies.

The Island Enterprise Browser provides security capabilities such as malware inspection, site categorization, web isolation, and anti-exploitation and credential harvesting protection. It enables visibility into encrypted SSL/TLS traffic and other novel protocols such as QUIC. It can scan downloaded and uploaded files and filter web traffic. It blocks access to malicious or risky websites based on admin-defined policies.

Challenges
Island’s secure enterprise browsing solution does not currently offer capabilities such as user and session anomaly detection, and scores low for the off-device processing key feature.

Purchase Considerations
Island does not publicly declare its pricing and licensing options, though the solution is sold in a subscription model scaled by the number of users. Customers can purchase the solution directly from the company or through channel partners.

The Island Enterprise Browser can deliver on use cases such as protecting access to SaaS applications and internal web applications, securely provisioning third parties and contractors, supporting bring-your-own-device policies, and governance of privileged user accounts. It can help to replace or reduce reliance on virtual desktop infrastructure or remote browsing isolation technologies.

Radar Chart Overview
Island is positioned in the Maturity/Platform Play quadrant. It offers a browser client and extension for delivering its secure browsing solution, meaning it provides multiple deployment options for customers. It has a higher aggregate score in the decision criteria we evaluated, making it a Leader in this report.

LayerX

Solution Overview
LayerX Enterprise offers a browser extension that natively integrates with customers’ existing browsers to enforce security policies with little to no impact on the user experience. The LayerX solution can safeguard devices, identities, data, and SaaS apps from web threats and browsing risks. These include data leakage over the web, SaaS apps and genAI tools, credential theft via phishing, account takeovers, malicious browser extensions, shadow SaaS, and more.

The LayerX Browser Extension is installed on endpoints and monitors, alerts, or enforces secure browsing based on policies defined in its platform management console. It employs two correlating risk engines, one in the browser extension and the other in the cloud.

Strengths
The solution’s visibility and monitoring features include compliance reports and administrator dashboards, along with the ability to record user sessions, and track URLs accessed by users, downloads and uploads by user, and private sessions. The solution can also discover shadow SaaS applications and provide visibility into user account security posture.

The solution offers a cloud-based environment to execute processes away from the user’s machine. It acts as a proxy to load webpages and download files for analysis before they are loaded on a user’s machine, or to load a webpage in the cloud and stream a sanitized version to the end user.

The policy definition engine allows administrators to define policies both at a global level and for individual users. Administrators can create user groups for role-specific policies. Policies can be defined using a graphical user interface, and administrators can quickstart their deployment using out-of-the-box policy templates. LayerX can suggest policies based on real-world user behavior and define step-up authentication or manager approval workflows.

Challenges
LayerX does not yet implement any of the emerging technologies. The solution also scores lower on business criteria such as support and cost and licensing.

Purchase Considerations
The solution is licensed on a per-user, per-year model. LayerX offers pay-as-you-go and pay-as-you-grow models, so customers can scale up or down based on usage. Support is included in the base price on a follow-the-sun model and is available via ticketing system, phone, chat, and community forum. Onboarding and technical documentation are available, as are training and professional services for deploying the solution or defining policies.

LayerX’s enterprise browsing solution can deliver on a wide range of use cases, which include DLP, safe browsing, secure access, and identity security posture management. The solution can act as a replacement for remote browser isolation and virtual desktop infrastructure solutions. It is suitable for securing remote worker access and bring-your-own-device policies, as well as third-party or contractor access to corporate resources.

Radar Chart Overview
LayerX is positioned in the Innovation/Platform Play quadrant. The vendor offers a browser extension and cloud-based processing for delivering its secure browsing solution. The vendor has a good development pipeline, making LayerX a Fast Mover. It has an average aggregate score in the decision criteria we evaluated, making it a Challenger in this report.

ManageEngine: Browser Security Plus

Solution Overview
ManageEngine’s Browser Security Plus consists of a proprietary enterprise browser, Ulaa, and capabilities for provisioning, baselining, managing, and securing consumer browsers such as Google Chrome and Mozilla Firefox. ManageEngine also offers a unified endpoint management (UEM) product, so the devices on which these browsers reside can be comprehensively managed and secured by its Endpoint Central suite.

Ulaa provides a browsing experience that puts user privacy first and has multiple containerized modes that enhance productivity. With Ulaa, there is end-to-end encryption during the sync process so users can safely and privately synchronize their data and browser preferences across devices with mode-specific sync passphrases. Ulaa has built-in data and activity blockers to protect against user tracking, cryptomining, and social media tracking, and it can also be used to address secure access to unmanaged devices.

ManageEngine also offers Endpoint Central, a unified endpoint management and security (UEMS) solution that enhances the Browser Security Plus product.

Strengths
ManageEngine facilitates device-based policies that can be distributed globally or tailored regionally across an organization’s devices. It organizes devices, servers, teams, and departments based on the organization’s hierarchy through directory integrations, or by creating a hierarchy using the product’s grouping capabilities. Policies can be tailored to these specific device groups based on various criteria such as department, location, and roles, ensuring that policies and access controls are customized to align with the roles and responsibilities of each user or group. Even when a user undergoes department or location changes, these policies can be automatically applied to devices through these dynamic custom groups. For additional flexibility, the company also provides custom scripts that can be used to create a group following criteria the organization requires. In addition, the solution offers a low-code/no-code visual policy builder with a user-friendly graphical interface, as well as out-of-the-box templates to define security levels across specific browsers.

ManageEngine also provides web filter policies to block or regulate access to specific web domains and websites, ensuring users avoid malicious websites and enhancing productivity. The enterprise browser prioritizes privacy and offers transit encryption capabilities to protect sensitive data as it travels across networks using industry-standard protocols like TLS 1.2/1.3.

The solution integrates with leading IAM providers including Azure, Okta, Ping Identity, Microsoft Azure Active Directory, and ManageEngine’s proprietary Zoho Directory. MFA is available through various channels including email and authenticator apps such as Zoho OneAuth, Google Authenticator, Microsoft Auth, and DUO Auth. Seamless SSO that uses SAML-based authentication is offered for both devices and SaaS applications. Moreover, SSO is also supported for enterprise applications based on Kerberos, requiring no extra integration effort.

Challenges
ManageEngine should improve the solution’s zero-trust capabilities. It is currently working on enabling dynamic authentication and authorization based on user identity, device security posture, location, and behavior patterns within the platform, and developing capabilities for exporting data from the solution to security tools such as SIEM.

Considering that some capabilities evaluated in the report require the UEM agent, the vendor should natively improve the enterprise browser to offer enhanced sandboxing and endpoint protection capabilities.

Purchase Considerations
The Browser Security Plus solution is offered in two editions: a free edition, supporting up to 25 computers, and a professional edition, which includes the full feature set. Support and maintenance are included in the base price with the subscription licensing model, and as an add-on for the perpetual licensing model. Customers can choose from monthly, annual, multiyear, and perpetual licenses. NGOs, charities, and educational institutions can benefit from free licenses or significant discounts. ManageEngine offers a 30-day free trial with complete access to features for unlimited devices, and a free edition for up to 25 devices.

ManageEngine’s secure browsing solution can deliver standardized and consistent browsing, data security and DLP, compliance with regulatory standards, and secure access to internal resources. It can secure third-party contractors, bring-your-own-devices, and remote or hybrid workers.

Radar Chart Overview
ManageEngine is positioned in the Maturity/Feature Play quadrant. It offers only a browser client for delivering its secure browsing solution, which means that customers have only one deployment option. The vendor has an extensive development pipeline, making ManageEngine an Outperformer. It has an average aggregate score in the decision criteria we evaluated, making it a Challenger in this report.

Menlo Security: Secure Enterprise Browser (powered by the Menlo Secure Cloud Browser)

Solution Overview
Menlo Security delivers secure enterprise browser capabilities through the Menlo Cloud, consisting of a broad range of steering mechanisms, including the Menlo Enterprise Extension and the Menlo Secure Cloud Browser. Secure Cloud Browser provides visibility into browser behavior, JavaScript execution, and other web session telemetry. The extension enables users to access web applications with zero trust policy enforcement for public SaaS and private web applications. Applications display as “tiles” within the extension user interface and can also be directed to the Secure Cloud Browser by policy when entered in the browser location field. This is ideal for contractors and other third parties or remote hybrid workers.

Further capabilities become available with Menlo’s Browsing Forensics and Menlo Security Client modules. Browsing Forensics replaces the work of deciphering packet captures and endpoint logs with forensically accurate session recordings. During threat hunting and alert investigations, analysts simply “click play” to view sessions and the associated browser content and user inputs. Select session data is captured and stored within a secure location that the customer controls, and the data is never captured from or stored within the local endpoint.

The Menlo Client is an optional agent that extends zero trust access beyond the browser to traditional applications, allowing users to add security posture to the policy. Menlo Secure Application Access encompasses web applications and legacy applications such as SSH and RDP, continuously assessing and enforcing a conditional access policy. With support for least-privilege access that protects the browser, the user, and the applications, Menlo provides an ideal platform for knowledge work and IT work, even when it requires a client-server app.

Strengths
Menlo Security can define policies at a single user, user group, or global level using conditions such as geolocation, IP, file type, and file size. Policies are declared and manipulated within an intuitive visual interface that includes robust predefined templates. The Menlo Secure Enterprise Browser solution supports role-based access controls for users, and policies can be defined differently for personal internet sessions and hybrid-work web application sessions.

The Menlo Security architecture is fully cloud-based and the Secure Cloud Browser is immediately instantiated for each user’s session. The browser interprets and inspects all traffic in the user’s session, including the document object model (DOM). As a cloud service, Menlo offers many options for traffic ingress to the Secure Cloud Browser, including endpoint-based steering from the enterprise extension, cloud-based primary proxying, URL prepend or redirection, and network firewall forwarding.

For environments with no access to public clouds, Menlo can also support private cloud deployment that runs within a customer’s estate.

Challenges
Menlo should continue expanding OS support, such as adding client support for mobile iOS and Android. Menlo’s offering is more complex than other solutions, and will also have to be differentiated from traditional remote browser isolation technologies.

Purchase Considerations
Menlo’s pricing is per user, per year, which is subject to volume discounts and selective application of controls. The forensics module must be purchased separately as an add-on.

Customers can get quotes and ROI calculators from Menlo representatives and reseller partners who can help them choose a suitable feature set. Basic support is provided with all Menlo offerings, while premium support comes as part of some packages and is also available for purchase.

Menlo’s secure browsing solution can deliver on a wide range of use cases, which include zero-hour phishing session hijacking protection, hybrid and remote access to internal web and native applications, and reducing the risk of IP and PII leakage with policy-driven DLP capabilities. Menlo’s solution can be deployed as an alternative to virtual desktop infrastructure products.

Radar Chart Overview
Menlo is positioned in the Innovation/Platform Play quadrant, and it offers a browser extension and cloud-based processing, which is part of its wider product portfolio, for delivering its secure browsing solution. The vendor has a good development pipeline, making it a Fast Mover. It has a higher aggregate score in the decision criteria we evaluated, making it a Leader in this report.

Microsoft: Edge for Business

Solution Overview
Microsoft Edge for Business is an enterprise browser with built-in security capabilities and native support for security features employed by other Microsoft technologies across various Microsoft products. Microsoft Edge for Business is not a new browser, but rather uses existing Edge deployments. It is automatically activated by signing in with Microsoft Entra ID, offers a distinct work environment separate from personal browsing, and is available across all supported platforms, including mobile devices. Microsoft offers a Chrome extension—Microsoft Defender Browser Protection—that applies some of these features to the Google Chrome browser.

Microsoft Edge is built on top of the Chromium open source project, inheriting the Chromium security features, but also incorporating proprietary protection features on top of Chromium. It also supports Microsoft Security solutions from Microsoft Defender, Microsoft Entra, and Microsoft Purview. It has built-in defenses against phishing and malware and natively supports hardware isolation on Windows, achieved with no additional software.

Strengths
Microsoft’s main advantage in the secure enterprise browsing space revolves around incumbency and the strong Microsoft product ecosystem. Microsoft Edge for Business benefits from native integration with a wide range of Microsoft security products.

To support zero-trust principles, Microsoft Edge for Business offers features such as Microsoft Purview Data Loss Prevention, Microsoft Defender SmartScreen, enhanced security mode, website typo protection, native support for Microsoft Entra Conditional Access, a password monitor and a password generator, Microsoft Edge management service (EMS), and unmanaged device support with Microsoft Intune Mobile Application Management (MAM).

Microsoft Purview Data Loss Prevention is built into Microsoft Edge and uses the sensitive service domains feature. This enforces admin-configured policies for sensitive files and records audit events for non-compliant activities. A number of user activities can be audited and managed on devices, including printing, cut and copy actions, downloading and saving, uploading or dragging and dropping a sensitive file to an excluded website, or pasting sensitive data into an excluded website.

Challenges
Despite the browser being available with all Windows deployments at no additional cost, enterprise security features are delivered through additional Microsoft products, which means that customers must buy into the wider ecosystem to get the security benefits of the Edge for Business product.

Purchase Considerations
While there are no additional costs associated with Microsoft Edge for Business compared with Microsoft Edge, the product relies on additional Microsoft products to deliver some of its advanced capabilities.

Microsoft Edge for Business can deliver on a variety of use cases, such as secure web and application access for remote and hybrid workers, and for third-party contractors and bring-your-own-device policies. It can protect end users from web-based attacks and social engineering by providing phishing and malware protection, and can also be used to prevent data loss and data exfiltration, and block malicious scripts from running on web pages or accessing other browser resources.

Radar Chart Overview
Microsoft is positioned in the Maturity/Platform Play quadrant. The vendor offers a browser client and extension, which are part of Microsoft’s wider security portfolio, for delivering its secure browsing solution. It has an average aggregate score in the decision criteria we evaluated, making it a Challenger in this report.

Palo Alto Networks (Talon)*

Solution Overview
Acquired in late December 2023 by Palo Alto Networks, Talon Cyber Security developed the Talon Enterprise Browser, a secure browser replacement built on the open source Chromium project to offer security, visibility, and control over SaaS and web applications. Talon Enterprise Browser offers a familiar browsing experience to users of Chrome and Edge, and its capabilities include DLP, threat protection, zero-trust enforcement, visibility, and reporting.

Palo Alto Networks’ strategy is to integrate the Talon Enterprise Browser with Prisma SASE to provide a unified security solution for users and applications, from any device or location. The company plans to extend the browser technology to qualified SASE AI customers at no additional cost.

The solution consists of the following components, all managed through the same central console:

  • Talon Enterprise Browser: A Chromium-based browser replacement with additional security capabilities for protecting web applications and hybrid workforces.
  • Talon Extension: A browser extension for adding advanced security capabilities to consumer-oriented web browsers, enabling a safe browsing experience across SaaS solutions, private web apps, and websites.
  • Talon Mobile: An enterprise browser for mobile devices designed for use cases such as frontline workers in the insurance, manufacturing, transportation, construction, healthcare, professional services, and retail industries who need secure access to special-purpose applications, communications solutions, and core business tools from iOS and Android devices.

Strengths
The Talon solutions are centrally managed with a unified console that offers administrators visibility and control over the browser activity of all Talon Enterprise Browser, Talon Extension, and Talon Mobile users. The solution can capture audit trails and session recordings for forensics investigations and compliance and integrate with third-party SIEM solutions and extended detection and response (XDR) platforms.

Through the centralized management, administrators can define security and access control policies that span devices, including DLP policies. DLP features include file encryption to prevent sensitive files from being shared externally or stored on endpoints, and clipboard, printing, and screenshot restrictions.

For endpoint security functions, Talon inherits Chromium’s capabilities for site isolation, and it can filter web traffic by restricting access to malicious domains, URLs, and phishing websites. Talon Enterprise can scan uploaded and downloaded files for malware.

Talon Enterprise can help customers adopt zero-trust by validating an endpoint’s security posture, such as the underlying OS, patch version, and installed security software. It can also continuously authenticate and authorize users and endpoints accessing enterprise resources.

The solution can integrate with customers’ existing identity providers or Active Directory Federation Service groups for consistent, secure user sign-on. It can synchronize profiles across managed, unmanaged, and mobile devices.

Challenges
Talon’s current capabilities do not include features such as off-device processing or user and session anomaly detection. Considering its recent acquisition, these features may be integrated from Palo Alto’s existing portfolio or developed natively in the product.

Purchase Considerations
Following the Palo Alto Networks acquisition, Talon’s pricing and licensing model may change, especially given the integration with Prisma SASE. Palo Alto Networks confirmed that the Talon solution will be made available to qualifying SASE customers at no additional cost.

Talon’s secure browsing solutions can deliver on a variety of use cases, which include secure access for contractors and third parties, for organizations with bring-your-own-device policies, for frontline and remote workers, and for managed employee devices. It can be used to replace solutions such as virtual desktop infrastructure, desktop-as-a-service, remote browser isolation, and virtual private networks, and to provide zero-trust access to web applications during mergers and acquisitions.

Radar Chart Overview
Palo Alto Networks (Talon) is positioned in the Maturity/Platform Play quadrant. The vendor offers a browser client and extension for delivering its secure browsing solution, which will be integrated into Palo Alto’s wider product portfolio. It has a lower aggregate score in the decision criteria we evaluated, making it an Entrant in this report.

Perception Point: Advanced Browser Security

Solution Overview
Perception Point’s Advanced Browser Security is a browser extension that adds enterprise-grade security to standard browsers such as Chrome, Edge, Firefox, Safari, and other Chromium-based browsers, fusing multilayered advanced threat detection with browser-level governance and DLP controls. The solution can be provided either as a standalone product or in combination with email and collaboration security solutions.

The lightweight browser extension can be deployed across any browser, with multiple deployment options available to comply with varying IT requirements, such as unattended or silent deployment via UEM, IdP integration, and script-based, manual, or automated email invites.

The solution ensures safe access to websites and SaaS apps, detects phishing websites, malware, ransomware, and hidden file zero-day exploits, and protects against the extraction of sensitive data, securing the organization from both external and internal threats.

Strengths
For network security functions, the solution can allow or block access or warn users about websites based on domains, domain wildcards, and categories. It can also block websites using a sophisticated rules engine that can be based on a variety of parameters, including FQDN, regular expressions, keywords, and other patterns in the website content (such as websites containing certain HTML and JavaScript elements). The browser extension sees all browser traffic after the browser decrypts it and therefore doesn’t need to add any certificates or do any TLS inspection. Any website accessed via the browser and any file downloaded from the browser can be inspected by the extension.

Perception Point’s browser extension offers IDS and IPS features that inspect every website and every file downloaded or uploaded. It can unpack files, running them in its proprietary CPU-level hardware-assisted platform (HAP), a cloud-based, hardware-backed sandbox, to detect zero-day exploits, malware, ransomware, and C2 network traffic. It can also scan static code and script files to detect malicious scripts, macros in Office files, and so forth.

The solution prevents malicious files, documents, executables, and installers from running by inspecting every downloaded file with multiple detection engines. It uses advanced anti-phishing and XSS engines to block malicious websites from being accessed based on dynamic inspection of those websites, and can also block unwanted or risky websites by category.

Challenges
Perception Point’s solution should improve its capabilities for endpoint security functions because it does not currently support browser isolation capabilities, meaning that it can’t isolate websites, extensions, or tabs into separate processes and restrict the ability of processes to access each other and other resources on the system.

Purchase Considerations
The solution is sold as an annual subscription, priced per user, per month. Different prices are available based on the number of seats. Support is included in the base price and is available 24/7, through a support email address, chat in the dashboard, and a phone number that will be provided to the client. Perception Point also provides professional managed incident response services as an integrated part of the solution, free of charge. Pay-as-you-go and pay-as-you-grow models are available for managed services providers. Non-MSP customers have a 10% tolerance for the number of seats available in a contract period; for example, if they contract for 100 seats, they can have between 90 and 110.

Perception Point’s solution can deliver on use cases such as phishing and malware protection, zero-day prevention, enforcing safe access to SaaS and web apps, and stopping both deliberate and accidental data leaks as well as blocking malicious insiders and third-party threats. The solution’s extensive visibility and monitoring features can also help to ensure compliance.

Radar Chart Overview
With a browser extension and cloud-based processing for delivering its secure browsing solution, Perception Point is positioned in the Maturity/Platform Play quadrant. The vendor has a good development pipeline, making it a Fast Mover. It has a higher aggregate score in the decision criteria we evaluated, making it a Leader in this report.

Red Access

Solution Overview
Red Access offers an agentless secure web browsing solution that is delivered via a proxy. It works by injecting a small JavaScript-based file in the user browsing session to enforce security controls in accordance with the organization’s defined policies. It can secure any browser, does not require an agent or extension, and provides a range of services, which include DNS filtering, URL categorization, file scanning, DLP, and more.

Red Access is compatible with and can be delivered via industry-standard mobile device management solutions.

Strengths
For network security functions, the solution can filter ingress traffic using controls such as allowing, blocking, rate limiting, and alerting. It can filter rich media such as images, videos, and documents, block traffic from specific countries by using regular expressions, keywords, and binary patterns, filter by URL and URL categories, and can require a fully qualified domain name (FQDN). The solution can operate at Layer 7 for context-aware filtering of protocols such as HTTP and FTP.

Red Access offers extensive DLP features, including blocking copy and cut functions, blocking and obfuscating screenshots, preventing sensitive data from being downloaded locally or uploaded to third-party servers, and masking PII or other sensitive data.

The solution can integrate with major IAM providers such as Active Directory, Okta, and Ping Identity, and can inherit security policies defined in the IAM solutions. It supports MFA and SSO.

Challenges
While not inherently a challenge, Red Access is the only vendor featured in the report with a fully agentless solution; the rest also offer a browser client or browser extension. This means that Red Access can’t deliver some endpoint security function capabilities, such as blocking malicious processes on the end-user device or enforcing OS-level controls.

Purchase Considerations
Red Access offers a free trial of its product, but pricing and licensing details are not publicly available. The solution has different licensing tiers and is priced on a yearly subscription basis per seat. It is sold as one platform with no additional add-on modules. It is worth noting that customers do not need to make any changes to their existing browsing solutions to deploy the Red Access solution.

The solution can be deployed as an alternative to virtual desktop infrastructure and virtual private network deployments. It can cater to various use cases, which include safe browsing for internal employees and conditional access for companies with BYOD policies. It secures browsing on both managed and unmanaged devices across remote and hybrid workers, contractors, third parties, and consultants.

Radar Chart Overview
Red Access is the only vendor positioned in the Innovation/Feature Play quadrant. The vendor delivers its secure browsing solution only through an agentless browser method, without offering a client or extension. Its good development pipeline makes Red Access a Fast Mover. It has a high aggregate score in the decision criteria we evaluated, making it a Leader in this report.

Seraphic

Solution Overview
Seraphic delivers enterprise secure browsing via its patented technology—JavaScript Layout Randomization (JSLR)—which equips all browsers such as Chrome, Safari, Edge, and Firefox with enterprise-grade security mechanisms.

Seraphic is deployed to managed (employee) browsers as well as unmanaged (contractor/BYOD) browsers to prevent breaches and phishing attacks that bypass all other existing defenses. It simplifies zero-trust access to private web applications by third-party contractor and employee BYOD devices, and protects against data loss and identity theft from users accessing web/SaaS applications.

Seraphic offers multiple modules depending on the customer’s needs and the device that needs to be protected:

  • Seraphic Protect is a browser agent that provides safe browsing, DLP, and governance for any standard browser.
  • Seraphic Connect is a solution that provides ZTNA connectivity for web apps, VDI apps, SaaS, and private clouds.
  • Seraphic Collaborate offers governance and DLP across applications such as Slack, Teams, WhatsApp, and Microsoft 365 apps.

Strengths
Over the past year, Seraphic has been releasing new product features that include browsing extensions; device posture assessment; and file, session, and clipboard encryption. It has extended its integrations with technologies such as identity providers, sandboxes, malware scanners, and SIEM solutions. Seraphic’s network security functions include ingress traffic filtering to allow, block, rate limit, and alert on traffic; the ability to filter rich media such as images, videos, and documents; blocking traffic from specific countries; and using regular expressions, keywords, and binary patterns to filter. Seraphic inspects the data before encryption to identify risks like data exfiltration, C2 traffic, or other risks within the browser.

It supports URL filtering categories, custom domain blocking, and FQDN filtering. On the endpoint, Seraphic blocks malicious processes and scripts running on web pages,

Seraphic can protect accounts from being compromised in a number of ways, such as detecting the use of compromised or weak passwords or reused credentials, and by encrypting session cookies.

For DLP, the solution can block copy and cut functions, block or obfuscate screenshots, prevent sensitive data from being downloaded locally or uploaded to third-party services, and mask or redact PII and sensitive data. Seraphic can prevent sensitive data from being downloaded or encrypt it when it is being downloaded. It also has browser tools such as view source and dev tools and can control printing functions.

Seraphic enforces the principle of least privilege by providing access only based on explicit trust. Access is continuously assessed based on different parameters, like user identity, device posture, and network context. Seraphic can use browser versions and OS versions, as well as running processes, installed applications, EDRs, and so forth as part of these parameters, and it can be used to identify all parameters of the devices to verify that they are legitimate.

Challenges
Seraphic does not currently offer user and session anomaly detection, which entails continuously assessing how users behave to identify deviations from the baseline, including suspicious or unexpected activities.

Purchase Considerations
Customers can purchase Seraphic’s solution from certified partners. Basic support is included, with premium services available at an additional price. Pricing is subscription-based per user, per year, and customers can choose their preferred security modules. MSSPs also have a pay-as-you-go option. Technical support is available 24/7 and is subject to an SLA with the customer.

The solution can deliver on a wide range of use cases, including safe browsing, DLP, browser extension management, support for BYOD policies, managing organizational application access, and secure remote access. It can be used to replace technologies such as virtual private networks, secure web gateways, virtual desktop infrastructure, and remote browsing isolation.

Radar Chart Overview
Seraphic is positioned in the Innovation/Platform Play quadrant. The vendor offers a browser extension, cloud-based processing, and agentless browser controls for delivering its secure browsing solution; these are part of a wider platform. The vendor has an extensive development pipeline, making it an Outperformer. It has an average aggregate score in the decision criteria we evaluated, making it a Challenger in this report.

SURF Security

Solution Overview
SURF Security’s secure enterprise browsing solution consists of a browser client for unmanaged devices and a browser extension for managed devices. The SURF solution is built using the open source Chromium engine, providing compatibility with Chromium-based browsers and leveraging their features and performance optimizations.

The SURF solution enforces security controls for all entities that interact with the browser, which include users, data, corporate assets, applications, and development activities. It offers a compelling alternative to technologies that are hard to manage or introduce friction, such as virtual desktop infrastructure, virtual private networks, and remote browser isolation.

Strengths
For network security functions, SURF can perform traffic filtering, including allows, blocks, rate limits, and alerts. It can filter rich media such as images, videos, and documents, block traffic from specific countries, and filter using regular expressions, keywords, and binary patterns. SURF offers category-based filtering using its engine, and the ability to block specific domains and filter by FQDN. For HTTP/S, SURF provides direct connectivity from the browser to any application. Traffic is inspected before leaving the browser, with policies controlling navigation by domain, URL, contents, and keywords. SURF has full visibility and control over network traffic without breaking TLS encryption, and it inspects every packet before encryption. This allows content filtering and alerting based on policies, and identifying C2 traffic, obfuscated traffic, or data exfiltration in encrypted TLS or SSH traffic.

The solution can be configured to monitor running processes. If configured to run in an allowed mode, SURF will terminate any process not whitelisted. SURF scans every frame and script, and if it encounters a script considered malicious by the SURF engine, that script will be removed from the page. SURF can scan every download using multiple engines and executes the rendering process in a sandbox. Additionally, every browser API call (network, disk) is executed in a sandbox to enhance security.

SURF scores high on the zero-trust adherence business criterion. It requires users to authenticate using either the SURF IDP or any integrated IDP, such as Azure AD, Okta, or any SAML-based solution. Permissions are granted upon authentication depending on the administrator’s configuration. If an account is considered compromised, SURF offers the option to kill the session and revoke user access. It can direct any download into a sandbox for inspection and analysis, ensuring malicious content is isolated and does not affect the endpoint. SURF calculates trust scores based on device posture scanning, which assesses various security parameters and compliance status. This score helps administrators to make informed access-control decisions based on the trustworthiness of the user’s device.

Challenges
SURF offers a browser client and extension, so the solution focuses more on local processing than on off-device processing. While this isn’t inherently a challenge, it means that the solution does not support features such as opening and viewing documents (such as macro-enabled Word or Excel files) without the need to download files to the endpoint.

Purchase Considerations
The solution offers different licensing tiers based on factors such as user count and additional requirements such as storage and cloud traffic. Support is included for all customers, regardless of their size or the cost of their subscription. While SURF charges annually, customers can scale up or down based on their requirements by contacting the company and making a request. Pricing is per user, per year based on identity, with an unlimited number of devices per user.

The solution’s browser and extension can cater to a range of use cases, which include securing BYOD and contractor devices, protecting distributed workforces and endpoints, safeguarding against social engineering, and supporting compliance with industry regulations. The solution can be used to replace virtual desktop infrastructure, remote browser isolation, and VPNs.

Radar Chart Overview
SURF is positioned in the Maturity/Platform Play quadrant. The vendor offers a browser client and extension for delivering its secure browsing solution. SURF has a good development pipeline, making it a Fast Mover. It has a higher aggregate score in the decision criteria we evaluated, making it a Leader in this report.

6. Analyst’s Outlook

Secure enterprise browsing solutions can considerably improve security posture while also simplifying the technology stack. Injecting security functions in the most used application means that end users do not experience additional friction introduced by other security products. This is an appealing proposition, so we expect that the adoption of enterprise browsers will very likely increase considerably over the next few years.

This form of secure browsing solution emerged in the early 2020s, and while it is still early days for the market, it’s likely that secure browsing solutions will become the standard for enterprise workers. With more real-world deployments, new use cases, and edge cases, the market will amass more information to crystallize into a standardized and stable space. This can take multiple forms.

One possibility is that the current incumbents will add enough security functions out of the box that the secure browser will become the new standard. This will depend heavily on incumbent vendors’ choices for pricing and licensing. Free options that come pre-deployed and pre-integrated will be the most obvious choice for most enterprises. The main licensing decision will revolve around whether solutions offer a centralized management function that’s free of charge or chargeable.

Another potential scenario entails a diversified market with enough product differentiation that customers can select the solution that best serves their particular use cases. This describes how the market currently stands, and it is likely to maintain this form over the next few years.

Acquisitions, such as Palo Alto buying Talon, are also an important factor. Players such as Microsoft and Google may simply buy out the competition or intend to integrate their technology, such as that provided by browser extension vendors.

Any such disruptions in secure enterprise browsing will only be growing pains for a technology that will be able to mitigate some of today’s most important attack vectors.


7. Methodology

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.

8. About Andrew Green

Andrew Green is an enterprise IT writer and practitioner with an engineering and product management background at a tier 1 telco. He is the co-founder of Precism.co, where he produces technical content for enterprise IT and has worked with numerous reputable brands in the technology space. Andrew enjoys analyzing and synthesizing information to make sense of today’s technology landscape, and his research covers networking and security.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2024 "GigaOm Radar for Secure Enterprise Browsing" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.
