Eight in ten IT teams hit by browser-based attacks in 2025 — while most say they're prepared

NordLayer surveyed 405 US cybersecurity professionals and found 82 percent of their organisations experienced a web-based security incident in the past year; 73 percent describe their organisation as well prepared. Both figures can be true, and that is precisely the problem.

The gap between incident rate and confidence is the central finding of NordLayer's Why Browser Security Can't Wait report, released today. Half of the organisations that experienced a web-based incident described the impact as moderate or severe, yet concern about preparation sits only marginally lower than concern about the threats themselves.

The structural explanation is in the tooling data. Data loss prevention tools lead browser security adoption at 53 percent coverage. Other browser-specific controls trail below that. Meanwhile, 98 percent of respondents say they are concerned about web-based threats and 81 percent expect attacks to become more sophisticated over the next few years. Organisations are worried about the right things; they are not necessarily deploying the right tools.

Concern is high, but awareness of which controls actually solve browser-specific risks is low. Much of the initial confidence most likely comes from having general security controls in place, yet they rarely adequately cover risks in the browser.

Buinovskis (NordLayer)

Part of the problem is where work now lives. NordLayer analysed 504 highly-rated work applications listed on Gartner Peer Insights and found that 78.8 percent were browser-only — not applications that can run in a browser, but applications with no meaningful alternative to it. When the browser is the workspace, it is also the attack surface.

Infostealers are exploiting that shift methodically. NordLayer and NordStellar's analysis of infostealer data from Telegram channels shows the malware harvested approximately 1.8 million credentials and nearly 68.8 billion cookies between January 2024 and February 2026, with activity peaking in November. Cookies are particularly valuable because a stolen session token can bypass authentication entirely, making it possible to enter a SaaS environment without triggering a login alert.

Stolen cookies and credentials grant immediate access without raising alarm bells — a login looks legitimate. It’s low risk, high reward, and as reliance on web-based SaaS grows, so does the value of stolen data. Attackers will keep exploiting this until organizations secure the browser as a critical boundary.

Buinovskis
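An added example, not taken from the NordLayer report: one way to surface the session-cookie reuse described above in SaaS audit logs is to flag a session token that appears from a network and browser different from the ones that logged in with it. The log format, field names and the /24 heuristic are assumptions, and the sample events are constructed.

```python
import ipaddress
import json

# Constructed sample audit-log events (not from the report); field names are assumed.
SAMPLE_LOG = """
{"ts": "2025-11-03T09:00:12Z", "event": "login", "user": "alice", "session": "s-1001", "ip": "198.51.100.24", "ua": "Chrome/130 Windows"}
{"ts": "2025-11-03T09:05:40Z", "event": "request", "user": "alice", "session": "s-1001", "ip": "198.51.100.77", "ua": "Chrome/130 Windows"}
{"ts": "2025-11-03T09:41:02Z", "event": "request", "user": "alice", "session": "s-1001", "ip": "203.0.113.9", "ua": "Firefox/128 Linux"}
{"ts": "2025-11-03T09:41:30Z", "event": "request", "user": "alice", "session": "s-1001", "ip": "203.0.113.9", "ua": "Firefox/128 Linux"}
{"ts": "2025-11-03T10:02:11Z", "event": "request", "user": "bob", "session": "s-2002", "ip": "192.0.2.50", "ua": "Chrome/130 Windows"}
{"ts": "2025-11-03T10:15:00Z", "event": "login", "user": "carol", "session": "s-3003", "ip": "192.0.2.10", "ua": "Chrome/130 macOS"}
{"ts": "2025-11-03T12:30:00Z", "event": "request", "user": "carol", "session": "s-3003", "ip": "203.0.113.40", "ua": "Chrome/130 macOS"}
"""


def network(ip, prefix=24):
    """Coarse client location: the /24 that contains the address (IPv4 sample data)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_session_reuse(log_text):
    """Return one finding per (session, client) that did not establish the session."""
    origin = {}       # session id -> (network, user agent) recorded at login
    reported = set()  # (session id, client) pairs already reported
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        sid, client = e["session"], (network(e["ip"]), e["ua"])
        if e["event"] == "login":
            origin[sid] = client
            continue
        if sid not in origin:
            # May also be a session older than the log window: treat as "review".
            reason = "no login observed for session"
        elif origin[sid][0] != client[0] and origin[sid][1] != client[1]:
            reason = "network and user-agent differ from login"
        else:
            continue  # unchanged, or only one attribute changed (roaming, browser update)
        if (sid, client) not in reported:
            reported.add((sid, client))
            findings.append({"ts": e["ts"], "user": e["user"], "session": sid,
                             "ip": e["ip"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_session_reuse(SAMPLE_LOG):
        print(finding)
```

Requiring both attributes to change keeps ordinary roaming (carol) and same-subnet address changes out of the results, at the cost of missing a replay that copies the victim's user agent.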

The report recommends three defensive priorities: visibility into what SaaS tools and browser extensions employees are using; DNS filtering and DLP to block access to malicious content; and zero-trust network segmentation applied at the browser layer to restrict lateral movement if a session is compromised.
