Back to Blog
companymanifestobrowser-securitysovereignphishing

The Surface Security Manifesto

May 26, 2026Grant, Co-Founder

In 2023, my wife got a text from USPS. A missed package, a link, a form. She entered her card details before she realized none of it was real.

It wasn't a sophisticated attack. It didn't need to be. It happened in a browser tab, on an ordinary day, the way millions of them happen every hour.

I do this for a living. Disney's red team, DEF CON, years on the offensive side of security. And it still landed in my own house.

So I went after the group behind it. I reverse-engineered their kit, exploited it, and exposed the operation. That work helped recover more than 400,000 stolen credit cards and ended up in the Financial Times, WIRED, and The Atlantic.

The headlines weren't the point. The point was simpler, and worse: the attack worked because nothing was watching the place it happened.

The blind spot

Here is what nearly every security team has. An email gateway on one side. EDR on the endpoint on the other. Both are mature, well-funded, well-understood.

And between them, a gap.

Email gateways stop at the inbox. EDR stops at the OS. Everything in between happens in a tab no one can see.

The credential typed into a fake login. The redirect chain. The malicious extension. The file pasted into a shadow AI tool. All of it happens in the browser session, the one layer no one is watching.

That tab is where work happens now. Around 80% of enterprise tasks run through web apps. 70% of malware is browser-based. And fewer than 10% of organizations defend the browser at all. The battleground moved. The defenses didn't.

Three things we believe that most of the industry hasn't caught up to

Surface exists because of three convictions. We will defend each one, even when it costs us.

The browser is the perimeter now. Not the inbox, not the laptop. The tab. Defending everything around the browser while leaving the browser itself dark is the central blind spot of modern security.

AI broke the old way of catching attacks. Phishing is now generated, personalized, and thrown away faster than any blocklist, signature, or hash can keep up. By the time a URL is known-bad, the damage is done. Detection has to read the page the way a trained analyst would, in real time, not match it against a list of yesterday's threats.

Sovereignty is the precondition, not the upsell. Security that demands you ship your browsing data to someone else's cloud, or rip out the browser your people already use, is a non-starter for the organizations that need it most: banks, hospitals, defense, critical infrastructure. For them, data control isn't a feature request. It's the condition for saying yes.

Who we are

We met at Virginia Tech, in the cybersecurity club. We scattered into the parts of this field most people never see: DoD cyber operations, DISA, red teams, adversary simulation, AI and machine learning. We built and led security companies. We served as cyber warfare officers.

Then we came back together to build the thing we kept wishing existed while we were on the inside, watching attacks slip through.

What we build, and what we refuse to

Surface is the security analyst inside every browser.

Not a new browser. Not a proxy that routes your traffic through us. Not another cloud that holds your data. A lightweight agent that deploys into the browsers your people and your AI agents already use, and watches the session the way an analyst would: phishing, credential theft, session hijacking, shadow AI, data exposure, malicious extensions. It stops them before they become incidents.

It runs inside your environment. Your browsing telemetry never leaves your infrastructure. Ever.

We've made choices that will cost us customers, on purpose. We won't move your data to our cloud to make our lives easier. We won't make you replace the tools your people know. If sovereignty doesn't matter to you, we're probably not your vendor, and that's fine. We are building for the organizations that can't compromise on it.

The only test that matters

Every feature we ship exists because one of us watched the threat it stops land on a real network. Not what's fundable. Not what demos well. What actually stops the attack.

Millions of attacks will hit the browser in the time it took to read this. We built Surface to see them, and to stop them, in the one place no one else is looking.

After the click.