Surface vs. Seraphic: Sovereign On-Prem Browser Security

Surface vs. Seraphic

Browser security that stays yours to run.

Seraphic built a genuinely clever exploit-prevention engine, and in January 2026 CrowdStrike agreed to fold it into the cloud-native Falcon platform. That settles where your browser telemetry goes: into a US-based cloud Endpoint Detection and Response (EDR) platform. Surface answers differently — detection on the device, control plane on your infrastructure, data never leaving your perimeter.

Sovereignty
On-prem and air-gapped. Telemetry stays inside your perimeter.
Phishing
Surface Vision: adaptive, on-device, learns on your own traffic.
Independence
No cloud EDR tie-in. Your platform, your keys, your roadmap.
What changed in January 2026Seraphic is being acquired by CrowdStrike

Seraphic is no longer a standalone, browser-agnostic vendor

On January 13, 2026, CrowdStrike announced a definitive agreement to acquire Seraphic, reportedly for around $400–420 million (terms not officially disclosed), with the deal expected to close in CrowdStrike's fiscal Q1 2027. The stated plan is to extend the Falcon platform into the browser and correlate in-session browser telemetry with endpoint signals in the CrowdStrike cloud. For organizations whose security model depends on keeping data inside their own perimeter, that changes the calculus.

Jan 13, 2026
Acquisition announced. Expected to close CrowdStrike fiscal Q1 FY27.
~$400–420M
Reported deal value, predominantly cash. Terms not officially disclosed by CrowdStrike.
Falcon cloud
Browser telemetry is slated to flow into CrowdStrike's cloud-native platform.

Sources: CrowdStrike's January 13, 2026 acquisition announcement, with deal-value figures from SecurityWeek and Calcalist reporting.

Two architectures

Same goal. Different center of gravity.

Both secure the browser the employee already uses, with no forked Chromium to roll out. The difference is what sits in the data path and who operates the control plane.

Seraphic / CrowdStrike

In-engine agent, cloud-managed console

A JavaScript security agent runs in the page context; policy and telemetry live in a vendor-hosted software-as-a-service (SaaS) console — consolidating onto Falcon.

JavaScript security agent
Injected into the browser's JS engine. Enforces locally and emits in-session telemetry.
Cloud management console
Policy, dashboards, and telemetry aggregation are vendor-hosted.
CrowdStrike Falcon cloud
Post-acquisition, browser telemetry is correlated with endpoint signals in the Falcon cloud.
Where data lands
In-session telemetry flows to a vendor cloud (Falcon)
Surface

In-browser detection, on-prem control plane

A managed extension runs detection on the device. The platform you manage holds policy, telemetry, models, and keys. No vendor cloud in the path.

Managed extension
Runs in the Chrome, Edge, or Firefox employees already use. Detection executes on-device.
Customer-hosted control plane
Docker, Kubernetes, virtual machines (VMs), bare metal, or air-gapped. Policy and investigation run on your infrastructure.
Your analyst stack
Events feed your Security Information and Event Management (SIEM) — Splunk, Sentinel, or XSOAR — inside your perimeter. Retention is governed by you.
Where data lands
Telemetry stays inside the customer perimeter
Two engines, two jobs

Where each platform is structurally stronger

An honest read. Seraphic's differentiator is exploit prevention deep inside the JavaScript engine. Surface's is adaptive, sovereign detection of the attacks that actually reach your users every day — phishing, data loss, and AI misuse. They are not the same problem.

Seraphic's edge

Moving Target Defense in the JS engine

Seraphic's patented engine randomizes the browser's JavaScript runtime — an in-browser analog of Address Space Layout Randomization (ASLR) — to break the assumptions memory-corruption exploits depend on. An extension cannot reach that layer, and we say so plainly.

  • Runtime randomization aimed at zero-day and n-day browser exploits.
  • Operates below the Document Object Model (DOM) and extension APIs, at the execution and memory layer.
  • Prevention by construction, without needing a detection signature.

Fair caveat: the exploit-immunization claims are the vendor's own; we know of no independent benchmark validating them. The capability is a genuine architectural strength nonetheless.

Surface's edge

Adaptive Surface Vision, on-device and sovereign

Memory-corruption exploits are rare and expensive. Phishing, credential theft, data loss, and AI misuse are daily. Surface Vision fingerprints every rendered page — layout, code, pixels, intent — and the models keep learning on your own traffic, locally, inside your perimeter.

  • Catches net-new phishing kits with no pre-existing Indicator of Compromise (IoC) or threat feed.
  • Learns the legitimate look of your apps and adapts signatures to your environment.
  • Visually reads rendered structure and runs Optical Character Recognition (OCR) on the page, not just static attributes.

“Signature-free” is doing a lot of work in the category. Seraphic, like Push and others, still matches static page attributes — links, strings, titles. Surface reads those too, then adapts signatures to your environment and visually reads the rendered page to catch what static checks miss.

Dynamic phishing protection

A verdict at render time, with 0 bytes egressed

Surface Vision · On-Device Verdict
Verdict: Phishing Kit
Known IoC / signaturenone
pHash + favicon match0.94
Brand OCRMicrosoft
Redirect lineage4 hops
Adaptive model score0.97
ActionBLOCK
Data leaving devicenone
vision.engine new_kit_detected: cluster=adaptive-c19e · processed on-device · 0 bytes egressed
0-day
Kit detection with no feed
On-prem
Model stays in perimeter
<1s
Verdict at render time
Side by side

An honest capability comparison

Seraphic wins where an in-engine exploit-prevention agent is built to win. Surface wins on sovereignty, adaptive detection, and independence from a cloud EDR platform. Several rows are a genuine tie — we mark those honestly.

Feature
Sovereign on-prem
Surface Security
Surface Security
In-browser detection, on-prem control plane
Seraphic
In-engine agent, cloud SaaS (now CrowdStrike)
On-premises and air-gapped deployment (customer-hosted control plane)
Fully supported
Not supported
Full data sovereignty — telemetry never leaves your perimeter
Fully supported
Not supported
Independent of a cloud EDR platform (no Falcon tie-in)
Fully supported
Not supported
Real-time page analysis without URL feeds or site classification
Fully supported
Fully supported
Per-environment adaptive detection — signatures learned and tuned to your deployment
Fully supported
Not supported
Visual and semantic page reading (rendered structure + OCR), not just static attributes
Fully supported
Partial or limited
In-engine memory-corruption / exploit prevention (Moving Target Defense)
Not supported
Fully supported
Works on the browser the employee already runs (no forked browser)
Fully supported
Fully supported
Coverage for unmanaged / BYOD / personal devices
Partial or limited
Fully supported
Browser-native Data Loss Prevention (DLP) on paste, upload, screenshot, and generative AI (GenAI) input
Fully supported
Fully supported
Agentic AI controls (prompt injection, agent scope, exfiltration)
Fully supported
Partial or limited
Multi-plane deception (decoy sessions) against token theft
Fully supported
Not supported
Customer controls detection logic, patch cadence, and retention
Fully supported
Partial or limited
Fully supported
Partial or limited
Not supported

Architectural capabilities. Exploit-prevention credit to Seraphic reflects its patented in-engine Moving Target Defense. Sovereignty, adaptive detection, and independence credits to Surface reflect a customer-hosted control plane. Deployment characterization is based on publicly available information as of mid-2026.

Fair to the category

When Seraphic is the right call

Seraphic did real engineering, and there are environments where it is the better fit. We say so on the record.

Exploit-prevention priority

If memory-corruption and zero-day browser exploits are at the top of your threat model, in-engine Moving Target Defense is a capability an extension does not replicate.

All-in on CrowdStrike Falcon

If you are already a Falcon shop and want browser telemetry correlated in the same cloud, the post-acquisition integration is a natural extension of that stack.

Cloud-first, unmanaged-device estates

For organizations comfortable with vendor-hosted management and large unmanaged, personal, or bring-your-own-device (BYOD) populations, a cloud SaaS console is a clean operating model.

The mistake is treating cloud-managed browser security as the default for everyone. For the regulated, sovereign, transparency-first team that already keeps SIEM and EDR data inside its own perimeter, the browser security platform should follow the same rule.

Surface Security

Keep your browser.
Keep your perimeter.

Surface deploys as a managed extension on Chrome, Edge, or Firefox, with a control plane that runs entirely on your infrastructure. See it running against your real traffic, alongside whatever you already have in production.