Surface vs. Seraphic: Sovereign On-Prem Browser Security
Browser security that stays yours to run.
Seraphic built a genuinely clever exploit-prevention engine, and in January 2026 CrowdStrike agreed to fold it into the cloud-native Falcon platform. That settles where your browser telemetry goes: into a US-based cloud Endpoint Detection and Response (EDR) platform. Surface answers differently — detection on the device, control plane on your infrastructure, data never leaving your perimeter.
Seraphic is no longer a standalone, browser-agnostic vendor
On January 13, 2026, CrowdStrike announced a definitive agreement to acquire Seraphic, reportedly for around $400–420 million (terms not officially disclosed), with the deal expected to close in CrowdStrike's fiscal Q1 2027. The stated plan is to extend the Falcon platform into the browser and correlate in-session browser telemetry with endpoint signals in the CrowdStrike cloud. For organizations whose security model depends on keeping data inside their own perimeter, that changes the calculus.
Sources: CrowdStrike's January 13, 2026 acquisition announcement, with deal-value figures from SecurityWeek and Calcalist reporting.
Same goal. Different center of gravity.
Both secure the browser the employee already uses, with no forked Chromium to roll out. The difference is what sits in the data path and who operates the control plane.
In-engine agent, cloud-managed console
A JavaScript security agent runs in the page context; policy and telemetry live in a vendor-hosted software-as-a-service (SaaS) console — consolidating onto Falcon.
In-browser detection, on-prem control plane
A managed extension runs detection on the device. The platform you manage holds policy, telemetry, models, and keys. No vendor cloud in the path.
Where each platform is structurally stronger
An honest read. Seraphic's differentiator is exploit prevention deep inside the JavaScript engine. Surface's is adaptive, sovereign detection of the attacks that actually reach your users every day — phishing, data loss, and AI misuse. They are not the same problem.
Moving Target Defense in the JS engine
Seraphic's patented engine randomizes the browser's JavaScript runtime — an in-browser analog of Address Space Layout Randomization (ASLR) — to break the assumptions memory-corruption exploits depend on. An extension cannot reach that layer, and we say so plainly.
- Runtime randomization aimed at zero-day and n-day browser exploits.
- Operates below the Document Object Model (DOM) and extension APIs, at the execution and memory layer.
- Prevention by construction, without needing a detection signature.
Fair caveat: the exploit-immunization claims are the vendor's own; we know of no independent benchmark validating them. The capability is a genuine architectural strength nonetheless.
Adaptive Surface Vision, on-device and sovereign
Memory-corruption exploits are rare and expensive. Phishing, credential theft, data loss, and AI misuse are daily. Surface Vision fingerprints every rendered page — layout, code, pixels, intent — and the models keep learning on your own traffic, locally, inside your perimeter.
- Catches net-new phishing kits with no pre-existing Indicator of Compromise (IoC) or threat feed.
- Learns the legitimate look of your apps and adapts signatures to your environment.
- Visually reads rendered structure and runs Optical Character Recognition (OCR) on the page, not just static attributes.
“Signature-free” is doing a lot of work in the category. Seraphic, like Push and others, still matches static page attributes — links, strings, titles. Surface reads those too, then adapts signatures to your environment and visually reads the rendered page to catch what static checks miss.
A verdict at render time, with 0 bytes egressed
An honest capability comparison
Seraphic wins where an in-engine exploit-prevention agent is built to win. Surface wins on sovereignty, adaptive detection, and independence from a cloud EDR platform. Several rows are a genuine tie — we mark those honestly.
| Feature | Surface Security (sovereign on-prem: in-browser detection, on-prem control plane) | Seraphic (in-engine agent, cloud SaaS; now CrowdStrike) |
|---|---|---|
| On-premises and air-gapped deployment (customer-hosted control plane) | Fully supported | Not supported |
| Full data sovereignty — telemetry never leaves your perimeter | Fully supported | Not supported |
| Independent of a cloud EDR platform (no Falcon tie-in) | Fully supported | Not supported |
| Real-time page analysis without URL feeds or site classification | Fully supported | Fully supported |
| Per-environment adaptive detection — signatures learned and tuned to your deployment | Fully supported | Not supported |
| Visual and semantic page reading (rendered structure + OCR), not just static attributes | Fully supported | Partial or limited |
| In-engine memory-corruption / exploit prevention (Moving Target Defense) | Not supported | Fully supported |
| Works on the browser the employee already runs (no forked browser) | Fully supported | Fully supported |
| Coverage for unmanaged / BYOD / personal devices | Partial or limited | Fully supported |
| Browser-native Data Loss Prevention (DLP) on paste, upload, screenshot, and generative AI (GenAI) input | Fully supported | Fully supported |
| Agentic AI controls (prompt injection, agent scope, exfiltration) | Fully supported | Partial or limited |
| Multi-plane deception (decoy sessions) against token theft | Fully supported | Not supported |
| Customer controls detection logic, patch cadence, and retention | Fully supported | Partial or limited |
Architectural capabilities. Exploit-prevention credit to Seraphic reflects its patented in-engine Moving Target Defense. Sovereignty, adaptive detection, and independence credits to Surface reflect a customer-hosted control plane. Deployment characterization is based on publicly available information as of mid-2026.
When Seraphic is the right call
Seraphic did real engineering, and there are environments where it is the better fit. We say so on the record.
Exploit-prevention priority
If memory-corruption and zero-day browser exploits are at the top of your threat model, in-engine Moving Target Defense is a capability an extension does not replicate.
All-in on CrowdStrike Falcon
If you are already a Falcon shop and want browser telemetry correlated in the same cloud, the post-acquisition integration is a natural extension of that stack.
Cloud-first, unmanaged-device estates
For organizations comfortable with vendor-hosted management and large unmanaged, personal, or bring-your-own-device (BYOD) populations, a cloud SaaS console is a clean operating model.
The mistake is treating cloud-managed browser security as the default for everyone. For the regulated, sovereign, transparency-first team that already keeps SIEM and EDR data inside its own perimeter, the browser security platform should follow the same rule.
Keep your browser. Keep your perimeter.
Surface deploys as a managed extension on Chrome, Edge, or Firefox, with a control plane that runs entirely on your infrastructure. See it running against your real traffic, alongside whatever you already have in production.