GigaOm Radar for Secure Enterprise Browsing v2

Secure enterprise browsing solutions enable users to access websites and web-based resources in compliance with corporate security policies, providing security modules to protect against cyberattacks.

These solutions sit at the intersection of user, device, and web resources to ensure secure access and enforce security policies. This position at the crossroads enables the secure browsing solution to apply multiple types of functions:

• Protecting end users from malicious web resources

• Protecting enterprises from malicious insiders

• Protecting enterprises from negligent users

• Protecting enterprises from compromised accounts

Protecting end users from malicious web resources comes in two flavors. In one, the adversary can be highly technical malware attacks causing websites to execute malicious scripts or download and run malware. In the other, it can be social engineering attacks that encourage users to willingly but unknowingly compromise their identities.

To achieve these protection functions, secure enterprise browsing solutions must employ different security techniques, such as endpoint protection for local detection and response to threats, network protection for securing inbound and outbound requests, and identity and access management for alignment with company-wide authentication and authorization.

Protecting enterprises from malicious insiders or compromised account attacks means that the solution can enforce Zero Trust policies, detect suspicious behavior, regulate access permissions depending on risk factors, and enforce data loss prevention (DLP).

With the browser as the most commonly used application throughout the workforce and the gateway to internal and external resources, companies have the opportunity to significantly improve their security posture across the whole organization, tackling some of the most prominent and damaging types of cyberattacks of today.

This is our second year evaluating the secure enterprise browsing space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year. 

This GigaOm Radar report examines 17 of the top secure enterprise browsing solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading secure enterprise browsing offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

To help prospective customers find the best fit for their use case and business requirements, we assess how well enterprise browsing solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

• Regulated industries: These are organizations that work within regulatory frameworks, including the likes of financial services providers, healthcare providers, and government agencies.

• Multinational: These organizations operate across geographies and require tools that can comply with data sovereignty requirements and provide support across time zones and local language support.

• Small-to-medium business: These are lean organizations whose main requirements for these tools are easy procurement processes, transparent pricing, and easy onboarding.

• Large enterprise: These organizations have requirements for complex policy definitions and integrations with larger tech stacks. Management across large deployments and across business units is heavily weighted.

For this report, we recognize the following deployment models:

• Browser client: These are full desktop clients that are used instead of consumer-oriented browsers. Organizations must deploy the browsing applications across their users’ devices.

• Browser extension: These are plug-ins that are deployed onto the customers’ existing consumer-oriented browsers. Extensions must be compatible with major browsers such as Chrome, Safari, Edge, Firefox, and so forth.

• Agentless browser controls: These solutions inject users’ browsing sessions with a small file to enforce security policies in the browsers without needing to deploy agents (such as clients or extensions) on the end-user device. This deployment model is typically complemented by cloud-based processing.

• Cloud-based processing: In this model, traffic from an end-user’s browser is routed through a cloud proxy that enforces security policies. While this approach does not require agents on end-user devices, it adds another hop in the network path that can impact performance. This model can complement the other three for off-device processing requirements.

Table 1. Vendor Positioning: Target Market and Deployment Model

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1). 

“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

• Desktop client

• Windows compatible

• Centralized management

• Acceptable use policy

• Web threat intelligence integrations

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

• Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a secure enterprise browsing solution.

• Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months. 

• Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating Secure Enterprise Browsing Solutions.”

Key Features

• Policy definition engine: Policy engines enable administrators to define security policies across their secure enterprise browsing solution deployments. Our evaluation of this key feature includes the experience of defining policies, the level of granularity available, and the ability to manage different types of policies for personnel across the organization.

• Network security functions: In the context of secure browsing solutions, network security functions are concerned with ensuring security for inbound and outbound requests. Most organizations already have network security functions such as firewalls and access control lists, so the browser plays a role in ensuring last-mile protection for users and protection from compromised users. 

• Endpoint security functions: Endpoint security is concerned with protecting local processes and data. Its scope includes preventing downloaded malicious files from running on the device and making network requests, preventing malicious scripts from running on webpages, and preventing browser circumvention.

• Data loss prevention: This key feature looks at the solution’s ability to restrict users from exfiltrating sensitive data. DLP can be defined using the solution’s policy definition engine, so we evaluate this feature based on the granularity and control it allows for preventing data leaks. 

• Identity and access management: Secure enterprise browsing solutions can integrate with customers’ existing identity and access management (IAM) solutions to create user accounts, inherit policies such as multifactor authentication and access controls, and provide seamless access with techniques such as single sign-on (SSO). 

• Off-device processing: Solutions must be able to make requests, load webpages, and download files away from the user’s device in an isolated cloud-based environment. This capability allows users to safely view webpages and files that are considered risky or harmful.

• Visibility and monitoring: This refers to a solution’s capabilities for logging, storing, and reporting on events generated by end users. It includes real-time insights based on user activities, such as identification of potentially harmful extensions within the network, and admins can devise policies based on these insights.

• User and session anomaly detection: Solutions should continuously assess the ways users behave to identify deviations from the baseline and any suspicious or unexpected activities. The result of anomaly detection is usually a risk score associated with a user or user session. It is important to distinguish between a user risk score, which indicates that a user displays malicious behavior, and a session risk score, which indicates that a safe user is the target of an attack.

Table 2. Key Features Comparison 

Emerging Features

• Content inspection: This emerging feature involves a solution's capability to inspect the content associated with a webpage, such as images, logos, rendering errors, and content. Most phishing sites have imperfections that might be either intentional or unintentional and can include elements such as low-resolution images, outdated logos, misspelled words, and misaligned or poorly scaled elements. 

• Productivity and collaboration: In addition to security functions, enterprise browsers can also offer productivity capabilities. This feature involves non-security functions that can help users manage their work activities. Productivity capabilities can help users organize their own working experience and help organizations push relevant content to users in an organized manner.

• Non-browser web application security: Depending on their underlying architecture, secure browsing solutions can also extend their capabilities to non-browser applications, such as email desktop clients.

Table 3. Emerging Features Comparison 

Business Criteria

• Zero Trust adherence: Solutions should be able to help customers enforce the primary Zero Trust principles, such as “never trust, always verify.” Such solutions require explicit user authorization and authentication and immediately alert, restrict, or terminate access to users that display compromised or malicious behavior. 

• Cost transparency: This business criterion covers solution licensing models, pricing models, and cost transparency. While it is not an indicator of how affordable or expensive a solution is, it assesses whether the solution offers predictable pricing, includes modules such as support in the base price, and can scale up as an organization grows, all to provide a cost-effective way of deploying and consuming the service. 

• Support: Here we look at a vendor’s ability to support customers pre- and post-deployment by offering onboarding and technical documentation, instructor-led training or other training programs, and professional services to help with deployment, configuration, or integrations.

• Manageability: This is a measure of how easy it is to handle management tasks and the time and resource investment required. The criterion takes into consideration deployment, user and device onboarding, update management, self-serve features for users, and policy change communications. 

• Ease of use: While manageability refers to the administrator effort involved in deploying and running the solution, this criterion involves the end user’s experience with the product, considering the solution’s capability to enforce security policies without negatively impacting employees’ conduct of their daily activities.

Table 4. Business Criteria Comparison

The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for Secure Enterprise Browsing

As you can see in Figure 1, most vendors are located in the Maturity half of the chart, indicating that a good range of solutions in the market already offer year-on-year stability despite the relative novelty of the category. Across the Platform/Feature Play axis, vendors are equally distributed. The vendors on the Platform Play half can deliver capabilities across all of the report's key features, while the ones on the Feature Play half focus on select capabilities.

Compared to the last iteration of the report, this year’s report features four new vendors and an acquisition. Considering the different architectures and deployment models used across all these solutions, we do not expect any major advancements from the Leaders with respect to the key features defined in this iteration. For example, vendors focusing on agentless and cloud-based architectures are unlikely to deliver exceptional capabilities for the endpoint security functions key feature, for which we evaluate capabilities such as awareness and control over OS-level processes. Similarly, those that offer browser clients (often referred to as browser replacements) are unlikely to invest in off-device processing instead of focusing on the security functions locally using their client.

However, there is no lack of advancement in the space, which is why there are no Forward Movers. All vendors here have been steadily delivering on their development pipeline and are actively working to define the browser as a comprehensive tool for most endpoint security requirements.

In reviewing solutions, it’s essential to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

Acium: Acium Unified Browser Security

Solution Overview
Acium Unified Browser Security enforces security policies for Chrome, Chromium, and Edge browsers, with upcoming implementations for Safari and Firefox. The solution provides real-time threat detection, centralized policy enforcement, and visibility into browser activity. Acium combines multilayered protection with flexible deployment, offering support for managed and unmanaged devices, BYOD environments, and hybrid workforces.

It is comprised of the following components: Unified Management Console, a central hub that enables organizations to define and enforce policies, view analytics, and manage access controls across browsers and devices; the Risk-Based Policy Engine, which dynamically adjusts user access and controls based on behavioral risk, device posture, and data sensitivity; Extension Risk Scoring and Control, the module that provides visibility into browser extensions across the enterprise, automatically assessing and blocking high-risk extensions; Data Loss Prevention, for preventing unauthorized access, sharing, or download of sensitive information through advanced policy enforcement; and Zero Trust Enforcement, which ensures continuous verification of users and devices, with built-in support for identity and endpoint integrations.

Acium is positioned as a Leader and Outperformer alone in the Innovation/Feature Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Acium scored well on a number of decision criteria, including:

• Endpoint security functions: Acium’s solution supports capabilities such as file system-level extension management, prevention of developer tools usage, JavaScript controls that restrict or allow execution on a per-site basis, process isolation leveraging native browser sandbox capabilities, and a lightweight monitoring solution that detects DLL injection attempts and sandbox evasion techniques.

• Identity and access management: The solution’s IAM capabilities include inheriting MFA requirements from connected identity providers, using existing group-based access controls and permissions, and synchronizing user attributes for policy targeting, as well as supporting enterprise-ready authentication workflows with comprehensive audit logging.

• Visibility and monitoring: Acium can capture events such as web requests and responses with full URL path details, file transfers with metadata and hash information, browser session data across all contexts, extension activities such as installation, enabling and disabling, updates, permission changes, browser configuration changes, and policy enforcement actions.

Acium is classified as an Outperformer due to its developments in browser compatibility expansion, mobile device protection, and user behavior analytics.

Opportunities
Acium has room for improvement in a few decision criteria, including:

• Data loss prevention: Although the tool has good DLP capabilities, it currently lacks support for anti-keylogging capabilities and restricting access based on file type, content, or application source. Acium plans to release capabilities for features such as download alerting, monitoring for unusual data handling patterns, and watermarking.

• User and session anomaly detection: Acium currently offers the basis for anomaly detection via extension risk scoring and telemetry infrastructure; however, fully featured anomaly detection capabilities are still on the vendor’s roadmap. 

• Non-browser web application security: While the solution currently supports security policies for progressive web apps (PWAs) and isolated web apps (IWAs), it is developing features to secure electron-based applications and other non-browser applications.

Purchase Considerations
Licensing is based on a per-user and per-year pricing structure, allowing each user to access Acium's security capabilities across any number of browsers and devices. Volume-based pricing is available through direct engagement with the Acium sales team or authorized channel partners and vendors. Acium will launch a self-service portal for organizations needing fewer than 101 seats.

Use Cases
Acium supports various use cases, including securing browser activity on unmanaged or BYOD devices, enabling safe access to SaaS apps without deploying a proprietary browser, and blocking risky browser extensions across the enterprise. Additionally, it aids in protecting sensitive data from exfiltration or exposure via the browser, centralizing management and visibility across mixed browser environments, replacing legacy secure web gateway (SWG) or DLP tools for browser-centric use cases, and accelerating Zero Trust initiatives by enforcing browser-level controls based on user, device, and context.

Citrix: Citrix Secure Access with Chrome Enterprise

Solution Overview
Citrix Secure Access with Chrome Enterprise is a joint solution that combines the enterprise-grade security and manageability of Chrome Enterprise Premium with the Zero Trust access control, policy enforcement, and threat protection of Citrix Secure Private Access. 

Citrix Secure Access with Chrome Enterprise enables organizations to extend Zero Trust principles directly into the browser, enabling secure access to web, SaaS, and internal applications from both managed and unmanaged devices. The solution enforces risk-based access policies, integrated web threat protection, and data loss prevention, all while maintaining user productivity within the familiar Chrome browser experience.

The solution adheres to Zero Trust network access (ZTNA) principles, requires explicit authentication, and can immediately terminate or revoke access for a compromised account after authentication. Based on the user’s location, role, and device posture assessment, an administrator can define the way a user is authenticated and authorized to access applications. 

Citrix is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Citrix scored well on a number of decision criteria, including:

• Data loss prevention: The solution features comprehensive DLP capabilities, enabling administrators to define granular policies that can block and obfuscate screenshots and fully or partially redact or mask personally identifiable information (PII) for sensitive data, such as social security numbers, credit card numbers, and custom PII data defined by the administrator. The solution can restrict downloads and uploads by user, web app, or file type. Additionally, such restrictions can be context-based, depending on the device, user risk, network, and geographic location. 

• Network security functions: In addition to the native network security functions supported by Chrome Enterprise Premium, Citrix also includes the NetScaler WAF as part of the platform. It can support capabilities such as enforcing end-to-end TLS, URL filtering based on regex or website content such as HTML or JavaScript elements.

• Visibility and monitoring: Citrix already offers session recording, and compliance reports are available as part of the management console, which continues to be enhanced. Citrix provides detailed visibility dashboards for sanctioned apps, supports application discovery, and DLP controls applied for every user. Admins can view which rules caused a particular DLP policy to be applied to the end user.

Opportunities
Citrix has room for improvement in a few decision criteria, including:

• Policy definition engine: While Citrix’s policy engine allows administrators to define policies using a graphical user interface and to validate policies post-definition, it can further improve by offering out-of-the-box policy templates, tiered policies, guided policies, natural-language-based policy definition, and automatic generation of policies based on observed traffic or behavior patterns.

• Endpoint security functions: While Citrix’s solution evaluates the device certificate, domain name, MAC address, processes, OS information, and presence of firewall, it does not currently block malicious DLLs from being injected into the browser processes, block JavaScript for the entire browser or on a per-web-app level, or scan local files for protection against file-based malware. 

• Identity and access management: Even though Citrix Secure Access with Chrome Enterprise provides support for various IAM providers and can enforce MFA policies as provided by a customer’s IDPs, it does not currently inherit policies defined by the customers in their IAM solutions, including device posture and other relevant security configurations.

Purchase Considerations
Citrix Secure Access with Chrome Enterprise is part of the Citrix platform and sold through the Citrix Platform license. Pricing for the platform license varies based on customer deployment and can be calculated on a per-user or enterprise-wide basis. 

While the solution displays good overall capabilities, the secure browser is part of a wider platform, so customers can’t buy just the secure browsing component. Citrix’s score for this report thus includes capabilities from additional products that are part of the Citrix platform, including Citrix Device Posture service and Citrix Endpoint Analysis capabilities.

Use Cases
Citrix Secure Access with Chrome Enterprise can deliver on a wide range of use cases, including helping an organization adhere to Zero Trust principles and providing last-mile DLP and security controls, threat insights, incident response, visibility and governance, and triage and troubleshooting, which encompasses end-to-end session troubleshooting.

Conceal: ConcealBrowse Browser-Native SSE

Solution Overview
ConcealBrowse is a lightweight, easy-to-deploy AI-powered browser extension that detects and protects users against phishing, credential theft, and other web-based attacks. It consists of an extension, a cloud management console, and an isolation environment. The ConcealBrowse extension can be installed on Windows or macOS devices in any Chromium-based browser, such as Chrome and Edge, as well as Firefox. It performs analyses, risk scoring, and enforcement to detect and intervene when users visit suspicious or malicious sites or those not allowed by policy.

The extension authenticates with the Conceal service to update policies and acts as a sensor in the browser, performing local analyses and reporting site metadata back to Conceal servers for further study as needed. 

The ConcealBrowse Console is a cloud-delivered, multitenant console that supports SSO and MFA login, allowing administrators to manage and control their extension deployments. Its multitenant capabilities provide MSPs and large organizations with the flexibility to manage different customers or groups in a single hierarchy. The console also offers a helpful overview dashboard, enables user and device management, and provides extension installation packages, how-to guides, policy management, reporting, and other product settings. 

Conceal is positioned as a Challenger and Outperformer in the Maturity/Feature Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Conceal scored well on a number of decision criteria, including:

• Visibility and monitoring: The solution’s visibility and monitoring capabilities enable it to report blocking activity via an isolation dashboard, including sessions in progress and all interventions for isolation and block events, with filters by user or device. For each isolation or block event, the report displays the URL, the frequency of occurrence, the action taken, and the date and time the event occurred. 

• User and session anomaly detection: ConcealBrowse inspects all sites visited by the browser and produces a risk score using proprietary heuristics. When a new tab is opened, the solution keeps track of all URL changes, requests, redirects, and tab updates. As data is collected, it is processed through an asynchronous analysis to evaluate policy compliance, suspicious site characteristics observed as the site is loaded, threat intelligence checks, and download scans.

• Off-device processing: The ConcealBrowse isolation environment supports remote browsing sessions for users who visit suspicious websites. When the extension analysis scores at or above a risk threshold, users are presented with a page that informs them of the risk but allows them to continue to the site in a safe isolation mode. This mode air gaps their local device from potentially malicious content on the site, prevents them from entering credentials, and enforces clipboard and file upload and download controls set by the administrator. 

Conceal is classified as an Outperformer due to its comprehensive near-term development pipeline and planned feature releases

Opportunities
Conceal has room for improvement in a few decision criteria, including:

• Network security functions: Conceal can inspect web destinations and filter based on categories, domains, and fully qualified domain names (FQDNs), but it does not currently block websites based on regular expressions, keywords, or other patterns in the website content (such as certain HTML or JavaScript elements), nor can it filter rich media such as images, videos, or documents.

• Endpoint security functions: While Conceal integrates with endpoint detection and response (EDR) solutions such as CrowdStrike’s and SentinelOne’s, it does not currently offer these capabilities natively. 

• Data loss prevention: ConcealBrowse can define DLP policies for clipboard use and file uploads and downloads, but it does not currently block, obfuscate, or watermark screenshots, nor does it obfuscate PII or sensitive data. 

Purchase Considerations
Conceal offers a simple subscription-based model that is calculated per endpoint per year and includes all of its features, with no additional add-ons or premium services available. MSPs can purchase consumption-based pricing that scales up and down depending on usage, which is measured by a snapshot taken on the last business day of each month.

Use Cases
ConcealBrowse can be used to protect against web-based threats, such as phishing and credential theft, and enforce web filtering policies based on URL classification for an acceptable use policy. It can also selectively isolate risky sites for protecting the endpoint.

Fortinet: Advanced Browser Security

Solution Overview
Fortinet’s solution, based on its acquisition of Perception Point in December 2024, comprises a browser extension that adds enterprise-grade security to standard browsers (including Chrome, Edge, Firefox, Safari, and other Chromium-based browsers) by fusing multilayered advanced threat detection with browser-level governance and DLP controls. The solution can be provided either as a standalone product or in combination with email and collaboration security solutions. 

Fortinet has integrated Perception Point into its Fortinet Security Fabric to enhance security capabilities for user-facing use cases, including broadening protections across diverse communication channels such as collaboration applications, cloud storage applications, messaging platforms, and social networks.

The lightweight browser extension can be deployed across any browser, with multiple deployment options available to accommodate varying IT requirements, including unattended or silent deployment (via UEM, IdP integration) and script-based, manual, or automated email invitations.

The solution ensures safe access to websites and SaaS applications, detects phishing sites, malware, ransomware, and zero-day exploits, and protects against the extraction of sensitive data, securing the organization from both external and internal threats.

Fortinet is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Fortinet scored well on a number of decision criteria, including:

• Network security functions: The solution can allow or block access or warn users about websites based on domains, domain wildcards, and categories. It can also block websites using a sophisticated rules engine that is based on a variety of parameters, including FQDN, regular expressions, keywords, and other patterns in the website content (such as websites containing specific HTML and JavaScript elements). The browser extension intercepts all browser traffic after the browser decrypts it and therefore doesn’t need to add any certificates or perform TLS inspection. Any website accessed via the browser and any file downloaded from the browser can be inspected by the extension. 

• Endpoint security functions: The solution prevents malicious files, documents, executables, and installers from running by inspecting every downloaded file with multiple detection engines. It uses advanced anti-phishing and XSS engines to block malicious websites from being accessed through dynamic inspection of those websites. It can also block unwanted or risky websites by category. 

• Visibility and monitoring: Fortinet offers visibility into end-user activities, recording file operations, browsing history, logins, and copy and paste actions. This data can be used for compliance reports, which can be sent periodically to customers, detailing detected incidents and identifying top attacked individuals. Administrators can view detailed dashboards that show URLs accessed by users and track both downloads and uploads.

Opportunities
Fortinet has room for improvement in a few decision criteria, including:

• Identity and access management: Fortinet can be integrated with IAM solutions such as EntraID and Okta, but it can improve on this metric by enforcing authentication for end users or inheriting security policies defined in the customer’s IAM solutions, such as enforcing MFA or RBAC as described in the IAM tool.

• User and session anomaly detection: While the solution can detect and alert on certain metrics, such as an abnormal number of downloads of sensitive files, it can be further expanded by implementing response capabilities, including enforcing DLP and requiring step-up authentication and incorporating additional behavioral signals.

• Policy definition engine: The solution has a good policy definition engine, but it can be further improved by implementing automatic policy generation based on observed traffic patterns and the ability to define policies in natural language.

Purchase Considerations
The solution is sold as an annual subscription, priced per user per month. Different prices are available based on the number of seats. Support is included in the base price and is available 24/7 through a support email address, chat in the dashboard, and a phone number that will be provided to the client. 

Use Cases
Fortinet’s solution can deliver on use cases such as phishing and malware protection, zero-day prevention, enforcing safe access to SaaS and web apps, and stopping both deliberate and accidental data leaks, as well as blocking malicious insiders and third-party threats. The solution’s extensive visibility and monitoring features can also help ensure compliance.

Google: Chrome Enterprise*⁺

Solution Overview
Google Chrome is the world’s most widely used consumer-oriented browser, and its security capabilities can be further enhanced through the Chrome Enterprise service. Google is the primary contributor to the Chromium open source project, from which the Chrome browser is built. 

Chrome Enterprise has been designed for enterprise needs, offering enhanced security controls, increased visibility, and a centralized management platform. The Chrome Enterprise browser can apply security policies for DLP, limit password reuse, and defend against malware and phishing attacks. It checks downloaded files against a list of potentially dangerous file types, such as executables and commonly abused document types. If the safety of the file can’t be verified locally, Chrome sends information to Google servers to determine whether the file is safe.

Given the popularity of the consumer version, Google Chrome has some distinct advantages. Users are familiar with the Chrome interface and experience, and other browsers built on the Chromium project share some of the same security and optimization features. Chrome is also deeply integrated with the rest of the Google portfolio suite, including Workspace. Unlike other vendors in the report, organizations can operate their businesses on top of Google services, allowing them to use Chrome Enterprise and benefit from additional security features without introducing new vendors or products.

The Chrome Browser Cloud Management feature leverages existing security and management solutions. It has an extensive partner ecosystem, with integrations for services such as VMware Workspace One, Intune, and JAMF, along with security information and event management (SIEM) systems and other security tools.

Google is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Google scored well on a number of decision criteria, including:

• Policy definition engine: The solution allows administrators to quickly create and deploy hundreds of policies related to security, extensions, accessibility, content, display, authentication, legacy browser support, network settings, password management, reporting, and many other topics. Chrome Enterprise’s central management features offer more than 300 out-of-the-box browser policies, enabling administrators to define them based on business rules, define and control user permissions, set sign-in restrictions, establish proxies, and more.

• Identity and access management: The solution can integrate with Active Directory to granularly manage browser policies at the user level through existing management tools. Chrome browsers can be enrolled via Windows Group Policy or the Preference file on Mac. Enrollment can also be completed by running a file directly on the machine. Policies can be applied based on user roles defined in Active Directory, and browsers can be managed in groups according to location, device type, and other relevant factors. 

• Endpoint security functions: Google Chrome Enterprise can be used to create allowlists and blocklists for extensions or to implement a permissions-based approach to security. Sandboxing prevents malicious pages from installing malware, and site isolation stops malicious sites from stealing data from other sites. 

Opportunities
Google has room for improvement in a few decision criteria, including:

• Data loss prevention: In Chrome Enterprise, administrators can block any app or extension that requests specific permissions, such as permission to access printers or USB ports, write to the clipboard, capture audio or video, or make web requests. However, Chrome does not offer any policy options to prevent uploading files, watermarking screenshots, or preventing users from saving passwords or exporting bookmarks.

• Off-device processing: Chrome Enterprise scans files before download, and if the file's safety cannot be verified, Chrome sends information to Google servers to determine whether the file is safe. However, it does not offer other features, such as the monitoring of running processes, executing processes like rendering in a local sandbox, or integrating with solutions like Crowdstrike and SentinelOne EDR to enable mutual customers to ingest events and correlate them with malicious processes.

• Visibility and monitoring: While Chrome Enterprise can offer a view into browser inventory, policies, device information, versions running, and extensions installed, it does not currently record sessions or store instances of data cut, copy, or paste, whether they occurred via the UI or keyboard and whether they were allowed or blocked.

Purchase Considerations
Chrome Enterprise is available in two licensing tiers: Core and Premium. Core is the free version, which offers capabilities such as malware and phishing protection, extension management, and third-party integrations. Premium offers a monthly subscription-based charge per number of users. It provides more advanced features, including malware deep scanning, URL filtering, DLP, and context-aware access to SaaS, Google Cloud apps, and private applications. This report evaluates the full capabilities available with the premium license. 

Use Cases
The solution can deliver on use cases such as secure access for hybrid and remote workforces and can serve companies that employ bring-your-own-device policies. It can secure user web sessions from phishing and malware attacks, prevent data loss and exfiltration, and enforce access controls over applications and documents based on user roles and permissions.

Chrome can also be used for productivity use cases because it integrates with Google Workspace, allowing user services such as Drive to connect files with Workspace apps, thereby centralizing data access and collaboration.

_{(+) Note: The analysis of Google in this report was based on a product version available through desk research. After publication, Google shared new documentation for its Chrome Enterprise Premium offering (launched in April 2024), which introduces significant capabilities not reflected in this evaluation. To reflect this, Google has been removed from the 2025 Radar graphic and all tables . GigaOm stands by its assessment of the product as it existed at the time of research}.

Island: Enterprise Browser

Solution Overview
Island’s secure enterprise browsing solution consists of a Chromium-based browser replacement and a browser extension that enables organizations to define security policies for their workforce and third parties’ web activities. 

The Island Enterprise Browser is available on major operating systems, including Windows, macOS, Linux distributions, and Chromebooks, while the browser extension works with the major consumer-oriented browsers. 

The Island Enterprise Browser offers security capabilities, including malware inspection, site categorization, web isolation, and protection against anti-exploitation and credential harvesting. It enables visibility into encrypted SSL/TLS traffic and other novel protocols such as QUIC. It can scan downloaded and uploaded files and filter web traffic. It blocks access to malicious or risky websites based on admin-defined policies. 

Island is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Island scored well on a number of decision criteria, including:

• Visibility and monitoring: Island provides forensic audit records of all activities, with control over the depth of what is captured, including user, device type, application, and location. Island can capture events and insights as granular as copy and paste, screen captures, printing, saving, and custom information, which can be easily viewed using built-in dashboards and reports or exported to a current aggregation platform. 

• Productivity and collaboration: Island enables customers to integrate robotic process automation (RPA) modules directly into the presentation layer of the browser, allowing them to define workflows within a SaaS or internal web application. This enables users to redact sensitive data, auto-populate fields from a corporate dictionary, integrate two-factor authentication into a legacy application, track time for hourly contractors, or limit the time an end user can spend on a particular site.  

• Network security functions: Island offers comprehensive network security functions, the ability to enforce end-to-end TLS 1.2/1.3 or WireGuard encryption, filter URLs, block or allow, rate-limit, or alert on URLs based on categories, protect against phishing, block websites based on regular expressions, keywords, and other patterns in the website content (such as certain HTML or JavaScript elements), and inspect TLS traffic and decryption of HTTPS sessions.

Island is classified as an Outperformer due to strong release cadence and extensive development pipeline.

Opportunities
Island has room for improvement in a few decision criteria, including:

• User and session anomaly detection: Island currently does not create risk scores for users or sessions. However, Lighthouse, Island’s insight engine, provides a series of insights that can be fed into SOC toolsets for analytics.

• Content inspection: While Island employs optical character recognition (OCR) for DLP policies, it does not currently analyze web page content to detect typosquatting or other inconsistencies indicative of phishing.

• Identity and access management: Island has extensive IAM integrations with major IdP solutions and can initiate an MFA challenge based on policy within any application engagement for step-up authentication. However, it does not currently inherit policies defined in the IAM solutions to apply to the user base.

Purchase Considerations
Island does not publicly declare its pricing and licensing options, though the solution is sold in a subscription model scaled by the number of users. Customers can purchase the solution directly from the company or through channel partners. 

Use Cases
The Island Enterprise Browser can deliver on use cases such as protecting access to SaaS applications and internal web applications, securely provisioning third parties and contractors, and supporting bring-your-own-device policies and governance of privileged user accounts. It can help to replace or reduce reliance on virtual desktop infrastructure or remote browsing isolation technologies. 

Keep Aware: Keep Aware Browser Security

Solution Overview
Keep Aware is a browser-native enterprise security platform that enforces security into end users’ preferred browsers. It provides real-time protection against phishing, credential theft, zero-day threats, and data leakage, with zero disruption to employee work. 

The Keep Aware Browser Security solution comprises a lightweight browser extension that provides visibility into browser activity, extension usage, and employee risk. It is compatible with Chrome, Edge, Firefox, Safari, and other Chromium browsers, as well as iOS mobile browsers. The solution delivers browser detection and response, extension protection, SaaS and GenAI activity protection, browser control and content filtering, a pattern engine and definition system, and browser-based DLP.

Keep Aware is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Keep Aware scored well on a number of decision criteria, including:

• Policy definition engine: Keep Aware’s Policy Editor offers a web-based graphical user interface (GUI) for defining policies using dropdowns, toggles, and rule builders, eliminating the need for code. The interface supports visual rule creation. Admins can leverage out-of-the-box pattern templates for everyday use cases such as phishing detection or DLP. Policies can be applied globally, by group, or to individual users. The query builder and templates guide admins in building compelling detection logic, and policies can be created using analytics and observed behaviors.

• Network security functions: Keep Aware enforces HTTPS page visits through advanced browser-level detections, supporting URL, domain, and keyword filtering with policy actions such as blocking or issuing warnings. It categorizes web content for policy enforcement at the FQDN and category levels. It inspects web activity at the application layer without requiring the decryption of sessions and detects and analyzes content. 

• Data loss prevention: Keep Aware detects and tags keylogging patterns in browser extensions, allowing for policy enforcement based on these detections. It restricts file upload and download actions based on MIME type, content, and source and destination domains, and can filter downloads using patterns based on file types or sensitive keywords. Sensitive input detection triggers safeguards, and watermarking can visually obfuscate sensitive content. Keep Aware can detect and block uploads to unauthorized domains like Dropbox and Box.

Opportunities
Keep Aware has room for improvement in a few decision criteria, including:

• Endpoint security functions: While Keep Aware can block, allow, or force the uninstallation of browser extensions, it does not monitor OS-level processes, scan local files, or block malicious DLLs from being injected into browser processes.  

• Off-device processing: The solution can monitor and control file download behavior; however, it does not offer remote document rendering or safe viewing containers, remote document viewing without endpoint download, or file scanning for malware before download.

• User and session anomaly detection: Keep Aware doesn't currently detect developer tools or inspect element usage, nor does it evaluate impossible travel scenarios.

Purchase Considerations
Keep Aware employs a per-user licensing model, and licensing tiers may be feature-based depending on deployment size and use case. Support for major incidents, workshops, deployment, and detection engineering is included in all licensing options.

Use Cases
Keep Aware supports use cases related to threat detection and response, including zero-day phishing detection and prevention, malicious extension scanning and protection, drive-by download protection, browser incident response, and browser telemetry for SIEM and SOAR. It also addresses corporate risk and policy by offering malicious website and traffic protection, granular web content policy control, browser extension management, cloud and SaaS instance visibility and control, GenAI visibility and DLP, clipboard DLP for sensitive copy and paste, data loss prevention for uploads and data-in-motion, and employee risk analysis and reporting.

LayerX Security: LayerX Enterprise Browser Extension

Solution Overview
LayerX Security offers a browser extension that natively integrates with customers’ existing browsers to enforce security policies with minimal impact on the user experience. The solution can safeguard devices, identities, data, and SaaS apps from web threats and browsing risks. These include data leakage over the web and from SaaS apps and GenAI tools, credential theft via phishing, account takeovers, malicious browser extensions, shadow SaaS, and more.

The LayerX Enterprise Browser Extension is installed on endpoints and can monitor, alert, or enforce secure browsing based on an AI-based threat analysis engine built into the product. Customers can then define their own specific policies for DLP use cases. It employs two correlating risk engines, one in the browser extension and the other in the cloud.

LayerX Security is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
LayerX Security scored well on a number of decision criteria, including:

• Network security functions: The solution can perform traffic filtering, including allowing, blocking, rate limiting, and generating alerts. It can filter rich media such as images, videos, and documents, block traffic from specific countries, and filter using regular expressions, keywords, and binary patterns. It also offers category-based filtering using its engine and has the ability to block specific domains and filter by FQDN. 

• Policy definition engine: The policy definition engine enables administrators to define policies at both global and individual user levels. Administrators can create user groups for role-specific policies. Policies can be described using a graphical user interface, and administrators can quickstart their deployment using out-of-the-box policy templates. The engine can suggest policies based on real-world user behavior and define step-up authentication or manager approval workflows.

• Data loss prevention: The solution features comprehensive DLP capabilities, enabling administrators to define granular policies that can block and obfuscate screenshots and fully or partially redact or mask personally identifiable information (PII) for sensitive data (such as social security numbers, credit card numbers, and custom data defined by the administrator). The solution can restrict downloads and uploads by user, web app, or file type. Additionally, such restrictions can be context-based depending on the device, user risk, network, and geographic location.

Opportunities
LayerX Security has room for improvement in a few decision criteria, including:

• Visibility and monitoring: While the solution’s visibility and monitoring features include compliance reports and administrator dashboards, they do not offer the recording of user sessions. This capability is on LayerX’s roadmap.

• Off-device processing: The solution can scan files before downloading and steer traffic to sandboxes, but it does not currently execute web content away from the endpoint using a browser with a similar configuration and version.

• User and session anomaly detection: Currently, LayerX Security automatically assesses session risk based on page and website parameters and policy rules to determine whether it is risky. User anomaly detection is expected in Q4 of 2025.

Purchase Considerations
The solution is licensed on a per-user per-year model. LayerX Security offers pay-as-you-go and pay-as-you-grow models, allowing customers to scale up or down based on their usage. Support is included in the base price on a follow-the-sun model and is available via a ticketing system, phone, chat, and community forum. Onboarding and technical documentation are available, along with training and professional services for deploying the solution or defining policies.

Use Cases
The solution can deliver on a wide range of use cases, which include DLP, safe browsing, secure access, and identity security posture management. It can act as a replacement for remote browser isolation and virtual desktop infrastructure solutions. It is suitable for securing remote worker access, bring-your-own-device policies, and third-party or contractor access to corporate resources. 

Mammoth Cyber: Mammoth Enterprise Browser

Solution Overview
The Mammoth Enterprise Browser combines a policy engine and a hardened Chromium-based web browser. The solution enforces conditional access and prevents data leakage as users connect to the public cloud, internal applications, and SaaS applications. Integrations with identity providers automate the secure onboarding of remote users, contractors, and partners without the need for virtual desktop infrastructure (VDI) or VPN connections.  

The two components to the system are the Mammoth Browser, which can be installed by the user or pushed by IT, and the Mammoth Admin Console, a cloud-based management console where security admins can configure browsers, set policies, and monitor logs.

Mammoth Cyber is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Mammoth Cyber scored well on a number of decision criteria, including:

• Network security functions: Mammoth Cyber's robust network security functions include end-to-end TLS 1.2/1.3 or WireGuard for internal web app traffic, and last-mile URL filtering to enforce policies for blocking, allowing, rate-limiting, or alerting on URLs based on categories and protecting against phishing. It supports filtering based on categories and blocking of specific domains by fully qualified domain name (FQDN). Additionally, it can block websites based on regular expressions, keywords, and other patterns in website content, such as HTML or JavaScript elements. 

• Identity and access management: Mammoth Cyber's solution integrates with existing identity and access management (IAM) solutions, enabling the creation of user accounts, the inheritance of policies such as multifactor authentication (MFA) and access controls, and seamless single sign-on (SSO). It offers integrations with various identity and access management (IAM) providers, including Active Directory, Ping Identity, Okta, and any SAML-based IAM solutions.

• Endpoint security functions: Mammoth Cyber's solution supports blocking malicious DLL injection into browser processes, allows for JavaScript control per web app or for the entire browser, and scans local files for malware protection. It can isolate websites, extensions, and tabs into separate processes, restricting inter-process access, and blocks risky, malicious, and unwanted browser extensions. The solution also monitors running processes, prevents the uninstallation, disabling, or configuration changes of browsers or extensions, and blocks the use of developer tools. 

Opportunities
Mammoth Cyber has room for improvement in a few decision criteria, including:

• Policy definition engine: While Mammoth Cyber enables administrators to define policies using a graphical user interface, it can further improve by offering out-of-the-box policy templates, tiered and guided policies, and automatically generating policies based on observed traffic or behavior patterns.

• Off-device processing: The solution can open and view documents (such as macro-enabled Word or Excel files) without the need to download files to the endpoint. It also scans files before they are downloaded, but it does not currently steer traffic to sandboxes or enforce read-only mode.

• User and session anomaly detection: As of this writing, Mammoth Cyber’s anomaly detection for users and sessions is not yet available; however, it is an item on the near-term roadmap.

Purchase Considerations
Pricing options are available on a per-seat or per-device basis. Pricing is per user per month, with both pay-as-you-go and pay-as-you-grow models. Business hours support is included in the base price, while 24/7 support is available at an additional cost. Access to private applications incurs an extra charge based on the number of networks being connected.

Use Cases
Mammoth Cyber can deliver on use cases such as secure access for remote employees and unmanaged devices, data security controls over browser functions (like watermarking, copy and paste, and download and upload), masking sensitive data, VDI reduction, mobile device security, and safeguarding generative AI usage.

ManageEngine: Endpoint Central

Solution Overview
ManageEngine’s Browser Security Plus is the secure enterprise browsing module of Endpoint Central and consists of a proprietary enterprise browser, Ulaa, and capabilities for provisioning, baselining, managing, and securing consumer browsers such as Google Chrome and Mozilla Firefox. Endpoint Central is a unified endpoint management and security (UEMS) product for devices on which these browsers reside, allowing them to be comprehensively managed and secured. 

Ulaa offers a browsing experience that prioritizes user privacy and features multiple containerized modes to enhance productivity. With Ulaa, there is end-to-end encryption during the sync process, allowing users to safely and privately synchronize their data and browser preferences across devices using mode-specific sync passphrases. Ulaa features built-in data and activity blockers to protect against user tracking, cryptomining, and social media tracking and can also be used to secure access to unmanaged devices. 

ManageEngine is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
ManageEngine scored well on a number of decision criteria, including:

• Policy definition engine: Policies can be tailored to these specific device groups based on various criteria such as department, location, and roles, ensuring that policies and access controls are customized to align with the roles and responsibilities of each user or group. Even when a user undergoes a department or location change, these policies can be automatically applied to devices through dynamic custom groups. 

• Network security functions: ManageEngine also provides web filter policies to block or regulate access to specific web domains and websites, ensuring users avoid malicious websites and enhance productivity. The enterprise browser prioritizes privacy and offers transit encryption capabilities to protect sensitive data as it travels across networks, using industry-standard protocols such as TLS 1.2/1.3. 

• Identity and access management: The solution integrates with leading IAM providers, including Azure, Okta, Ping Identity, Microsoft Azure Active Directory, and ManageEngine’s proprietary Zoho Directory. MFA is available through various channels, including email and authenticator apps such as Zoho OneAuth, Google Authenticator, Microsoft Auth, and DUO Auth. Seamless SSO that uses SAML-based authentication is offered for both devices and SaaS applications. Moreover, SSO is also supported for enterprise applications based on Kerberos, requiring no extra integration effort.

Opportunities
ManageEngine has room for improvement in a few decision criteria, including:

• Endpoint security functions: While the solution can block malicious DLLs, block JavaScript, scan files for malware, and support process isolation, it does not currently isolate or block compromised accounts, kill sessions, revoke user access, integrate with EDR solutions, or execute processes in a local sandbox.

• Data loss prevention: While the solution can block copy and cut and screenshot functions and restrict access based on file type, content, or application source, it does not currently offer anti-keylogging capabilities.

• Off-device processing: The solution does not currently execute web content in a remote, containerized sandbox, open and view documents without downloading to the endpoint, or enforce read-only mode with web pages loaded remotely and desktop streamed to the user's browser.

Purchase Considerations
The solution is offered in two editions: a free edition, supporting up to 25 computers, and a professional edition, which includes the complete feature set. Support and maintenance are included in the base price with the subscription licensing model and are also available as an add-on for the perpetual licensing model. Customers can choose from monthly, annual, multiyear, and perpetual licenses. NGOs, charities, and educational institutions can benefit from free licenses or significant discounts. ManageEngine offers a 30-day free trial with complete access to features for an unlimited number of devices in addition to the free edition.

Considering that some capabilities evaluated in the report require the UEM agent, the vendor should enhance the enterprise browser natively to offer improved sandboxing and endpoint protection capabilities.

Use Cases
ManageEngine’s secure browsing solution can deliver standardized and consistent browsing, enforce data security and DLP, support compliance with regulatory standards, and provide safe access to internal resources.It can secure third-party contractors, bring-your-own-devices, and remote or hybrid workers.

Menlo Security: Menlo Secure Enterprise Browser 

Solution Overview
Menlo’s Secure Enterprise Browser delivers secure enterprise browser capabilities through the Menlo Cloud, consisting of a broad range of steering mechanisms, including the Menlo Enterprise Extension and the Menlo Secure Cloud Browser. Secure Cloud Browser provides visibility into browser behavior, JavaScript execution, and other web session telemetry. The extension enables users to access web applications with Zero Trust policy enforcement for both public SaaS and private web applications. Applications display as “tiles” within the extension user interface and can also be directed to the Secure Cloud Browser by policy when entered in the browser location field. This is ideal for contractors, other third parties, and remote or hybrid workers.

The Menlo Client is an optional agent that extends Zero Trust access beyond the browser to traditional applications, enabling users to enhance their security posture within the policy. Menlo Secure Application Access encompasses web applications and legacy applications such as SSH and RDP, continuously assessing and enforcing a conditional access policy. With support for least-privilege access that protects the browser, the user, and the applications, Menlo Security provides an ideal platform for knowledge work and IT work, even when it requires a client-server app.

Menlo Security is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Menlo Security scored well on a number of decision criteria, including:

• Policy definition engine: Menlo Security allows users to define policies at the single-user, user-group, or global level, using conditions such as geolocation, IP address, file type, and file size. Policies are declared and manipulated within an intuitive visual interface that includes robust predefined templates. The Menlo Secure Enterprise Browser solution supports role-based access controls for users, allowing policies to be defined differently for personal internet sessions and hybrid work web application sessions.

• Off-device processing: The Menlo Security architecture is entirely cloud based, and the Secure Cloud Browser is immediately instantiated for each user’s session. The browser interprets and inspects all traffic in the user’s session, including the document object model (DOM). As a cloud service, it offers many options for traffic ingress to the Secure Cloud Browser, including endpoint-based steering from the enterprise extension, cloud-based primary proxying, URL prepend or redirection, and network firewall forwarding. 

• Visibility and monitoring: This is covered by Menlo Security’s Browsing Forensics and Menlo Security Client modules. Browsing Forensics replaces the work of deciphering packet captures and endpoint logs with forensically accurate session recordings. During threat hunting and alert investigations, analysts simply “click play” to view sessions and the associated browser content and user inputs. Select session data is captured and stored within a secure location that the customer controls, and the data is never captured from or stored within the local endpoint.  

Opportunities
Menlo Security has room for improvement in a few decision criteria, including:

• Endpoint security functions: By mainly enforcing its security functions off-device, the solution does not block malicious DLLs from being injected into the browser processes or scan files locally. 

• User and session anomaly detection: While the solution can enforce DLP policies, impose read-only mode, and terminate the session, it does not currently detect impossible travel or perform analyses to detect anomalies with respect to an unusual number of file downloads, print or copy and paste events, or the use of developer tools.

Purchase Considerations
Menlo Security‘s pricing is per user per year, which is subject to volume discounts and selective application of controls. The forensics module must be purchased separately as an add-on. 

Customers can obtain quotes and ROI calculators from Menlo representatives and reseller partners, who can assist in selecting a suitable feature set. Basic support is included with all Menlo offerings, while premium support is available as part of some packages and can also be purchased separately. 

Use Cases
The solution can deliver on a wide range of use cases, which include zero-hour phishing, session hijacking protection, hybrid and remote access to internal web and native applications, and reducing the risk of IP and PII leakage with policy-driven DLP capabilities. It can be deployed as an alternative to virtual desktop infrastructure products.

Microsoft: Edge for Business

Solution Overview
Microsoft Edge for Business is an enterprise browser with built-in security capabilities and native support for security features employed by other Microsoft technologies across various Microsoft products. Microsoft Edge for Business is not a new browser; instead, it leverages existing Edge deployments. It is automatically activated by signing in with Microsoft Entra ID, it offers a distinct work environment separate from personal browsing, and it is available across all supported platforms, including mobile devices. Microsoft provides a Chrome extension (Microsoft Defender Browser Protection) that applies some of these features to the Google Chrome browser. 

Microsoft Edge is built on top of the Chromium open source project, inheriting Chromium's security features and incorporating proprietary protection features on top of Chromium. It also supports Microsoft Security solutions from Microsoft Defender, Microsoft Entra, and Microsoft Purview. It has built-in defenses against phishing and malware, and it natively supports hardware isolation on Windows without requiring additional software. 

Microsoft's primary advantage in the secure enterprise browsing space stems from its incumbency and robust Microsoft product ecosystem. Microsoft Edge for Business benefits from native integration with a wide range of Microsoft security products. 

To support Zero Trust principles, Microsoft Edge for Business offers features such as Microsoft Purview DLP, Microsoft Defender SmartScreen, enhanced security mode, website typo protection, native support for Microsoft Entra Conditional Access, a password monitor and generator, Microsoft Edge management service (EMS), and unmanaged device support with Microsoft Intune Mobile Application Management (MAM).

Microsoft is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Microsoft scored well on a number of decision criteria, including:

• Endpoint security features: The solution provides complete coverage for malicious DLL injection prevention, granular JavaScript blocking controls, local file malware scanning, and process isolation for websites, extensions, and tabs. It includes robust extension management to block risky add-ons, compromised account isolation with session termination capabilities, and continuous process monitoring within local sandbox environments. Edge for Business integrates with major security platforms, including CrowdStrike, for enhanced threat correlation and event ingestion. 

• Data loss prevention: Microsoft Purview Data Loss Prevention is built into Microsoft Edge and uses the sensitive service domains feature. This enforces admin-configured policies for sensitive files and records and audits events for non-compliant activities. Several user activities can be audited and managed on devices, including printing, cut and copy actions, downloading and saving, uploading or dragging and dropping a sensitive file to an excluded website, or pasting sensitive data into an excluded website.

• Identity and access management: Microsoft Edge for Business offers strong integration capabilities with existing identity and access management infrastructure. It supports integration with key Identity and Access Management (IAM) providers, such as Entra ID, Ping Identity, and Duo, ensuring compatibility with diverse enterprise environments. Edge for Business inherits security policies from connected IAM systems, including device trust and other security configurations. 

Opportunities
Microsoft has room for improvement in a few decision criteria, including:

• Policy definition engine: While the solution offers out-of-the-box policy templates and can define access controls, upload and download restrictions, and copy and paste blocking, it does not offer automatic policy generation based on observed traffic or behavior patterns, natural language policy definition, or tiered policies.

• Network security functions: While the solution can impose last-mile URL filtering, it does not currently enforce end-to-end TLS 1.2/1.3 or WireGuard for internal web app traffic, filter rich media such as images, videos, and documents, or inspect packets before encryption for content filtering and alerting.

• Data loss prevention: The solution can block copy and cut functions, it offers anti-screen capture functions and anti-keylogging capabilities, and it can restrict access based on file type, content, or application source. It can further improve by adding features such as watermarking, blocking microphone and webcam access, alerting admins in instances such as a user downloading a large number of files with sensitive content, and preventing users from saving passwords or exporting bookmarks.

Purchase Considerations
While there are no additional costs associated with Microsoft Edge for Business compared with Microsoft Edge, the product relies on additional Microsoft products to deliver some of its advanced capabilities. 

Use Cases
Microsoft Edge for Business can deliver on a variety of use cases, including secure web and application access for remote and hybrid workers and for third-party contractors and bring-your-own-device policies. It can protect end users from web-based attacks and social engineering by providing phishing and malware protection. Additionally, it can prevent data loss and data exfiltration and block malicious scripts from running on web pages or accessing other browser resources.

Palo Alto Networks: Prisma Access Browser*

Solution Overview
Acquired in late December 2023 by Palo Alto Networks, Talon Cyber Security developed the Talon Enterprise Browser, a secure browser replacement built on the open source Chromium project to offer security, visibility, and control over SaaS and web applications. Now called Prisma Access Browser, the solution offers a familiar browsing experience to users of Chrome and Edge, with capabilities that include DLP, threat protection, Zero Trust enforcement, visibility, and reporting.

Palo Alto Networks has integrated Prisma Access Browser with Prisma SASE (secure access service edge) to provide a unified security solution for users and applications from any device or location. The company extends the browser technology to qualified SASE AI customers at no additional cost.

The solution consists of a Chromium-based browser replacement with additional security capabilities for protecting web applications and hybrid workforces, a browser extension for adding advanced security capabilities to consumer-oriented web browsers, and an enterprise browser for mobile devices designed for use cases such as frontline workers in the insurance, manufacturing, transportation, construction, healthcare, professional services, and retail industries. 

Palo Alto Networks is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Palo Alto Networks scored well on a number of decision criteria, including:

• Visibility and monitoring: The solution can capture audit trails and session recordings for forensics investigations and compliance, and it can integrate with third-party SIEM solutions and extended detection and response (XDR) platforms.  The Talon solutions are centrally managed through a unified console that provides administrators with visibility and control over the browser activity of all Talon Enterprise Browser, Talon Extension, and Talon Mobile users. 

• Endpoint security functions: Prisma Access browser features comprehensive endpoint security, including blocking malicious DLLs from being injected, JavaScript blocking, scanning local files, blocking risky or malicious browser extensions, monitoring device processes, and local sandbox execution.

• Data loss prevention: The solution supports extensive DLP capabilities, including copy and paste and screen protection; granular file controls; access controls like print, camera, and microphone; typing restrictions; watermarking; and extension controls via allowlists, blocklists, and permission management. Contextual DLP leverages Zero Trust principles and directional context for data protection.

Opportunities
Palo Alto Networks has room for improvement in a few decision criteria, including:

• Network security functions: While the solution supports last-mile URL filtering and filtering based on categories, it does not currently enforce end-to-end TLS 1.2/1.3 or WireGuard, use FQDN-based filtering, inspect traffic, or identify C2 traffic.

• User and session anomaly detection: While the solution can conduct device posture assessments and other signals such as unusual device and location context, it could improve on this metric by calculating user or session risk scores, establishing user behavior baselines or detecting deviations, and providing analyses of keystroke cadence and automated follow-up actions based on risk scores.

• Policy definition engine: Prisma Access Browser can define granular policy definitions but can further improve by writing access policies based on observed real-world behavior patterns and adjusting policies in response to user role changes, transitions between devices, or location changes.

Purchase Considerations
Following the acquisition by Palo Alto Networks, the pricing and licensing model from Talon may change, particularly with the integration of Prisma SASE. Palo Alto Networks confirmed that the Talon solution will be made available to qualifying SASE customers at no additional cost. 

Use Cases
The solution can deliver on a variety of use cases, including secure access for contractors and third parties, organizations with bring-your-own-device policies, frontline and remote workers, and managed employee devices. It can be used to replace solutions such as virtual desktop infrastructure, desktop-as-a-service, remote browser isolation, and virtual private networks, and it can provide Zero Trust access to web applications during mergers and acquisitions. 

Red Access

Solution Overview
Red Access offers an agentless, secure web browsing solution delivered via a proxy. It works by injecting a small JavaScript-based file into the user's browsing session to enforce security controls by the organization’s defined policies. It can secure any browser, does not require an agent or extension, and provides a range of services, which include DNS filtering, URL categorization, file scanning, and DLP.

Red Access is compatible with and can be delivered via industry-standard mobile device management solutions. 

Red Access is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Red Access scored well on a number of decision criteria, including:

• Network security functions: The solution can filter ingress traffic using controls such as allowing, blocking, rate limiting, and alerting. It can filter rich media such as images, videos, and documents, block traffic from specific countries by using regular expressions, keywords, and binary patterns, filter by URL and URL categories, and require a FQDN. The solution can operate at Layer 7 for context-aware filtering of protocols such as HTTP.

• Policy definition engine: Red Access provides an extensive mechanism for defining policies, which includes out-of-the-box policy templates, tiered policies, guided policies, and the ability to automatically generate policies based on observed traffic or behavior patterns.

• Visibility and monitoring: The solution can alert on DLP violations, monitor browser extensions installed, enabled, or disabled by users, and view and store all instances of data cut, copy, and paste (whether they occurred via the UI or keyboard, and whether they were allowed or blocked). It can also highlight password reuse events and user login events, such as logging into shadow IT applications or sharing credentials in a phishing attack.

Opportunities
Red Access has room for improvement in a few decision criteria, including:

• Endpoint security functions: The solution can block JavaScript for the entire browser or on a per-web-app basis, as well as block risky, malicious, and unwanted browser extensions. It can also isolate or block compromised accounts, kill the session, and revoke user access. However, it does not monitor processes running on the endpoint, block malicious DLLs from being injected into the browser processes, or run processes in a local sandbox.

• Identity and access management: Red Access can integrate with customers’ existing identity and access management solutions to create user accounts and provide seamless access through techniques such as single sign-on (SSO). However, it does not inherit security policies from IAM solutions, including device posture and other relevant security configurations.

• Data loss prevention: The solution can block copy and cut functions, restrict uploads and watermark screenshots, and limit access to printing, microphone, and webcam features. However, it does not provide anti-keylogging capabilities or screenshot blocking.  

 Purchase Considerations
Red Access offers a free trial of its product, but pricing and licensing details are not publicly available. The solution has different licensing tiers and is priced on a yearly subscription basis per seat. It is sold as one platform with no additional add-on modules. It is worth noting that customers do not need to make any changes to their existing browsing solutions to deploy the Red Access solution.

Use Cases
The solution can be deployed as an alternative to virtual desktop infrastructure and virtual private network deployments. It can cater to various use cases, including safe browsing for internal employees and conditional access for companies with BYOD policies. It secures both managed and unmanaged devices across remote and hybrid workforces, including contractors, third parties, and consultants.

Seraphic Security: Enterprise Browser Security

Solution Overview
Seraphic Security delivers enterprise-grade secure browsing via its patented technology, JavaScript Layout Randomization (JSLR), which equips all browsers including Chrome, Safari, Edge, and Firefox with advanced security mechanisms. 

Seraphic Security is deployed to both managed (employee) browsers and unmanaged (contractor and BYOD) browsers to prevent breaches and phishing attacks that bypass all other existing defenses. It simplifies Zero Trust access to private web applications for third-party contractor and employee BYOD devices. It protects against data loss and identity theft from users accessing web and SaaS applications.

Seraphic Security offers a range of modules tailored to the customer’s specific needs and the type of device requiring protection. Seraphic Protect is a browser agent designed to deliver safe browsing, data loss prevention (DLP), and governance across any standard browser. Seraphic Connect enables Zero Trust network access (ZTNA) connectivity for web applications, virtual desktop infrastructure (VDI) apps, SaaS platforms, and private cloud environments. Seraphic Collaborate provides governance and DLP capabilities across collaboration and communication tools, including Slack, Teams, WhatsApp, and Microsoft 365 applications.

Seraphic Security is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
Seraphic Security scored well on a number of decision criteria, including:

• Network security functions: Seraphic Security’s network security functions include ingress traffic filtering to allow, block, rate limit, and alert on traffic; the ability to filter rich media such as images, videos, and documents; blocking traffic from specific countries; and using regular expressions, keywords, and binary patterns to filter. Seraphic Security inspects the data before encryption to identify risks, such as data exfiltration, C2 traffic, or other dangers within the browser. It supports URL filtering categories, custom domain blocking, and FQDN filtering.

• Data loss prevention: The solution can block copy and cut functions, block or obfuscate screenshots, prevent sensitive data from being downloaded locally or uploaded to third-party services, and mask or redact personally identifiable information (PII) and sensitive data. Seraphic Security can prevent sensitive data from being downloaded or encrypt it during download. It also features browser tools such as view source and developer tools and has the ability to control printing functions.

• Endpoint security functions: Seraphic Security offers comprehensive endpoint security functions, such as blocking JavaScript execution globally or per web application; isolating websites, extensions, or tabs into separate processes; blocking risky, malicious, and unwanted browser extensions; blocking compromised accounts (including killing sessions and revoking access); monitoring running processes on the device; and blocking the use of developer tools.

Opportunities
Seraphic Security has room for improvement in a few decision criteria, including:

• Policy definition engine: Seraphic Security offers a comprehensive and granular policy definition engine that can adjust based on user role changes and transitions between devices or locations. However, it can be further improved by automatically generating access policies based on observed real-world behavior patterns.

• User and session anomaly detection: While Seraphic Security monitors activity within the browser to detect anomalous or risky behavior, it can improve by evaluating unusual device, network, or location logins and detecting impossible travel and uncommon downloads.

Purchase Considerations
Customers can purchase Seraphic Security’s solution from certified partners and get basic support included with premium services available at an additional price. Pricing is subscription-based per user per year, and customers can choose their preferred security modules. MSSPs also have a pay-as-you-go option. Technical support is available 24/7 and is subject to an SLA with the customer.

Use Cases
The solution can deliver on a wide range of use cases, including safe browsing, DLP, browser extension management, support for BYOD policies, managing organizational application access, and secure remote access. It can be used to replace technologies such as virtual private networks, secure web gateways, virtual desktop infrastructure, and remote browsing isolation.

SquareX: SquareX Enterprise

Solution Overview
SquareX Enterprise transforms end-users’ preferred browsers into secure enterprise browsers with detection and response functionality. SquareX Enterprise can also monitor, detect, mitigate, and enable threat hunting for client-side web attacks. This includes detection and response for identity attacks that leverage the browser, malicious sites and scripts, reassembly attacks, browser extensions, and malicious files. 

Furthermore, SquareX Enterprise offers private app access, enabling enterprises to offer secure access to internal applications and thick clients.

SquareX is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
SquareX scored well on a number of decision criteria, including:

• Data loss prevention: SquareX's DLP capabilities include anti-screen capture, blocking copy and cut functions, and restricting access based on file type, content, or application source. It also prevents downloads of specific file types or sensitive content, obfuscates sensitive data based on categories like social security and credit card numbers, and restricts uploads to emails and third-party storage. 

• Visibility and monitoring: SquareX Enterprise can reconstruct the sequence of events leading up to a security incident, identify the attack vector, determine the extent of the compromise, and develop security policies to mitigate future risks. It provides this detail in an easy-to-use attack graph and can record what happened in the browser leading up to an incident. 

• User and session anomaly detection: SquareX supports various follow-up actions based on a calculated risk score, including alerting the security team, requiring two-factor authentication, requesting explicit approval from the user, revoking user access, enforcing data loss prevention (DLP) policies, imposing read-only mode, and terminating the session. SquareX allows customization of risk scores based on signals such as the detection of impossible travel, excessive authentication failures, bandwidth consumed by data uploads and downloads, use of developer tools and the “inspect” element, unusual keystroke cadence, and specific in-app navigation patterns for supported web applications.

Opportunities
SquareX has room for improvement in a few decision criteria, including:

• Endpoint security functions: While SquareX can block JavaScript and extensions and monitor running processes, it does not currently block malicious DLLs from being injected into the browser processes or execute processes such as rendering in a local sandbox.

• Identity and access management: While the vendor integrates with the customer's identity provider to provision users and groups, SquareX does not currently inherit policies from the IAM providers.

Purchase Considerations
SquareX Enterprise is priced on a per-user or per-seat basis, with up to five browsers per user. Onboarding and implementation, including setting up the customer’s instance with recommended and prebuilt policies, is available at an additional cost. Customers can scale up to add users to their contract.

Use Cases
SquareX supports use cases for web attack detection, mitigation, and threat hunting, including malicious browser extensions, identity attacks, malicious files, and advanced spearphishing with last-mile reassembly. It also provides browser DLP for data leakage prevention from internal and external threat actors, covering GenAI DLP, file DLP, clipboard DLP, and protection against extension infostealers and insider threats. Additionally, SquareX enables private app access for secure access to company resources for BYOD, remote workers, contractors, and unmanaged devices, encompassing both SaaS and internal apps, and acting as a VDI replacement.

SURF Security

Solution Overview
SURF Security’s secure enterprise browsing solution consists of a browser client for unmanaged devices and a browser extension for managed devices. The SURF Security solution is built using the open source Chromium engine, providing compatibility with Chromium-based browsers and leveraging their features and performance optimizations.

The SURF Security solution enforces security controls for all entities that interact with the browser, which include users, data, corporate assets, applications, and development activities. It offers a compelling alternative to technologies that are hard to manage or introduce friction, such as virtual desktop infrastructure, virtual private networks, and remote browser isolation.

SURF Security is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for Secure Enterprise Browsing chart.

Strengths
SURF Security scored well on a number of decision criteria, including:

• Network security functions: SURF Security can perform traffic filtering, including allowing, blocking, rate limiting, and generating alerts. It can filter rich media such as images, videos, and documents, block traffic from specific countries, and filter using regular expressions, keywords, and binary patterns. SURF Security offers category-based filtering using its engine and has the ability to block specific domains and filter by FQDN. For HTTP and HTTPS, SURF Security provides direct connectivity from the browser to any application. 

• Endpoint security functions: The solution can be configured to monitor running processes. If configured to run in an allowed mode, SURF Security will terminate any process not whitelisted. SURF Security scans every frame and script, and if it encounters a script considered malicious by the SURF Security engine, that script will be removed from the page. SURF Security can scan every download using multiple engines and execute the rendering process in a sandbox. 

• Identity and access management:  The solution requires users to authenticate using the SURF Security IDP or any integrated IDP, such as Azure AD, Okta, or any SAML-based solution. Permissions are granted upon authentication depending on the administrator's configuration. If an account is considered compromised, SURF Security offers the option to kill the session and revoke user access. It can direct any download into a sandbox for inspection and analysis, ensuring malicious content is isolated and does not affect the endpoint. 

Opportunities
SURF Security has room for improvement in a few decision criteria, including:

• Policy definition engine: SURF Security offers a comprehensive and granular policy definition engine that can adjust based on user role changes, transitions between devices, or locations. However, it can be further improved by automatically generating access policies based on observed real-world behavior patterns.

• Content inspection:  While SURF Security has some content inspection features, such as keyword detection and certificate pinning, it lacks the sophisticated visual analysis, logo comparison, spelling detection, and semantic analysis capabilities specified in the feature definitions. 

Purchase Considerations
The solution offers various licensing tiers based on factors such as user count and additional requirements, including storage and cloud traffic. Support is included for all customers, regardless of their size or subscription cost. While SURF Security charges annually, customers can scale up or down based on their requirements by contacting the company and making a request. Pricing is per user per year (based on identity), with an unlimited number of devices.

Use Cases
The solution’s browser and extension can cater to a range of use cases, including securing BYOD and contractor devices, protecting distributed workforces and endpoints, safeguarding against social engineering, and supporting compliance with industry regulations. The solution can be used to replace virtual desktop infrastructure, remote browser isolation, and VPNs.

Secure enterprise browsing solutions can improve security posture while also simplifying the technology stack. Integrating security functions into the most widely used application ensures that end users do not experience additional friction introduced by other security products. This is an appealing proposition, so we expect the adoption of enterprise browsers to increase considerably over the next few years. 

This form of secure browsing solutions emerged in the early 2020s, and while it is still in its early stages, secure browsing solutions will likely become the standard for enterprise workers. With more real-world deployments, new use cases, and edge cases, the market will accumulate more information, crystallizing into a standardized and stable space. This can take multiple forms. 

One possibility is that the incumbents will add enough security functions out of the box that the secure browser will become the new standard. This will depend heavily on incumbent vendors’ choices for pricing and licensing. Free options that come predeployed and preintegrated will be the most obvious choice for most enterprises. The main licensing decision will revolve around whether solutions offer a centralized management function that’s free of charge or chargeable.

Another potential scenario involves a diversified market with sufficient product differentiation, allowing customers to select the solution that best suits their specific use cases. This describes the current market landscape, and it is likely to remain stable over the next few years. 

Acquisitions, such as Fortinet’s purchase of Perception Point, are also a significant factor. Players such as Microsoft and Google may simply acquire the competition or intend to integrate their technology, including what is provided by browser extension vendors. 

Any such disruptions in secure enterprise browsing will likely be considered growing pains for a technology that can mitigate some of today’s most significant attack vectors.

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Radar reports, please visit our Methodology.

Andrew Green is an enterprise IT writer and practitioner with an engineering and product management background at a tier 1 telco. He is the co-founder of Precism.co, where he produces technical content for enterprise IT and has worked with numerous reputable brands in the technology space. Andrew enjoys analyzing and synthesizing information to make sense of today's technology landscape, and his research covers networking and security.

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

© Knowingly, Inc. 2025 "GigaOm Radar for Secure Enterprise Browsing" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.