CrowdStrike has signed a definitive agreement to acquire Seraphic Security, a company specializing in browser runtime security. This move directly reflects a shift already evident in many organizations: the browser has become the place where “work happens”—SaaS, collaboration, productivity—and increasingly, where AI agents also operate.
CrowdStrike’s thesis is clear: if the endpoint was the primary battleground of the last decade, the browser session is the “new front door”. In its announcement, the company states that nearly 85% of the workday takes place in the browser, using this fact to justify why this blind spot requires more granular controls than traditional approaches.
What exactly is CrowdStrike acquiring?
Seraphic positions itself as a protective layer “inside” the browser, with session visibility (in-session) and controls capable of acting while the user browses, logs into corporate apps, copies/pastes data, downloads files, or interacts with generative AI tools.
According to official communication, integration into Falcon will enable, among other capabilities:
- Securing access to enterprise AI from the browser, preventing “shadow AI” usage and exfiltration of sensitive data from chatbots and GenAI apps.
- Continuous Zero Trust during sessions, not just at login: dynamic policies that follow the user “tab by tab”.
- Next-generation Web DLP, with controls over copying, uploads, captures, and data flows within the runtime itself.
- Session threat mitigation, such as session hijacking, advanced phishing, or man-in-the-browser attacks.
- Coverage for non-managed devices and BYOD, with an “agentless-style” approach (not requiring a full agent on the endpoint for certain scenarios).
The deal will be primarily paid in cash, with a portion in stock subject to vesting conditions, and CrowdStrike expects to close it during its first quarter of fiscal year 2027, subject to usual closing conditions.
The missing piece: identity + session + endpoint
This acquisition isn’t just about “browser security.” CrowdStrike frames it within a broader strategy of Next-Gen Identity Security, where access is no longer a static decision.
The idea is to combine:
- Massive endpoint telemetry (Falcon)
- Deep session telemetry within the browser (Seraphic)
- Continuous authorization (SGNL)
The promised result: permissions granted per session and risk signal, which can be revoked immediately if the context changes. This aligns with the concept CrowdStrike is promoting: Zero Standing Privilege (no permanent privileges; dynamic, on-demand privileges).
Why “enterprise browser” is no longer enough
In recent years, two common approaches to securing the browser have grown:
- Forcing the use of a “closed enterprise browser” (a sort of corporate “walled garden” browser).
- Routing traffic through network paths (SSE/SWG/CASB) with inspection and centralized policies.
CrowdStrike aims to differentiate with a third approach: runtime security, where control resides within the session itself and is less dependent on the network “path” or requiring a specific browser.
Quick comparative table: approaches to browser security
| Approach | How it protects | Typical advantage | Main limitation |
|---|---|---|---|
| Closed enterprise browser | Controls environment by enforcing a corporate browser | Strong, uniform governance | Friction: browser switching, adoption, compatibility issues |
| Network-based security (SSE/SWG) | Traffic inspection and centralized policies | Macro control and visibility of egress | Latency/routing issues, “blind” to events inside tabs |
| Runtime security (in-session) | Observes and enforces policies during the session | Granular, real-time control | Integration and coverage depend on design and implementation |
What’s at stake: AI agents and sensitive data
The timing is crucial. Many organizations now do more than email and CRM: they copy data to copilots, open extensions, connect tools, automate tasks, and increasingly, allow agents to act on behalf of users.
This amplifies classic risks (phishing, credential theft, session hijacking) and introduces new ones: prompt leaks, automation “reading” data they shouldn’t, or silent data exfiltration to unauthorized services. In this context, the value of in-session defenses is intuitive: it’s not just about blocking malicious domains but about understanding intent, context, and data flows in real-time.
How much has CrowdStrike paid?
CrowdStrike has not disclosed the financial details publicly. However, specialized media reports estimate the deal value at approximately $420 million, contextualized by the recent acquisition of SGNL, also announced as part of their shift toward identity and continuous authorization.
Frequently Asked Questions
What is “browser runtime security,” and how does it differ from antivirus or SWG?
It’s a security layer active during the browser session, offering controls and visibility within the workflow (tabs, actions, interactions), not just at the endpoint or network level.
Why has the browser become a primary target for attackers?
Because it consolidates authentication, corporate apps, data, and active sessions. Plus, it’s where GenAI tools and agents are used, increasing the potential impact if a session is compromised.
Does this replace a SSE (Zscaler, Netskope, etc.) strategy or an “enterprise browser”?
Not necessarily; it can be complementary. CrowdStrike’s approach aims to cover what’s sometimes outside traditional network control or the enforcement of a specific browser: granular activity within the session.
What does this mean for companies with BYOD or third-party devices?
The promise is reduced friction: policy and control can be applied within the browser even on unmanaged devices, without always requiring a full endpoint agent (depending on the use case and deployment).