The corporate perimeter has been gradually moving elsewhere for some time, but by 2026 almost no one debates where it’s now located: in the browser. That’s where work is done, SaaS applications are accessed, identities are managed, documents are shared… and increasingly, conversations happen with Artificial Intelligence tools. It’s also where attackers are finding fertile ground: malicious extensions, injected scripts, session impersonations, and data leaks that don’t always pass through traditional controls.
Against this backdrop, Zscaler announced the acquisition of SquareX, a deal closed on February 5, 2026, with financial terms not publicly disclosed. The stated goal is to extend Zero Trust capabilities “up to the browser,” in a way designed for a world where work no longer happens solely on corporate devices and where daily AI use multiplies the attack surface.
The browser as a “hot zone” for security (and productivity)
For years, many organizations have tried to extend security to unmanaged devices — BYOD, third parties, contractors, hybrid environments — mainly through two common solutions: remote access VPNs or VDI. The problem is that both involve costs, friction, and, in the case of VPNs, a legacy of “implicit trust” that’s hard to reconcile with a modern least-privilege strategy.
Zscaler argues that this model no longer works for a distributed enterprise, and that the browser is the point where fine-grained policies need to be applied: who accesses, from which device, with what security posture, to what resource, and under what conditions. In this vision, Zscaler’s move isn’t just about stopping malware; it’s about controlling access and protecting data where the work actually happens.
What does SquareX bring to the equation?
SquareX built its approach around a straightforward concept: since the browser is where activity is concentrated, sensors need to be integrated within it. The company has developed Browser Detection and Response (BDR) capabilities via extensions, aimed at detecting and responding to browser-native threats, like malicious extensions or scripts with suspicious behavior, as well as providing actionable telemetry to security teams.
In their post-acquisition communication, SquareX emphasizes a key point that often influences IT purchase decisions: not forcing a browser change. Integrating with standard browsers avoids “cultural shifts” and the operational costs of deploying an alternative corporate browser organization-wide. It also addresses a major headache for many companies: how to control access and data when devices aren’t fully managed.
An approach: “any browser,” but with safeguards
This announcement aligns with a clear market trend: extending Zero Trust down to the last mile — where identity, sessions, content, and user actions (downloading, copying/pasting, uploading files, interacting with AI tools, etc.) converge.
Zscaler has explained that, with SquareX, the aim is to offer security within common browsers — without deploying full agents or forcing the use of third-party browsers — to protect access to SaaS and private applications, even from unmanaged devices. The subtext is clear: reduce dependency on VDI and VPN, without sacrificing control.
Why AI accelerates this decision
The rise of AI not only introduces new models and automation but also generates new data flows. In practice, many AI interactions happen via web interfaces: prompts with sensitive context, summaries of internal documents, code snippets pasted into sessions, search queries, and content generation that can incorporate corporate information.
In this scenario, the browser stops being just a client and instead becomes a “data output channel.” Simply blocking domains or filtering traffic is no longer sufficient; it becomes critical to control what happens within the session, with what permissions, and under what risk signals. That’s why Zscaler frames this operation within “the AI era” and emphasizes the need to strengthen the zero-trust model at the points where interactions occur.
IT and security perspective: fewer tools, more coherence
For system and security teams, this move promises consolidation: unifying access controls, device posture assessments, and policies within the browser, especially when the endpoint landscape includes everything from corporate laptops to personal devices and “guest” environments.
In other words: if work has become “browser-first,” then control should be, too — but without disrupting user experience. And if the organization wants to govern AI usage, policies need to be applied where prompts, attachments, and responses are generated: in the browser.
An intensifying race
The market message is clear: “browser security” is no longer a marginal category but is integrating with Zero Trust, application access, and data protection. Zscaler isn’t just acquiring technology; it’s acquiring a position to compete in a space where the boundaries between ZTNA, DLP, session security, and AI-specific controls are blurring.
If the deal delivers on its promise, the outcome will be a model where users keep their browsers, but organizations gain visibility and responsiveness against threats and leaks that previously went unnoticed. By 2026, with AI embedded across processes, that “blind spot” no longer remains a trivial issue — it becomes an operational risk.
Frequently Asked Questions
What does “Zero Trust security in the browser” mean for a real organization?
Implementing access and data protection policies based on identity, context, and risk directly within the browser, so that web sessions (SaaS and internal apps) are controlled with least privilege and security signals.
How does this differ from deploying a “corporate browser” or using VDI?
The approach aims to keep using standard browsers and enhance security via integration/extensions, reducing friction and avoiding the operational costs or latency of full browser deployment or VDI for every access.
Why is this relevant for BYOD and unmanaged devices?
Because the biggest challenge of BYOD isn’t just access, but the “last mile”: downloads, file uploads, copy-paste, and data controls within sessions. This is where a browser-centered approach can make a significant difference.
What should IT evaluate before deploying browser security extensions?
Compatibility with critical browsers and applications, impact on performance, management model (policies, updates, telemetry), user experience, and how events integrate with SOC systems (SIEM/SOAR) for response and traceability.
via: zscaler