How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
Support FAQ
Browser isolation is a security control that separates a user's web browsing session from the device, browser profile, or internal network they normally use. Instead of allowing all page code, downloads, scripts, and embedded content to execute directly on the endpoint, the session runs in a controlled environment. The user sees and interacts with the site, but the risky parts of the browsing activity are kept away from local systems.
The goal is not to make the web disappear from work. Most organizations rely on browsers for research, SaaS tools, customer portals, support systems, and internal applications. Browser isolation is useful when the business needs that access but does not fully trust the destination, device, user context, or content being handled.
Different products and architectures isolate different parts of the browsing experience. Remote browser isolation runs the browser session on a remote server and sends a visual stream, sanitized page model, or controlled interaction layer to the user. Local isolation keeps the session on the endpoint but contains it inside a sandboxed process or virtualized environment. Some approaches isolate every browsing session, while others apply only to unknown sites, newly registered domains, risky categories, privileged users, unmanaged devices, or sessions that handle sensitive data.
Isolation can also control specific actions. A policy may allow a user to view a page but prevent downloads, uploads, clipboard use, printing, credential entry, or file extraction. In a high-risk investigation workflow, read-only browsing may be enough. In a normal SaaS workflow, copy and upload restrictions may be too disruptive. The useful design question is therefore not simply "is isolation on?" but "which browser actions are allowed for this user, device, destination, and data type?"
The browser is one of the most exposed parts of a modern work environment. It renders untrusted code, handles authentication, processes files, loads third-party content, and connects to both business applications and unknown public sites. That makes it a common path for phishing pages, credential theft, drive-by downloads, malicious documents, risky browser extensions, and accidental data exposure.
Browser isolation reduces the impact of those risks by changing where dangerous activity can execute. If a malicious page attempts to exploit browser behavior, the attack is directed at the isolated environment rather than the user's laptop. If a downloaded file is blocked or detonated away from the endpoint, the user is less likely to introduce malware into the local environment. If a user visits a phishing page in an isolated session, policy can restrict credential entry or capture additional evidence before the event becomes an account compromise.
Isolation is also useful for unmanaged or less trusted devices. Contractors, partners, bring-your-own-device users, and temporary staff may need access to web applications without receiving the same level of trust as managed corporate endpoints. Isolation can provide a middle ground between full denial and unrestricted access.
Browser isolation is often discussed as a web security control, but it also belongs in access management. Access decisions increasingly depend on context: who the user is, what device they are using, which application they are requesting, what data is involved, and whether the session looks risky. Isolation can be one possible outcome of that decision.
For example, a managed device on the corporate network may receive normal access to a low-risk SaaS tool. The same user on an unmanaged device may receive isolated access. A privileged administrator may have research traffic isolated by default but receive direct access to an internal admin console only after stronger authentication and device checks. A finance user may be allowed to view an external portal while upload and copy actions are restricted.
This model works best when isolation is tied to identity, device posture, application sensitivity, and clear business rules. If the control is deployed only as a broad web filter, it may protect some browsing activity but miss important access paths.
Isolation changes the user experience. Pages that rely on complex client-side behavior, real-time media, unusual browser APIs, local file access, or device integrations may behave differently. Streaming a visual representation of a page can add latency or reduce fidelity. File workflows may need new review or release processes. Users may need clear prompts that explain whether a block is caused by security policy, browser compatibility, or a temporary service issue.
Operations teams should test isolation against real workflows before enforcing it broadly. Include login flows, form submissions, document previews, downloads, uploads, support tools, collaboration apps, and any line-of-business application that depends on browser features. Testing should cover both normal work and exception cases, such as urgent support access, partner access, or incident response research.
Monitoring is equally important. Useful metrics include isolated session counts, blocked downloads, prevented uploads, credential-entry attempts on risky pages, user support tickets, performance complaints, bypass requests, and confirmed security incidents. A policy that blocks many actions but produces no reviewable evidence may be hard to tune. A policy that generates evidence but no response process may only create backlog.
Browser isolation is not a replacement for patching, endpoint protection, phishing-resistant authentication, web filtering, or user education. It reduces exposure from browsing activity, but it does not make every page safe or every user decision harmless. Attackers can still target credentials, session tokens, business processes, and social engineering workflows.
It is also not always the right control for every user or every site. Isolating all traffic can be expensive, slow, and frustrating. Isolating only the most obviously risky sites can leave gaps around sensitive business workflows. The right balance depends on risk, user role, application sensitivity, device trust, and the organization's ability to support exceptions.
Another misconception is that isolation eliminates the need for privacy review. Browsing logs can reveal sensitive information about users, customers, investigations, legal matters, or health-related activity. Collection, retention, and review processes should be explicit.
Start with a small set of high-value use cases. Common starting points include unknown or uncategorized sites, newly registered domains, personal webmail, privileged-user browsing, contractor access, unmanaged devices, and research performed by security or fraud teams. Define what should be allowed, what should be blocked, and what evidence should be retained.
Then run a staged rollout. Monitor first, enforce on a narrow population, review the support impact, and expand only when the policy is understandable and stable. Each exception should have an owner, an expiry date, and a reason. Each blocked action should produce enough context for a reviewer to decide whether the policy is working as intended.
Browser isolation is most effective when it is targeted, observable, and connected to the broader access program. Used well, it gives users access to the web while reducing the chance that untrusted content can directly affect devices, accounts, or sensitive data.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Misuse explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2025 ABN 76 619 930 826 All rights reserved.