Original broadcast 10/1/25
Presented by Menlo Security & Carahsoft
At the Billington CyberSecurity Conference in Washington, DC, Justin Valdes, Senior Director for U.S. Public Sector at Menlo Security, drew attention to a major blind spot in many federal cybersecurity strategies: the browser. While agencies invest heavily in identity management, network defenses, and endpoint security as part of their zero trust strategies, Valdes emphasized that browsers remain a prime target for attackers. With as much as 45 percent of cyberattacks now exploiting browser vulnerabilities, he argued that agencies must take browser isolation seriously if they hope to close critical gaps in their defenses.
Valdes began by describing the disconnect he often sees in the field. Agencies are purchasing and deploying tools branded as “zero trust,” yet they remain vulnerable to common browser-based exploits. The problem, he explained, is that many platforms and devices touted as zero trust are not interoperable, and simply acquiring them does not automatically deliver the promised protections. Agencies can find themselves with a collection of tools but no clear path to integration, leaving them little closer to achieving the secure environment they envisioned.
Valdes noted that the need for isolation is growing as attackers adapt. Traditional defenses such as firewalls or secure web gateways are no longer sufficient on their own. Exploits can bypass these controls, injecting malicious code that lingers unseen until activated. In addition, the rise of artificial intelligence has accelerated the speed and sophistication of these threats. Malware mutations now occur at a pace that makes manual detection and response nearly impossible. For agencies already struggling to keep up with existing vulnerabilities, the acceleration driven by AI makes proactive defenses more urgent than ever.
He also explained that Menlo Security’s approach to browser isolation avoids some of the pitfalls seen in other solutions. Rather than asking agencies to replace commodity browsers like Chrome, Edge, or Firefox, Menlo layers protection over them. This spares agencies from having to manage entirely new browser environments, which could be a logistical nightmare at scale. Because isolation is delivered through the cloud, agencies can secure existing user environments while reducing complexity and cost.
Valdes stressed that isolation is not a niche fix but a fundamental enabler of zero trust. Zero trust assumes that threats exist everywhere and that no user, device, or connection should be trusted by default. Yet if browsers—the single most common way employees access the internet—remain exposed, the model is incomplete. By introducing isolation, agencies can close one of the largest and most frequently exploited gaps in their architectures.
When asked about over-the-horizon threats, Valdes pointed back to the rapid growth of AI-driven exploits. He cautioned that agencies cannot afford to treat AI as a problem for the future. Attackers are already leveraging it to generate and deploy malicious code faster than defenders can respond. This dynamic, he warned, will only intensify. Agencies must therefore invest in capabilities that are adaptable, interoperable, and designed to scale with the pace of threats. Browser isolation fits this description, providing a protective layer that remains effective even as malware evolves.
Equally important, Valdes underscored the need for interoperability. Agencies are already grappling with multiple tools and frameworks, from zero trust architectures to cloud access security brokers. If isolation tools cannot integrate with existing platforms, agencies risk adding yet another silo. Menlo’s focus, he explained, has been on ensuring that isolation technology serves as connective tissue—filling gaps without creating new fragmentation. This philosophy is essential if agencies are to optimize their investments and achieve the full vision of zero trust.
Valdes closed his remarks by reframing the browser not as a peripheral concern but as a core security priority. Agencies that fail to address browser vulnerabilities will remain at risk, no matter how advanced their other defenses may be. By adopting browser isolation, they can protect users, safeguard networks, and restore confidence that the internet can be used as a tool for productivity without becoming a vector for compromise.
Key Takeaways
Browser exploits now account for nearly half of all cyberattacks, making them a critical vulnerability in zero trust strategies.
Isolation technology provides safe internet access by separating user activity from agency networks and endpoints.
AI-driven threats are accelerating malware mutations, making proactive, interoperable defenses like browser isolation essential.