82% of IT professionals reported a web-based security incident last year: BYOD, SaaS tools, and remote work policies play a role in security resilience.

NordLayer Web-Based Threat Report 2026 found a gap between trust and reality: 73% of companies feel prepared, but 82% suffered browser-based attacks
Malware collected 1.8 million credentials and 68.8 billion cookies last year, and stolen logins enabled silent intrusions as reliance on SaaS grows.
The researchers emphasize that browsers are the critical boundary, urging DLP and stricter controls to address the uneven coverage and increasing sophistication of web threats.

Most companies believe they are well prepared to deal with cyberattacks, but the number of successful breaches in the last year paints a different picture.

Earlier this week, NordLayer published a new report called “Why Browser Security Can’t Wait: Web-Based Threat Report 2026.” In it, the company states that while 73% of organizations say they are prepared for web-based attacks and trust their solutions, 82% experienced some type of web-based attack.

The document is based on an analysis of 504 “top-rated and most reviewed job applications,” an analysis of data stolen from various information thieves, and a survey of 405 US IT and cybersecurity professionals.

Hackers don’t hack anymore

NordLayer emphasizes that coverage is “modest and uneven,” with data loss prevention (DLP) tools leading at just 53%, followed by other security controls. Nearly all IT professionals reported that their organizations are concerned about web-based threats (98%) and most expect an escalation. In fact, 81% expect greater sophistication and 73% believe there will be more incidents in the coming years.

“There is a clear gap between recognizing the threat and knowing how to address it,” Buinovskis says. “Concern is high, but knowledge of which controls actually address browser-specific risks is low. Much of the initial confidence probably comes from having general security controls in place, but they rarely adequately cover risks in the browser.”

The researchers also highlighted that 100% of the apps tested were browser-accessible, and almost four out of five (78.8%) were browser-only. At the same time, malware was able to collect 1.8 million credentials and 68.8 billion cookies last year.

“Hackers don’t hack anymore, they just log in,” says Buinovskis. “Stolen cookies and credentials grant immediate access without raising alarm bells: a login appears legitimate. It’s low risk, high reward, and as reliance on web-based SaaS grows, so does the value of stolen data. Attackers will continue to exploit this until organizations secure the browser as a critical boundary.”