Surface Security Overview
Surface Security is a self-hosted enterprise credential telemetry and security monitoring platform that gives security teams full visibility into how employees interact with authentication systems across their browsers — without ever capturing passwords.
Key Capabilities
Zero-Trust Credential Visibility
Monitor credential security across employee browsers in real time. Surface Security tracks authentication events, password reuse, and credential hygiene without capturing or transmitting actual passwords.
Advanced Phishing Detection
Detect phishing attacks using multiple layered techniques:
- Domain lookalike detection — identifies visually similar domains targeting your organization
- Perceptual hashing (pHash) — compares visual similarity of page screenshots against known brands
- Fuzzy hashing (ssdeep) — detects cloned login pages through content similarity analysis
- Adversary-in-the-Middle (AITM) detection — identifies proxy-based phishing attacks through timing and TLS analysis
- Threat intelligence integration — automated reputation checks via URLScan.io and VirusTotal
Attack Surface Discovery
Automatically map authentication endpoints and SaaS application usage across your organization. Identify shadow IT, unmanaged applications, and authentication services your employees interact with.
Password Breach Detection
Check employee credentials against the Have I Been Pwned (HIBP) database using k-anonymity, ensuring no full password hashes are transmitted over the network. Get immediate visibility into compromised credentials.
Policy Enforcement
Define and enforce browser-level security controls with configurable actions:
- Allow — permit access with telemetry collection
- Warn — display a warning interstitial before allowing access
- Block — prevent access entirely with an explanation page
Real-Time Alerting
Receive immediate notification of security events including credential reuse, compromised passwords, suspicious redirects, and phishing attempts. Alerts are triaged through a built-in workflow (acknowledge, investigate, resolve).
SIEM Integration
Forward security events to your existing SIEM platform. Supported destinations include:
- Splunk HEC
- Webhooks
- Syslog (TCP/UDP/TLS)
- Elasticsearch
- Amazon S3
Clipboard Monitoring
Detect credential paste events and potential data exfiltration through clipboard activity monitoring.
Core Security Principle
Passwords never leave the endpoint. All credential fingerprinting uses HMAC-SHA256 with device-specific secrets stored in the operating system keychain. Only metadata about authentication events is transmitted to the backend. At no point does Surface Security have access to employee passwords.
Technology Stack
| Component | Technology | Version |
|---|---|---|
| Streaming | Redpanda | 25.3.3 |
| Analytics | ClickHouse | 25.12.4 |
| Transactional DB | PostgreSQL | 18.1 |
| Object Storage | MinIO | Latest |
| Backend | Go | 1.25.6 |
| Frontend | Next.js + React | 16.1.4 + 19.2.3 |
| Gateway | Envoy | 1.37.0 |
| Browser Extension | TypeScript + Manifest V3 | Chrome 120+ |
| Observability | Grafana + Tempo | Latest |
| Telemetry | OpenTelemetry | Latest |
Supported Browsers
The Surface Security browser extension supports the following browsers using Manifest V3:
Chromium-based browsers:
- Google Chrome (120+)
- Microsoft Edge
Other browsers:
- Mozilla Firefox (separate Manifest V3 implementation)
- Apple Safari
Deployment Options
Surface Security is fully self-hosted and scales from a single mini PC to a multi-node Kubernetes cluster. Deployment tiers range from 1,000 to 60,000+ endpoints. See the Architecture page for details on system components, or the deployment guide for hardware and infrastructure requirements.