Skip to main content

Surface Security Overview

Surface Security is a self-hosted enterprise credential telemetry and security monitoring platform that gives security teams full visibility into how employees interact with authentication systems across their browsers — without ever capturing passwords.

Key Capabilities

Zero-Trust Credential Visibility

Monitor credential security across employee browsers in real time. Surface Security tracks authentication events, password reuse, and credential hygiene without capturing or transmitting actual passwords.

Advanced Phishing Detection

Detect phishing attacks using multiple layered techniques:

  • Domain lookalike detection — identifies visually similar domains targeting your organization
  • Perceptual hashing (pHash) — compares visual similarity of page screenshots against known brands
  • Fuzzy hashing (ssdeep) — detects cloned login pages through content similarity analysis
  • Adversary-in-the-Middle (AITM) detection — identifies proxy-based phishing attacks through timing and TLS analysis
  • Threat intelligence integration — automated reputation checks via URLScan.io and VirusTotal

Attack Surface Discovery

Automatically map authentication endpoints and SaaS application usage across your organization. Identify shadow IT, unmanaged applications, and authentication services your employees interact with.

Password Breach Detection

Check employee credentials against the Have I Been Pwned (HIBP) database using k-anonymity, ensuring no full password hashes are transmitted over the network. Get immediate visibility into compromised credentials.

Policy Enforcement

Define and enforce browser-level security controls with configurable actions:

  • Allow — permit access with telemetry collection
  • Warn — display a warning interstitial before allowing access
  • Block — prevent access entirely with an explanation page

Real-Time Alerting

Receive immediate notification of security events including credential reuse, compromised passwords, suspicious redirects, and phishing attempts. Alerts are triaged through a built-in workflow (acknowledge, investigate, resolve).

SIEM Integration

Forward security events to your existing SIEM platform. Supported destinations include:

  • Splunk HEC
  • Webhooks
  • Syslog (TCP/UDP/TLS)
  • Elasticsearch
  • Amazon S3

Clipboard Monitoring

Detect credential paste events and potential data exfiltration through clipboard activity monitoring.

Core Security Principle

Passwords never leave the endpoint. All credential fingerprinting uses HMAC-SHA256 with device-specific secrets stored in the operating system keychain. Only metadata about authentication events is transmitted to the backend. At no point does Surface Security have access to employee passwords.

Technology Stack

ComponentTechnologyVersion
StreamingRedpanda25.3.3
AnalyticsClickHouse25.12.4
Transactional DBPostgreSQL18.1
Object StorageMinIOLatest
BackendGo1.25.6
FrontendNext.js + React16.1.4 + 19.2.3
GatewayEnvoy1.37.0
Browser ExtensionTypeScript + Manifest V3Chrome 120+
ObservabilityGrafana + TempoLatest
TelemetryOpenTelemetryLatest

Supported Browsers

The Surface Security browser extension supports the following browsers using Manifest V3:

Chromium-based browsers:

  • Google Chrome (120+)
  • Microsoft Edge

Other browsers:

  • Mozilla Firefox (separate Manifest V3 implementation)
  • Apple Safari

Deployment Options

Surface Security is fully self-hosted and scales from a single mini PC to a multi-node Kubernetes cluster. Deployment tiers range from 1,000 to 60,000+ endpoints. See the Architecture page for details on system components, or the deployment guide for hardware and infrastructure requirements.