Shadow State Mesh
Shadow State Mesh is an active countermeasure that detects credential harvesting and session theft by planting coordinated decoy authentication artifacts across multiple browser surfaces. When a malicious script, browser extension, or adversary-in-the-middle proxy interacts with these decoys in a correlated pattern, Surface Security generates a confidence-scored alert -- often before any real credential is compromised.
How It Works
When a user navigates to a site that is not on your trusted domain list, the Surface Security extension silently plants a set of decoy values that mimic real authentication state across five browser surfaces:
| Surface | What Is Planted | What It Mimics |
|---|---|---|
| Cookies | A Secure, SameSite session cookie | Session tokens stored in cookies |
| Local Storage | A decoy authentication state key | Auth tokens persisted across sessions |
| Session Storage | A decoy tab-scoped state key | Per-tab session tokens |
| DOM | A hidden form input with an auth-like value | Hidden credential fields in login forms |
| JavaScript | A global property resembling an auth marker | Runtime session variables |
These decoys are invisible to users and have no effect on normal page functionality. They are designed to look like high-value targets to automated credential harvesters.
How Scoring Works
Shadow State Mesh uses a correlation-based scoring model rather than alerting on individual surface touches. The extension monitors decoy interactions within a 30-second observation window per page and computes a composite confidence score based on what happened:
Observation tier (no alert): A single decoy surface was accessed. This is common in normal browsing -- password managers, browser extensions, and JavaScript frameworks may incidentally touch one storage key. These events are logged as telemetry for forensic review but do not generate alerts.
Alert tier (medium severity): Two or more distinct decoy surfaces were accessed within the same observation window. Cross-surface correlation is the key differentiator -- legitimate software rarely reads localStorage, sessionStorage, and DOM hidden inputs in the same pass. This pattern is consistent with automated credential harvesting.
High-confidence tier (high severity): Multiple surfaces were accessed with strong correlated signals, or cookie tampering was combined with storage access. This pattern indicates targeted collection behavior.
Critical tier: A decoy value was detected leaving the page in an outbound network request to a third-party destination. This is direct evidence of data exfiltration and generates the highest-confidence alert.
Domain Trust Adjustment
Sites your organization has more history with receive higher alert thresholds, reducing noise from semi-trusted applications. Unknown or newly encountered sites use the default thresholds. Fully trusted domains (those on your allowed list or with high trust scores) are excluded from mesh injection entirely.
Exfiltration Detection
In addition to monitoring which decoy surfaces are accessed, Shadow State Mesh monitors outbound network requests for decoy marker values. If a decoy value planted by the mesh appears in a request being sent to a different domain, this is direct evidence that something on the page collected the decoy and is attempting to send it elsewhere.
Exfiltration detection covers the three primary channels that page scripts use to send data:
- Standard HTTP requests (fetch API)
- Legacy HTTP requests (XMLHttpRequest)
- Beacon requests (commonly used by analytics and, increasingly, by exfiltration toolkits because they survive page navigation)
Only cross-origin requests are flagged. A page sending data back to its own server is not exfiltration.
Detection Signals by Confidence
| Confidence | What Happened | Alert Severity |
|---|---|---|
| Low | Single surface accessed (e.g., one storage read) | None -- observation logged |
| Medium | Two or more surfaces accessed in same window | Medium |
| High | Multiple surfaces + cookie tampering or strong correlation | High |
| Critical | Decoy value detected in outbound cross-origin request | Critical |
Cookie Tampering
The cookie surface is monitored for tampering rather than reads. Because document.cookie returns the full cookie jar, any script reading cookies for normal session logic would trigger a read event. Instead, the mesh detects when a script overwrites, expires, or clears the decoy session cookie -- behavior consistent with session hijacking toolkits that clean up evidence after exfiltrating cookies.
Enabling Shadow State Mesh
Shadow State Mesh is part of the Active Countermeasures suite and requires the master Active Countermeasures toggle to be enabled first.
- Navigate to Settings > Active Countermeasures in the admin dashboard
- Enable Active Countermeasures if not already active
- Toggle Shadow State Mesh to enabled
- Confirm the change with your administrator password
The feature takes effect immediately on all enrolled browser extensions at the next policy sync (typically within 60 seconds).
Where It Runs
Shadow State Mesh is selectively deployed based on domain trust:
- Injected on sites that are not on your organization's trusted or allowed domain list. These are the sites most likely to be phishing pages, adversary-in-the-middle proxies, or compromised applications.
- Not injected on trusted domains, allowed domains, or domains with a high trust score. This avoids unnecessary overhead on known-safe internal and SaaS applications.
This targeted approach means the mesh is active precisely where it is most needed -- on unfamiliar, risky, or unlearned sites -- while generating low overhead on your approved applications.
Alerts
Alerts appear in the main alerts feed on the dashboard and can be investigated, acknowledged, or resolved through the standard alert workflow. Each alert includes:
- The origin (site) where the correlated activity occurred
- Which surfaces were touched (cookie, storage, DOM, JS, or exfiltration)
- The composite confidence score
- The exfiltration destination if data was sent to a third party
- The device and user associated with the event
Alert severity for the medium and high tiers can be customized via the heuristic anomaly severity override in your tenant settings. Critical-tier alerts (exfiltration detected) cannot be overridden below critical severity.
Deduplication
To prevent alert fatigue, Shadow State Mesh applies two layers of deduplication:
- Client-side correlation window -- The browser extension buffers all surface events for the same page into a 30-second observation window and sends one composite result, rather than alerting on each individual touch.
- Server-side deduplication -- The backend suppresses duplicate results for the same device and origin within a 120-second rolling window.
Threat Scenarios Detected
Shadow State Mesh is designed to catch a range of real-world attack patterns:
Credential Harvesting Extensions
Malicious browser extensions that enumerate storage and cookies to steal session tokens will interact with multiple decoys during their sweep, triggering a correlated alert before they reach real credentials. This is the primary detection scenario -- the multi-surface correlation model is specifically designed for this threat.
Session Hijacking Scripts
Injected scripts (via XSS, compromised third-party libraries, or supply chain attacks) that enumerate localStorage, sessionStorage, and DOM for tokens will encounter multiple decoys during their collection phase. If they attempt to exfiltrate collected values, the outbound request hooks catch the decoy markers leaving the page.
Form Scraping Malware
Malware that parses the DOM looking for hidden form fields containing authentication data will read the decoy hidden input. Combined with storage enumeration, this produces a high-confidence correlated signal.
Adversary-in-the-Middle (AiTM) Proxies
Phishing toolkits like Evilginx and Modlishka proxy the real login page and intercept session state after authentication. Shadow State Mesh can detect these proxies when they mirror, relay, or tamper with decoy artifacts during the proxied flow. However, AiTM detection is primarily handled by the dedicated AiTM scoring system -- the mesh provides a complementary signal rather than the primary detection path for this threat category.
Performance and Privacy
- No passwords involved -- Shadow State Mesh plants synthetic decoy values only. No real credentials, tokens, or user data are used or transmitted.
- Top-level frames only -- The mesh runs in the top-level page frame, not in iframes or embedded content, minimizing performance overhead.
- Minimal footprint -- Decoy values are small strings. The instrumentation adds negligible memory and CPU overhead to page loads.
- Correlation reduces traffic -- The 30-second observation window means at most one network request per page load to the backend, regardless of how many surface touches occur.
- Encrypted telemetry -- All mesh events are transmitted over the same end-to-end encrypted channel (ECDH + AES-256-GCM over mTLS) used by all other extension telemetry.
Frequently Asked Questions
Will Shadow State Mesh interfere with normal website functionality?
No. The decoy values use reserved key names that legitimate applications do not use. The instrumentation does not modify any existing page state, cookies, or storage values.
Does it run on every page?
No. It only runs on sites that are not on your trusted domain list. Internal applications, approved SaaS tools, and other trusted domains are excluded.
Why don't single surface touches generate alerts?
In enterprise environments, password managers, browser extensions, debugging tools, and JavaScript frameworks routinely enumerate browser storage. A single decoy touch is more likely to be benign enumeration than credential harvesting. The correlation model focuses on the patterns that distinguish attackers from legitimate software: accessing multiple surfaces in rapid succession, or exfiltrating collected values to a third party.
Can attackers detect and evade the mesh?
The decoy values are randomized per injection using a unique mesh identifier, making each set of planted values distinct. The decoy key names (such as cookie names, storage keys, and DOM attributes) are fixed by design to ensure reliable detection instrumentation. An attacker who discovers the key names could filter them, but doing so requires active knowledge of the deployment and ongoing maintenance as the extension evolves -- raising the cost of evasion beyond casual avoidance.
How does it relate to other Active Countermeasures?
Shadow State Mesh operates independently alongside other countermeasures. It focuses specifically on detecting credential harvesting behavior through correlated decoy interaction, complementing phishing detection, clipboard protection, and other active defenses.
What if I see alerts on a site I trust?
If you receive alerts for a domain you consider safe, investigate the alert details to determine what triggered the correlated signal. If satisfied the domain is benign, add it to your allowed domains list to prevent future mesh injection on that site.