The web app you're using may never actually run in your browser.
A San Francisco startup is quietly moving the browser session somewhere attackers can't reach it - the edge - so malware, bots, and rogue extensions get a mirror instead of your code.
There is a particular kind of person who understands exactly how dangerous a browser extension can be, and it is a person who has built one. Brian Silverstein co-founded Honey, the shopping-rewards extension that lived deep inside your browser's DOM, watched your checkout pages, and eventually convinced PayPal to buy it for a reported $4 billion. Honey worked because it could see and touch everything happening in your tab. That was the feature. Silverstein's next company, MirrorTab, exists because that is also the bug.
The pitch is almost pleasingly counterintuitive. For roughly two decades, web security has assumed the browser is a place you defend - you scan it, you score it, you sprinkle it with agents and detection models and hope you catch the bad script before it skims a credit-card field. MirrorTab's argument is that this is the wrong layer. You cannot protect what you insist on exposing. So instead of guarding the browser, MirrorTab removes it from the equation.
Mechanically, the company describes intercepting and sanitizing a browser session at the edge - through the CDNs and web application firewalls a company already runs - before that session ever reaches the user's device. The application's actual code, data, and API calls stay server-side. What lands in your browser is an obfuscated view of the session, a mirror. If your laptop is riddled with malware, or you've installed a browser extension that turns out to be malicious, or an automated bot is hammering a login page, none of it finds the real thing to attack. There is, in MirrorTab's phrasing, "no DOM exposure."
"Browsers have become the battleground for hacking, bots, and malware." — Brian Silverstein, Founder & CEO, MirrorTab
This is a sensible thing to say if you are the person raising money to fight on that battleground, but it also happens to be true in a boring, well-documented way. Magecart and formjacking attacks - the digital equivalent of a skimmer glued to a gas pump - have quietly drained e-commerce and banking sites for years by injecting code that reads form fields as users type. Credential stuffing and account-takeover bots grind through stolen password lists at industrial scale. The common thread is that all of it happens in a place the application chose to trust: the browser. MirrorTab's answer is to stop trusting it.
The elegant part of MirrorTab's design is what it does not require: no plugins, no agents on employee laptops, no rewrite of your application. It rides infrastructure you already own and switches on only when you want it to.
A WAF rule, bot score, authentication state, or feature flag decides a session is risky enough to isolate.
MirrorTab catches the session at the edge, inside the CDN/WAF stack, before it reaches the device.
Code, data, and APIs are obfuscated and kept server-side. The browser only ever receives a mirrored view.
Extensions can't read submitted fields or modify the DOM; bots and automation lose the surface they need.
The practical use of MirrorTab is narrow on purpose. You don't wrap your whole site in it; you point it at the workflows where automation and client-side tampering do real damage - the login page, the checkout, the money-movement screen, the API endpoint that's being abused. In those places, the sensitive fields never exist in a form an attacker can read, and the automation that fuels fraud simply stops working.
Break the credential-stuffing and session-hijack chain by removing the DOM the bots depend on.
Defeat Magecart and formjacking - if the field data never reaches the browser, there's nothing to skim.
Malicious or compromised browser extensions can't see submissions or extract data from the page.
Shut down scraping, data harvesting, and API abuse in the specific workflows you choose to protect.
In February 2025 MirrorTab emerged from stealth with a seed round led by Valley Capital Partners, with GV among the backers. It's the kind of investor list that suggests the "browser is the new endpoint" thesis is finding believers.
Figure: A rough sketch of the attack classes MirrorTab is built to neutralize. Bars are illustrative of relative focus in the company's own materials, not measured incidence.
In March 2025 MirrorTab announced a cybersecurity advisory board that is comically over-qualified for a company this size - which is either a red flag or, more likely, a sign that a lot of senior security people quietly agree with the premise.
Co-founder / former CTO of Honey (acquired by PayPal). Built one of the world's most popular browser extensions.
Former VP of Trust & CISO at Reddit; prior work at Google, EA, Visa, and PayPal on real-time risk.
Former Chief Risk Officer at SoFi and EVP/CRO at Wells Fargo Consumer Lending. 40+ years in finance.
VP, CIO & CSO at Chime; former CSO at Credit Karma. 30+ years of security leadership.
Leads Field Security at Databricks; Carnegie Mellon CISO faculty; boards of HITRUST and the FAIR Institute.
Creator of the Cyber Defense Matrix and DIE Triad; ex-Chief Security Scientist, Bank of America; Hall of Fame inductee.
"Today's hackers are getting smarter, faster, and more targeted. They have weaponized AI and more advanced tooling to bypass web security controls." — Omar Khawaja, MirrorTab Advisory Board
MirrorTab Corp. founded in San Francisco to attack the client-side security problem.
Emerges from stealth with an $8.5M seed round led by Valley Capital Partners; GV participates.
Assembles a cybersecurity advisory board spanning Reddit, SoFi, Chime, Databricks, and Bank of America alumni.
Taps a veteran COO to scale go-to-market around the "browser as the new corporate endpoint" thesis.
The founder helped build one of the world's most popular browser extensions - then built the technology to block the malicious ones.
The app you interact with may never actually run in your browser. You're looking at a sanitized mirror rendered elsewhere.
It deploys with no plugins, no agents, and no code changes - it rides on the WAF you already have.
The team is roughly 12 people, but its advisory board could headline a Fortune 500 CISO summit.