98. How Browser Security Became the New Battleground for Enterprise AI

In this episode…

Host Jon McLachlan talks with Or Eshed, co-founder and CEO of LayerX Security, about why the browser has become the main control point for enterprise security and AI. Eshed explains that employees now spend most of their time outside the corporate perimeter in SaaS and AI tools, so LayerX delivers data security, identity security, and governance as an enterprise browser extension instead of through proxies or network appliances. Drawing on his time in IDF cybersecurity and at Check Point, where he led the takedown of the largest browser hijacker operation in history, he argues that securing the "last mile" inside the browser beats stretching legacy firewalls to cover web traffic. The conversation also turns to founder lessons on ruthless focus, betting on growing problem spaces over AI hype, and why he believes trying to be "the AI security vendor" is a poison pill.

Key takeaways:

  • Most enterprise activity now happens outside the network perimeter, inside SaaS and AI tools, so the browser is where security controls actually need to live.

  • LayerX Security deploys as an enterprise browser extension that adds data security, identity security, and governance across web, SaaS, and AI without forcing changes to existing architecture.

  • Or Eshed started LayerX after two shifts made browser-layer security practical: Microsoft deprecating Internet Explorer, so every browser supported extensions, and Office 365 moving to SaaS.

  • Eshed led the takedown of the largest browser hijacker operation in history while at Check Point, which shaped his conviction that the browser is the best place for both defense and offense.

  • He argues network security tools are drifting toward becoming "glorified VPNs," and sees a once-in-a-generation chance to build a security service edge with no proxies or inline data centers.

  • For founders, he advises investing in growing problem spaces rather than specific solutions, holding ruthless focus on the ICP, and resisting pressure to "just do AI" because investors expect it.

  • Eshed calls trying to be "the AI security vendor" a poison pill, since if AI is everywhere you are forced to become the everywhere security vendor.

Hello, everyone, and welcome to another episode of the Security Podcast in Silicon Valley. I'm your host, Jon McLachlan, and I'm joined today with a very special guest, Or Eshed, the co-founder and CEO of LayerX Security.

Welcome to the show. Thank you for having me, Jon. It's great to have you. It's great to have you.

So would you like to share with our listeners a little bit about what's LayerX Security? Yeah, sure. So again, thank you for having me. LayerX is an interesting concept where we're in a world in which users spend most of their time outside of the corporate perimeter using SaaS applications, AI tools, and it's pretty much impossible to maintain a traditional perimeter security approach.

LayerX is basically around the vision of CoinWare users are. We provide browser security. Now we expand to AI applications as well with the purpose of spend the most time where users are, where adjacent to the SaaS space, when eventually when you really want to detect interactions and provide interaction security effectively, you need to be really baked into the application layer where they spend most of their time. The benefit of using LayerX is having a true data security, identity security, and governance across anything users do on web, SaaS, and AI.

Wow, so it's like the all-in-one AI and browser security platform. Something like that, yes. And if I'm a CISO and I'm responsible for the security of a large organization, I have all of these users, and we're browsing things, and we're outside that perimeter, that domain, that security domain, this is a browser extension that's really geared towards enterprise security and compliance? First of all, what do you get out of it?

If you're a CISO, you need to think what you get out of it. And what you get out of it is full last mile of security across web, SaaS, and AI. If you want a strategy for safe enablement of AI, that's your way to go. The way it's run, it's sessionless, it's working in the application layer.

We deploy as a browser extension built for enterprises across any browser. We're now expanding to additional applications as well with a purpose to provide the most fine-grained last mile control. What it means for you as a CISO is you get the benefits you wanted, but you don't make any changes to your architecture. I think there are a million startups out there.

I always laugh at that, you know, in the Fortune 1000, you still got only 1,000 CISOs, and the number of startups and security vendors is growing. When 80% of the budget is going to the GSIs and the hyperscalers, actually very little goes to solve risk. And then there are two questions. A, which problems are good problems to solve?

And I think AI and data are great problems to solve because they're very meaty and they're very much meeting the organization. The other question is what kind of technology can make a big bet? Because unfortunately, you won't be able to buy features endlessly. You need to buy something that can scale and expand to additional use cases.

I think that's what makes LayerX very unique because we solve really big problems, but we also sit in an intersection in the organization that can scale to other things. Maybe two years from now, AI will be boring. It will be yesterday's news and everything will be around identity. Guess what?

Identity has happened online in the browser as well, so that provides a future-proof technology. Yeah, I really appreciate all of that. I do see a future where AI just becomes the norm. People just expect it will be everywhere.

Exactly. And I think identity will always be with us. So what inspired you to take this on? You've been doing this for a while now.

How long has LayerX been around? More than five years? I'm a former practitioner, so during my career, I spent a couple of years in the IDF. Many Israeli founders come from military cybersecurity background, and I was working on web security, and it was always clear to me that actually application intrusion, identities, and applicative layer are the most interesting ones.

Then when I left to the market, I led the takedown of the largest browser hijacker operation in history while I was working at Check Point, and at the time, everyone was ransomware, ransomware, ransomware. But for me, it was pretty clear that actually the best place to do both defense and offense is where employees spend their time, and the amount of activity that's happening in the browser was just scaling. Actually, a decade ago, it was pretty clear to me that I was working at Check Point. While using a firewall and stretching that ineffectively with IPS and IDS signatures to try and catch web traffic, if you can just be embedded into the session.

And it was always there, and then I was working for financial services, and I was doing IR, and guess what? Every IR investigation would end with a user downloading something or browsing somewhere or doing something online, and it just bugged me. I think the point in time in which it was clear I must do something was when two things happened at the same time. One is a point in time in which Microsoft deprecated Explorer, and all the browsers became supportable browsers in terms of browser extension, so you actually had the technological path that allows doing that.

The second thing is a point in time in which Office 365 became accessible and something you can deploy on SaaS. And suddenly, you don't actually need the operating system. The operating system is not very significant. At that point in time, I was like, okay, you can, in 10% of the effort, solve 90% of the problem and do way more.

I must do this. Luckily, it was a good time. The company is doing very well. I'm very fortunate to have great CISO adoption.

And then AI is a huge gift for us because it just landed exactly where we are. So you weren't just skating to where the puck was going to be. You were already there, and that puck just sort of arrived. So it's a good question of, you know, is it luck or is it wisdom?

I think that the overall understanding that the main trend is that it's easier to deploy and deliver capabilities and services as SaaS. It's an always true statement. And now you really see that when the AI companies develop their own browsers, which is a discussion topic for later. And then when you understand that, you just want to be where the crowd is.

It sounds like you have a very strong go-to-market engine supporting your journey and connecting with the CISOs. And maybe it's part of your background. It's absolutely your credentials. You felt the pain point directly.

All of that, you know, puts you in a position to be a thought leader in this space. Right. But, you know, Galileo Galilei said that the earth was round. And when he was too much, you know, ahead of the curve, it's not always great.

I think there are two kind of sales. One of them is to the mind. The other one is to the heart. And within our space, selling to engineers is actually pretty easy because they feel the pain.

Actually, I never sold to an engineer. They sell to themselves. They self-qualify and they spot us as a good solution. We don't actually sell.

In that regard, I'm not selling. Strategically, it's a good place to be in. And then you have people that are less technical and they say, well, you know what, whatever vendor is operating my firewall or SASE said, they take care of that. And they are a great company.

You are not a great company. You're a startup. I think I'll go with them. I'll stick to them.

Like, what's the worst that can happen? So I think it's also outlining and picturing where, you know, what raises awareness and what empowers the buyer. Eventually, cybersecurity is not that significantly different than selling ceviche or falafel. It's just a commodity.

It's supposed to be a net positive for the buyer. You're not supposed to stress or fear or sell to anyone. You're supposed to be an instrument they can use to get to their professional and personal goals. With that regard, there's some sort of a tension between the long-term vision to what you do tomorrow morning.

If I had a time machine and I would have, you know, had the pleasure to go and talk to myself back then, I would have the conversation that I would have had with any other founder right now. When you start a company, you have this picture that if everything runs smoothly, once you grow and grow and grow, you can tackle the entire world's problems. Like, I'll start with this and then I do that and that

Microsoft, CrowdStrike, Palo Alto, Fortinet, a few others, just like 20% of half, which is pretty much 10% of the cybersecurity market, could be utilized by startups. And not all of it is moving yearly. So not everyone in your ICP is in market. So actually, on the first couple of years, you're supposed to get a couple of millions.

And then you're a great company, not tens of millions, not hundreds of millions. And understanding what's my ICP? How do I reach my ICP? How do I make sure that I don't leak or have scope creep to outside my ICP and lose traction?

That's great. That's important. And then when your investors don't understand cybersecurity, you can get better devices, such as everyone is doing AI, let's do whatever AI. And I've seen so many companies fail that way.

You need to have someone that you have confidence to fight the world with and swim against the stream. And it's hard because when you swim against the stream, most signals say that you're wrong. But those are the best possible investments. So you need to understand how to filter out the noise.

And that's what you get from great investors. Amazing. And as a founder, as a great founder, you have to be able to see that vision. You have to be able to share that vision confidently, even though it feels like you're swimming upstream, even though you believe something is wrong and can be improved and is different about the world.

If you're at consensus, you're not doing something right. Consensus is really bad in entrepreneurship. Being entirely against everyone is also not the greatest. So you need to really be the hypothesis on the market by fun signals that validate it.

And, you know, the vertical cybersecurity VCs, they talk to CISOs daily. They have on the radar everything. They know things before you know them on your space. And eventually it's a force multiplier that's unbeatable.

And you can actually use that vision and that passion and that drive when you share it with others. You're not just sharing it with the VCs and the customers, but you can use it to attract an amazing team that shares that vision and wants to be part of that journey too, right? Exactly. So let's say you have a great idea.

Let's say you have an idea, Jon, you came up with an idea for a time machine. That's a great idea. Not that easy to build. No, very difficult to build a time machine, yes.

People assume in early stage it ends with your idea. Then you get to execution and then you get to build the product. And there are always nasty surprises when you do that. Let's say you get the product, you get the first couple of sales.

You now need to show great self-sufficiency, low CAC, high ACP. You need to build the sales organization. Good sellers for early stage are like unicorns. If you find one, catch it.

And then they ask themselves, why should I go with this company? And they will ask themselves, who invested in them? Do I think whoever invested in them's voice means something? That's one.

Second thing, they'll ask how much skin in the game do they have? One of the reasons I moved to the US was because of that. I wanted to show my sellers I have skin in the game. And whenever they ask me to join them on a meeting, day and night, 24-7, I'll be there because they need this confidence.

If you make good sellers want to work for you, any seller would want to work for you, and then you become a good company to be in. And that's actually when the race actually begins. It doesn't end at that point. It only begins at that point.

It begins. It begins. Yeah. It's almost like every day for an entrepreneur that morning, it begins again.

Right. 100%. And you dream about it at night. Yes.

It is. You live and breathe it. What's been your most difficult day along your entrepreneurial journey? The most difficult day?

I always assume, by the way, I don't know, it kind of sounds depressed. I always assume that today is ahead of me. I always believe, you know, just try to avoid a day. Like, I mean, like, probably it can always get worse.

I think that, you know, you take decisions. Not all of them are perfect. I think the ones, the bad days are those that you fail. But looking backwards, you had enough information to take a different decision.

When you fail, when you had enough information, let's say you miss a huge deal on points, on inches. That's so annoying, but you've done the best you could. And then if you just put in the meat grinder, like 10 of those, you'll close five. And that's a great company.

So don't think about that one. Think about the next one. However, when you get into a reality in which you actually had enough information to take a different decision, and you went consciously to the wrong path, I think those are the places in which I feel really bad. Because I feel, first of all, like I burn cash for no good reason.

Like I waste other people's time, but also it makes me question my own decision-making process. And that's when, you know, I have a small depression. Luckily, it happens very rarely. On the other hand, you know, Federer, the tennis player, was on a VC event once said that, you know, he only wins like a bit over half of the matches, but he wins those that matter.

So eventually he became number one. You don't have to catch every ball, but you need to catch the balls that matter the most. So you also need to understand like where it's good to be depressed and where, you know, just keep on, move on, because it's never perfect. It's never perfect.

No, no, it never is. You know, focusing on the pieces that matter and being able to discern those pieces, that's critical for a lot of the success, for a lot of the game. I'm curious, when you look into the future and you see LayerX security as a smashing success, as it continues to grow, what does that future really look like? Yeah, so the question is, like, are you invested in a problem space?

We basically invest in problems. We don't invest in solutions. We invest in problems. Is the problem space I'm investing in, is it a growing problem space or not?

You know, every reality can be good and beneficial for someone and be bad for someone else. You know, global warming, I guess there is an ice cream shop that's, you know, cheering out there. You know, you need to really be conscious of how you interpret the reality. And when I look into that, I see a couple of trends.

One of them is consolidation, which means, pardon my French, that every big hyperscaler becomes like Walmart. You can't really find what you need. It doesn't really work. Eventually, the impact, the ROI is becoming very questionable.

And with some of those hyperscalers, customers say, I get for cheap a lot of bad products. So we'll see a couple more of those, more hyperscalers and more hyperscaler dollars. The problem space is becoming to shift more and more. So the understanding that you can't secure everything will be a part of the status quo.

Application delivery on our space is becoming more complex, more encryption, more sophistication. So I think the network security players are destined to become VPNs, glorified VPNs. Sorry for being a bit technical. When I think of all of that, it means that we need to expand out of the browser, but we need to be very, very focused on interaction security.

I think there is a once-in-a-generation opportunity to build a next-generation approach to security service edge that is not dependent on proxies and inline data centers, no complex infrastructure that really is around the user and around the corporate assets. It's possible to do that in a lightweight manner now and be more future-proof. In the next couple of years from now, it will be a billion-dollar company sending things outside of browser security, but on the same paradigm, which is device-centric user governance. And expand to other areas, probably, you know, DLP, network security, zero trust, so on and so forth.

What shouldn't be happening is becoming another tiny new Walmart. We're trying to do too many things. Aside from that, we'll see other crazy things happening with non-humans, agents, stuff like that. But there's someone else's problem.

Yeah. I was going to ask you, how do you think AI has shifted the future of the security landscape? But I love that ruthless sense of focus that you have. So, you know, mention it like it's someone else's problem.

Eventually, you have. Otherwise, like, why should... And I tell that to CISOs. I tell them when they ask me, what about, you know, that other problem?

And then I tell them, you know, we talk about AI, and then you have users to AI, which is natural stupidity to artificial intelligence sort of thing. And then you have agents roaming the web or your customers towards AI. And that's an application security problem. It's a bit different.

You can try and do everything. But then, you know, I tell them, you know, the same cow looks very different to the butcher and the veterinarian. Like, you can't assume that everything AI should be handled by the same vendor. Eventually, if AI will be everywhere, it's a poison pill to try and be the AI security vendor.

Because if AI is everywhere, you have to be the everywhere security vendor. Newsflash, we're in 2026, 40 years after the first security vendors came to the market. Some offerings are like 30, 35 years old, and are actually downsizing. They're starting to minimize what they do

It's a really hot topic in 2026, and we're always happy to share information. By the way, we're contributors to a lot of research entities. Verizon's Data Breach Investigation Reports. We were the only AI security contributor in 2025, and we are always happy to be part of the ecosystem and share information.

There we have it, everyone. The co-founder and CEO of LayerX. Thank you so much for joining and so much for sharing all of this insight, friendly discussion around not just security, but what it means and feels like to be an entrepreneur as well. We'll have all of the links in the show description.

And thank you to all of our listeners for tuning in to another episode of the Security Podcast of Silicon Valley. Thank you very much, Jon.