Security & Trust

Protecting users without watching them

HijackShield needs deep visibility into the page to stop an attack — and we designed it so that visibility never becomes surveillance. Detection runs on the device, your browsing stays private, and the only component that touches the network is the one you control.

The model

Four principles, built into the architecture

These aren't policies layered on top — they're structural. The component with page access holds no secrets and reaches no network; the component that holds secrets and reaches the network has no page access.

Detection runs locally

Analysis happens on the device. There's no cloud lookup in the protection path, and no record of everyday browsing is sent anywhere. Detection works offline, on VPN, and behind firewalls.

Credentials stay protected

Any secrets used to connect to your environment are encrypted on the device using Windows DPAPI and are never returned to the browser. Access tokens live in agent memory only and are flushed on configuration change.

Minimal, scoped access

The connection to your Microsoft environment is limited to exactly what reporting and remediation require — telemetry publishing and the narrow Graph permission needed for mailbox remediation. No broader tenant access.

Sensitive data handled with care

Information forwarded to your security tools is redacted of personal data where appropriate, and detection events — not page content — are all that leave the device, and only to your own Azure tenant.

Where data goes

What leaves the device — and what never does

Never leaves the device

  • Page content and the DOM HijackShield inspects
  • The URLs you visit during normal browsing
  • Credentials, form contents, and session data
  • The scoring decision itself (computed on-device)

Goes only to your Azure tenant

  • Detection events when a page is blocked or reported
  • Device identity and detection reason tags
  • Email metadata needed for remediation
  • Sent directly to your Sentinel — never through us

The browser extension never makes an outbound call to AiTM Security or any external service. The local agent is the only component that reaches the network, and only to forward events to your organization's own Microsoft Sentinel and to run remediation.

Responsible disclosure

Found something? We want to hear from you.

We welcome scrutiny from the security community. If you believe you've found a vulnerability or have a security concern, please reach out and we'll respond promptly.

security@hijackshield.ai