Cyber Legends: Inside the Mind of a Web Defender
Reflections on how the web’s changed, how attackers exploit trust—and the visibility needed to protect it
- After two decades, Tyler Anderson has seen trust become an attacker’s most exploited asset.
- His career saw a shift in web security from simple filtering to intelligence-driven web defenses fueled by context, visibility, and risk-based decisions.
- As AI accelerates both offense and defense, Anderson emphasizes that human judgement remains irreplaceable.
The internet runs on trust. Every click, redirect, and shortened link carries with it an implicit question: is it safe? Meanwhile attackers continue weaponizing URLs, domains, and web infrastructures, exploiting the web’s trust model in ways traditional defenses weren’t built for.
In our last Cyber Legends conversation, we explored decades of threat hunting with Liam O’Murchu. This time, we turn our attention to the web—the front door of today’s most common attacks—with Tyler Anderson, a security engineer working at the intersection of web intelligence and URL reputation.
The engineer behind the web
Did you always know you wanted to be a software engineer?
I knew right from junior high that I wanted to go into computer science. That was never really a question for me.
The last summer before my final semester of college I was looking for an internship. I joined Blue Coat Systems shortly after the acquisition of Cerberian Web Filter and became part of that web filtering team.
What drew you to URL reputation and security?
Within a couple years, the market kind of shifted from filtering out non-work content to blocking phishing and protecting people from malicious sites.
“Web filtering was still important, but the differentiating value that customers really wanted was around security and malware protection.”
Working in web security means the threats never really stop. How do you step away?
I like being outdoors—hiking, camping, skiing—but I'd say how I unplug most is by being present in my kids' activities or traveling together. And whenever I can, serving in my community. It’s getting harder and harder to unplug, but it's also becoming more and more important.
When phishing was obvious—the good ol’ days
In the last 20 years, how have attacks changed?
Early on there were different techniques used to trick users—like registering a site that looked legitimate but changing one of the letters or numbers so at first glance you might not even think about it.
Early attacks relied on visual impersonations like paypa1.com versus paypal.com, while protection started with static blacklists—with ours updating within minutes rather than daily. As defenders started to close these gaps, attackers expanded to typosquatting and IDN homograph attacks, using look-alike characters (like Cyrillic letters) that are nearly indistinguishable to users.
Why is URL protection harder today than it used to be?
“Originally, URLs were mostly for humans clicking on websites. Today, a lot of web traffic is really machines talking to each other over APIs and other methods—totally changing the threat landscape.”
We’ve moved into an era of user-generated content and social platforms—an internet within an internet—introducing entirely new attack surfaces. At the same time, mobile browsing often obscures critical parts of URLs, making deception much easier.
What do modern URL-based attacks look like in practice?
“A lot of abuse nowadays is happening on legitimate services.”
We’re seeing techniques like:
- Lookalike domains using international characters (IDN homograph attacks), as well as abused top-level domains—where the TLD itself is misleading like .zip or .mov, resembling file names.
- Tricks that hide the real destination using abused special URL characters, redirects, URL wrapping, and URL shorteners.
- Event-driven phishing that creates urgency around taxes, fines, or payments pretending to be from legitimate offices like the IRS or DMV.
- QR codes that bypass link inspection, shifting attacks to new, unprotected devices.
- Malicious content hosted on trusted cloud services like Dropbox or OneDrive that are often too business-critical to simply block.
- Manipulated GenAI responses where users only get to see the final, misleading output.
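An added example, not taken from the interview or from any Symantec product, of how a defender might flag the lookalike patterns named above: digit swaps such as paypa1.com, Cyrillic homographs (in Unicode or punycode form), and file-like TLDs. The confusables map, brand list and sample URLs are constructed, and the registered name is assumed to be the label left of the TLD.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately tiny tables; a real deployment would use a maintained
# confusables list (e.g. Unicode TR39 data) and its own protected-brand list.
CONFUSABLE = {"1": "l", "0": "o", "\u0430": "a", "\u0435": "e",
              "\u043e": "o", "\u0440": "p", "\u0441": "c"}
BRANDS = {"paypal"}
FILE_LIKE_TLDS = {"zip", "mov"}   # the two TLDs named in the interview

def decode_label(label):
    """Return the Unicode form of a label, decoding punycode (xn--) if present."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label

def scripts(label):
    """Set of scripts (first word of the Unicode name) used by the letters."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def assess(url):
    """Return a sorted list of reasons the URL's host deserves a closer look."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = [decode_label(part) for part in host.split(".")]
    reasons = set()
    if labels[-1] in FILE_LIKE_TLDS:
        reasons.add("file-like-tld")
    # Simplification (assumption): the label left of the TLD is the registered name.
    name = labels[-2] if len(labels) > 1 else labels[0]
    if len(scripts(name)) > 1:
        reasons.add("mixed-script")
    skeleton = "".join(CONFUSABLE.get(c, c) for c in name)
    if skeleton in BRANDS and name not in BRANDS:
        reasons.add("lookalike-of:" + skeleton)
    return sorted(reasons)

if __name__ == "__main__":
    homograph = "p\u0430ypal.com"   # constructed: Cyrillic 'a' replaces Latin 'a'
    samples = ["https://paypal.com/", "https://paypa1.com/login",
               "https://" + homograph + "/",
               "https://" + homograph.encode("idna").decode("ascii") + "/",
               "https://invoice-2024.zip/"]   # constructed sample URLs
    for s in samples:
        print(s, assess(s))
```

Matching on the decoded label matters because the same homograph can arrive in either its Unicode or its `xn--` form, depending on where in the pipeline the URL was captured.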
Stopping threats at the start
How do web reputation and Secure Web Gateways help stop attacks?
“I like to look at threat protection as a funnel, with web reputation sitting right at the top.”
Known good traffic is allowed through without extra analysis while known bad and risky sites are blocked or analysed in real time. Because we see so much, we’re very effective at blocking most of the attacks we come across.
With Webpulse Threat Intelligence integrated into 30+ products across Broadcom and its partners, once we detect something for one customer we’re able to feed that back into the overall system. This creates massive scale in visibility and telemetry across web, mobile, email, files, SSL, and APIs.
How do risk levels and real-time analysis handle the gray areas?
Not only does it give us additional visibility into what’s happening on the internet as a whole, risk levels lead to an intelligent way of handling grey areas where a site isn’t clearly defined as definitely good or bad. By analyzing domain age, hosting, behavior, and history, we calculate a score that lets customers tailor policies based on their own tolerance for risk. It doesn’t have to be an all-or-nothing decision.
Combined with Secure Web Gateway capabilities like full URL visibility, SSL inspection, web isolation, and real-time analysis, this approach allows users to access new or uncertain sites more safely while still blocking any genuine malicious activity.
AI can change the game, but not the rulemakers
How will AI transform web security?
GenAI will make it harder to identify and weed out the fakes, especially when it comes to email phishing. Attacks will blend in better too, with targeted attacks becoming cheaper and more personal—not just aimed at executives.
Where does human expertise still matter most?
“AI is fundamentally a prediction engine, but to discover new things, you need humans.”
AI looks at what’s happened and tries to guess what’s going to happen next. But to get to that future, we really need humans to provide the context, train the machine learning, find new techniques, and make the final judgement call when risk isn’t black and white.
Protecting trust starts with crystal clear visibility
Attackers have always exploited the openness of the web, but they’re getting even better at hiding in plain sight. Security teams need unified visibility and real context across emails, URLs, cloud services, and user behavior to understand how attacks unfold, not just where they happen.
Symantec and Carbon Black help defenders cut through internet noise with reputation-driven intelligence, real-time analysis, and expert insight from those tracking threats as they emerge. When visibility scales and context connects, teams can stop chasing false positives and start preventing compromise.
Gain visibility into how adversaries exploit web infrastructure, and learn how to stop them with Symantec Security Service Edge for SWG and network protection that earns its keep.





