What Is Remote Browser Isolation (RBI)? How It Works in Plain English

Your security team deployed firewalls, endpoint detection, email filtering, and a VPN. The stack looks solid on paper. Then an employee clicks a link to what appears to be a routine invoice PDF on a supplier's website. The site was compromised two days ago. Malicious JavaScript executes in the browser, captures the employee's session cookies for three SaaS applications, and exfiltrates them before the page even finishes loading. None of the tools in the stack saw it, because the attack happened inside the browser.

This is the gap that Remote Browser Isolation (RBI) was built to close. Instead of trusting the local browser to safely handle whatever the web delivers, RBI moves that execution to a remote environment where threats are contained and destroyed.

Remote Browser Isolation in One Paragraph

How RBI Works, Step by Step

The RBI workflow follows four stages. Each stage applies regardless of the specific architectural approach.

Step 1: The User Requests a Web Page

The user navigates to a URL in their browser. Instead of the browser fetching the page directly, the RBI layer intercepts the request. Depending on policy configuration, the request is either routed to the remote isolation environment (for all traffic or for specific categories like uncategorized sites, newly registered domains, or known-risky URLs) or passed through to the local browser for trusted destinations.

Step 2: The Page Loads in a Remote Environment

The web page loads and renders inside an isolated container or virtual machine on remote infrastructure. All JavaScript, WebAssembly, plugins, and embedded content execute there. If the page contains malicious code, an exploit, or a phishing kit, it executes in the remote environment, completely separated from the user's device.

Step 3: Safe Output Is Sent to the User

The RBI system sends a safe representation of the rendered page back to the user's browser. The user sees and interacts with the page normally (scrolling, clicking, typing). The RBI layer translates user interactions into actions in the remote environment in real time.

Step 4: The Session Is Destroyed

When the user closes the tab or the session times out, the remote environment is destroyed. Cookies, cache, session tokens, browser state, and any malware that executed inside the container are eliminated. The next session starts from a completely clean state.

For the technical primer on this architecture, Legba publishes a lite paper on browser isolation technology.

Three Architectures of RBI

Not all RBI implementations work the same way. The differences in how safe output is delivered to the user have significant implications for performance, bandwidth, and user experience.

1. Pixel Pushing (Full Visual Stream)

The remote browser renders the page into an image or video stream and sends it to the user's browser frame by frame. This is conceptually similar to a remote desktop session. It provides the strongest isolation (no code whatsoever reaches the local browser) but consumes the most bandwidth and can feel sluggish for interactive applications. Every scroll, every hover state, and every animation requires a round trip.

2. DOM Reconstruction (Sanitized HTML)

The remote browser processes the page, strips all potentially dangerous code (JavaScript, iframes, embedded objects), and sends a sanitized version of the page's HTML, CSS, and safe assets to the local browser for rendering. This approach uses less bandwidth than pixel pushing and feels more responsive because the local browser handles rendering. However, some complex web applications may not render correctly after sanitization.

3. Browser-Native Edge Isolation

Web content executes at the network edge, close to the user, using distributed infrastructure. Instead of routing traffic to a centralized cloud data center, the isolation happens at the nearest edge node. This minimizes latency while maintaining strong isolation. This architecture is typically delivered through a browser extension rather than a network appliance, making deployment significantly simpler. This is the approach Legba uses.

What RBI Stops That Other Tools Cannot

RBI addresses the specific threat category that executes inside the browser session. These are threats that firewalls, VPNs, and endpoint detection tools are architecturally unable to prevent.

• Phishing and credential harvesting. Fake login pages execute in the remote environment, isolated from real credential stores.
• Zero-day browser exploits. Exploits trigger in the remote container and are destroyed with it. The local browser is never exposed.
• Drive-by downloads.Malicious files are downloaded into the disposable environment, not onto the user's file system.
• Malicious JavaScript and WebAssembly. Code executes remotely. The local device never processes it.
• Session hijacking. Session tokens exist only in the remote environment and are destroyed when the session ends.

For specific browser-based threat patterns, see the browser threat playbook library.

RBI vs Browser Isolation: Is There a Difference?

The terms "browser isolation" and "remote browser isolation" are often used interchangeably, but there is a technical distinction.

Browser isolation is the broad category. It includes any technology that separates web content execution from the local device. This encompasses local sandboxing, cloud-based RBI, and browser-native edge isolation.

Remote browser isolationis a subset. It specifically refers to approaches where web content executes on infrastructure that is remote from the user's device: a cloud server, a data center, or an edge node.

In practice, most modern browser isolation products use remote execution (either cloud or edge), so the terms overlap heavily. For the broader overview, see What Is Browser Isolation? The Complete 2026 Guide.

The Enterprise RBI Market in 2026

RBI is no longer an experimental technology. The market was estimated at $1.04 billion in 2025 and is projected to reach $3.25 billion by 2029, growing at a compound annual rate above 30% according to industry analyst estimates.

Several enterprise trends are accelerating adoption:

• Zero trust mandates. NIST SP 800-207 and similar frameworks require security controls at every layer, including the application layer. RBI provides zero trust at the browser level.
• BYOD expansion. With unmanaged devices accessing corporate applications, RBI protects the session without requiring endpoint management software.
• Browser as the work environment. An estimated 85% of knowledge work now happens in browser tabs. The browser is no longer just an application. It is the primary interface for enterprise work.
• Compliance requirements. Regulations in financial services, healthcare, and government increasingly require isolation of sensitive data from endpoints.

For context on why browser-level attacks are particularly devastating for smaller organizations, see Why 60% of Small Businesses Shut Down After a Cyberattack.

Common Objections to RBI (And the Reality)

Where Legba Fits

Legba uses the browser-native edge isolation architecture. Web content executes at the network edge, close to the user, with minimal latency. It is delivered as a Chrome extension with no infrastructure changes required.

• $10 per month for individual use
• MSP platform for managing isolation across client organizations
• Ephemeral sessions destroyed on tab close
• Ghost Mode for visible isolation state
• 15+ country exit points for geographic routing

For the full architectural deep dive, see How Legba's Browser-Native Isolation Actually Protects You. For the product comparison, see 5 Best Browser Isolation Extensions for Chrome in 2026.