AI browser agents promise a more active web experience: they can look at pages, interpret what they find, and take action inside services a user is already signed into. Perplexity’s BrowseSafe is an attempt to reduce one of the biggest risks in that model: manipulated web content that tricks an agent into doing something the user never asked for.
The problem with agentic browsing
Perplexity launched Comet earlier this year, a web browser with integrated AI agents. Those agents can view websites in a way similar to users and operate inside authenticated sessions for services like email, banking, and enterprise applications.
That access is powerful, but it also changes the security picture. Perplexity describes the result as an "unexplored attack surface" because the agent is not only reading the web. It may also act on what it reads while connected to sensitive accounts.
The core threat is prompt injection. Attackers can hide instructions in websites, comments, or other page content. If an AI assistant treats those hidden instructions as if they came from the user, the agent may take unwanted actions, including sending sensitive data to external addresses.
The danger became visible in August 2025, when Brave discovered a security vulnerability in Comet. Brave showed that indirect prompt injection could hide commands in web pages or comments, then cause the assistant to misread those commands as user instructions while summarizing content. According to the source, the technique could be used to steal sensitive information, including email addresses and one-time passwords.
What BrowseSafe claims to improve
BrowseSafe is Perplexity’s security system for detecting prompt injection attacks against AI browser agents. The company says it reaches a detection rate of 91 percent.
That figure is higher than the other examples named in the source. PromptGuard-2 detects 35 percent of attacks, while GPT-5 reaches 85 percent. Perplexity also says BrowseSafe runs quickly enough for real-time use, which matters because a browser agent cannot wait on slow security checks every time it processes web content.
The system uses a mixture-of-experts architecture, Qwen3-30B-A3B-Instruct-2507, designed for high throughput and low overhead. Its security scans run in parallel with agent execution so the checks do not block the user’s workflow.
That design choice shows the tension at the center of AI browser security. A defense has to be careful enough to catch malicious instructions, but practical enough to run while the agent is browsing, summarizing, and acting.
A benchmark aimed at messy web content
Perplexity argues that existing benchmarks such as AgentDojo do not fully reflect these threats. The company says many benchmark attacks rely on simple prompts like "Ignore previous instructions," while real websites contain complex and chaotic material where attacks can be hidden more easily.
To address that gap, Perplexity built BrowseSafe Bench around three dimensions:
- Attack type: the goal of the attack, from simple instruction overwrites to complex social engineering.
- Injection strategy: where the attack is placed, including HTML comments or user-generated content.
- Linguistic style: how the attack is written, from obvious triggers to subtle, professionally disguised language.
The benchmark also includes "hard negatives." These are harmless items, such as code snippets, that can look similar to attacks. Perplexity found that without these examples, security models tended to overfit on surface-level keywords and mark safe content as dangerous.
That matters because a browser agent will encounter many legitimate pages that include instructions, snippets, comments, or technical language. A security system that blocks too much useful content can become disruptive. A system that blocks too little can expose users to hidden commands.
Where the system still struggles
The evaluation surfaced several weaknesses. Multilingual attacks reduce the detection rate to 76 percent, which Perplexity attributes to many models focusing too strongly on English triggers.
Placement also matters in unexpected ways. Attacks hidden in HTML comments were easier to detect than attacks placed in visible areas such as page footers. That suggests the obvious hiding place is not always the hardest one for a model to catch.
Benign distractors create another problem. Perplexity says just three prompt-like texts can reduce accuracy from 90 to 81 percent. The source frames this as a sign that many models may be relying on false correlations rather than true pattern recognition.
These results point to a broader issue for AI browser agents. The web is not a controlled input field. It contains normal user-generated content, code, comments, formatting artifacts, multilingual material, and persuasive language. A defense that works well on clean examples can degrade when harmless but confusing text appears near an attack.
A layered defense, not a final fix
BrowseSafe uses a three-level defense architecture. First, all web content tools are treated as untrustworthy. Then a fast classifier checks content in real time. If the classifier is uncertain, a reasoning-based frontier LLM analyzes possible new attack types as an additional protection layer.
Borderline cases are tagged and used to retrain the system. That feedback loop is important because prompt injection tactics can change, and the source notes that live web environments are likely more complex than benchmarks can fully anticipate.
Perplexity is making the benchmark, model, and paper publicly available to help improve security for agentic web interactions. The move comes while OpenAI, Opera, and Google are also working to integrate AI agents into browsers and face the same risks.
Still, the numbers leave a clear warning. Nearly 10 percent of attacks still bypass BrowseSafe. The source calls that an unacceptably high rate for real-world security, especially because live attacks may use novel forms that a benchmark does not predict, such as attacks written as poems.
BrowseSafe therefore looks less like a solved answer and more like a step toward a safer design pattern for AI browser agents. It improves detection in Perplexity’s evaluation, adds a more realistic benchmark, and treats web content as untrusted by default. But the remaining gap shows why agentic browsing will need layered defenses, ongoing retraining, and caution around sensitive actions.