Perplexity’s BrowseSafe aims to patch the gaping security holes that come with AI browser agents, and the claim is that it can detect 91% of prompt injection attempts. That success rate sits above many existing solutions, with smaller models like PromptGuard-2 catching about 35% of attacks and even large frontier models such as GPT-5 reaching around 85%. BrowseSafe also claims real-time performance, making it practical for everyday use.
Browser agents introduce new vulnerabilities. Earlier this year, Perplexity rolled out Comet, a web browser that includes AI agents capable of viewing sites as a user would and performing actions in authenticated sessions for services like email, banking, and enterprise apps. That level of access opens what the company calls an unexplored attack surface, where malicious instructions can be concealed within websites to coax the agent into undesired actions, such as leaking sensitive data.
The seriousness of the risk was underscored in August 2025 when Brave disclosed a security flaw in Comet. By using indirect prompt injection, attackers could embed commands in web pages or comments, and the AI assistant could misread these hidden directives as user instructions during content summarization. Brave demonstrated that such tactics could steal sensitive information like email addresses and one-time passwords.
Perplexity argues that conventional benchmarks, such as AgentDojo, fall short in addressing these threats because they typically depend on simplistic prompts like “Ignore previous instructions.” Real-world websites, by contrast, are filled with chaotic content where attacks can be cleverly hidden.
Defining real-world attack scope
To tackle this, Perplexity developed BrowseSafe Bench, anchoring evaluation in three dimensions. “Attack type” captures the objective, from straightforward instruction overwrites to more intricate social-engineering schemes. “Injection strategy” identifies where a threat might be placed, such as HTML comments or user-generated content. “Linguistic style” covers the spectrum from obvious triggers to professionally disguised language.
A key feature of the benchmark is the inclusion of “hard negatives”—complex but harmless content like code snippets that resemble an attack. Without these, security models tended to overfit on superficial keywords and would flag safe content as dangerous.
Perplexity employs a mixture-of-experts architecture (Qwen3-30B-A3B-Instruct-2507) designed for high throughput and low overhead. The security scans run in parallel with the agent’s execution so they don’t interrupt the user’s workflow.
What the evaluation found
The study surfaced several surprising points. Multilingual attacks reduce detection to about 76%, since many models rely too heavily on English-trigger cues. Interestingly, attacks hidden in HTML comments were easier to detect than those in visible areas such as the page footer. Even a few benign distractors—three prompt-like texts—could drop accuracy from 90% to 81%, indicating that models sometimes rely on spurious correlations rather than genuine pattern recognition.
A three-tier defense approach
BrowseSafe’s defense architecture hinges on three layers. First, all web-content tools are treated as untrustworthy. A fast, real-time classifier assesses content, and if uncertainty remains, a reasoning-based frontier LLM provides an extra protective layer to scrutinize potential new attack types. Borderline cases are flagged and used to retrain the system.
Transparency and collaboration
Perplexity is making the BrowseSafe benchmark, model, and paper publicly available to help improve security for agentic web interactions. This comes at a time when competitors like OpenAI, Opera, and Google are pursuing AI-agent integrations in their browsers, all facing similar risks.
Still, the system isn’t perfect. Approximately 10% of attacks still slip past BrowseSafe, which is a concerning gap for real-world security. Live, dynamic web environments are likely even more complex and adversaries constantly evolve their techniques, sometimes even crafting attack vectors in poetic forms or other creative formats.
Bottom line
BrowseSafe represents a substantial step forward in defending AI browser agents, but it’s not a complete shield. Ongoing evaluation, broader multilingual testing, and continual updates will be essential as the attack landscape evolves and more platforms bring AI agents into everyday browsing.
