Earlier this year, Perplexity released Comet, a web browser with built-in AI agent capabilities. By putting an agent directly inside the browser, users can learn, work, and complete tasks more easily—but this setup also introduces a new set of security challenges. Attackers can attempt prompt injection by hiding instructions inside the structure of a webpage, something that’s harder to detect outside of controlled research settings.

For years, security researchers have studied jailbreaks and prompt injection in traditional chat-based LLMs. When models began handling sensitive data and internal tools, it became clear that simple natural-language cues could be used to override user intent. Over time, LLMs have become better at blocking these attempts.

But modern agents do more than chat. They can plan, look at images, use tools, and execute multi-step tasks. This shift inspired new benchmarks such as AgentDojo, which measure whether an agent can be pushed into unsafe behavior.

Browser agents raise the stakes again. They see what the user sees, click what the user clicks, and often operate inside logged-in sessions for email, banking, or workplace applications. Yet most existing benchmarks test short, clean prompts—not the long, cluttered, unpredictable webpages these agents must understand.

To help address this gap, Perplexity created BrowseSafe, a system designed to evaluate security defenses on real-world web content as the first layer in a broader protection strategy.

Perplexity explains that most prompt-injection attacks against browser agents fall into three categories. Each affects how an attack is delivered and why an agent might follow a harmful instruction.

This refers to the actual goal behind the malicious instruction. It may involve overriding the model’s behavior, extracting sensitive information, or manipulating the agent into performing actions the user didn’t intend.

Examples from Perplexity include:

Both attempts try to expose sensitive information.

Attackers embed malicious instructions into:

Anything the agent can read becomes an attack surface.

Explicit attacks look obvious (“Ignore previous instructions”).
Stealth attacks mimic corporate policy language, like:
“Standard procedure requires immediate compliance…”

Stealth variants are harder to filter because they resemble legitimate notices.

By treating intent, placement, and phrasing as separate axes, BrowseSafe-Bench can build realistic and complex test cases—far beyond simple prompt attacks.

Real prompt-injection attacks are still uncommon, so the team built a synthetic data pipeline to generate realistic webpage examples. They inserted malicious instructions into various HTML templates and added benign but confusing hard negatives—such as policy statements or code snippets that resemble commands but are harmless.

Models trained on simple examples tend to latch onto keywords and miss attacks hiding in legitimate-looking content. Hard negatives help fix this by forcing the system to understand intent, not surface-level patterns.

The result is a benchmark that reveals how secure browser agents truly are in realistic environments.

Browser agents must scan web content continuously, so detection must stay fast. Frontier models like GPT-5 or Sonnet 4.5 perform well when reasoning step-by-step, but this process takes seconds—too slow for real-time scanning.

To solve this, Perplexity trained a Mixture-of-Experts model built on Qwen-30B-A3B-Instruct-2507, enabling high-throughput scanning alongside normal browsing.

They evaluated several alternatives:

The fine-tuned BrowseSafe model achieved F1 ~0.91, outperforming all tested models while remaining fast enough for deployment.

The tradeoff is specialization: it excels at known attack types but may struggle with unfamiliar ones. When uncertain, it escalates to a slower frontier model for deeper analysis.

Perplexity’s evaluation revealed clear patterns in which prompt-injection attacks evade detection.

Multilanguage or professionally formatted instructions reduce accuracy. Balanced accuracy dropped to 76% for multilanguage attacks.

Attacks in visible webpage elements—footers, tables, banners—blend in and are harder to identify than those in HTML comments or metadata.

Adding just three distractor elements reduced accuracy from 90%+ to ~81%.

These findings show why systems trained on simple prompts struggle when exposed to full, messy webpages.

Perplexity stresses that no single detection model can protect AI browser agents. A defense-in-depth approach is needed.

Tools that fetch web content are treated as untrusted. All content passes through a parallel detection pipeline before reaching the agent.

A fast fine-tuned detector handles routine scanning.
Uncertain cases escalate to slower reasoning-based frontier models like GPT-5 or Sonnet 4.5.

Novel or borderline cases become new synthetic training samples, improving future versions of the detector.

This creates a security system that learns, adapts, and scales as new attack types emerge.

Q: Why are browser agents more exposed to attack than chatbots?
A: Browser agents must interpret entire webpages, including clutter, hidden elements, and user-generated content—all potential vectors for prompt injection.

Q: Why are stealthy or multilanguage attacks harder to catch?
A: Many detectors rely on known English jailbreak cues. When those cues disappear, confidence drops.

Q: Why not use a frontier model for all scanning?
A: Frontier models are accurate but slow. They would create noticeable browsing lag.

Q: How do distractor elements undermine detection?
A: Distractors resemble instructions, forcing models to determine intent rather than rely on keywords.

AI browser agents now perform real actions—reading email, navigating dashboards, interacting with online accounts. Hidden instructions can cause real-world consequences.

BrowseSafe shows that protecting these systems requires more than basic prompt-injection defenses. Real webpages contain clutter, banners, comments, and UI elements that can disguise malicious intent.

Organizations adopting AI-driven workflows will need systems that can learn from new attack techniques, adapt quickly, and pair fast detection with strong guardrails.

The next era of AI depends on securing the everyday interactions where agents make real decisions. Systems built with continuous security, not one-time safeguards, will ultimately earn user trust.

Editor’s Note: This article was created by Alicia Shapiro, CMO of AiNews.com, with writing, image, and idea-generation support from ChatGPT, an AI assistant. However, the final perspective and editorial choices are solely Alicia Shapiro’s. Special thanks to ChatGPT for assistance with research and editorial support in crafting this article.