Large-language models (LLMs) have pushed the boundaries of what AI can do, And soon, people began to realize that those powers could reshape how we browse the web.
What began as the release of ChatGPT from OpenAI, sparked a race for smarter text-generation, that soon expanded into images, then voice, and now full browser agents that navigate, interact, and act on users' behalf.
In that context comes Perplexity, a company that wishes to reinvent internet search. It hen came up with Comet, an AI-powered browser with the goal of redefining agentic search in a world now occupied by Google.
With Comet (and similar agentic AI browsers), the idea is that instead of users reading and clicking, the AI reads the page, interprets it, and executes actions. In turn, this should save users huge amounts of time.
But with that power comes real danger: as agents get more autonomous, giving them free rein on the unpredictable internet can backfire if web content isn’t trustworthy.
This is why Perplexity introduces what it calls 'BrowseSafe,' alongside its companion dataset 'BrowseSafe‑Bench.'
Prompt injection involves embedding malicious instructions in text read by AI agents, altering its behavior unnoticed.
Attackers hide this in comments, templates, footers, or invisible HTML elements parsed by agents but unseen by users.— Perplexity (@perplexity_ai) December 2, 2025
BrowseSafe is a specialized detection model designed to scan entire web pages in real-time, immediately halting the agent if it finds instructions meant to hijack its behaviour.
The goal is to ensure that as AI moves from passive reading to active doing, users remain safe.
Behind the scenes, the threat that BrowseSafe guards against is what’s known as "prompt injection." On a traditional browser, human readers usually ignore irrelevant bits of page code or hidden comments. AI agents on the other hand, parse everything, which means HTML metadata, comments, hidden fields, or obscured footers are all scanned.
Using prompt injection, attackers can embed malicious instructions there, telling the agent to leak credentials, perform unintended actions, or exfiltrate data.
Because agents often run with full access to logged-in sessions (email, cloud storage, social media), the stakes are high.
What sets BrowseSafe apart is that, rather than relying on a heavyweight general-purpose LLM (which would be too slow and expensive for real-time scanning), it’s a finely-tuned detector aimed precisely at finding these "agent-hijack" instructions.
It can scan full HTML content quickly enough so that the user’s browsing doesn’t lag, but malicious embedded instructions are flagged before the agent reads or acts on them.
BrowseSafe-Bench offers over 14,000 realistic examples (with different attack types, placements, linguistic styles) so developers can test and improve defenses systematically.
BrowseSafe-Bench is our security benchmark designed to evaluate the robustness of AI browser agents against prompt injection attacks embedded in realistic HTML environments.https://t.co/oq3TFelrWW
— Perplexity (@perplexity_ai) December 2, 2025
Yet BrowseSafe is just one layer.
Real safety requires a “defense in depth” approach. Even with a content scanner, agents should run with limited permissions by default, and any sensitive action (like sending info, logging in, filling forms) should require explicit user confirmation.
Combine that with traditional browser security (sandboxing, permission prompts, session isolation), manual vigilance, and restricted tool scope, users should get a safer agentic-browser experience.
The launch of BrowseSafe is a clear signal: the developer community recognizes that as browsers evolve into intelligent agents, the old trust model for the web no longer works.
AI-powered browsers offer amazing convenience: automatic summarization, research across tabs, auto-filling tasks, multi-step workflows, but they widen the attack surface dramatically. Without tools like BrowseSafe, that convenience can be weaponized.
In a world where an AI agent might click links, fetch emails, or fill out forms on users' behalf, the difference between a benign webpage and a maliciously crafted one can be invisible to human eyes.
BrowseSafe and BrowseSafe-Bench are fully open-source. Any developer building autonomous agents can immediately harden their systems against prompt injection.
Read more:https://t.co/T0AEPTTiTp— Perplexity (@perplexity_ai) December 2, 2025
In its own words:
BrowseSafe doesn’t eliminate all risk, there are broader issues like misinformation or "attacks by content," where false or misleading information (not explicit commands) tries to trick the agent, but it’s a major step forward in securing the new browsing paradigm.
For developers and everyday users alike, BrowseSafe (and BrowseSafe-Bench) is now open and available, meaning anyone building or using an agentic browser can plug in a ready-made safeguard rather than invent security from scratch.
In a rapidly evolving ecosystem, that kind of shared defense could make the difference between harmless convenience and catastrophic data leakage.