Perplexity Launches BrowseSafe to Secure the Next Era of Agentic Web Browsing

Perplexity has unveiled BrowseSafe, a real-time content detection model and open research benchmark designed to protect AI browser agents from prompt-injection attacks. As AI assistants increasingly transition from passive search tools to active agents capable of executing tasks within the browser, Perplexity emphasizes one core requirement: the assistant must always remain on the user’s side. BrowseSafe ensures this by scanning full HTML pages, including hidden elements, comments, and multilingual text, to detect malicious attempts to hijack agent behavior without slowing down browsing performance.

BrowseSafe is paired with BrowseSafe-Bench, a comprehensive evaluation suite containing 14,719 real-world HTML attack examples across 11 attack types, nine injection strategies, and multiple linguistic styles. This benchmark exposes how sophisticated prompt-injection threats exploit hidden fields, polished natural language, and non-visible HTML attributes to manipulate agents. Perplexity’s findings reveal that indirect and multilingual attacks are the hardest to catch, while injections placed openly in visible page sections often evade naive detectors—highlighting the need for specialized, structurally aware defenses.

The new system forms a key layer in Perplexity’s multi-layered security architecture for Comet, its agentic browser environment. By treating all web content as untrusted, Perplexity scans every tool output before the agent can act, while enforcing strict tool permissions and user confirmations for sensitive operations. BrowseSafe’s open-source release allows any developer building autonomous agents to adopt production-grade defenses, run the lightweight model locally, and stress-test their systems against thousands of realistic attack patterns. The result is a safer, more resilient foundation for the agent-driven internet.