AI Browser Agents in 2026: What Agentic Browsers Can Do — and Why Security Teams Are Nervous
AI browser agents — agentic browsers like ChatGPT Atlas, Perplexity Comet, and Opera Neon — are browsers that do the web instead of just displaying it: give them a high-level instruction ("find three flight options under $400 and hold the best one") and they navigate, click, fill forms, and execute multi-step tasks autonomously. They're also, by the admission of their own makers, structurally vulnerable: OpenAI wrote in December 2025 that prompt injection against browser agents is "unlikely to ever be fully 'solved.'"
That tension — genuinely useful automation built on a genuinely unsolved security problem — defines the category in 2026. University researchers have demonstrated working attacks against the major agentic browsers, a critical vulnerability family called "PleaseFix" hit in March, and enterprises have settled into an uneasy policy of restricted approval rather than bans.
Here's a clear map of the landscape: what these browsers actually do, who the main players are, what the security research really found, and how to use them without handing your sessions to an attacker.
Key Takeaways
- Agentic browsers execute multi-step web tasks from a single instruction — the major players are OpenAI's ChatGPT Atlas (launched October 2025), Perplexity Comet (July 2025), Opera Neon, and Dia, plus agent modes inside Chrome and Firefox.
- OpenAI itself says prompt injection — hostile instructions smuggled through ordinary web content — is "unlikely to ever be fully 'solved.'"
- A University of Washington study of seven agentic browsers found four could be made to bypass the same-origin policy, with a successful proof-of-concept attack on ChatGPT Atlas.
- The "PleaseFix" vulnerability family (disclosed March 2026 by Zenity Labs) allowed agent hijacking, local file access, and credential theft inside authenticated sessions.
- Enterprise consensus in 2026: approve specific tools, block shadow adoption, and keep sensitive workflows off agentic browsers entirely.
What Is an Agentic Browser?
An agentic browser uses an autonomous AI agent to complete web tasks for you rather than requiring you to perform each step. As Palo Alto Networks defines it, these browsers interpret intent, take actions across websites, and persist context across sessions. Instead of navigating, clicking, and form-filling, you state the goal; the agent plans and executes.
The category became viable because models crossed a competence threshold: per DigitalOcean's overview, modern LLMs can now accurately interpret page structure, understand navigation patterns, and plan multi-step actions. The benchmark race reflects it — web-agent evals like BrowseComp and OSWorld are now headline numbers in every frontier launch, including OpenAI's GPT-5.6 release this month.
The Players in 2026
Per TechTimes' comparison and Seraphic Security's top-five roundup:
| Browser | Maker | Notable facts |
|---|---|---|
| ChatGPT Atlas | OpenAI | Launched October 2025; Agent Mode executes multi-step tasks autonomously |
| Comet | Perplexity | Launched July 9, 2025 on Windows/macOS; initially exclusive to the $200/month Max tier |
| Neon | Opera | AI-native browser from an established vendor |
| Dia | The Browser Company | AI-first successor to Arc |
| Chrome + Gemini / Claude for Chrome / Firefox AI | Google / Anthropic / Mozilla | Agent capabilities retrofitted into mainstream browsers |
The strategic logic is obvious: whoever owns the browser owns the user's authenticated sessions — email, banking, shopping, work SaaS — which is exactly what makes an agent useful. It's also exactly what makes the security question existential rather than incremental.
The Security Problem Nobody Has Solved
The core vulnerability is prompt injection: an attacker plants instructions in ordinary web content — a comment, a hidden div, an email — and the agent, which reads pages as instructions-plus-data with no reliable way to tell them apart, executes the attacker's intent with the user's credentials. OpenAI's own December 2025 assessment concedes this is "unlikely to ever be fully 'solved'" — the same property that makes browser agents useful (acting on what they read) is what makes them structurally risky.
The empirical research backs the pessimism:
- A University of Washington team studied seven popular agentic browsers and found four created ways to bypass the same-origin policy — the web's foundational isolation guarantee. The researchers ran a successful proof-of-concept attack on ChatGPT Atlas and found the right conditions for similar attacks in Chrome with Gemini, Claude for Chrome, and Perplexity Comet, per TechXplore's report.
- In March 2026, Zenity Labs disclosed "PleaseFix" — a family of critical vulnerabilities affecting agentic browsers including Comet that allowed attackers to hijack AI agents, access local files, and steal credentials within authenticated sessions, per ISSSource.
If this attack pattern sounds familiar, it should: it's the browser-shaped sibling of agentjacking, the attack that hijacks AI coding agents through poisoned bug reports. Same root cause — agents can't reliably distinguish instructions from content — different blast radius. A hijacked coding agent leaks a repo; a hijacked browser agent is you, logged into everything.
How Enterprises (and Sensible Individuals) Are Responding
By April 2026 the enterprise consensus, per Forvis Mazars' governance analysis and LayerX's platform roundup, is narrower than a ban and firmer than a shrug:
- Approve specific tools rather than the category — one sanctioned agentic browser, patched and monitored, not five shadow ones.
- Block unsanctioned adoption at the network/endpoint level, because employees will otherwise install these themselves (a browser is the easiest shadow IT there is).
- Keep sensitive workflows off agentic browsers entirely — finance systems, admin consoles, health data. The agent doesn't get a session it can't leak.
For individual developers, the practical version:
- Use agentic browsing in a separate profile with minimal logins — the agent can't leak credentials it doesn't have.
- Enable confirmation prompts for consequential actions (purchases, sends, deletes) and never turn them off for convenience.
- Treat "let the agent browse while logged into everything" as what it is: giving an enthusiastic intern your unlocked laptop and your wallet — an intern who believes everything the internet tells them. The autonomous-threat landscape we mapped in the JADEPUFFER analysis applies here in miniature.
FAQ
What is an agentic browser? An agentic browser is a web browser with a built-in autonomous AI agent that completes tasks from high-level instructions — researching, navigating, filling forms, and executing multi-step workflows — instead of requiring you to click through each step yourself. Examples include ChatGPT Atlas, Perplexity Comet, Opera Neon, and Dia.
Are AI browser agents safe to use? Not unconditionally. OpenAI itself says prompt injection against browser agents is unlikely to ever be fully solved, researchers have bypassed same-origin protections in four of seven browsers tested, and the March 2026 "PleaseFix" vulnerabilities enabled credential theft. They're reasonably safe for low-stakes tasks in a minimal-login profile; they're not safe as your primary logged-into-everything browser.
What is prompt injection in a browser agent? It's an attack where malicious instructions are hidden inside ordinary web content the agent reads — a page, comment, or email. Because the agent can't reliably distinguish content from commands, it may execute the attacker's instructions using your authenticated sessions, cookies, and permissions.
Which is better: ChatGPT Atlas or Perplexity Comet? Atlas (OpenAI, October 2025) leads on autonomous Agent Mode depth and ChatGPT integration; Comet (Perplexity, July 2025) leads on research-centric browsing. Both appeared in security research findings in 2026, so the honest answer is: whichever one you run in an isolated profile with confirmation prompts enabled.
Can companies block agentic browsers? Yes, and most regulated ones do — the 2026 enterprise pattern is approving one sanctioned tool, blocking unsanctioned installs at the endpoint, and keeping sensitive systems off agentic browsing entirely. A whole category of agentic-browser security platforms has emerged to enforce exactly this.
The Bottom Line
Agentic browsers are simultaneously the most useful new interface since the search box and the largest new attack surface since email attachments — and both facts flow from the same design. The technology works; the trust model doesn't, yet.
Our verdict: use them — in a sandboxed profile, for low-stakes tasks, with confirmations on — and assume anything the agent can reach can eventually be exfiltrated. The vendors racing to own your browsing agent have every incentive to ship faster than they can secure. Until prompt injection has a real answer instead of an apology, the rule is simple: give the agent a browser, never your browser.