%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
Recently, Perplexity launched a new security system called BrowseSafe, designed to protect AI browser agents from threats posed by web content manipulation. The system claims a 91% success rate in detecting prompt injection attacks, surpassing the performance of other solutions currently on the market. For example, PromptGuard-2 can only detect 35% of attacks, while large cutting-edge models like GPT-5 have a detection rate of 85%. In addition, BrowseSafe runs fast enough to enable real-time monitoring.
The widespread use of AI browser agents has also introduced new security risks. Earlier this year, Perplexity launched Comet, a web browser that integrates AI agents. These agents can browse websites like users and perform authentication sessions, such as email, banking, and enterprise applications. This high-level access gives malicious attackers the opportunity to hide dangerous instructions within web pages, leading the agent to perform inappropriate actions, such as sending sensitive information to external addresses.
As Perplexity conducted deeper analysis of security issues, it found that existing evaluation benchmarks, such as AgentDojo, were insufficient to address these complex network attacks. These benchmarks typically rely on simple prompts and cannot cover the complex web content in the real world, allowing attackers to easily hide their malicious code.
To address this, Perplexity created BrowseSafe Bench, defining the scope of network attacks through three specific dimensions: attack type, injection strategy, and language style. This benchmark particularly focuses on "hard-to-detect content," which appears harmless but may be mistakenly identified as an attack. By using an expert hybrid architecture, BrowseSafe can perform security scans in parallel without affecting user experience.
However, the evaluation also revealed some issues. For instance, the detection rate for multilingual attacks dropped to 76%. Additionally, content hidden in HTML comments was easier to detect than content hidden in visible areas, such as the bottom of the page. Perplexity's three-tier defense strategy forms a complete protection mechanism through a fast classifier and a cutting-edge large language model based on reasoning.
Although BrowseSafe performs well in most cases, nearly 10% of attacks can bypass the system, highlighting the complexity of the network environment and the evolving nature of attack methods. Therefore, Perplexity has made its benchmark, model, and research paper public, aiming to provide better security guarantees for AI agents' interactions online.
Key points:
🌐 The detection rate of BrowseSafe reaches 91%, higher than most current solutions.
🔒 High-privilege access of AI browser agents increases the risk of being attacked.
📊 Perplexity's security strategy is designed to address complex network attack methods.