An AI browser doesn't just show you the web, it clicks through it for you, and that shift is opening a security conversation most users haven't had yet.
So what is an AI browser? It's a web browser built around an AI agent that can read a page, decide what to click, fill in your forms, and complete a task across multiple sites, all without you touching the mouse. Perplexity's Comet, released in July 2025, is the clearest example on the market right now. You tell it to book a flight or clear out your inbox, and it goes and does it, opening tabs, reading confirmation screens, and making judgment calls the way you would.
That's a real departure from what a browser has been for thirty years. Chrome, Safari, and Firefox render pages and wait for you to act. An agentic browser assumes the action itself. It's less a window onto the internet and more a pair of hands you've handed the keyboard to.
Under the hood, these tools chain together a few capabilities that used to live in separate products. A large language model reads the page's content and structure, effectively the same DOM your browser already parses, and turns it into something it can reason about. An agent framework then plans a sequence of steps: which link to open, which field to fill, when to stop and ask you a question. And a browser automation layer, often built on the same kind of tooling used for QA testing, actually executes the clicks and keystrokes.
Comet does this inside a Chromium-based shell, so it behaves like a normal browser you can also use manually. Perplexity's pitch is that the agent, called Comet Assistant, can summarize a page, cross-reference open tabs, and take multi-step actions like adding items to a cart or drafting a reply, all triggered from a sidebar rather than a separate app. OpenAI has pushed a similar idea with Operator, and Anthropic's Claude has computer-use capabilities that let it control a desktop directly rather than just a browser tab. The category name varies, agentic browser, browser AI agent, AI-powered browsing assistant, but the mechanism is the same: an LLM given eyes on the page and hands on the input.
None of this requires a new kind of internet. It requires giving software the same access you have, and trusting it to use that access the way you would.
Why the security risk is not hypothetical
Here's the part that should worry you more than it seems to worry most users. An agentic browser reads whatever is on a page, including text that was put there specifically to manipulate it. Security researchers call this prompt injection, and it's already been demonstrated against real products, not imagined ones. Brave's security team published research in August 2025 showing that Comet could be tricked by hidden instructions embedded in a webpage, including text hidden inside a Reddit comment, and made to leak a user's data or take unintended actions, because the agent couldn't reliably tell the difference between the user's instructions and instructions planted by whoever wrote the page. Guardio Labs ran a similar test and found Comet could be walked through a fake banking login page and get fooled into treating a phishing site as legitimate, entering credentials on the user's behalf.
Perplexity pushed back on some of the specifics of that reporting but did ship patches after the disclosures, which tells you the vulnerability class was real even if the exact framing was disputed. That's the pattern to watch here: not that any one browser is uniquely broken, but that giving an LLM the ability to act on a page creates an attack surface that simply didn't exist when browsers only displayed content. A malicious ad, a poisoned search result, a comment thread with white-on-white text, any of it can now potentially talk to your agent instead of just to your eyes.
Frankly, this is the tradeoff nobody selling these products wants to lead with. You're not just trusting the browser vendor anymore. You're trusting every page your agent visits on your behalf not to contain an instruction it shouldn't follow.
The privacy side is just as real
An agent that can act on your behalf usually needs to see your logged-in state, your email, your calendar, sometimes your saved payment methods, to do anything useful. Comet Assistant can be granted access to a user's Gmail and Google Calendar to schedule things automatically, which means the browser is holding credentials and context far beyond a normal tab. Centralizing that much access in one AI system is efficient, and it's also a single point of failure if the agent is manipulated or the account gets compromised. A regular browser leaks a session cookie at worst if something goes wrong. An agentic browser with connected accounts can leak a lot more, because it was designed to reach further in the first place.
None of this means the category is a bad idea. It means the convenience and the risk arrived in the same release, and most users are only being sold the first half.
What this means if you're building or just using one
If you're a founder building on top of agent-in-the-browser tooling, the lesson from the Comet disclosures isn't
Also read: Best AI Video Generator for Marketing: A Founder's Hands-On Ranking • These Are the Best AI Coding Tools for Non-Technical Founders Right Now • How to Read a Startup Cap Table Before You Sign Anything