Perplexity has introduced BrowseSafe as an open research benchmark and lightweight content detection model designed to improve safety as AI agents move directly into the browser. As assistants evolve from answering queries to executing tasks on users’ behalf, browser environments are becoming a new security frontier for enterprise AI.
The shift toward agentic browsing changes the nature of the web itself. Instead of navigating static pages, users increasingly rely on autonomous agents that retrieve information, make decisions, and take action. In that model, trust becomes foundational. Any browser-based assistant must reliably act in the user’s interest, even when exposed to untrusted or hostile content.
BrowseSafe addresses this challenge by focusing on a narrow but critical question: does a web page contain malicious instructions intended to manipulate an AI agent? Rather than relying on large, general-purpose models that are costly and slow to run continuously, BrowseSafe is fine-tuned for real-time scanning of full HTML pages. The model is designed to operate fast enough to inspect every page an agent encounters without degrading browser performance. Alongside the model, the BrowseSafe-Bench evaluation suite has been released to support consistent testing and improvement of defenses.
The need for this approach reflects a growing class of threats specific to AI-driven browsing. Prompt injection attacks embed malicious instructions into content an agent reads, attempting to override its original task. Because agents process entire pages, these attacks can be hidden in comments, templates, footers, or invisible HTML elements that never appear on screen but are still parsed by the model. Sophisticated attackers often avoid obvious phrasing, using indirect language, multiple languages, or hypothetical scenarios to evade detection.
BrowseSafe and BrowseSafe-Bench were developed to reflect these real-world conditions. The benchmark contains 14,719 examples modeled on production web pages, combining noisy HTML with both benign and malicious content. The dataset spans multiple attacker objectives, instruction placements, and linguistic styles, enabling realistic evaluation of how well detection systems perform outside of controlled lab settings.
The model fits into a broader defense-in-depth strategy for agentic browsers. In this approach, the assistant operates within a trusted environment, while all external content is treated as untrusted by default. Outputs from tools such as web retrieval, email, or file access are scanned before the agent can act on them. Permissions are constrained, and sensitive actions can require explicit user approval, complementing existing browser security mechanisms.
Evaluation results from BrowseSafe-Bench highlight important patterns. Direct attacks that explicitly request sensitive actions are generally easier to detect, while indirect or multilingual attacks are significantly more challenging. Placement also matters: instructions hidden in comments are often flagged successfully, whereas similar content embedded in visible footers or inline text is harder to identify. These findings underscore the importance of targeted training on realistic examples rather than reliance on keyword-based rules.
BrowseSafe and BrowseSafe-Bench are fully open source, positioning them as practical building blocks for teams developing autonomous agents. The detection model can run locally, scanning untrusted content before it reaches an agent’s core logic, and is efficient enough for continuous use. The benchmark provides a large, production-like testbed for stress-testing agent behavior against the kinds of HTML structures and attack patterns that routinely defeat standard LLM safeguards.
As browser-based agents become more capable and more autonomous, tools like BrowseSafe point toward a path where enterprises can adopt powerful AI-driven workflows without compromising user trust or security.