Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to intelligence
ai-platform-securitystandards-framework-update

Security Risk Management for Agentic AI in Browsers and Applications

Updated 2d agoFirst seen Feb 27, 20264 sources

Security teams are increasingly treating agentic AI—systems that can interpret untrusted content and take actions—as a new class of enterprise risk that breaks assumptions in traditional security and threat modeling. As AI moves into user-facing workflows, especially where models can reason over web content and instructions, untrusted inputs can influence behavior in ways that resemble inferred intent rather than explicit user actions, expanding the attack surface beyond conventional boundaries designed for deterministic software.

Socradar highlighted that AI-based browsers vary materially in risk: “assistant” modes (e.g., summarization on request) can often be governed with existing controls, while agentic browsers that autonomously navigate and act within a user session introduce risks that classic browser security models were not designed to contain—particularly when page text/metadata becomes model input. Microsoft emphasized that threat modeling for AI applications must adapt because generative/agentic systems are probabilistic, have uneven performance across languages and contexts, and treat conversation/instructions as part of a single input stream; this requires planning for rare but high-impact failure modes and adversarial manipulation rather than relying on predictable code paths and stable input/output behavior.

Share:
Security Risk Management for Agentic AI in Browsers and Applications
Stay ahead

Get ahead of threats like this

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.

EVENT TIMELINE

How this story unfolded

4 events from the most recent confirmed update back to the earliest known activity.

4 EVENTS
Apr 13, 20263mo ago

Varonis details architectural attack surfaces in agentic LLM browsers

Varonis Threat Labs published research arguing that agentic LLM browsers introduce a privileged control layer that can bypass traditional browser security boundaries. The report analyzed products including Perplexity Comet, OpenAI Atlas, Microsoft Edge Copilot, and Brave Leo, highlighting trusted communication bridges and noting that some title-based prompt injection was fixed during the research.

Deep Dive into Architectural Vulnerabilities in Agentic LLM Browsers
Feb 26, 20264mo ago

SOCRadar analyzes security risks in AI-based browsers

SOCRadar published an analysis warning that agentic AI browsers introduce structural security risks because untrusted web, email, and file content can influence model behavior. The article highlighted attack classes including indirect and multimodal prompt injection, privacy profiling risks, and examples such as EchoLeak, cross-tab data exposure in Perplexity Comet, HashJack, and omnibox intent ambiguity in OpenAI Atlas.

Microsoft publishes guidance on threat modeling AI applications

Microsoft Security Blog published guidance arguing that traditional threat modeling must be adapted for generative and agentic AI systems. The post outlined AI-specific risks such as prompt injection, tool misuse, privilege escalation, data exfiltration, and harmful outputs, and recommended mitigations including least privilege, separation of instructions from untrusted content, and stronger observability.

Jan 16, 20266mo ago

Wiz reviews 2025 security failures and defenses in agentic browsers

A Wiz Blog year-end review described how mainstream adoption of agentic browsers in 2025 drove extensive offensive research into prompt injection, phishing, data exfiltration, session poisoning, and task hijacking across products from OpenAI, Perplexity, Opera, and others. It also summarized vendor responses including human-in-the-loop confirmations, architectural isolation, reinforcement learning-based hardening, secondary model critics, and access restrictions, while noting prompt injection remained unresolved.

Agentic Browser Security: 2025 Year-End Review | Wiz Blog
LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

25 LINKEDOpen in app
Vulnerabilities
1 linked
Affected products
7 linked
Brave BrowserVisual Studio CodeChromeCopilotGithubChatgptChromium
Organizations
17 linked
The Browser CompanyBrave SoftwareAnthropicOpenaiPerplexityMicrosoft CorporationOperaGoogleTechCrunchTenableSOCRadarCato NetworksVaronisGartnerLayerXGuardioGitHub
The operational view lives in Mallory

See the full picture, correlated to your attack surface.

This page covers what’s public. Mallory adds the parts that aren’t — which of your assets are affected, which threat actors are using it right now, which detections to deploy, and what to do next.
Exposure mapping

Map indicators from this story to your assets and identify affected systems in minutes.

Threat actor evidence

Every observed campaign, victim, and pivot linked to actors named in this story.

Associated malware

Malware, exploits, and IOCs connected to the activity described here.

Detection signatures

YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.

Scheduled alerts

Get matching new stories delivered to your team as they break — not the next morning.

AI threads

Ask questions about this story and take action on the answers.