Security Risk Management for Agentic AI in Browsers and Applications
Security teams are increasingly treating agentic AI—systems that can interpret untrusted content and take actions—as a new class of enterprise risk that breaks assumptions in traditional security and threat modeling. As AI moves into user-facing workflows, especially where models can reason over web content and instructions, untrusted inputs can influence behavior in ways that resemble inferred intent rather than explicit user actions, expanding the attack surface beyond conventional boundaries designed for deterministic software.
Socradar highlighted that AI-based browsers vary materially in risk: “assistant” modes (e.g., summarization on request) can often be governed with existing controls, while agentic browsers that autonomously navigate and act within a user session introduce risks that classic browser security models were not designed to contain—particularly when page text/metadata becomes model input. Microsoft emphasized that threat modeling for AI applications must adapt because generative/agentic systems are probabilistic, have uneven performance across languages and contexts, and treat conversation/instructions as part of a single input stream; this requires planning for rare but high-impact failure modes and adversarial manipulation rather than relying on predictable code paths and stable input/output behavior.

Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Varonis details architectural attack surfaces in agentic LLM browsers
Varonis Threat Labs published research arguing that agentic LLM browsers introduce a privileged control layer that can bypass traditional browser security boundaries. The report analyzed products including Perplexity Comet, OpenAI Atlas, Microsoft Edge Copilot, and Brave Leo, highlighting trusted communication bridges and noting that some title-based prompt injection was fixed during the research.
SOCRadar analyzes security risks in AI-based browsers
SOCRadar published an analysis warning that agentic AI browsers introduce structural security risks because untrusted web, email, and file content can influence model behavior. The article highlighted attack classes including indirect and multimodal prompt injection, privacy profiling risks, and examples such as EchoLeak, cross-tab data exposure in Perplexity Comet, HashJack, and omnibox intent ambiguity in OpenAI Atlas.
Microsoft publishes guidance on threat modeling AI applications
Microsoft Security Blog published guidance arguing that traditional threat modeling must be adapted for generative and agentic AI systems. The post outlined AI-specific risks such as prompt injection, tool misuse, privilege escalation, data exfiltration, and harmful outputs, and recommended mitigations including least privilege, separation of instructions from untrusted content, and stronger observability.
Wiz reviews 2025 security failures and defenses in agentic browsers
A Wiz Blog year-end review described how mainstream adoption of agentic browsers in 2025 drove extensive offensive research into prompt injection, phishing, data exfiltration, session poisoning, and task hijacking across products from OpenAI, Perplexity, Opera, and others. It also summarized vendor responses including human-in-the-loop confirmations, architectural isolation, reinforcement learning-based hardening, secondary model critics, and access restrictions, while noting prompt injection remained unresolved.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Deep Dive into Architectural Vulnerabilities in Agentic LLM Browsers
varonis.com
Open sourceAI-Based Browsers: Are They Really Safe?
socradar.io
Open sourceThreat modeling AI applications | Microsoft Security Blog
microsoft.com
Open sourceAgentic Browser Security: 2025 Year-End Review | Wiz Blog
ramimac.me
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.


