Since July 2025, one browser has been trying to redefine our relationship with the web. Perplexity Comet isn't just an AI layer bolted onto Chromium — it's a browser where artificial intelligence is not an add-on but the central paradigm. The built-in agent can browse, click, fill out forms and carry out complex tasks autonomously. A revolution for productivity, a potential nightmare for security. Let's break down what Comet really changes and the risks it introduces.
What is Perplexity Comet?
Comet is a Chromium-based browser developed by Perplexity AI that natively embeds an agentic AI assistant at the heart of the browsing experience. Unlike AI extensions that graft onto Chrome or Firefox, Comet was designed from the ground up around an autonomous agent capable of interacting with web pages.
The architecture rests on four major components:
- The Perplexity API backend — where the AI model plans tasks and generates commands
- The user interface — a classic Chromium browser with an assistant panel
- Embedded Chrome extensions — privileged extensions that control the browser and execute actions
- The Chromium engine — compatible with the majority of existing Chrome extensions
Launched in July 2025, first for Max subscribers ($200/month), Comet became free and global in October 2025. Available on macOS, Windows and Android, it still lacks an iOS version to this day.
Key features: the browser that acts on your behalf
The Comet assistant and agentic mode
The flagship feature is the Comet Assistant. You give it a natural-language instruction — book a flight, compare prices, send an email based on content you've been reading — and the agent executes the necessary sequence of actions: navigating to sites, extracting information, clicking, filling out forms. All without any manual intervention.
In practice, agentic mode turns multi-step workflows into a single conversational interaction. Instead of browsing five sites to compare flights, you describe your need and the agent handles it. This is the promise of autonomous AI agents applied directly to the browser.
Background Assistants
Max subscribers get access to Background Assistants, agents that work in the background while you browse. You can assign them several tasks simultaneously: send an email, add the cheapest tickets for a concert to a cart, and find the best direct flight for a given date — all in parallel.
Multi-tab summarization and intelligent context
Comet reads the content of your open tabs and can summarize, correlate and extract cross-cutting information. The assistant is aware of the context of your browsing session — recent history, open tabs, content you've consulted — to provide relevant answers without having to copy and paste text into a separate chat.
Integrations and connectors
Comet integrates with third-party services: a Slack connector, Gmail and calendar access, real-time currency conversion, maps for local searches. The goal is to become a central hub that replaces not only your browser but also part of your productivity stack.
AI models and pricing
Comet doesn't rely on a single model. The infrastructure supports several LLMs depending on subscription tier:
| Plan | Price | Available models | Features |
|---|---|---|---|
| Free | $0 | Sonar (Perplexity model) | Comet Assistant, basic agentic mode, ad blocker |
| Pro | $20/month | Sonar + advanced models | Advanced search, more queries/day |
| Max | $200/month | Claude Opus 4.6, Claude Sonnet 4.5, GPT-5, Gemini Pro, Grok 4 | Background Assistants, model choice, unlimited usage |
| Comet Plus | $5/month (add-on) | — | Premium content from partner publishers |
The notable point: Max subscribers can choose the model that drives the agent. Claude Opus 4.6 is the default model, recognized for its complex reasoning abilities. Sonnet 4.5 offers a faster alternative for everyday tasks. This is a major advantage over competing browsers that lock you into a single model.
Security and privacy: the critical angle
What data is collected?
According to Perplexity's privacy policy, Comet collects and stores locally on your machine:
- Your full browsing history (URLs, text, page images)
- Permissions granted to websites
- The number of open tabs and windows
- Search queries
- Download history
- Cookies from visited sites
Perplexity claims this data stays on your device until you use the assistant. As soon as you ask Comet a question, the current tab and the relevant browsing history are transmitted to Perplexity's servers to process your request. Queries classified as personal are automatically deleted after 30 days.
However, security researchers have demonstrated that Comet sends every visited URL to Perplexity's servers, with no way to disable this behavior — information that contradicts the official statements about local processing by default.
CometJacking: when the browser's AI becomes a weapon
In August–October 2025, several security teams (LayerX, Brave, ActiveFence) discovered critical vulnerabilities in Comet, grouped under the name CometJacking.
The principle of the attack: an attacker embeds malicious instructions in a URL or in the content of a web page. Comet's AI agent, designed to read and interpret page content, executes these hidden instructions — a form of indirect prompt injection applied to the browser.
Scenario documented by the researchers:
- The user clicks on a seemingly harmless link
- The URL contains a hidden prompt in its parameters
- The Comet agent executes the prompt: extracting Gmail data, Base64-encoding it, exfiltrating it to a server controlled by the attacker
- The user only sees a normal interaction with the assistant
Brave subsequently discovered even more sophisticated attacks via invisible prompt injections in screenshots (white characters on a white background, micro-text), exploiting Comet's ability to analyze images.
Most concerning: when LayerX reported these vulnerabilities to Perplexity in August 2025, the initial response was to classify them as having no security impact. Perplexity has since published a blog post on mitigating prompt injection, but the fundamental problem persists: an agent that executes actions based on untrusted web content is intrinsically vulnerable.
Local command execution
Comet's architecture relies on privileged Chrome extensions that control the browser. Researchers at Zenity Labs demonstrated that Comet can execute system-level commands without explicit user permission. If Perplexity's servers were compromised — via an XSS flaw, phishing targeting an employee, or malicious internal access — an attacker could exploit these extensions to take control of the user's machine.
For AI agent security professionals, Comet perfectly illustrates the systemic risks tied to agent autonomy in non-sandboxed environments.
Comet vs Chrome, Arc and Brave: comparison
| Criterion | Comet | Chrome | Arc | Brave |
|---|---|---|---|---|
| Base | Chromium | Chromium | Chromium | Chromium |
| Native AI agent | Yes (free) | Gemini (gradual integration) | No | Leo (assistant, not agentic) |
| Agentic mode | Full | Partial (Gemini) | No | No |
| Ad/tracker blocking | By default | No (extensions required) | uBlock Origin built in | By default |
| AI model choice | Multi-model (Max) | Gemini only | — | Claude/Llama (Leo) |
| Privacy | Data sent to Perplexity servers | Data sent to Google | Minimal | Privacy-first |
| Chrome extensions | Compatible | Native | Compatible | Compatible |
| Open source | No | Chromium yes, Chrome no | No | Yes |
| Price (advanced AI) | Free / $200/month (Max) | Free | Free | Free |
The AI browser landscape is heating up: Google is gradually integrating Gemini into Chrome, OpenAI launched its own browser Atlas, and Brave is beefing up Leo. But Comet remains the only one to offer a full, free agentic mode capable of executing multi-step tasks autonomously.
The trade-off is clear: more capability means more attack surface. Brave, with its privacy-first and open-source approach, remains the safest choice for privacy-conscious users. Chrome offers the most mature ecosystem. Comet offers the most powerful AI, at the cost of near-total trust in Perplexity.
Implications for security professionals
The rise of agentic browsers raises fundamental questions for enterprise security teams:
1. Expanded attack surface
An agentic browser is no longer a simple HTTP client. It's an autonomous agent with access to the file system, emails, calendar and browsing history. Every web page visited becomes a potential prompt-injection vector. Traditional WAFs and proxies don't detect this kind of attack because the payloads are natural-language text, not classic malicious code.
2. Amplified shadow IT
Because Comet is free and easy to install, employees will adopt it without security-team sign-off. Since the agent potentially has access to corporate data viewed in the browser, this is an uncontrolled data-leak risk.
3. Trust in third-party infrastructure
Unlike a classic browser where data flows directly between the client and web servers, Comet introduces a systematic intermediary: Perplexity's servers. Every request to the assistant potentially exposes the content of your open tabs. For companies handling sensitive data, that's a deal-breaker.
4. Audit and compliance
Agentic browsers complicate the traceability of actions. When the agent clicks, fills out a form or sends a message, who is responsible? Audit logs must be able to distinguish human actions from agent actions — a capability most current SIEMs don't have.
A paradigm taking hold, with guardrails yet to be built
Perplexity Comet embodies an inevitable shift: AI will no longer be a tool you consult but an agent that acts on your behalf in the browser. The projected 2.5% market share in 2026 may seem modest, but it was enough to force Google, OpenAI and others to accelerate their own agentic browsers.
The fundamental problem remains unchanged: an agent that executes actions based on unverified web content is vulnerable by design. The CometJacking attacks are only the first generation. As agents gain autonomy and access, attack vectors will multiply.
For users, the choice is pragmatic:
- Maximum productivity with accepted risk — Comet for research, comparison and non-sensitive tasks
- Security first — Brave or a classic browser for anything touching sensitive, financial or professional data
- Hybrid approach — Comet as a secondary browser, Chrome/Brave as the primary one
Tools like Claude Code have shown that a well-designed AI agent can be a considerable productivity accelerator. Comet aims to bring that same power to the web browser. It remains to be seen whether Perplexity can build the necessary guardrails before attackers massively exploit this new attack surface.
The agentic browser is no longer a question of "if" but of "when" — and above all of "with what protections."
Comments