AI Browser Comparison 2026: Atlas vs. Comet vs. Dia, Ranked by Security and Use Case
Source: TechTimes

The logo of the new AI-built web browser "ChatGPT Atlas", on a phone and a screen, in Mulhouse on October 28, 2025. SEBASTIEN BOZON/Getty Images

Giving a web browser agent access to your email, banking sessions, and login credentials — on every site, simultaneously, by design — is the most useful thing an agentic browser does. Security researchers confirmed in early June 2026 that it is also the core reason no agentic browser can be fully secured. That is not a temporary engineering gap. OpenAI wrote in December 2025 that prompt injection — the attack technique that turns a browser agent against its owner by smuggling hostile instructions through ordinary web content — is "unlikely to ever be fully 'solved.'" The implication is direct: the same property that makes these browsers powerful is what makes them structurally dangerous, and the three leading options (OpenAI's ChatGPT Atlas, Perplexity's Comet, and The Browser Company's Dia, now part of Atlassian) handle that risk very differently.

The category itself is barely a year old. All three browsers reached broad availability during 2025 and early 2026. Perplexity's Comet went free to all users in October 2025. ChatGPT Atlas launched on macOS in October 2025. The legal stakes clarified this month: the Ninth Circuit heard oral arguments on June 11 in Amazon v. Perplexity, the first federal case to determine whether an AI browser agent can legally access a third-party platform at a user's direction. That ruling will govern what all three browsers can do on your behalf.

Why Agentic Browsers Break Browser Security

For thirty years, the foundational protection of the web was the same-origin policy, introduced by Netscape Navigator 2.02 in 1995. It prevents any script or application on one site from reading data belonging to another. Open Gmail and your bank in adjacent tabs, and the bank page cannot see the Gmail contents. That protection has underpinned every assumption about safe multi-session browsing.

Agentic browsers make that protection irrelevant — not by breaking it, but by design. When a user authorizes an AI agent to act across the web, the agent operates with full user-level authenticated access to every domain the user has logged into. Unlike a malicious script, the agent is not crossing origin boundaries illegally; it has been given the keys. The result is that the same-origin policy, which still isolates page scripts from one another, places no constraint on what the agent itself can read or do. As Dark Reading security researcher Josh Hoodlet noted in February 2026: "Now you have an application that can perform actions like a human. It gets logged as if those actions are taking place like a human in some respects, and it opens the world to new challenges."

The mechanism that then creates danger is indirect prompt injection. An attacker embeds a hostile instruction in a web page, a calendar invitation, a Reddit comment, or any document the agent reads. The LLM processes that instruction through exactly the same pipeline it uses for the user's legitimate commands — and since the LLM has no reliable way to distinguish the two, it can follow the attacker's instruction instead. The attack requires no malware, no exploit chain, and no technical access to the user's device. It requires only that the agent read content the attacker has touched.

In August 2025, Brave's security team demonstrated this by placing invisible text inside a Reddit spoiler tag; Comet read the tag, followed the hidden instructions, and extracted a user's email address and one-time passcode. In March 2026, researchers at Zenity Labs published a family of vulnerabilities called "PleaseFix," which demonstrated zero-click agent hijacking in Comet — including one path that could access and extract credentials from a 1Password vault through the agent's authorized workflows, without directly exploiting any flaw in 1Password.

Technically, this works through the browser's execution architecture. A Chromium-based agentic browser — Atlas, Comet, and Dia are all Chromium-based — uses a privileged browser extension that accepts task commands through an API. The agent observes a page by extracting its Document Object Model (the structured representation of all the page's content and elements) or by taking a screenshot that is then converted to image tokens for the language model to interpret visually. The language model then plans a sequence of actions and dispatches them through the extension's API: clicks, keystrokes, form fills, navigation. The entire pipeline runs with the user's session credentials, which means hostile content anywhere in the data the agent reads can redirect any step in that plan. A screenshot-based observation is more general but more expensive — a single screen can cost over a thousand tokens to process; DOM-based parsing is cheaper and more precise but limited to web content.

OWASP's June 2026 State of Agentic AI Security report mapped prompt injection to six of ten categories in its Agentic Applications Top 10. Researcher Simon Willison described the "lethal trifecta": any agent that combines access to private data, exposure to untrusted content, and the ability to communicate externally can be converted into a data-exfiltration tool by a single injected prompt. Meta's published Agents Rule of Two states that without human supervision, an agent should satisfy at most two of those three properties at once.

Every agentic browser, by design, combines all three. None of the three reviewed here has solved this. The question is which has handled it most responsibly.
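
The Rule of Two described above can be enforced as a session-level gate in front of the agent's action dispatcher. The following is an added example, not code from any of the three browsers: the class, the action shapes and the origins are hypothetical, and the sample plan is constructed.

```javascript
// Added example, not vendor code. Every name below is hypothetical.
const CAP = Object.freeze({
  PRIVATE: "private_data",      // agent has read authenticated content
  UNTRUSTED: "untrusted_input", // agent has ingested content it does not control
  EXTERNAL: "external_comms",   // agent has transmitted data to another party
});

// Map one planned action to the trifecta properties it would add.
function propertiesOf(action, trustedOrigins) {
  const props = new Set();
  if (action.type === "read") {
    if (action.authenticated) props.add(CAP.PRIVATE);
    if (!trustedOrigins.has(action.origin)) props.add(CAP.UNTRUSTED);
  } else if (["submit", "send", "navigate"].includes(action.type)) {
    // Anything that leaves the browser can carry data out, a URL included.
    props.add(CAP.EXTERNAL);
  } else {
    throw new Error(`unknown action type: ${action.type}`);
  }
  return props;
}

class RuleOfTwoSession {
  constructor({ trustedOrigins = [], confirm = () => false } = {}) {
    this.trustedOrigins = new Set(trustedOrigins);
    this.confirm = confirm; // human approval callback; the default refuses
    this.held = new Set();  // properties stay with the context once acquired
    this.audit = [];
  }

  // Returns "allow", "allow_confirmed" or "deny" and records the decision.
  authorize(action) {
    const added = propertiesOf(action, this.trustedOrigins);
    const next = new Set([...this.held, ...added]);
    let decision = "allow";
    if (next.size === 3) {
      // All three properties at once: only proceed under human supervision.
      decision = this.confirm(action, [...next]) ? "allow_confirmed" : "deny";
    }
    if (decision !== "deny") this.held = next;
    this.audit.push({ type: action.type, origin: action.origin, decision });
    return decision;
  }

  // A fresh model context carries no earlier reads, so the set starts empty.
  reset() {
    this.held = new Set();
  }
}

// Constructed sample plan: a public forum page is read, then the inbox, then
// the plan tries to send mail. The last step completes the trifecta.
const SAMPLE_PLAN = [
  { type: "read", origin: "https://forum.example", authenticated: false },
  { type: "read", origin: "https://mail.example", authenticated: true },
  { type: "send", origin: "https://mail.example" },
];

function runPlan(session, plan) {
  return plan.map((action) => session.authorize(action));
}

console.log(runPlan(new RuleOfTwoSession(), SAMPLE_PLAN));
```

The gate is order-independent: whichever action would add the third property is the one that needs approval, so a session that has already sent data is stopped at its next untrusted or authenticated read instead.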


ChatGPT Atlas: Most Capable, Most Targeted

OpenAI launched ChatGPT Atlas on macOS in October 2025. The Chromium-based browser is the most fully autonomous of the three: in agent mode, it interprets a high-level instruction, plans a multi-step sequence, then executes it — clicking, typing, navigating, and submitting — across any sites the user is logged into. Its Browser Memories feature uses the ChatGPT memory system to carry context across sessions, so a user's preferences, past tasks, and ongoing projects are available to the agent without re-explaining them.

The headline capability is the most capable autonomous task completion available in a consumer browser as of mid-2026. Atlas can receive a single instruction — "find the cheapest flight to Miami next Tuesday and book it" — and carry out the research, comparison, and checkout across multiple airline sites with minimal user intervention.

Atlas is currently available on macOS only. In March 2026, OpenAI announced that it would merge Atlas with its ChatGPT desktop app and Codex coding agent into a single unified desktop application. The superapp has not yet launched; Atlas remains a standalone browser for now. Windows, iOS, and Android support have been announced but not released.

Security: Atlas has been specifically targeted by prompt injection researchers because of its autonomous depth. OpenAI shipped a security update in December 2025 after internal automated red-teaming found what it described as a new class of prompt-injection attacks. The update included an adversarially trained model and strengthened safeguards. OpenAI builds what it calls an LLM-based automated attacker — an AI system trained with reinforcement learning to actively search for vulnerabilities in Atlas — and runs it continuously. The company also said at that time that prompt injection is unlikely to ever be fully resolved, and that the mitigation approach is to design for permanent risk rather than pursue elimination. Independent enterprise security testing found Atlas blocks between 5.8 and 6 percent of malicious pages tested — a figure that reflects how novel the attack surface is rather than any specific implementation failure.

Best for: Users already subscribed to a paid ChatGPT tier who spend significant time on transactional workflows — booking, purchasing, comparing across multiple sites — and who are comfortable maintaining strict session hygiene, meaning a separate browser profile with no sensitive sessions open while the agent is active.

Pricing: Free tier available. Agent Mode and Browser Memories require a paid ChatGPT subscription. Platform: macOS only as of June 2026.

Comet (Perplexity): Widest Reach, Most Documented Vulnerabilities

Perplexity launched Comet on Windows and macOS on July 9, 2025, initially limited to its $200-per-month Max tier. The browser went free globally on October 2, 2025. Android launched November 20, 2025; iOS launched March 18, 2026.

Comet's AI agent does three things well: it understands the current page in full context, runs multi-step agentic tasks across tabs, and integrates Perplexity's search and research engine directly in the browsing session. For users whose work centers on synthesis — journalists, researchers, analysts, competitive intelligence teams — the ability to issue a research instruction, have the agent open relevant sources, extract key information, and assemble a structured summary within the browser itself is genuinely useful. Perplexity raised $200 million at a valuation near $20 billion in early June 2026, funding that it has stated will go toward expanding Comet's agent capabilities and its publisher revenue-sharing program.

Security: Comet has the most extensively documented security record of the three browsers, and not positively. Brave's August 2025 disclosure — the Reddit spoiler tag exfiltration — was the first major prompt injection demonstration against a consumer agentic browser. Zenity Labs' March 2026 "PleaseFix" / "PerplexedBrowser" research added a zero-click attack path via malicious calendar invitations and a separate 1Password credential-extraction vector. Security researcher Stav Cohen identified the core mechanism as "intent collision" — the moment at which an agent merges a legitimate user instruction with attacker-controlled web content into a single execution plan, with no reliable way to distinguish which is which. In enterprise security benchmarking, LayerX security researcher Paloma Perlov found Comet to be up to 85 percent more vulnerable to phishing and web-based attacks compared to Chrome, attributing the gap to the browser's weaker built-in phishing protections and its reliance on automated, context-aware actions.

Perplexity initially responded to the LayerX CometJacking disclosure by stating it saw no security impact and marking the report as not applicable. It subsequently worked with Brave to address the August 2025 vulnerability and issued a fix for the Zenity Labs findings in February 2026.

The Amazon v. Perplexity lawsuit adds legal exposure on top of technical risk. Amazon sued Perplexity in November 2025 under the Computer Fraud and Abuse Act, arguing that Comet's agent accessing Amazon's password-protected pages — even with the user's credentials — constitutes unauthorized access. A federal judge issued a preliminary injunction in March 2026; the Ninth Circuit stayed the injunction pending appeal. The Electronic Frontier Foundation, ACLU, and Mozilla filed amicus briefs supporting Perplexity's position, arguing that a broad CFAA ruling would threaten every browser extension and automated tool that acts at user direction. The Ninth Circuit heard oral arguments on June 11, 2026. No ruling has been issued yet.

Best for: Research-heavy workloads where the integration of multi-step web research with Perplexity's answer engine creates a meaningful productivity gain. Users should route sensitive sessions — banking, email, password managers — through a separate, non-agentic browser while using Comet for research tasks.

Pricing: Free. Platform: Windows, macOS, Android, iOS.

Dia (The Browser Company / Atlassian): Most Security-Conscious Architecture

Dia launched in beta in June 2025. The Browser Company announced that Arc entered maintenance mode, and that Dia would be the company's primary product going forward. In September 2025, Atlassian acquired The Browser Company for $610 million, citing Dia as the foundation for a next-generation enterprise-focused browser.

Dia is positioned as the least autonomous of the three. Its AI agent excels at tasks the user supervises: writing assistance with awareness of current tabs, tab summarization, and workflow shortcuts called Skills that the user defines using natural language. It does not push toward fully autonomous multi-site transaction execution the way Atlas does.

Security architecture: Dia's approach to security is qualitatively different from its competitors', and that difference matters. Before Dia's public beta in June 2025, the engineering team discovered that a web-fetch tool built into the browser could be exploited for data exfiltration via prompt injection. They made the decision to remove the feature entirely rather than release it with only detection-based mitigations. It was reintroduced two months later, rebuilt from the ground up with what Dia describes as architectural controls that remain secure even when a prompt injection occurs — controls that do not rely on detecting hostile content, but on structurally preventing certain types of output regardless of what the LLM is instructed to do. That design principle — assume injection will occur, build the architecture so it cannot succeed — is exactly what OWASP and the broader security research community have called for.

Dia Sync, launched in April 2026, uses end-to-end encryption for cross-device data. The design assumption, explicitly stated by The Browser Company, is that Dia's own servers may be compromised; synced data is therefore encrypted on-device before being sent, so the server cannot read it. Dia completed a SOC 2 Type II examination covering security, confidentiality, and privacy for 2025, with the final report issued in 2026.

The tradeoff is capability and platform availability. Dia runs on macOS with Apple Silicon only as of June 2026. A Windows waitlist exists with no confirmed release date. The autonomous transaction execution that makes Atlas compelling does not currently exist in Dia. Users who want an AI agent that completes purchases and multi-site bookings without supervision will find Dia underwhelming.

The Atlassian acquisition raises a longer-term question: Atlassian's enterprise focus may shift Dia's development toward workflow integration with Jira and Confluence over time, which could make it significantly more capable for enterprise users while limiting its consumer-facing feature trajectory.

Best for: Knowledge workers who want AI assistance with writing, tab awareness, and synthesis, and who are not yet ready to give an agent permission to transact on their behalf. Developers and security-conscious professionals who want the better-tested security architecture. Former Arc users.

Pricing: Free with a $20-per-month Pro tier. Platform: macOS with Apple Silicon.

How the Three Compare

| Comparison Item | Atlas | Comet | Dia |
| --- | --- | --- | --- |
| Developer | OpenAI | Perplexity | The Browser Company / Atlassian |
| Primary Strength | Transaction automation and multi-site execution | Research synthesis and Perplexity search integration | Supervised writing, tab awareness, and security architecture |
| Autonomous Agent Depth | High | Medium–High | Medium |
| Platforms | macOS only | Windows, macOS, Android, and iOS | macOS on Apple Silicon |
| Pricing | Free; Agent Mode requires a paid ChatGPT plan | Free | Free; Pro plan costs $20 per month |
| Documented Security Incidents | Prompt-injection vulnerability class identified by OpenAI's internal red team in December 2025 | CometJacking reported by LayerX; Reddit spoiler exfiltration demonstrated by Brave; PleaseFix/1Password attack path reported by Zenity Labs | No public exploit demonstrated; a vulnerable feature was removed before launch |
| Security Architecture Approach | Adversarial training and reinforcement-learning-based red teaming | Primarily patch-based; Perplexity worked with security researchers following disclosures | Architectural security controls, end-to-end encrypted synchronization, and SOC 2 Type II compliance |
| Active Legal Exposure | None known | Amazon v. Perplexity, involving CFAA claims; Ninth Circuit proceedings pending | None known |
| Best For | Transactional automation and paid ChatGPT subscribers | Research, journalism, analysis, and users requiring multi-platform access | Security-conscious professionals, writing assistance, and Apple Silicon users |


How to Use an Agentic Browser More Safely

Security researchers across Brave, Zenity Labs, OWASP, and academia have converged on three practical principles for anyone experimenting with these browsers now.

Isolate the context. Run the agentic browser in a dedicated profile or installation that does not share saved passwords, session cookies, or login states with your primary work or banking browser. The agent's blast radius — what an attacker can reach if an injection succeeds — is defined by what the agent has access to. A profile with no saved payment methods and no email access is a smaller target than one with both.

Preserve the human at decision points. Every agentic browser offers a mode in which the agent pauses before taking irreversible actions — purchases, form submissions, password changes, email sends. Keep that confirmation requirement active. The productivity cost of one confirmation tap is low; the cost of a completed unwanted transaction is not.

Limit autonomous use to lower-stakes tasks. Research, comparison, and information gathering on public pages carry substantially less risk than authenticated sessions. An agent reading public product listings cannot access your payment credentials even if a prompt injection succeeds, because the page does not have them. Reserve full agentic autonomy — "book it, buy it, submit it" — for tasks you have verified personally.

Which Browser Fits Your Work

The right choice depends less on feature lists than on what you are willing to let an agent do.

For transaction automation — booking flights, comparing and buying products, managing repetitive multi-site workflows — Atlas is the most capable option available on macOS today. The security posture is actively managed and publicly documented. If you are already paying for a ChatGPT subscription, the marginal cost is the browser switch. Use a dedicated profile, keep sensitive accounts out of the agent's session, and know that OpenAI itself has stated the underlying risk cannot be eliminated.

For research and synthesis — investigative work, competitive intelligence, academic research, journalism — Comet's integration with Perplexity's answer engine creates a genuinely different experience than either of the other two. The security record is the most troubled of the group, but the use case (research on public or semi-public content) also carries lower per-session risk than transaction execution. Route banking, email, and password managers through a separate browser.

For security-conscious knowledge work — writing assistance with tab awareness, workflow shortcuts, and the best-tested security architecture currently available in this category — Dia is the most thoughtfully built of the three. Its lower autonomy is partly a tradeoff and partly a design choice that reflects an engineering team that removed a feature before launch rather than ship it with unresolved risks. For users whose work involves sensitive documents, confidential research, or high-trust data, Dia's architectural approach is the right starting point.

For all three: no agentic browser is ready to replace your existing browser entirely. Run one alongside your current browser — not instead of it — until the category matures and the legal and security frameworks around it settle.


Frequently Asked Questions

What does prompt injection mean for my agentic browser, and can it be fixed?

Prompt injection is an attack in which hostile instructions are hidden inside content the AI agent reads — a web page, an email, a calendar invitation, a document — causing the agent to follow the attacker's instructions instead of the user's. It works because the agent's language model processes all text through the same pipeline and cannot reliably distinguish developer-approved commands from attacker-injected ones. OpenAI stated in December 2025 that this vulnerability is "unlikely to ever be fully 'solved'" in browser agents. OWASP's June 2026 State of Agentic AI Security report confirmed it maps to six of ten categories in the Agentic Applications Top 10. Browsers can reduce the risk through adversarial training, architectural constraints, and human-in-the-loop confirmations — but cannot eliminate it while AI agents continue to read untrusted web content with user-level credentials.

Is ChatGPT Atlas available on Windows?

As of June 2026, ChatGPT Atlas is available on macOS only. Windows, iOS, and Android versions have been announced. In March 2026, OpenAI said it would merge Atlas with its ChatGPT desktop app and Codex coding agent into a single unified desktop application; that product has not yet been released.

What is the Amazon v. Perplexity case, and what does it mean for Comet users?

Amazon sued Perplexity in November 2025, arguing that Comet's AI agent accessing Amazon's password-protected pages — even using a user's own credentials — constitutes unauthorized computer access under the Computer Fraud and Abuse Act. A federal judge granted Amazon a preliminary injunction in March 2026; the Ninth Circuit stayed that injunction pending appeal and heard oral arguments on June 11, 2026. The ruling will set the first federal precedent on whether an AI browser agent can legally act on a user's behalf at third-party sites that have not granted explicit permission. If Amazon prevails, Comet's autonomous shopping and account-access capabilities could be legally blocked for Amazon and, by precedent, other major platforms.

Which agentic browser has the most secure architecture?

Dia has the most security-conscious architecture of the three, having removed a web-fetch feature before launch after discovering it was exploitable via prompt injection, then rebuilt it with structural controls rather than detection-based patches. Dia completed a SOC 2 Type II examination for 2025 and uses end-to-end encryption for cross-device sync. Comet has the most documented public exploit history. Atlas has the deepest autonomous capability and the most active internal security research program. No agentic browser is fully secure for sessions involving banking, email, or payment credentials — the category's architectural design makes that impossible for now.