Perplexity integrates security into Comet from day one | Keryc
Comet gives AI assistants the ability to browse sites, interact with content, and complete complex tasks for users. Can you imagine everything that could go wrong if that had no robust defenses? Perplexity decided not to improvise: they built security from day one and opened part of their work to the community.
Why was security a priority from day one?
Assistants that browse the web face concrete attacks, like prompt injection, where a malicious page tries to manipulate the assistant's instructions. How do you stop the assistant from following a hidden order in HTML or getting confused by misleading text?
Perplexity's answer was simple in concept but ambitious in practice: one barrier isn't enough. If one layer fails, others must keep protecting the user. It's the layered logic: multiple independent defenses that back each other up.
Key milestones in the security journey
April 2025: pre-launch audit. Before opening Comet to the public they hired Trail of Bits to model threats and try to break the defenses with real attacks. That allowed them to find gaps and fix them before users relied on Comet for sensitive tasks.
October 2025: they published their defense architecture. They shared a technical post describing a four-layer framework that protects against hidden injections in HTML and CSS, content confusion, and goal hijacking. They also launched a bug bounty program so researchers could test the system.
December 2025: they released BrowseSafe as open source. They included BrowseSafe-Bench, a set with 14,719 examples covering 11 attack types, 9 injection strategies, and 3 linguistic styles. Publishing data and tools lets other teams learn and improve their own defenses.
How the defense layers work (explained without technicalities)
Think of a fortress with several walls: if an attacker gets past the first, the second and third are still there. Applied to Comet, the layers combine automatic detection, security rules, contextual validations, and human review when needed.
Practical example: a page tries to instruct the assistant with invisible text. The first layer detects suspicious elements in the HTML, the second assesses whether the content changes the task's objective, and another layer checks if the requested action poses risks to the user's account. If something smells off, Comet rejects the action or asks for human confirmation.
What they learned and why it matters for everyone
External testing finds blind spots that internal teams don't see, no matter how expert they are.
Threat modeling isn't a checkbox: it's an ongoing discipline because attack techniques evolve.
Transparency helps the industry. By sharing methodologies and benchmarks, Perplexity pushes standards that benefit everyone.
They also keep active programs: periodic evaluations, a vulnerability disclosure program, and a private bug bounty for researchers. They invest in rigorous evaluation practices to avoid misinterpreted research creating misinformation about their defenses.
What this means for users and developers
If you're a user, it means Comet was designed with layers of protection that aim to reduce risks when the assistant acts on the web. If you're a developer or researcher, the existence of BrowseSafe and the open benchmarks lets you test and improve your own solutions.
Is it a guarantee of total immunity? No system is. But what we do see here is a responsible posture: external testing, data openness, and programs that invite community participation.
In the end, security for web-browsing assistants isn't a destination but a process. Perplexity bet on building from day one and sharing that learning. That makes the technology safer and the experience more trustworthy for you.
