A single URL is now enough to make an AI browser leak your inbox. That’s not a hypothetical from a threat-modeling deck — it’s CometJacking, the attack LayerX disclosed against Perplexity’s Comet browser, where instructions hidden in URL parameters told the agent to grab Gmail and Calendar data and ship it out base64-encoded to slip past the platform’s own guardrails. No malware. No credential phishing. You click a link, the agent reads it, and the agent does what the link says.
If you run security for a company where people have started using Comet, ChatGPT Atlas, or some in-house agent wired into Slack and Google Workspace, this is the question on your desk right now: which tool actually stops this, and is the answer even a tool you can buy as a standalone product anymore? Because the short version is that the market for “agentic browser security” got swallowed almost whole in the last nine months, and that changes how you should shop.
What actually happened in the last year
The reason this category went from niche to budget-line-item is a run of real incidents, not vendor FUD.
CometJacking landed in October 2025. Then in March 2026, Trail of Bits researchers walked Comet into a phishing scam in under four minutes using prompt injection — the browser’s own assistant got talked into handing over private data from connected services. Zenity Labs disclosed a family of agentic-browser bugs they called PleaseFix that let an attacker silently hijack the agent inside an authenticated session and reach local files.
And then the ceiling fell in on the framework layer. On May 7, 2026, Microsoft published research showing that prompt injection in its own Semantic Kernel could become host-level remote code execution. Two CVEs came out of it: CVE-2026-25592 in the .NET SDK, rated CVSS 10.0, where an internal DownloadFileAsync helper got accidentally tagged as a callable [KernelFunction] and let an injected agent escape its sandbox — and CVE-2026-26030 in the Python SDK, CVSS 9.8, where attacker-controlled fields in the in-memory vector store flowed straight into a Python eval().
A single crafted prompt could launch calc.exe on the host. Patches shipped in Semantic Kernel 1.39.4 (Python) and 1.71.0 (.NET), so if you’re running either, go check your version before you read another paragraph.
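The two Semantic Kernel bug classes above are ordinary code-review findings once you see the shape, so here is each one beside a hardened form. This is an added illustration in Python, not Semantic Kernel's own code or Microsoft's fix: the filter evaluator, the `FileSkill` class and its `fetch_to_disk` method, and the `AGENT_TOOLS` allowlist are hypothetical stand-ins for "attacker-controlled text reaches `eval()`" and "an internal helper gets registered as an agent-callable tool". The PyPI distribution name `semantic-kernel` used by the version check is an assumption.

```python
import ast
import operator
import re
from importlib import metadata
from typing import Any, Callable, Dict, List, Optional

# ---- (a) attacker-controlled text reaching eval() --------------------------

def filter_unsafe(records: List[Dict[str, Any]], expr: str) -> List[Dict[str, Any]]:
    """Vulnerable shape: a filter string taken from stored data or a request is
    handed to eval(). Builtins are reachable, so any call in the string runs."""
    return [r for r in records if eval(expr, {}, dict(r))]

# The only syntax the hardened evaluator accepts: comparisons between field
# names and literals, joined by and/or. Everything else is rejected.
_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Gt: operator.gt,
        ast.GtE: operator.ge, ast.Lt: operator.lt, ast.LtE: operator.le}

def _walk(node: ast.AST, fields: Dict[str, Any]) -> Any:
    if isinstance(node, ast.Expression):
        return _walk(node.body, fields)
    if isinstance(node, ast.BoolOp):
        vals = [_walk(v, fields) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        op = _OPS.get(type(node.ops[0]))
        if op is None:
            raise ValueError("comparison operator not allowed")
        return op(_walk(node.left, fields), _walk(node.comparators[0], fields))
    if isinstance(node, ast.Name):
        return fields.get(node.id)            # bare names are field lookups only
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float, bool)):
        return node.value
    raise ValueError(f"disallowed syntax: {type(node).__name__}")

def filter_safe(records: List[Dict[str, Any]], expr: str) -> List[Dict[str, Any]]:
    """Hardened: parse to an AST and walk an allowlist. Calls, attribute access,
    subscripts, lambdas etc. are refused before any code executes."""
    tree = ast.parse(expr, mode="eval")
    return [r for r in records if _walk(tree, r)]

def is_rejected(expr: str) -> bool:
    """True if the allowlist evaluator refuses the expression outright."""
    try:
        filter_safe([{}], expr)
    except (ValueError, SyntaxError):
        return True
    return False

# ---- (b) exposing every public method as an agent tool ----------------------

class FileSkill:
    """Hypothetical skill: one method meant for the agent, one internal helper."""
    def read_text(self, path: str) -> str:
        return f"<contents of {path}>"
    def fetch_to_disk(self, url: str, dest: str) -> str:   # never meant for the agent
        return f"<would download {url} to {dest}>"

def expose_everything(obj: Any) -> Dict[str, Callable[..., Any]]:
    """Vulnerable shape: reflect over the object and register each public method."""
    return {n: getattr(obj, n) for n in dir(obj)
            if not n.startswith("_") and callable(getattr(obj, n))}

AGENT_TOOLS = {"read_text"}   # explicit opt-in list of what the agent may call

def expose_allowlisted(obj: Any) -> Dict[str, Callable[..., Any]]:
    """Hardened: only names on the allowlist become callable from the agent."""
    return {n: getattr(obj, n) for n in AGENT_TOOLS if callable(getattr(obj, n, None))}

# ---- patch check ------------------------------------------------------------

FIXED_PYTHON_SDK = "1.39.4"   # fixed version quoted in the advisory above

def _ver(v: str) -> tuple:
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def is_patched(installed: str, fixed: str = FIXED_PYTHON_SDK) -> bool:
    return _ver(installed) >= _ver(fixed)

def installed_semantic_kernel() -> Optional[str]:
    """Version of the installed Python SDK, or None if absent (distribution
    name 'semantic-kernel' is assumed)."""
    try:
        return metadata.version("semantic-kernel")
    except metadata.PackageNotFoundError:
        return None
```

The point of (a) is that the hardened evaluator never asks "is this string malicious?"; it only asks "is this one of the few node types I agreed to interpret?", which is the same allowlist posture (b) applies to tool registration. Calling `is_patched(installed_semantic_kernel() or "0")` gives a quick yes/no for the Python SDK; the .NET fix level of 1.71.0 has to be checked in the project's package references.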
The thread connecting all of these is the same structural problem.
The lethal trifecta, and why your existing stack can’t see it
Simon Willison’s framing has stuck because it’s correct: an agent becomes dangerous the moment it combines three things — access to private data, exposure to untrusted content, and the ability to communicate outward. An agentic browser has all three by definition. It reads your authenticated Gmail (private data), it renders whatever webpage or Reddit comment you point it at (untrusted content), and it can navigate, fill forms, and call APIs (outbound). There’s no configuration that removes one leg without gutting the product.
Here’s the part that trips up security teams. Your SSO doesn’t help, because the agent is acting inside a legitimately authenticated session — the identity provider already said yes. Your vendor’s SOC 2 report doesn’t help, because the vulnerability isn’t in their infrastructure, it’s in the decision the agent makes when it reads a malicious page. And your network DLP mostly doesn’t help, because by the time data leaves, it’s encoded, it’s flowing over the same HTTPS the agent always uses, and the “decision” to exfiltrate happened in a place your proxy can’t inspect — inside the browser’s reasoning.
That last gap is the whole pitch for this category. The defenders argue you have to enforce at the point of use, which in practice means in the browser itself or in a runtime that sits between the agent and its tools. I think they’re mostly right, with caveats I’ll get to.
The plot twist: almost nobody here is independent anymore
Before comparing products, you need to know who owns them, because in this market that determines what you’re actually buying.
- Prompt Security was acquired by SentinelOne, closed September 5, 2025, for roughly $133.6 million in cash and stock.
- Aim Security was acquired by Cato Networks — Cato’s first-ever acquisition — announced September 2025 at a reported ~$350 million, folding into the Cato SASE Cloud platform.
- LayerX agreed to be acquired by Akamai in May 2026 for about $205 million, slotting into Akamai’s Zero Trust portfolio.
- Nightfall AI is, as of this writing, still independent and shipping its own AI Browser Security product (announced January 2026).
So three of the four “best of breed” names on every listicle are now features of a bigger platform. That’s not a knock — consolidation usually means the capability is real enough that a platform vendor paid up for it. But it reframes the decision. You’re rarely choosing a point product; you’re choosing which platform’s gravity well to fall into.
Platform by platform
LayerX (now Akamai)
LayerX is the one that built its identity around agentic browsers specifically, and it’s the source of the CometJacking research, so they’ve earned some credibility on the threat. The architecture is a lightweight browser extension — agentless — that does agentic identity detection, meaning it tries to distinguish an AI agent’s actions from a human’s in real time, plus AI sidebar governance, prompt-injection blocking, and shadow-SaaS visibility.
The extension model is the strength and the weakness. Strength: it sits exactly where the agent acts, so it can see things a network proxy can’t, and there’s nothing to route. Weakness: extensions can be uninstalled, don’t cover everything, and you’re now betting on Akamai’s roadmap to keep the standalone product sharp post-acquisition. If you’re already an Akamai shop leaning into Zero Trust, this is the natural pick. If you’re not, you’re buying into a platform relationship, not just an extension.
Nightfall AI
Nightfall comes at this from data-loss prevention, which is a genuinely different posture. Instead of trying to referee the agent’s decisions, it focuses on the data itself — detecting and redacting PII, API keys, and card numbers before they get pasted into a prompt or pulled into a third-party extension, across browser, endpoint, and SaaS. The bet is that you can’t reliably stop a clever agent from being tricked, so you make sure the sensitive payload never reaches a place where the trick matters.
I like this framing for one specific reason: it degrades gracefully. Prompt-injection blocking is an adversarial cat-and-mouse where a good enough attacker wins eventually. Data redaction is a more stubborn control — if the secret was already scrubbed, the injection has nothing to steal. The trade-off is that DLP-first tools are weaker at the behavioral side: an agent talked into taking a harmful action that isn’t about exfiltrating a regex-matchable secret. And Nightfall being independent cuts both ways — more focus, but no SASE or EDR platform underneath it.
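To make both points concrete, the "encoded data slips past the proxy" gap above and the redact-before-it-matters control Nightfall bets on, here is a small Python detector that looks for secrets in a prompt and in outbound URL query parameters, and also base64-decodes parameter values that look encoded before scanning them. This is an added example, not LayerX's, Nightfall's or any vendor's code; the detector patterns, the `collector.invalid` hostname and the sample data in the usage are constructed for illustration.

```python
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed detector set. The card pattern is validated with Luhn so random
# digit runs (phone numbers, ids) do not trip it.
PATTERNS = {
    "email":   re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card":    re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "aws_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def luhn_ok(digits: str) -> bool:
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:                 # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_secrets(text: str) -> List[Tuple[str, str]]:
    """(kind, value) for each detector hit in the text."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            val = m.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", val)):
                continue
            hits.append((kind, val))
    return hits

_B64ISH = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

def try_decode(value: str) -> Optional[str]:
    """Decode value if it looks like base64 and yields readable text, else None.
    parse_qsl has already turned a literal '+' into a space, so put it back."""
    value = value.replace(" ", "+")
    if not _B64ISH.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    decoder = base64.urlsafe_b64decode if ("-" in value or "_" in value) else base64.b64decode
    try:
        text = decoder(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def scan_url(url: str) -> List[Tuple[str, str, str, str]]:
    """(param, 'raw'|'base64', kind, value) for every secret in the query string,
    checking both the literal value and its base64 decoding."""
    findings = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for how, text in (("raw", value), ("base64", try_decode(value))):
            if text:
                findings.extend((key, how, kind, val) for kind, val in find_secrets(text))
    return findings

def redact(text: str) -> str:
    """Replace each detected secret with a typed placeholder before the text
    reaches a prompt, a sidebar, or a third-party extension."""
    for kind, val in find_secrets(text):
        text = text.replace(val, f"[REDACTED {kind.upper()}]")
    return text

if __name__ == "__main__":
    # Constructed sample: the same address, once in clear and once base64-encoded
    # ("YWxpY2VAZXhhbXBsZS5jb20=" is base64 of "alice@example.com").
    print(scan_url("https://collector.invalid/log?to=bob@example.com"))
    print(scan_url("https://collector.invalid/log?q=YWxpY2VAZXhhbXBsZS5jb20="))
    print(redact("mail bob@example.com card 4111 1111 1111 1111"))
```

A regex-only DLP rule sees nothing in the second URL because the address never appears in clear; the decode step is what makes it visible. It is also the cheapest of the "exfiltration test cases" to write down before a vendor demo: the same payload in clear, base64, URL-safe base64 and padding-stripped base64, each of which the tool must flag. Detection of this kind is still a blacklist of encodings, which is why redaction on the way in is the control that holds up when the encoding list runs out.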
Prompt Security (now SentinelOne)
Prompt Security was built for the full generative-and-agentic AI surface, not just browsers — securing employee use of public AI apps, protecting homegrown AI apps, and watching the agent development lifecycle. Inside SentinelOne, the logic is obvious: tie AI-usage telemetry to the endpoint and XDR data SentinelOne already collects, so an agent doing something weird correlates with what the host is doing. If your SOC already lives in SentinelOne, this is the path of least resistance and probably the best correlation story of the bunch.
The caution is the same as any acquired startup — the standalone product’s roadmap now serves a platform strategy. You evaluate it as “SentinelOne’s AI security module,” not as the scrappy independent it was a year ago.
Aim Security (now Cato Networks)
Aim covers three use cases — securing employee use of public AI, securing private AI apps and agents, and securing the agentic development lifecycle — and the team has real research pedigree (they found EchoLeak, CVE-2025-32711, the first zero-click vuln in Microsoft 365 Copilot). Inside Cato, it becomes part of the SASE Cloud, so enforcement happens in the network fabric Cato already runs for you rather than as a separate extension.
This is the right answer if you’ve standardized on SASE and want AI controls to live in the same place as the rest of your edge policy. The flip side is the architectural debate above: a network-layer control sees traffic, but the agent’s decision to exfiltrate happens before traffic leaves, and obfuscated payloads are exactly what slips past network inspection. Cato would argue their content-awareness handles that; I’d want to test it against base64-and-worse encoding before believing it.
Microsoft’s own guardrails
Worth a mention because a lot of you live in Copilot and the Microsoft agent stack. Microsoft does ship guardrails, and the Semantic Kernel research shows they’re taking framework-level RCE seriously. But the Semantic Kernel CVEs also show the limit: the vendor building the framework still shipped an eval() and a mis-tagged kernel function. First-party guardrails are necessary and not sufficient. Don’t treat “we’re all Microsoft” as a security strategy on its own.
How to actually choose
Skip the feature-matrix theater. The decision mostly collapses to three questions.
Where do you want enforcement to live? Browser extension (LayerX), data layer across browser/endpoint/SaaS (Nightfall), endpoint/XDR (Prompt Security via SentinelOne), or network/SASE (Aim via Cato). Match this to where your team already has muscle. A SASE shop fighting to deploy browser extensions on every device will lose; an endpoint-heavy org trying to re-architect around a proxy will lose differently.
What does “blocks prompt injection” mean in their demo? Push on this hard. Ask them to run CometJacking-style URL-parameter injection with base64-encoded exfiltration, and the Reddit-comment-style indirect injection, against Atlas and Comet specifically — not a generic prompt-injection slide. If the answer is “we redact the sensitive data so there’s nothing to steal,” that’s a real answer. If it’s “our classifier catches malicious prompts,” ask for the false-negative rate, because that classifier is the thing attackers will spend their time defeating.
Are you buying a product or a platform? With three of four vendors acquired, this is mostly already decided by who you’re standing next to. That’s fine — just be honest that you’re choosing Akamai, SentinelOne, or Cato as much as you’re choosing the AI feature.
A 30-day starting move
You don’t need a year-long bake-off to stop bleeding. Four moves for the first month:
- Inventory which agentic browsers and AI extensions are actually installed. Shadow AI is usually worse than you think.
- Patch any Semantic Kernel deployments to 1.39.4 / 1.71.0 today.
- Pick one enforcement layer that matches your existing stack and pilot it on the highest-risk group — finance, legal, anyone with broad Workspace access.
- Before you buy anything, write down exactly which exfiltration test cases a tool must pass.
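The first of those moves, the inventory, does not need a product to get started. The following is an added Python example, not any vendor's tooling: it walks a Chromium-style profile's `Extensions/<id>/<version>/manifest.json` tree (that layout is Chromium's; the directory you point it at is up to you), lists each extension's name, version and host permissions, and flags the ones that both look AI-related by name and can read every site. The name keywords, the broad-host list and the `make_sample_profile` fixture with its two constructed manifests are this example's assumptions.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Name heuristic (assumption): word-bounded keywords, plus "gpt" anywhere because
# it turns up inside names like ChatGPT.
_AI_NAME = re.compile(r"\b(ai|copilot|assistant|agent|comet|atlas)\b|gpt", re.I)
# Host patterns that amount to "every site".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def inventory(extensions_root) -> List[Dict]:
    """One row per installed extension found under extensions_root."""
    rows = []
    for manifest in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                                   # unreadable or not JSON
        name = str(data.get("name", ""))               # may be an "__MSG_...__" i18n key
        hosts = set(data.get("host_permissions", []))  # manifest v3
        hosts |= {p for p in data.get("permissions", [])
                  if isinstance(p, str) and ("://" in p or p == "<all_urls>")}  # manifest v2
        rows.append({
            "id": manifest.parent.parent.name,
            "name": name,
            "version": str(data.get("version", manifest.parent.name)),
            "hosts": sorted(hosts),
            "broad_host_access": bool(hosts & BROAD_HOSTS),
            "ai_related": bool(_AI_NAME.search(name)),
        })
    return rows

def high_risk(rows: List[Dict]) -> List[Dict]:
    """Extensions that both look AI-related and can read/modify every site,
    i.e. the lethal-trifecta candidates worth looking at first."""
    return [r for r in rows if r["ai_related"] and r["broad_host_access"]]

def make_sample_profile() -> str:
    """Write two constructed manifests into a temp dir shaped like a profile's
    Extensions directory so the inventory can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="ext-inventory-"))
    samples = {
        "aaaaconstructedidaaaaaaaaaaaaaaa": {
            "name": "Comet Sidebar Assistant", "version": "2.1.0",
            "manifest_version": 3, "host_permissions": ["<all_urls>"]},
        "bbbbconstructedidbbbbbbbbbbbbbbb": {
            "name": "Tab Notes", "version": "0.9.1",
            "manifest_version": 3, "host_permissions": ["https://notes.example/*"]},
    }
    for ext_id, data in samples.items():
        d = root / ext_id / (data["version"] + "_0")   # Chromium appends "_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(data), encoding="utf-8")
    return str(root)

if __name__ == "__main__":
    for row in inventory(make_sample_profile()):
        flag = "HIGH" if row in high_risk([row]) else "    "
        print(flag, row["id"], row["name"], row["version"], row["hosts"])
```

On a Linux workstation the real argument is the profile's extension directory, for example `~/.config/google-chrome/Default/Extensions`; other Chromium-based browsers use the same layout under their own profile paths, and each additional profile has its own `Extensions` folder. Run it across the fleet from whatever endpoint management you already have, and the "shadow AI" count is the length of `high_risk()` plus whatever the name heuristic missed, which is why the full row list, not just the flagged one, is what you keep.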
Gartner’s been throwing around the figure that 40% of enterprise apps will integrate task agents by the end of 2026. Whether or not that number lands, the attack surface is arriving faster than the controls.
One thing to sit with: every product here is trying to referee a system whose entire value proposition is that it reads untrusted content and acts on your behalf. That tension doesn’t resolve with a better classifier. So the most useful question to bring into a vendor call isn’t “do you block prompt injection” — it’s “what happens the day you don’t?” The honest vendors have an answer for that. Try to find one.