Perplexity Agent Security Risks

General Assistant Agents perplexity.ai Exposed Giants
AI RISK QUADRANT POSITION DEFENSE CONTROLS (4) ATTACK SURFACE (6.68) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
4.82
High
Attack Surface
6.68
High
Blast Radius
6.38
High
Defense Controls
4
High
About The Agent

Perplexity is a cloud-hosted AI search and research assistant that ingests real-time web content, executes browser automation via its Comet agentic browser, and accesses local files through its Personal Computer desktop agent. The default configuration delivers web chat with persistent Spaces, cross-session memory, and model-agnostic reasoning. The primary risk surface is the convergence of untrusted external content ingestion with authenticated browser session access and unrestricted outbound network capabilities.

About the AI Risk Quadrant

Exposed Giants describes agents with above-median attack surface exposure but bounded blast radius, typically lacking infrastructure deployment capabilities. Perplexity scores 6.68 on Attack Surface (driven by demonstrated zero-click exploits), 6.38 on Blast Radius (bounded by absence of deploy access), and 4 on Defense Controls (minimal vendor safeguards). Operators should prioritize restricting outbound egress from agentic features before expanding connector access.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Perplexity presents a trifecta-complete risk shape where untrusted web content, authenticated session access, and unrestricted outbound egress converge on the default configuration.

Key Input Risks
Every search query ingests untrusted web content into the reasoning context, and the Comet agentic browser processes arbitrary page content from attacker-controlled sources including calendar invites. Independent red-teaming of the BrowseSafe prompt injection detector demonstrated a 36% bypass rate using standard encoding techniques against the deployed model.
Key Execution Risks
The Comet browser executes multi-step navigation and form-filling within authenticated sessions, and the Sandbox API runs Python, JavaScript, and SQL in K8s pods with egress proxy routing. The browser execution boundary was publicly red-teamed by Zenity Labs, who demonstrated file traversal bypassing the intended isolation tier.
Key Action Risks
Once a user initiates a Comet browser task or Personal Computer workflow, the agent executes multi-step actions without per-action approval gates for individual navigation steps, file reads, or connector invocations. The highest-blast-radius scope is authenticated browser sessions with access to email, banking applications, and local file system read.
Key Output Risks
The agent emits text responses with citations, generates shared chat URLs, and navigates to arbitrary endpoints via the Comet browser without documented DLP, credential redaction, or URL sanitization for agentic features. The PleaseFix exploit demonstrated silent data exfiltration to attacker-controlled endpoints via ordinary browser navigation.
Key Monitoring Risks
SOC 2 Type II audit and AWS IAM with JIT access provide infrastructure-level logging, but no per-session anomaly detection or SIEM forwarding is documented for end-user agent actions. Individual tool invocations and browser navigation steps within an agentic session are the blind spot for operators relying on default telemetry.

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Perplexity scores 3.46 on the composite AIRQ metric, reflecting moderate residual risk where broad attack surface is partially offset by limited blast radius.

AIRQ Metrics

Perplexity lands in the Exposed Giants quadrant with Attack Surface 6.68, Blast Radius 6.38, and Defense Controls 4, placing it above the attack threshold but below the blast threshold.

Attack Surface and Blast Radius are scored out of 10, Defense Controls out of 15, and the AIRQ composite out of 15.

Metric Score Comments
AIRQ Score 4.82 Moderate residual risk after defense offset; hardening is achievable but the demonstrated exploit history warrants immediate attention.
Blast Radius 6.38 / 10 Broad compromise reach through file system, network, and credential access, constrained only by absence of deployment capabilities.
Attack Surface 6.68 / 10 Above-median exposure driven by trifecta-complete posture and demonstrated zero-click exploits on three surfaces.
Defense Controls 4 / 15 Minimal vendor-provided defenses with BrowseSafe and Sandbox API as the only documented safeguards on the default configuration.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Perplexity's reasoning loop ingests untrusted web content on every query and operates within authenticated browser sessions that hold credential manager access.

Attack Surface Metrics

Surfaces scoring 5.0 have demonstrated zero-click exploits or high-severity CVEs; surfaces at 3.0 have documented architectural exposure confirmed by vendor research.

Each row maps a distinct attack surface to its adjusted score and a one-sentence rationale citing the evidence anchor.

Surface Score Comments
User Input 4 / 4 BrowseSafe ML detection deployed for Comet browser input but independently shown to have 36% bypass rate with encoding attacks. [5][6]
External Data 5 / 4 Real-time web search results and Comet browser content demonstrated exploitable via zero-click calendar invite injection. [3][14]
Memory 3 / 4 Persistent Spaces with cross-session memory and automated writes without documented integrity verification gates. [12]
Reasoning 3 / 4 Model-agnostic multi-step reasoning across interchangeable LLM backends with partial transparency in Pro Search mode. [5]
Planning 2 / 4 Deep Research performs autonomous multi-step planning within user-supervised sessions with documented policy enforcement. [7]
Tool Execution 5 / 4 Comet browser demonstrated vulnerable to file traversal enabling local file theft and credential exfiltration in authenticated sessions. [4]
Orchestration 2 / 4 Pro Search chains iterative searches and Personal Computer coordinates actions across local apps without subagent spawning. [11]
Inter-Agent 1 / 4 No inter-agent communication protocol or MCP server exposure documented; Sonar API is a standalone endpoint. [10]
Output Processing 5 / 4 CVE-2025-50708 demonstrated sensitive information disclosure via shared chat URL token; no DLP for agentic features. [1][2]
Configuration 1 / 4 Configuration through validated settings UI and Spaces custom instructions; no auto-loaded config from untrusted sources. [12]

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Perplexity ingests untrusted web content on every query, reaches authenticated sessions and local files, and uses unrestricted outbound network for its core search function.

Lethal Trifecta · Complete (3 of 3)

Perplexity exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Real-time web search results and Comet browser page content inject attacker-controlled bytes into the reasoning context. [3]
  • Sensitive data — Personal Computer accesses local files, 400+ connectors, and authenticated browser sessions including credential managers. [4]
  • External egress — Core web search performs unrestricted outbound HTTP and Comet browser navigates to arbitrary URLs enabling data exfiltration. [8]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Perplexity session reaches local files, authenticated web sessions, and unrestricted outbound network, bounded only by absence of infrastructure deploy access.

Blast Radius Metrics

Higher blast scores indicate broader damage scope if the agent is compromised; scores of 3 indicate user-level access with demonstrated capability.

Each row ties a blast radius factor to the workflow node, OAuth scope, or sandbox boundary that enables it.

Factor Score Comments
Code execution 3 / 4 Sandbox API provides K8s pod isolation for Python/JS/SQL execution; Comet browser additionally runs JavaScript in authenticated contexts. [11]
File system access 3 / 4 Personal Computer accesses local files and Zenity demonstrated full file system read via Comet browser file traversal. [8]
Network access 3 / 4 Unrestricted outbound from browser and Personal Computer; Cloudflare documented millions of daily outbound requests via user-agent spoofing. [13]
Credential access 3 / 4 Authenticated browser sessions expose OAuth tokens, cookies, and credential manager access; 1Password theft demonstrated. [3]
Autonomous action 2 / 4 Multi-step execution after user initiation without per-action approval gates but no scheduled background automation documented. [9]
Deployment access 1 / 4 No documented capability to modify infrastructure, deploy code, or publish artifacts to production environments. [10]

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Perplexity publishes BrowseSafe detection and Sandbox API isolation but lacks documented output filtering and per-session monitoring for agentic features.

Defense Controls Metrics

Higher defense scores indicate stronger vendor-provided safeguards; most components score 1 indicating basic coverage with known limitations.

Each component is scored by vendor-implemented coverage on the default configuration with confidence reflecting independent verification.

Component Score Comments
Input Guardrails 1 / 3 BrowseSafe ML detection for Comet browser input independently tested with 36% bypass rate; standard chat lacks documented shield. [6]
Execution Isolation 1 / 3 K8s pod sandbox for code execution with egress proxy; Comet file path blocking added after PleaseFix disclosure. [11]
Action Controls 1 / 3 No YOLO mode but also no per-action approval gate for browser navigation or Personal Computer actions beyond initial enablement. [9]
Output Guardrails 0 / 3 Citations provide source attribution; no documented DLP, credential redaction, or exfiltration blocking for agentic features. [1]
Monitoring 1 / 3 SOC 2 Type II infrastructure audit certified; no per-session anomaly detection or SIEM forwarding for end-user agent actions. [15]

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize restricting Comet browser egress and adding per-action approval gates for sensitive workflows to reduce the combined risk exposure.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require all Comet browser tasks to be scoped to an explicit domain allowlist reviewed quarterly by the security team.
  • Configuration Configure Comet browser navigation to enforce a domain allowlist that blocks requests to unapproved origins for enterprise deployments.
  • Engineering Wire a secondary prompt injection classifier upstream of BrowseSafe to catch encoding-based bypass attempts before content reaches reasoning.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Restrict Personal Computer connector access to a minimum-privilege set reviewed per team and enforce sandbox-only execution for untrusted workloads.
  • Configuration Disable file URI scheme access globally and restrict Sandbox API egress proxy to an explicit domain allowlist per workspace.
  • Engineering Instrument Comet browser sessions with content-security-policy headers that block inline script execution and restrict fetch destinations.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Require explicit per-action operator approval for Comet browser or Personal Computer workflows accessing credential managers or financial applications.
  • Configuration Configure maximum step counts per agentic session and require re-authentication after crossing a domain boundary during browser automation.
  • Engineering Implement a step-level approval API that pauses browser automation at sensitive action boundaries and requires user confirmation.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Require DLP scanning of all shared chat URLs and agentic browser output before data leaves the Perplexity boundary.
  • Configuration Enable URL token rotation for shared chat links and disable direct link sharing for conversations containing uploaded documents.
  • Engineering Wire an output redaction classifier that strips credentials, API keys, and PII from browser-generated output before external delivery.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Forward all Comet browser navigation logs and Personal Computer connector invocations to the organization SIEM with 90-day retention.
  • Configuration Enable verbose audit logging for all Spaces file operations and memory writes with alerting on anomalous access patterns.
  • Engineering Instrument the agentic runtime with OpenTelemetry spans per tool call and navigation step feeding a per-session anomaly detector.

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2025-50708 CVSS 7.5 HIGH; sensitive information disclosure via token in shared chat URL. Patch status unknown.
  2. CVE-2025-50709 CVSS 4.3 MEDIUM; information disclosure via GET parameter. Patch status unknown.
  3. PleaseFix Zero-Click Agent Hijack Critical zero-click agent hijack in Perplexity Comet via indirect prompt injection. Patched February 2026.

Selected Research

  1. PerplexedBrowser Local File Theft End-to-end zero-click exploit chain from calendar invite to file traversal and silent data exfiltration.
  2. BrowseSafe Prompt Injection Detection Vendor open-source prompt injection detection model for browser agent contexts.
  3. Red Teaming BrowseSafe Independent red team achieved 36% bypass rate against BrowseSafe using encoding techniques.
  4. Perplexity NIST/CAISI Security Response Vendor defense architecture document covering input-level, model-level, and sandboxed mitigations.
  5. PerplexedBrowser Extended Analysis Detailed disclosure timeline including fix bypass and final remediation confirmation.

Vendor Documentation

  1. Perplexity Security Center SOC 2 Type 2 certified, AWS IAM with SSO+MFA, JIT access, quarterly access reviews.
  2. API Privacy and Security Zero data retention for Sonar API, SOC 2 Type II, HIPAA gap assessment, CAIQlite.
  3. Sandbox API for Isolated Code Execution K8s pod isolation with no direct network, egress proxy, credential separation, execution timeouts.
  4. Internal Knowledge Search and Spaces Persistent workspaces with file uploads, custom AI instructions, role-based access controls.

Other Sources

  1. Perplexity Stealth Crawling Report Cloudflare documented robots.txt evasion via user-agent spoofing and IP rotation at scale.
  2. Perplexity Comet Browser Security Coverage The Register coverage of PleaseFix disclosure timeline and fix bypass confirmation.
  3. Microsoft 365 Certification for Perplexity Confirms SOC 2, HIPAA, PCI, FedRAMP, CSA STAR; explicitly No for ISO 27001.