Agentic Browsers
A Dream and a Nightmare, All-in-one!
“Agentic” is all the rage. Every vendor is building some form of “agentic” … something. And investors are clamoring for it. If you’re a CEO of a vendor company offering an agentic [insert tool/platform/widget], you’re almost guaranteed funding. If you’re not advertising “agentic” and you’re seeking funding, you probably have a lot of questions to answer.
This isn’t to say agentic is all hype; there are some legitimate applications of agentic security tools, some of which actually do what marketing teams say they do. The problem? A lot of marketing teams over-hype the reality. Speaking from experience, I promise you this isn’t all marketing teams’ fault. CEOs and heads of product are almost insistent that “agentic” is splattered all over every piece of collateral. For marketers who are less technical, this is not a problem: “Insert SEO phraseology; get credit.” For marketers, especially product marketers who may know better, a moral dilemma arises: Be honest or be unemployed.
But, enough of my rant.
As I said, there are legit agentic products/platforms on the market, and there are certainly a ton of plausible use cases.
Today, I read Wiz’s “Agentic Browser Security: 2025 Year-End Review” and had thoughts. My non-security brain was spinning one way. My security brain was going in the complete opposite direction. Because I haven’t posted in a while, and because I have some time this AM, I decided to share with you, dear reader (if you’ve even made it this far).
The Promise of the Agentic Browser
Agentic browsers promise something deceptively simple: fewer clicks, less friction, and a browser that doesn’t just display the internet, but acts on it on behalf of the user. Want to book a flight? It will fill out the form. Need to pay an invoice? It will seamlessly handle the workflow.
For unassuming end users, this feels like convenience and efficiency all rolled into one neat and tidy package. For security teams, it’s something else entirely.
Agentic browsers present a fundamental change in how web actions are initiated, authorized, and executed. They collapse long-standing assumptions about user intent, browser trust, and application boundaries while introducing an attack surface that most security teams are not equipped to manage quite yet.
The Dream: Invisible Automation for Everyday Work
From a user perspective, agentic browsers are compelling because they remove the complexity and the tedium from everyday tasks.
Rather than manually navigating SaaS interfaces, users describe outcomes. The browser agent translates the user’s intent into action—logging into systems, moving data between tools, and completing tasks autonomously. For non-technical users, this is the good stuff—fulfilling the promise of AI when it’s at its best, making life easier and more efficient.
Think back to the days of pre-consumer tech:
Remember having to look up a restaurant’s phone number in the Yellow Pages, then rummage through your junk drawer to find the paper takeout menu, then call the restaurant, wait on hold, start to place your order, only to learn they’re out of your favorite dish and start from scratch? Yeah, what a pain in the ass.
Or, <GASP!>, having to call a cab company, place a reservation verbally, then sweat while waiting to see if the taxi driver is going to show up or if you’re going to miss your flight?
No one misses those things, and once-newfangled technology eliminated those issues. Agentic browsers are similar for end users; they can now leverage AI practically and don’t need to understand how it works.
Why? Most actions executed by the browser are, or look, legitimate:
The agent uses a real browser session
It operates with valid credentials
It interacts with applications exactly as a human would
From a productivity standpoint, this is the holy grail—fewer repetitive tasks and faster execution of rote actions.
From a security standpoint, though, this is where the trouble begins.
The Nightmare: Autonomy Changes the Threat Model
Traditional browser security models assume there is a human in the loop. Clicking a link is intent. Typing in text is intent. Submitting a form is intent.
Agentic browsers break that assumption.
As Wiz’s review of agentic browser security shows, agents can be manipulated into taking malicious actions without explicit user interaction. The manipulation relies on tried-and-true threat actor techniques like indirect prompt injection, task poisoning, and malicious content embedded in otherwise benign webpages.
In other words, the browser can act autonomously to exploit ... itself and the user.
Unlike a traditional exploit, you won’t find memory corruption, inserted malware, or a suspicious binary. Looking into the event, what you’d see is an agent following the instructions it was given—and doing so with full, authorized(!!), access to the user’s session, data, and permissions.
This is not a traditional endpoint problem. It’s a logic problem.
Prompt Injection Is Not “An AI Problem”—It’s an AppSec One
One of the most dangerous misconceptions about agentic browser risk is the idea that prompt injection is a niche or theoretical issue.
In its summary, Wiz documents multiple real-world attack classes discovered in 2025, including:
Indirect prompt injection, where instructions are hidden in webpages, images, or metadata
Task injection, where malicious actions are disguised as legitimate workflow steps
Persistent memory attacks, where agents retain poisoned instructions across sessions
Zero-interaction data exfiltration, requiring no explicit trigger from the user
These attacks resemble classic AppSec failures more than AI mishaps. They echo XSS, CSRF, and injection flaws—except the vulnerable component is no longer just the application, but the decision-making layer sitting on top of it.
Better training for the model doesn’t solve the problem. UI confirmations or on-screen warnings don’t either.
This is a systemic issue.
Security Teams In the Crosshairs
For enterprise security teams, agentic browsers introduce an uncomfortable (but familiar) problem.
Security teams are responsible for:
Browser risk
Identity and session integrity
SaaS access
Data movement
Application behavior
Agentic browsers touch all of these at once—while fitting cleanly into none of the existing ownership models.
Business leaders want:
Efficiency
Usability
Increased employee productivity
On the surface, enterprise browsers offer all this. When marketed correctly (or, one could argue, incorrectly), agentic browsers look like productivity tools, and thus the business champions their use. These browsers behave like automation, only without automation controls; they act like users, only without human intent.
Wise security teams will (at least for now) push back against deploying agentic browsers. But we all know how well pushing back worked in the early days of cloud or mobile (or myriad other “consumer-focused” technologies).
However, even if the security team is currently effective at blocking agentic browsers, shadow use is undoubtedly occurring. And indeed, blocking an emerging technology doesn’t address the reality that the agentic model is not going away. Not as long as it continues to be the biggest buzzword on the planet.
Human-in-the-Loop Is Not a Safety Net
As you may have heard me rant on many occasions on Enterprise Security Weekly, AI in many of its current forms is not ready for autonomy. Enterprises still need a human in the loop to ensure the technology is doing what it’s supposed to do, that it’s not hallucinating, that bad data isn’t poisoning the well.
Vendors, even while they (over)advertise the use of AI in their products, are aware of their buyer personas and attempt to ward off fear, uncertainty, and doubt. They may point to their tool’s requirement for human confirmation of an action as the solution: make the user manually hit “confirm” before sending data, before paying money, before changing records.
But as Wiz’s research makes clear, confirmations happen only after reasoning has already been influenced. If the agent’s understanding of the task is compromised, confirmation is a rubber stamp—not a safeguard.
Human-in-the-loop is a control, not a strategy. Enterprises should be wary of solutions that rely on UX friction instead of architectural constraints. We’ve all seen how well that’s worked for multi-factor authentication.
The Risk: Unbounded Authority at Runtime
At its core, the agentic browser problem is about authority. Browser agents are designed to operate with:
Broad session access
Long-lived credentials
Visibility into sensitive workflows
The ability to execute multi-step actions autonomously
An alert can’t be triggered. No kill switch exists for this (yet??). Once an agentic browser is compromised, the blast radius is immediate and difficult to observe. Security teams might not be able to search through logs to identify what went wrong and when. They’ll simply see actions taken—correctly, programmatically, and with permission.
For security teams, this is the worst-case scenario: high impact, low visibility, and limited control.
Security Teams Must Embrace Reality
Agentic browsers are not inherently bad (and I say this from the user side of my brain). They offer a way to eliminate a certain amount of busywork. A certain amount of tedium. They are powerful productivity tools, offering automated workflows that non-technical users generally lack but dream of.
However, the power they possess introduces a significant security liability. The nightmare side to the user’s dream state.
If you’re an enterprise security practitioner, agentic browser usage is likely coming to a network near you! As such, it’s smart to both recognize and evangelize that:
These tools function as runtime actors, not passive clients
Prompt injection must be treated like a first-class vulnerability category
Isolation, least privilege, and blast-radius reduction matter more than detection
AppSec, identity, and browser security can no longer operate in silos
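One way to picture the "architectural constraints" called for in the human-in-the-loop section, and the least-privilege item in the list above, is a deny-by-default gate that sits between the agent's proposed actions and the browser. This is an added example, not code from the original post or from Wiz's review; `makeScope`, `authorize`, the action shape and the `.example` hosts are hypothetical.

```javascript
// Added example; makeScope, authorize and the action shape are hypothetical names.
// Scope is built from the user's request before the agent reads any page
// content, so nothing a page says can widen it.
function makeScope({ origins, actions, maxSpend = 0 }) {
  return Object.freeze({
    origins: new Set(origins.map((o) => new URL(o).origin)),
    actions: new Set(actions),
    maxSpend,
  });
}

// Deny by default: an action runs only if its type AND exact target origin
// are in scope. Exact origin matching rejects lookalike hosts.
function authorize(scope, action) {
  let origin;
  try {
    origin = new URL(action.url).origin;
  } catch {
    return { allow: false, reason: "unparseable target URL" };
  }
  if (!scope.actions.has(action.type)) {
    return { allow: false, reason: `action '${action.type}' not in task scope` };
  }
  if (!scope.origins.has(origin)) {
    return { allow: false, reason: `origin ${origin} not in task scope` };
  }
  if (action.type === "pay") {
    const ok = typeof action.amount === "number" && action.amount >= 0 && action.amount <= scope.maxSpend;
    if (!ok) return { allow: false, reason: "payment missing or over task spending cap" };
  }
  return { allow: true, reason: "in scope" };
}

// Constructed sample: the user asked for a flight search on one site only.
const scope = makeScope({
  origins: ["https://flights.example"],
  actions: ["navigate", "fill", "click"],
});

// Constructed sample: actions an agent proposes after reading a poisoned page.
// The gate never reads page text; it sees only the proposed actions.
const proposed = [
  { type: "fill", url: "https://flights.example/search" },
  { type: "navigate", url: "https://flights.example.attacker.example/collect" },
  { type: "pay", url: "https://flights.example/checkout", amount: 900 },
];

const decisions = proposed.map((a) => ({ ...a, ...authorize(scope, a) }));
for (const d of decisions) console.log(d.allow ? "ALLOW" : "DENY", d.type, d.url, d.reason);
```

The denied entries double as the audit trail: each records what the agent tried to do and which part of the scope refused it, independent of whatever the user clicked "confirm" on.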
Because the business side of the house has caught, or may soon catch, wind of the promised “productivity upside,” expect to have conversations with non-technical users very soon. You should be ready to explain the risks, but do so in a pragmatic way. Remember: Fear, uncertainty, and doubt work best when you want to scare people into doing what you want them to do. Education and understanding are ALWAYS better solutions (especially because you don’t want to be a dishonest authoritarian security regime) and make the enterprise more secure.
For security operators, agentic browsers are a new execution layer—one that demands the same rigor, governance, and restraint we expect everywhere else in the modern application stack. It’s one more challenge to tackle. Not that we need another challenge, but thank your gung-ho AI friends for that.
The agentic browser issue will lead to a fresh batch of security companies—complete with cute names and catchy slogans—but only a few vendors will stand the test of time.
Until the wheat is separated from the chaff, do your due diligence and implement the same foundational blocking and tackling you know will offer the layered defenses against compromise.





