Agentic browsers and AI assistants that can browse the web have moved from experiment to product faster than their security models have matured. A year-end review published by Wiz in January 2026 catalogues the techniques attackers are already exploring, from indirect prompt injection to CometJacking, Tainted Memories, HashJack and Task Injection. The consistent message is that this attack surface is real, growing and largely unsolved.
For UK businesses, the issue is not abstract. Tools that browse on behalf of users are being integrated into productivity suites, customer-service platforms and research workflows. Each integration adds capability and risk in equal measure.
The attack catalogue
Wiz groups the threats into several practical categories. Indirect prompt injection remains the headline risk: malicious instructions embedded in web pages, documents or emails that the agent processes, causing it to act against the user’s interest.
CometJacking and similar browser-specific attacks target the agentic browser itself, manipulating its navigation, session state or rendering to hijack the agent’s flow. Gemini Trifecta refers to compound attacks that chain multiple weaknesses across Google’s agentic stack, showing how a flaw in one layer can be amplified by another.
Tainted Memories describes how long-context agents can retain and later act on poisoned information from earlier sessions or earlier pages in a browsing trace. HashJack involves manipulating identifiers, links or fragment URLs to redirect the agent. Task Injection is the broader class of attack where an attacker redefines the agent’s objective through embedded instructions.
What unites these techniques is that they target the model’s interpretation of instructions, not the underlying operating system or application code. They exploit the gap between what a user thinks they asked for and what the model actually executes.
Why standard security controls fall short
Traditional web security assumes a human operator who can read warnings, recognise phishing and decide whether to click. Agentic browsers remove that human from most of the loop. A model cannot easily distinguish a legitimate checkout button from a malicious one, or a real search result from an SEO-poisoned page designed to inject instructions.
Standard controls such as HTTPS, DNS filtering and endpoint protection still matter, but they do not address the reasoning layer. An agent can visit a fully legitimate site over a secure connection and still be manipulated by content on the page. The threat model has shifted from compromised infrastructure to compromised context.
What to do now
Organisations adopting agentic browsing should start with containment.
Isolate browsing agents from sensitive systems. If an agent browses the open web, it should not simultaneously have write access to email, CRM or financial systems without explicit approval steps.
Sanitise the context window. Be careful about what prior content the agent carries forward. Long context is useful, but it is also a reservoir for tainted instructions.
Log and review agent decisions. Treat an agent’s action history as an audit trail. Unusual sequences — visiting a site, reading a document, then exporting data — should be flagged.
Limit autonomous execution. The more actions an agent can take without confirmation, the greater the damage from a successful injection. Require approval for external-facing or irreversible operations.
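As an added example, not taken from the Wiz review or from any product, here is one way to implement the last two controls together: every proposed agent action goes into an audit trail, the trail is checked for the visit, read, export sequence the text calls out, and external-facing or irreversible action classes are held until a human has approved them. The action class names and the approval mechanism are assumptions made for the example.

```python
from dataclasses import dataclass, field

# External-facing or irreversible action classes that need human approval first (constructed names).
NEEDS_APPROVAL = {"export_data", "send_email", "crm_write", "payment"}

# The sequence the text calls out: visit a site, read a document, then export data.
FLAGGED_SEQUENCE = ("visit", "read_document", "export_data")


@dataclass
class Action:
    kind: str    # one of the action classes above, or a benign one such as "visit"
    target: str  # URL, file name or destination, as the agent reports it


@dataclass
class AgentSession:
    trail: list = field(default_factory=list)   # audit trail of every proposed action
    approved: set = field(default_factory=set)  # (kind, target) pairs a human approved

    def _ends_flagged_sequence(self) -> bool:
        """True if FLAGGED_SEQUENCE is an ordered subsequence of the trail ending at the latest action."""
        if not self.trail or self.trail[-1].kind != FLAGGED_SEQUENCE[-1]:
            return False
        step = 0
        for action in self.trail[:-1]:
            if step < len(FLAGGED_SEQUENCE) - 1 and action.kind == FLAGGED_SEQUENCE[step]:
                step += 1
        return step == len(FLAGGED_SEQUENCE) - 1

    def propose(self, action: Action) -> str:
        """Record the action, then return 'flagged', 'held' or 'executed'."""
        self.trail.append(action)
        if self._ends_flagged_sequence():
            return "flagged"   # blocked pending review, even if pre-approved
        if action.kind in NEEDS_APPROVAL and (action.kind, action.target) not in self.approved:
            return "held"      # waits for an explicit approval step
        return "executed"


def demo() -> list:
    """Constructed browsing trace: benign steps, an unapproved send, then the flagged pattern."""
    s = AgentSession()
    s.approved.add(("export_data", "report.csv"))  # export pre-approved by a human
    trace = [Action("visit", "https://example.com/search"),
             Action("read_document", "https://example.com/brochure.pdf"),
             Action("send_email", "ops@example.com"),
             Action("export_data", "report.csv")]
    return [(a.kind, s.propose(a)) for a in trace]
```

Note that the approved export is still flagged because of what preceded it in the trail; the sequence check and the approval gate are independent controls.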
The bottom line
Wiz’s review makes clear that agentic browser security is still in its early days. The attackers are experimenting faster than many defenders are adapting. For businesses, the right posture is cautious adoption: use these tools where the value is clear, but assume the security model is incomplete until proven otherwise.