Artificial Intelligence (AI)

The 2026 Agentic Browser Landscape: ChatGPT Atlas, Perplexity Comet, Claude for Chrome, and the Rest

The 2026 agentic browser landscape: an overview of the products that let an AI agent read pages, click, type, and complete multi-step tasks inside the browser, including ChatGPT Atlas (OpenAI's standalone Chromium browser with an agent mode), Perplexity Comet (the search-first standalone browser positioned as a front door to the agent economy), Claude for Chrome (Anthropic's side-panel extension that adds an agent to Chrome and Edge), Microsoft Edge with Copilot (multi-tab reasoning and policy-governed agentic browsing for business), and Google Chrome auto-browse powered by Gemini (agentic browsing rolling out across Chrome's roughly three billion users), described in terms of what each product is, the autonomy and platforms it offers, the indirect prompt injection security problem the whole category shares, and what the shift means for publishers and search, rather than ranked or recommended.

Agentic browsers are web browsers that can act on your behalf. Instead of only answering questions about the page you are reading, they read the page, click buttons, fill in forms, move between tabs, and carry a multi-step task to completion while you do something else. In 2026 they moved from research demos into products shipping inside the browsers most people already use. OpenAI has Atlas, Perplexity has Comet, Anthropic runs Claude inside Chrome and Edge, Microsoft has rebuilt Copilot into Edge, and Google has turned Chrome itself into an agent for paying subscribers. This piece is a map of that landscape as it stands in mid-2026.

It is written the way we write every landscape piece at Digital Matters: as a description of what each product is and who tends to choose it, not a ranking. The products are different enough that a single recommendation would be misleading. What they have in common matters more than which one wins a feature checklist, and the thing they have in common includes a security weakness that is still unsolved.

The short version is this. There is no single best agentic browser, because the products are not competing on the same axis. Atlas and Comet are standalone browsers built around a chat assistant. Claude for Chrome is an extension that adds an agent to a browser you already run. Edge and Chrome are mainstream browsers adding agent features on top of a base that billions of people use. They differ on platform support, price, how much autonomy they take, and who they are built for. They share a vulnerability called indirect prompt injection that should shape how much access you give any of them. This post walks through what an agentic browser is, each major product, the security problem, the effect on publishers and search, and the practical decisions to make today.

What an agentic browser actually is

It helps to separate two things that often get bundled together. The first is assistant browsing: a sidebar that can summarize the page, answer questions about it, compare a few open tabs, or rewrite a selection. The assistant reads, but you still do the clicking. The second is agentic browsing: you give the browser a goal, and it navigates, clicks, types, and works across pages until the task is done or it stops to ask you something. Most of the products below do both, with the agentic mode usually gated behind a paid tier or an explicit opt-in.

The useful way to think about these tools is as a dial for autonomy rather than an on or off switch. At the low end, the agent suggests and you confirm each step. In the middle, it acts but pauses before anything sensitive, such as entering a password or a payment. At the high end, it runs a whole task on its own. Where a given product sits on that dial, and whether you can move the dial yourself, is one of the most important differences between them.

There is a structural point that every section below comes back to. When you let a browser agent act, it inherits whatever you are already logged into. Your email, your calendar, your bank, your company tools, your code host: if the session is open in that browser, the agent can reach it. That is what makes agentic browsing useful, and it is also the reason the security questions are not academic. The capability and the risk are the same capability.

ChatGPT Atlas (OpenAI)

Atlas is OpenAI’s standalone browser, built on Chromium and launched in October 2025. It puts a ChatGPT sidebar next to every page, where you can ask about what you are reading, summarize, compare products across tabs, or have the assistant rewrite selected text inline (a feature OpenAI calls cursor chat). It also keeps optional browser memories, so ChatGPT can carry context from sites you have visited, subject to privacy controls you set.

The agentic part is agent mode, available to paying subscribers (ChatGPT Plus at twenty dollars a month and Pro at two hundred dollars a month, as of mid-2026), which lets ChatGPT carry out tasks on a site for you. Atlas has been macOS only since launch, with Windows, iOS, and Android described as coming later. In March 2026 OpenAI said it would fold Atlas, the ChatGPT desktop app, and its Codex coding tool into a single desktop application, which signals that OpenAI sees the browser as one surface of a broader assistant rather than a standalone bet.

Atlas is worth understanding as the most direct expression of the idea that the browser should be rebuilt around the assistant. It also came with an unusually candid security caveat. At launch, OpenAI’s own chief information security officer described prompt injection as a frontier, unsolved problem that adversaries would work hard to exploit. That is a vendor telling you to be careful with its own product, and it applies to the whole category, not just Atlas.

Perplexity Comet

Comet is Perplexity’s standalone browser, and it reflects the company’s roots in search. The assistant is built around answering and researching, with agentic actions layered on top. Comet launched on desktop in July 2025 and finished its cross-platform rollout through 2026, reaching Android in November 2025 and iOS in March 2026.

Perplexity has framed the browser as the front door to what it calls the agent economy, the idea that an agent doing your shopping, booking, and research becomes the main way you touch the web. The company has raised heavily against that thesis. It reportedly added around two hundred million dollars in early June 2026 at a valuation near twenty billion, bringing total funding to roughly 1.7 billion dollars. Treat the exact figures as point-in-time and vendor-adjacent, but the direction is clear: Comet is a well-funded attempt to make a search company into a browser company.

Comet is also, for better and worse, the product that security researchers have probed most publicly. Brave’s research team documented an exploit in which a booby-trapped web page could get Comet to take sensitive actions, including reading a user’s email. We cover that in the security section because it is not really a Comet-specific failing. It is the clearest published example of a problem the entire category has.

Claude for Chrome (Anthropic)

Anthropic took a different structural path. Rather than ship a standalone browser, it ships Claude as an extension that lives in a side panel inside Chrome and Microsoft Edge. From that panel, Claude can see the page, navigate, click, fill forms, manage tabs, and complete multi-step workflows while you work on something else. It began as a research preview in August 2025 with about a thousand testers and, after months of testing, opened to all paid plans (Pro, Max, Team, and Enterprise) in 2026. It runs on Chrome and Edge, not on Brave, Arc, or Firefox.

The extension fits a wider Anthropic push to put Claude wherever work happens: agentic AI in the browser, on the desktop through its Cowork desktop-control feature released in March 2026, in spreadsheets and slides, and in the terminal through Claude Code. For background on the models behind these tools, see our coverage of Anthropic’s recent model releases.

Anthropic’s approach also produced a useful cautionary tale. A flaw in the Claude for Chrome extension (version 1.0.69, released in late April 2026) reportedly let another browser extension hijack the agent’s actions, and researchers said the initial patch was bypassed within hours. The lesson is not that this product is uniquely unsafe. It is that an agent living inside the browser shares the browser’s attack surface, including every other extension installed alongside it.

Microsoft Edge and Copilot

Microsoft has been folding agent features directly into Edge rather than running them as a separate mode. In May 2026 it expanded Copilot across Edge on Windows, Mac, and mobile, adding multi-tab reasoning (Copilot can reason across several open tabs with permission), Journeys (it groups related pages, searches, and chats so you can return to a task), plus voice, vision, and a study mode with quizzes and guided sessions. In the process Microsoft retired the standalone Copilot Mode branding, treating the AI as a built-in part of the browser.

On the agentic side, Microsoft introduced agentic browsing for Edge for Business in late May 2026 as a limited preview. Copilot can navigate approved sites, fill in information, and complete multi-step workflows, but under IT control: administrators set which sites are in scope, the agent pauses for sensitive actions such as passwords or payment details, and data-loss-prevention policies apply at runtime. This is the most explicitly enterprise framing in the landscape. Microsoft is selling agentic browsing as something a company can switch on inside guardrails rather than something an individual turns loose.

Google Chrome auto-browse and Gemini

Google’s entry matters mostly because of distribution. In late January 2026 it launched Chrome auto-browse, powered by Gemini 3, which turns Chrome into an agent that can scroll, click, type, and navigate for you. It started as a feature for Google AI Pro and AI Ultra subscribers in the United States. Because Chrome has on the order of three billion users, this is the largest deployment of agentic browser technology by reach, even if only a fraction of those users turn it on.

Google has also been consolidating. In May 2026 it wound down Project Mariner, its earlier standalone web-agent experiment, and folded the capability into Gemini and Chrome auto-browse. The most recent step, in late June 2026, extends auto-browse to Android at the operating-system level, shipping on flagship devices including the Pixel 10 and Galaxy S26, alongside Google’s broader move to replace the legacy Assistant with Gemini. The strategic read is that Google would rather make agentic browsing a native capability of the browser and the phone than a separate app, which is a very different bet from a standalone product like Atlas or Comet.

Other players worth knowing about

A few names round out the picture. Dia, the browser from The Browser Company (the team behind Arc), was acquired by Atlassian, which points it toward workplace and team use. Arc itself has been wound down in favor of Dia. Opera ships Neon, an agentic browser aimed at automating tasks. Brave continues to build its Leo assistant while playing an outsized role as the security researcher documenting the category’s weaknesses. None of these has the reach of the Chrome and Edge integrations or the mindshare of Atlas and Comet, but they show how many teams are converging on the same idea from different starting points.

The security problem every agentic browser shares

This is the section to read if you read only one. The defining weakness of agentic browsers is indirect prompt injection, and Brave’s researchers have called it a systemic challenge facing the entire category rather than a bug in any one product.

The mechanism is simple to describe. An agentic browser reads web pages to understand them. An attacker can hide instructions inside a page, in text colored white on a white background, in HTML comments, or even in an image, that the agent reads as if they were commands from you. Because the agent is already logged into your sessions, those hidden instructions can tell it to do things you never asked for. Brave documented a chain in which a compromised page caused Perplexity Comet to forward a user’s email to an attacker, and follow-up research showed instructions hidden in screenshots that a person would never see. Security firms have catalogued live examples in the wild, including an ordinary-looking retail page carrying embedded instructions meant to override an agent.

The reason this is more dangerous than a normal web exploit is the blast radius. When you grant a browser agent access to your session, you hand it every authenticated thing open in that browser: email, calendar, CRM, source control, HR, banking, internal tools. A traditional malicious page is limited by what the browser will let a page do. An agent removes some of those limits on purpose, because acting on your behalf is the whole point.

Vendors are responding, and the mitigations are real but partial. Confirmation prompts before sensitive actions, automatic pauses for passwords and payments, scoped site permissions, enterprise data-loss-prevention rules, and isolated browser profiles all reduce exposure. None of them closes the underlying gap, which is that the agent cannot always tell the difference between content it is supposed to read and instructions it is supposed to follow. OpenAI said as much at the Atlas launch. The honest framing for 2026 is that agentic browsing is useful and improving, and that prompt injection is an open problem you should plan around rather than assume is solved.

What agentic browsers mean for publishers, SEO, and measurement

For anyone who runs a website, agentic browsers change who, or what, is visiting. Independent measurement in 2026 found that browser-based agents, led by Comet and Atlas, accounted for roughly 71 percent of observed agentic activity in one April 2026 study, and that a small set of sectors absorbed almost all of it: media at around 46 percent, ecommerce at around 38 percent, and travel at around 14 percent. The agent reads your content, but a human may never see your page, your ads, or your calls to action.

The scale of the disruption is still contested, and it is worth being precise. Direct AI referral traffic remains small, on the order of half a percent to one percent of organic traffic by some measures, and not obviously growing fast. At the same time, some publishers report steep declines in clicks from Google as AI Overviews answer questions on the results page, and three quarters of publishers in one industry survey expect agentic tools to have a large effect over the next few years. Both things can be true: the measured traffic is small today, and the structural anxiety is reasonable, because an agent that reads and summarizes on a user’s behalf breaks the link between a visit and a view that most web business models depend on.

The strategic response has a name now, sometimes called agentic SEO or generative engine optimization. The goal shifts from ranking for clicks to being a source that AI systems can parse, trust, and cite. Clean structured data, clear and well-organized content, and an explicit decision about whether to allow AI crawlers all become levers. We go deeper on this in our pieces on generative engine optimization and on auditing AI crawler access. The short guidance: agentic browsers make machine-readability a first-class concern, not an afterthought.

How the options compare for different users

Because the products sit in different places, the useful question is fit, not winner. A few honest mappings, all subject to the security caveats above.

If you want a standalone, AI-first browser and you work on a Mac, Atlas is the most complete expression of that idea today, with the caveat that it is macOS only for now. If you want search-centric agentic browsing and you care about having it on every device, Comet has the broadest platform coverage. If you would rather add an agent to the browser you already run, and you are invested in Claude, Claude for Chrome is the lightest-weight way in, since it is an extension rather than a new browser. If you are an enterprise standardized on Microsoft, Edge for Business is the option built to run under IT policy from day one. And if your users already live in Chrome and the Google ecosystem, Chrome auto-browse reaches them where they are, at a scale none of the others can match.

For most teams, the deciding factor will not be features. It will be data governance and security posture: which product gives you control over what the agent can touch, which one fits your compliance requirements, and how much autonomy you are willing to grant given the prompt-injection risk. A capable agent you cannot govern is worse than a less capable one you can.

What teams evaluating agentic browsers should do

A practical checklist for the next quarter, written for builders and operators rather than for a marketing funnel.

Start in assistant mode before agentic mode. Summarizing and answering carry far less risk than acting, and they cover a large share of the value. Turn on autonomy deliberately, task by task. Require confirmation for anything sensitive, and never point an agent at a browser profile that is logged into financial, administrative, or production systems. Use separate browser profiles to limit what any agent can reach, so a research agent cannot see your banking session. In an enterprise, pilot under explicit policy: scoped sites, data-loss-prevention rules, and an approved-use list, which is exactly the model Microsoft is shipping for Edge for Business. Keep an eye on the security research, because the published exploits are the early warning system for the whole category. And treat autonomy as a dial you control, not a destination you have to reach.

If you publish on the web, run the parallel exercise on the other side: decide your stance on AI crawlers and agents, make your content machine-readable, and start measuring agentic visits separately from human ones so you can see the shift while it is still small.

Frequently Asked Questions

What is an agentic browser?

An agentic browser is a web browser that can take actions for you, not just answer questions. Given a goal, it can navigate to pages, click buttons, fill in forms, move between tabs, and complete a multi-step task while you do something else. Most agentic browsers also include an assistant mode that only reads and summarizes; the agentic part is the ability to act, which is usually gated behind a paid tier or an explicit opt-in.

How is an agentic browser different from a browser with an AI sidebar?

A sidebar assistant reads the page and helps you understand it: it summarizes, answers questions, or rewrites a selection, but you still do the clicking. An agentic browser closes that loop by acting on the page itself. The line matters because acting on your behalf means the tool inherits your logged-in sessions and can do things with real consequences, which raises security questions that a read-only sidebar does not.

Which agentic browser is the best?

There is no single best one, because the products are built for different users. Atlas and Comet are standalone AI-first browsers. Claude for Chrome is an extension that adds an agent to a browser you already use. Edge and Chrome are mainstream browsers adding agent features at scale. The right pick depends on your platform (Atlas is macOS only for now), your ecosystem, your need for governance, and how much autonomy you are willing to grant given the security tradeoffs.

Are agentic browsers safe to use?

They are useful and improving, but they carry a real and still-unsolved risk called indirect prompt injection, where hidden instructions on a web page can trick the agent into acting against your interests. The safest approach is to start in assistant mode, require confirmation for sensitive actions, use separate browser profiles, and avoid pointing an agent at sessions logged into financial or administrative systems. Enterprises should run agentic browsing under explicit IT policy.

What is prompt injection and why does it matter for browsers?

Prompt injection is when text that the AI reads is treated as a command. In a browser, an attacker can hide instructions inside a page, for example as white text on a white background, in HTML comments, or inside an image, and the agent may follow them as if they came from you. Because the agent is already logged into your accounts, those instructions can trigger sensitive actions like reading your email or accessing a banking portal. Security researchers consider it a systemic problem for the whole category.

Which platforms do agentic browsers run on?

It varies. ChatGPT Atlas has been macOS only since launch, with other platforms planned. Perplexity Comet covers desktop, Android, and iOS. Claude for Chrome runs as an extension on Chrome and Edge but not on Brave, Arc, or Firefox. Microsoft Edge runs everywhere Edge does, with agentic browsing first appearing for business users. Google Chrome auto-browse started on US desktop for paid subscribers and is extending to Android at the operating-system level.

How much do agentic browsers cost?

Most use a freemium model where assistant features are free and the agentic features require a subscription. ChatGPT Atlas ties agent mode to ChatGPT Plus (about twenty dollars a month) or Pro (about two hundred dollars a month). Google Chrome auto-browse requires a Google AI Pro or AI Ultra plan. Claude for Chrome is included with Anthropic’s paid plans. Pricing changes often, so confirm current figures on each vendor’s page before budgeting.

What do agentic browsers mean for my website’s traffic?

They change who is visiting. An agent may read your content and complete a task without the person ever seeing your page, your ads, or your calls to action. Direct AI referral traffic is still small today, but agentic activity is concentrated in media, ecommerce, and travel, and many publishers expect a large impact over the next few years. The practical response is to make your content machine-readable, decide your stance on AI crawlers, and measure agentic visits separately from human ones.

Can I use an agentic browser at work?

Sometimes, and increasingly under controls. Microsoft built agentic browsing into Edge for Business specifically so administrators can scope which sites are in play, force pauses for sensitive actions, and apply data-loss-prevention policies. If your organization has not set a policy yet, treat an agentic browser as you would any tool that can touch internal systems: check with IT before granting it access to work accounts.

Will agentic browsers replace regular browsers and search?

It is too early to say, and the major players disagree on the shape of it. OpenAI and Perplexity are betting on standalone AI-first browsers, while Google and Microsoft are folding agent features into the browsers billions already use. The more likely near-term outcome is that agentic capability becomes a standard feature of mainstream browsers rather than a separate category, with standalone products competing on being the best assistant rather than on replacing the browser entirely.

Digital Matters

Artificial Intelligence (AI) Desk