May 19, 2026

Five Attack Categories Every Security Team Must Understand

AUTHOR

James A. Wondrasek James A. Wondrasek

Approving AI browser agents means approving five distinct attack surfaces. And each one bypasses a different layer of your existing security stack.

A generic “AI risk” checkbox doesn’t cover this. Prompt injection, session hijacking, identity spoofing, tool-call abuse, and exfiltration via legitimate agent actions each evade different controls. Treat them as one category and you leave gaps that attackers are already walking through.

By April 2026, agentic browsers represented nearly three-quarters of all agentic web traffic (Human Security). Comet alone accounted for 48.12% of measured agent requests — a 7,851% year-on-year increase. Five distinct attack categories across that traffic volume means five distinct gaps in your security stack.

Each section below covers the mechanism, a documented example, and the specific mitigation required. For broader context, see the agentic browser security overview.


Why Do Attack Categories Matter More Than a Risk List?

A risk list tells a security team what to worry about. An attack taxonomy tells them what controls to deploy and where. These are different operational outputs — and only one of them funds the right remediation.

The five categories each route around a different layer of your security stack:

The OWASP Top 10 for Agentic Applications 2026 is the governance baseline — prompt injection ranks first — but it only becomes actionable when mapped to specific browser agent mechanics. That’s what this taxonomy does.

Categories chain. Cornell University documented a five-stage agentic attack chain that mirrors traditional malware campaigns: prompt injection (Category 1) initiates a session hijacking sequence (Category 2) that terminates in exfiltration (Category 5). A team that understands the individual risks but not how they connect isn’t prepared for multi-stage attacks.

Budget planning follows from taxonomy. Browser-level DLP, agent identity verification, MCP tool-call logging, and step-up MFA each address different categories. None maps cleanly to an existing budget line and none substitutes for the others.


Attack Category 1: What Is Prompt Injection and Why Is It Ranked the Top Agentic Threat?

Prompt injection is when an attacker embeds malicious instructions inside content an AI agent processes — a webpage, document, calendar invite, or email — causing it to abandon its original task and execute attacker-controlled actions instead.

OWASP ranks it as the top threat to LLM applications. The agentic browser variant is more severe than chatbot-level prompt injection because the agent acts on injected instructions — navigating URLs, submitting forms, writing files — rather than just responding to them.

The zero-click variant removes user interaction from the equation entirely. The agent retrieves and processes malicious content on its own. There’s no behaviour to train users against.

The EchoLeak vulnerability (CVE-2025-32711, CVSS 9.3 Critical) in Microsoft 365 Copilot established zero-click injection as a production-grade threat. An attacker sends an email with hidden instructions; the recipient never opens it. Copilot’s RAG engine ingests the payload and encodes sensitive data into an outbound URL through a CSP-approved Microsoft domain — automatically, silently.

Cymulate documented zero-click RCE chains across Cursor CLI, AWS Kiro, Gemini CLI, and Codex. Execution triggers when the user sends any prompt after a tool restart. The payload can live in a README or a GitHub issue.

No current defence fully solves this — academic evaluation of eight approaches found all can be bypassed. The goal is to raise attack cost and create forensic signals.

Detection and mitigation

For the Zenity Labs calendar-invite zero-click hijack in detail, see the dedicated write-up.


Attack Category 2: How Does Session Hijacking Work When Agents Inherit Authenticated Sessions?

Here’s the key distinction for this category: agents inherit credentials rather than steal them. When a user opens an AI browser agent, it picks up the full session state of the active browser profile — cookies, OAuth and SAML tokens, cached credentials across every authenticated site. From the perspective of every application the agent touches, all traffic arrives with valid credentials. No theft event occurs. No alert fires.

Lateral movement at machine speed

Cornell University’s five-stage attack chain maps this: initial access, privilege escalation using inherited credentials, persistence in agent memory, lateral movement, and execution. An agent with sessions across Gmail, Slack, HR systems, and cloud storage can access all four without triggering a single authentication alert. Every log entry records an authorised action — the malicious instruction exists only in the external content the agent processed.

HIPAA 45 CFR §164.312(b) requires audit controls for all activity involving protected health information; agents across multiple systems without unified session logging create violations. GDPR Article 22 is triggered when agents make autonomous data-access decisions without human oversight.

Mitigation: step-up MFA for high-sensitivity actions breaks the assumed trust of inherited sessions. Session recording creates the audit trail compliance requires. Zero Trust means no standing elevated access for agent accounts. ITDR surfaces velocity, breadth, and timing anomalies — an agent accessing 12 authenticated services in 90 seconds at 2am is detectable even when every access is authorised.
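The ITDR signal described above, as an added example that is not part of the article: a velocity, breadth and timing detector run over a constructed access log in which every access is authorised, so an auth-failure rule would see nothing. The log format, the 90-second window, the six-service threshold and the off-hours range are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp principal service status.
# Every line is an authorised access; the anomaly is in velocity, breadth and timing.
SAMPLE_LOG = """\
2026-05-19T02:00:04Z alice-agent gmail ok
2026-05-19T02:00:11Z alice-agent slack ok
2026-05-19T02:00:19Z alice-agent workday ok
2026-05-19T02:00:27Z alice-agent gdrive ok
2026-05-19T02:00:35Z alice-agent jira ok
2026-05-19T02:00:44Z alice-agent confluence ok
2026-05-19T02:00:52Z alice-agent salesforce ok
2026-05-19T02:01:01Z alice-agent zendesk ok
2026-05-19T02:01:09Z alice-agent github ok
2026-05-19T02:01:18Z alice-agent okta-admin ok
2026-05-19T02:01:26Z alice-agent aws-console ok
2026-05-19T02:01:33Z alice-agent sharepoint ok
2026-05-19T09:15:02Z bob gmail ok
2026-05-19T09:20:40Z bob slack ok
2026-05-19T09:41:12Z bob jira ok
"""

WINDOW = timedelta(seconds=90)  # agent-velocity window (assumed threshold)
MAX_SERVICES = 6                # distinct services in one window before alerting
OFF_HOURS = range(0, 6)         # 00:00-05:59 in the log's timezone counts as anomalous timing

def parse(log_text):
    """Turn log lines into sorted (timestamp, principal, service) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, principal, service, _status = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, service))
    return sorted(events)

def detect(log_text):
    """Return one alert per principal whose widest 90-second window touches
    MAX_SERVICES or more distinct services: (principal, window_start, breadth, off_hours)."""
    by_principal = defaultdict(list)
    for ts, principal, service in parse(log_text):
        by_principal[principal].append((ts, service))
    alerts = []
    for principal, events in by_principal.items():
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window so events[start..end] spans at most WINDOW
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            breadth = len({svc for _, svc in events[start:end + 1]})
            if best is None or breadth > best[1]:
                best = (events[start][0], breadth)
        if best[1] >= MAX_SERVICES:
            alerts.append((principal, best[0], best[1], best[0].hour in OFF_HOURS))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The human user bob touches three services over half an hour and raises nothing; the agent principal hits twelve authorised services inside 89 seconds at 02:00 and is flagged on breadth and timing alone.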

For context on how AI agents use browser sessions in practice, see how AI agents use browsers.


Attack Category 3: What Is Identity Spoofing and How Does Comet Masquerade as Chrome?

Identity spoofing is when an automated agent misrepresents itself as a human browser — or a different software identity — to get around bot-detection, rate-limiting, or access controls designed for human visitors.

The canonical example is Perplexity Comet and the Amazon v. Perplexity case. Amazon alleged Perplexity configured Comet to falsely identify its agent activity as coming from Google Chrome — presenting itself as a human customer shopping via a Chrome browser. Amazon notified Perplexity executives at least five times between November 2024 and October 2025. The behaviour continued.

On March 9, 2026, a US district court issued an injunction against Perplexity — the first legal ruling on authenticated agentic browsing conduct. Agents will push legal and access-control boundaries before security policy exists to constrain them.

Why the scale makes this a governance priority

Comet led all agentic traffic at 48.12% of measured agent requests in April 2026 (Human Security). At nearly half of all agentic traffic, it is not an edge case — it is the dominant agent operator.

Why standard bot detection fails

Both Comet and Atlas are built on Chromium. They present genuine Chromium browser fingerprints — header inspection can’t tell them apart from a human user. Detection requires behavioural analysis: request timing, navigation sequences, and interaction signatures.

Mitigation: for operators, require behavioural analysis beyond headers and enforce agent disclosure requirements. For enterprises deploying agents, define which agent identities are authorised in vendor contracts and track them via DSPM.

For what Perplexity Comet actually does at the product level, see what Perplexity Comet is and exactly what it can do.


Attack Category 4: What Is Tool-Call Abuse and How Do Overpermissioned MCP Tools Enable It?

Tool-call abuse is when an AI agent invokes capabilities — through the Model Context Protocol (MCP) or other tool interfaces — that exceed its intended authorisation scope. This happens either through malicious prompt injection redirecting the agent, or because the agent was configured with excessive permissions from the outset.

💡 The Model Context Protocol (MCP) is the standardised interface through which AI agents access external tools, APIs, databases, and services. It’s the enabling layer for much of what makes agentic AI useful — and the layer where permissions are most often over-provisioned.

Tool poisoning: a tool called add_numbers can contain a buried instruction to read SSH private keys before performing the addition — the stated function executes correctly while credentials exfiltrate in the background. Static code analysis finds nothing.

Tool shadowing: MCP servers expose all tool descriptions simultaneously. One description on a non-related server can shape how the agent constructs parameters for a completely separate tool — giving an attacker who controls any description in the agent’s context influence over all tool calls.

OX Security documented an architectural MCP vulnerability affecting 150M+ downloads, 7,000+ exposed servers, and 200+ open-source projects. Anthropic confirmed the behaviour is by design.

A worked example: an agent configured to read email and draft responses — but also given MCP access to a calendar and file system — can be induced via prompt injection to write files, create calendar events, or query internal APIs. The email-drafting agent becomes a file-write agent because its permissions were set once and never audited.

Mitigation: HITL controls before irreversible tool calls; least-privilege tool configuration evaluated per action, not set at deployment; tool-call logging for every MCP invocation; JIT access for elevated permissions, revoked immediately after use.
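An added example (not from the article or any MCP implementation) that serves both the forensic-signal point in Category 1 and the controls just listed: a per-action policy gate between an agent and its tools that evaluates each call against the task scope, holds irreversible calls for human approval, and logs every invocation together with the external content that was in context when it was attempted. Tool names, task scopes and the scenario are assumptions.

```python
import json
from dataclasses import dataclass, field

# Assumed catalogue: calls whose effects cannot be undone wait for HITL approval.
IRREVERSIBLE = {"fs.write", "calendar.create", "email.send"}

# Task scopes: the only tools an agent may call for that task. Checked on
# every call, not granted once at deployment (assumed scopes).
TASK_SCOPES = {
    "draft-email-replies": {"email.read", "email.draft"},
    "send-customer-updates": {"email.read", "email.send"},
}

@dataclass
class AgentContext:
    agent_id: str
    task: str
    ingested: list = field(default_factory=list)      # content sources seen so far
    human_approved: set = field(default_factory=set)  # tools a human has cleared

    def ingest(self, source, trusted):
        self.ingested.append({"source": source, "trusted": trusted})

def gate(ctx, tool, args, audit_log):
    """Decide allow / deny / needs_hitl for one tool call and record it."""
    scope = TASK_SCOPES.get(ctx.task, set())
    untrusted = [s["source"] for s in ctx.ingested if not s["trusted"]]
    if tool not in scope:
        decision, reason = "deny", "tool outside task scope"
    elif tool in IRREVERSIBLE and tool not in ctx.human_approved:
        decision, reason = "needs_hitl", "irreversible call awaits human approval"
    else:
        decision, reason = "allow", "within scope"
    audit_log.append({
        "agent": ctx.agent_id, "task": ctx.task, "tool": tool, "args": args,
        "decision": decision, "reason": reason,
        # The forensic signal the article says is otherwise absent from logs:
        # which external content was in context when the call was attempted.
        "untrusted_context": untrusted,
        "suspicious": decision != "allow" and bool(untrusted),
    })
    return decision

def demo():
    """Constructed scenario: an email-drafting agent ingests an external
    message, then attempts a file write it was never scoped for."""
    log = []
    ctx = AgentContext("agent-42", "draft-email-replies")
    ctx.ingest("mailbox:alice", trusted=True)
    ctx.ingest("email:msg-1337 from external sender", trusted=False)
    drafted = gate(ctx, "email.draft", {"to": "bob@example.com"}, log)
    written = gate(ctx, "fs.write", {"path": "/home/alice/notes.txt"}, log)
    return drafted, written, log

if __name__ == "__main__":
    for entry in demo()[2]:
        print(json.dumps(entry, sort_keys=True))
```

The denied write is logged as suspicious because an untrusted message was in context, which is the interception point a pure tool-call log never records.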

For how these controls map to Prisma Browser’s integrated MCP governance, see Prisma Browser’s controls mapped to these attack categories.


Attack Category 5: How Do AI Agents Exfiltrate Data Without Triggering DLP Alerts?

This is the most likely blind spot in your current security model — and it’s a structural gap, not a product failure.

Standard DLP operates at the network layer. It watches for sensitive data crossing a perimeter without authorisation. When an agent exfiltrates data using sanctioned browser actions — pasting into an authorised cloud document, emailing from the user’s verified account, uploading to approved cloud storage — the action is authorised, and DLP records it as such. The instruction that triggered it is the only thing that isn’t authorised, and that instruction lives in external content the agent processed, not in any system log.

CASBs are blind to cross-tab data synthesis within a single browser session. DLP monitors network egress but misses copy/paste operations within the browser runtime — those happen before data ever crosses a network boundary.

Trail of Bits documented exfiltration via DNS (encoding data into DNS queries) and via Google Search (combining leaked data with low-probability search terms). As EchoLeak demonstrated, exfiltration can route through CSP-approved infrastructure — perimeter blocking fails when attackers use trusted channels.

Mitigation: browser-level DLP operating within the session layer (not just network-layer DLP); data classification as the prerequisite — without it, browser-level DLP can’t enforce differentiated protections; session recording as the primary forensic control; Shadow AI governance to track which unsanctioned agents have access to what data.
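An added example (not from the article or any vendor product) of the session-layer check described above: a browser-level DLP hook evaluated on agent paste and upload actions before any data reaches the network, with classification as the prerequisite and a destination policy applied to the resulting class. The classifier patterns, destination categories and sample clipboard text are constructed.

```python
import re

def luhn_ok(digits):
    """Luhn checksum, used so that random 16-digit strings do not trip the PCI rule."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Assumed classifiers: data class -> detector over the text being moved.
CLASSIFIERS = {
    "PCI": lambda t: any(luhn_ok(m) for m in re.findall(r"\b\d{16}\b", t)),
    "CREDENTIAL": lambda t: re.search(r"(?i)\b(api[_-]?key|password)\s*[:=]\s*\S+", t) is not None,
    "CONFIDENTIAL": lambda t: "CONFIDENTIAL" in t,
}

# Assumed policy: which data classes may flow to which destination category.
# Every destination here is one the user is authorised to use; the decision
# depends on the data class, which network DLP never sees for in-browser moves.
POLICY = {
    "sanctioned-doc": {"PUBLIC", "CONFIDENTIAL"},
    "sanctioned-mail": {"PUBLIC"},
    "external-site": {"PUBLIC"},
}

def classify(text):
    """Return the set of data classes found in text, or {"PUBLIC"} if none."""
    found = {name for name, detector in CLASSIFIERS.items() if detector(text)}
    return found or {"PUBLIC"}

def evaluate_action(action, destination, text, session_record):
    """Session-layer DLP decision for one agent action (paste/upload).
    Appends to the session record so the forensic trail exists either way."""
    classes = classify(text)
    blocked = classes - POLICY.get(destination, set())
    decision = "block" if blocked else "allow"
    session_record.append({
        "action": action, "destination": destination,
        "classes": sorted(classes), "decision": decision,
        "blocked_classes": sorted(blocked),
    })
    return decision, sorted(classes)

if __name__ == "__main__":
    record = []
    # Constructed clipboard contents an agent might move between tabs.
    print(evaluate_action("paste", "sanctioned-doc", "Invoice paid with card 4111111111111111", record))
    print(evaluate_action("upload", "external-site", "Q3 roadmap CONFIDENTIAL", record))
    for entry in record:
        print(entry)
```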

For the full Prisma Browser DLP implementation, see browser-level DLP as the required supplement to network DLP.


What Does the Least Privilege Response Actually Look Like for Agentic Browser Deployments?

Least Privilege and Zero Trust are the right architectural responses — but in the agentic context they need operational translation that goes well beyond what most enterprise implementations currently cover.

If your users carry excessive permissions today, a browser agent inherits every one of them and exercises them at machine speed. Sort out your over-provisioning before you deploy agents — it reduces the blast radius of every attack category at once.

For agents, least privilege has to mean per-action constraint — evaluated at the level of each individual tool call, not set at deployment. JIT access grants privileged permissions only for specific operations and revokes them immediately after.

The Zero Networks four-step framework:

  1. Establish AI visibility: audit which agents are running, what sessions they can access, and what tools they can invoke
  2. Limit to task scope: no standing elevated access, no session inheritance beyond the specific task
  3. Enforce session recording: every step and prompt captured with the invoking identity
  4. Deploy ITDR: retune SIEM rules from human-velocity baselines to agent-velocity thresholds

Classify agents by risk tier. Low risk: approve with standard logging. Medium risk: restrict data classifications, require HITL. High risk: session recording, step-up MFA, JIT access for every tool call — for agents on regulated data or production systems.

Extension allowlisting via Chrome Enterprise or Microsoft Edge for Business is a default-deny control requiring no additional procurement — the highest-impact, lowest-cost move you can make today.

For the governance and policy framework that operationalises these technical controls, see the governance gap that makes these risks an organisational priority.


How Do These Five Attack Categories Map to My Existing Security Stack?

Each category maps to a specific gap:

Palo Alto's Prisma Browser maps native controls to each category — toxic-prompt blocking, session isolation and recording, agent identity verification, MCP tool governance, and browser-level DLP with 1,000+ AI-driven classifiers. See Prisma Browser’s controls mapped to these attack categories for the full evaluation.

The required controls span identity and access management, endpoint security, and DLP budgets — and none maps cleanly to any one of them. Absorbing agentic browser risk into an existing line item will underfund the controls that don’t fit. For the policy and accountability framework, see the governance gap that makes these risks an organisational priority.


Frequently Asked Questions

Is prompt injection in agentic browsers the same as SQL injection?

Both are injection attacks — an attacker inserts instructions a system executes unintentionally — but the mechanism is different. SQL injection targets a database parser; prompt injection targets an LLM by inserting natural language instructions into content the model processes. The agentic browser variant is more severe than classic prompt injection because the agent acts on injected instructions with real-world consequences: file writes, data access, authenticated web actions. OWASP ranks it #1 for LLM applications.

Can existing endpoint detection tools catch agentic browser attacks?

Generally not. EDR tools look for process anomalies and unauthorised access patterns — neither of which is triggered by an agent using legitimate browser processes with inherited credentials. ITDR is the most viable existing control: it surfaces velocity, breadth, and timing anomalies. An agent accessing 12 authenticated services in 90 seconds at 2am is detectable even if every access is authorised. SIEM rules need retuning to agent-velocity thresholds.

Which of the five attack categories is hardest to detect in real time?

Exfiltration (Category 5) is hardest — the action and the authorisation are both real; only the triggering instruction is malicious, and it exists in external content, not any log. Session hijacking (Category 2) is close: inherited-credential lateral movement at agent speed generates no authentication alerts. Prompt injection (Category 1) is the most detectable because the injected content must traverse the agent pipeline, creating an interception point.

Does the OWASP Top 10 for Agentic Applications map directly to these five categories?

The mapping is not one-to-one. Prompt injection maps to OWASP #1 directly. Session hijacking, identity spoofing, and tool-call abuse correspond to OWASP entries on excessive agency, over-reliance, and supply chain risk respectively. OWASP provides the governance reference; this taxonomy provides the operational playbook.

Should agentic browser security be its own budget line?

Yes. The required controls don’t map cleanly to identity and access management, endpoint security, or network DLP budgets. Absorbing agentic browser risk into an existing line will underfund the controls that don’t fit. Treat it as a distinct category with its own risk assessment, control set, and procurement track.

Is it safe to let an AI browser log into websites for my organisation?

Safe only with the right controls: session scope limited to the task, session recording enabled, step-up MFA enforced for sensitive actions, managed account with JIT access. Most commercial AI browser agents don’t meet these requirements by default — Perplexity Comet, ChatGPT Agent, and Claude’s browser-use capability each inherit the full active session state. The Zero Networks four-step framework (audit, limit, record, detect) is the checklist.

How does agentic browser session hijacking differ from traditional session hijacking?

Traditional session hijacking requires stealing a session token and using it from a different context — a detectable event. Agentic session hijacking requires no credential theft. The agent already holds the live session. An attacker inducing the agent via prompt injection is using the real session through the real agent — no token exfiltration occurs, no unauthorised access alert fires. The attacker never needs to bypass the perimeter because the agent is already inside it.

What is the Model Context Protocol (MCP) and why is it a security concern?

MCP is the standardised interface through which AI agents access external tools, APIs, databases, and services. Two concerns: permissions are typically over-provisioned and never audited; tool descriptions are controlled by potentially untrusted sources, so a maliciously crafted description can induce an agent to invoke unintended capabilities. OX Security documented an architectural vulnerability affecting 150M+ downloads and 7,000+ exposed servers. Anthropic confirmed the behaviour is by design.

How do I detect prompt injection attacks targeting our AI tools?

Toxic-prompt blocking at the input pipeline classifies content the agent is about to process for hostile instruction patterns. Content source monitoring flags agent actions triggered by external content. Behavioural anomaly detection via ITDR can surface an agent performing actions outside its defined task scope after processing external content. No current approach achieves complete prevention — the goal is to raise attack cost and create forensic signals.

Which compliance frameworks are triggered by these five attack categories?

HIPAA 45 CFR §164.312(b): agents across multiple systems without unified session logging violate the audit trail requirement for protected health information. GDPR Article 22: automated decision-making protections apply when agents make autonomous data-access decisions without human oversight. OWASP Top 10 for Agentic Applications 2026 carries no regulatory force but is increasingly appearing in enterprise vendor questionnaires. Regulated FinTech and HealthTech organisations should map each attack category to the specific clause it implicates before deploying AI browser agents in production.


For the complete context on agentic browser products, vendors, and governance frameworks, see the full agentic browser security and governance guide.
