May 19, 2026

Perplexity Comet — What an AI-Native Browser Actually Does

AUTHOR

James A. Wondrasek

In April 2026, Human Security reported that Perplexity Comet holds 48.12% of all tracked agentic web traffic — up 7,851% year-on-year. That is not a niche experiment. It is the dominant way AI agents interact with the web right now, and it raises a pretty immediate question: what is Comet actually doing?

In this article we cover what Comet does under the hood, how it stacks up against ChatGPT Atlas, what the permission model means in practice, and why the $200/month price point is itself an enterprise risk signal. For the complete picture, see our agentic browser security and governance overview.

What is Perplexity Comet, and why does calling it a “browser” undersell it?

Comet is built on Chromium — the same rendering base as Chrome, Edge, and Brave. But Chromium is the substrate, not the product. The AI agent layer is integrated at the browser’s rendering and extension level, which makes the agent the execution engine, not an add-on.

Compare that to Chrome with a sidebar assistant, or Arc’s Dia. In that setup, the browser stays in control: the AI reads the page, suggests an action, and waits for you to execute. In Comet it’s reversed — the agent navigates, clicks, fills forms, and completes tasks. You review the outcomes.

Perplexity CEO Aravind Srinivas’s “Everything is Computer” framing makes the strategic intent explicit. The browser is the universal interface through which all computer-mediated work passes. An app-only agent sees only what the app exposes; a browser agent sees everything your authenticated sessions expose.

💡 Chromium is the open-source browser project that underpins Chrome, Edge, Brave, and Comet — it handles page rendering while each product adds its own layer on top.

Comet launched on iPhone on March 18, 2026, with Mac, Windows, and Android following. All Chrome extensions work in Comet, and bookmarks import without friction.

How does Comet work under the hood — DOM access, authenticated sessions, and the semantic work graph?

The thing that makes Comet architecturally distinct is DOM access. Comet’s internal extension reads and writes to the Document Object Model — the programmatic representation of a webpage’s structure — of every page it visits. That gives the agent access to form fields, buttons, authentication tokens, and dynamically rendered content in real time.

This is different from older automation approaches. Screen-coordinate automation reads pixel positions. Accessibility API access reads structural labels. DOM access gives the agent the actual live page structure and session state. (For more, see the architectural shift from display surface to execution environment.)

Add authenticated session access and it gets interesting. Once you’re logged into a service — email, Salesforce, a banking portal — Comet’s agent can read and act within that context. No re-authentication required, and the site has no reliable way to distinguish the interaction from your own behaviour.

Session-level synthesis turns that access into something genuinely useful. Rather than treating each page as an isolated query, Comet maintains context across all pages in a session. That feeds the semantic work graph: a durable, cross-domain record of your work context across calendar, email, SaaS apps, and internal tools.

The underlying concept — a semantic work primitive — means the agent isn’t reasoning about button clicks. It’s reasoning about the actual thing you are trying to accomplish: a refund, a payment authorisation, a booking. How the work graph persists across sessions is not fully resolved publicly, and that gap determines whether Comet becomes a genuine work intelligence layer or a sophisticated per-session assistant.

The companion layer is Perplexity Personal Computer, the macOS agent for native apps and the file system. Both require the Perplexity Max subscription.

What can Comet do in practice that a standard AI browser extension cannot?

An AI extension operates above the browser. It reads the page, suggests actions, and waits for you to execute. Comet operates inside the browser. It executes directly, chaining steps across multiple sites without waiting for input at each one.

That is a qualitative capability gap, not just a speed advantage. Comet maintains authenticated session access and session-level context across domains, so a single instruction can span a vendor portal and an internal approval system without re-authentication or context re-passing at each step. An extension-based agent needs manual handoffs for the same workflow.

In practice: multi-step research synthesis, email drafting informed by full session context, travel booking across airline and hotel sites in a single instruction. Personal Computer extends this to macOS native apps and the file system.

A few current limitations worth noting. The $200/month Max subscription is required. Work graph persistence across device reinstalls is unresolved. And Comet does not replace purpose-built RPA tools for complex, API-integrated enterprise workflows.

Human Security’s April 2026 data shows three industries capturing 98% of agentic traffic: media (45.62%), e-commerce (38.20%), and travel (14.12%). These capabilities are being exercised at scale right now. For the security implications, see five attack categories every security team must understand.

How does Perplexity Comet compare to ChatGPT Atlas?

Comet holds 48.12% of all tracked agentic web traffic. ChatGPT Atlas holds 21.33%. Together they account for roughly 70% of total agentic volume — but traffic share is not the whole story. Atlas had 62 times more corporate downloads, with adoption of 67% in technology companies, 50% in pharmaceuticals, 40% in finance. Different products, different enterprise maturity.

Autonomy philosophy is the practical difference. Comet is autonomy-first: agent execution with your review at completion. Atlas is confirmation-first: the agent pauses at consequential steps and requests approval before proceeding.

Architecture is the technical difference. Comet uses an internal Chromium extension that interacts directly with the DOM, leaving detectable traces — “DOM artifacts” — in page structure. Atlas uses OWL (OpenAI Web Layer), an out-of-process architecture where the agent operates outside the Chromium process entirely.

💡 OWL (OpenAI Web Layer) is Atlas’s architecture for controlling the browser from outside the browser process — lower privilege depth than Comet’s internal extension, but fewer detectable artifacts.

Comet’s internal extension gives it richer access to dynamically rendered content and authenticated sessions. Atlas’s OWL approach reduces the attack surface but limits access to some page structures that only expose state through the DOM.

Model flexibility: Comet lets you choose between GPT, Claude, and Perplexity’s Sonar. Atlas is tied to OpenAI’s model stack — a real consideration if you’re evaluating vendor lock-in.

Comet gives you depth and flexibility; Atlas gives you caution and corporate readiness.

What is the permission ladder and where does Comet currently sit on it?

The permission ladder is a five-stage autonomy framework from MindStudio — analyst framing, not an official Perplexity document:

  1. Read — observing without acting
  2. Suggest — surfacing something proactively without action
  3. Draft — preparing an action for human approval
  4. Act with confirmation — executing, pausing at consequential moments
  5. Act autonomously — completing consequential actions without asking

Current commercial deployments sit at “act with confirmation” for consequential actions — transactions, form submissions, authenticated data changes. For read-only and low-stakes tasks, Comet operates fully autonomously. As MindStudio puts it: “read calendar (fine); reschedule a meeting (needs confirmation); authorise payment (different conversation entirely).”

The Trail of Bits audit — commissioned by Perplexity, published February 20, 2026 — demonstrated four prompt injection techniques capable of extracting private information from authenticated sessions, including a proof-of-concept where the agent submitted Gmail contents to an attacker-controlled URL. The audit recommended least-privilege defaults; Perplexity’s confirmation model is consistent with that.

This is why the permission model is not just a UX choice. Prompt injection — malicious instructions embedded in page content — can redirect agent behaviour without your awareness. At full autonomy, a successful injection can complete harmful actions before any review. Full attack taxonomy: five attack categories every security team must understand.
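
The ladder and the least-privilege recommendation above, expressed as a policy gate that sits between an agent's proposed action and its execution. This is an added example, not Perplexity's, MindStudio's or Trail of Bits' code; the action kinds, field names, `decide` function and `.example` origins are assumptions made for illustration.

```javascript
// Added example: least-privilege gate for agent actions. All names are hypothetical.
const LADDER = ["read", "suggest", "draft", "act_with_confirmation", "act_autonomously"];
const CONFIRM_STAGE = LADDER.indexOf("act_with_confirmation");

// Constructed list of action kinds treated as consequential.
const CONSEQUENTIAL = new Set(["submit_form", "purchase", "modify_data", "send_message"]);

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// action: { kind, targetUrl, dataOrigins } where dataOrigins lists the origins of
//         authenticated pages whose content is carried in the request.
// policy: { maxStage, trustedOrigins }
function decide(action, policy) {
  const stage = LADDER.indexOf(policy.maxStage);
  if (stage < 0) return { verdict: "deny", reason: "unknown policy stage" };

  const target = originOf(action.targetUrl);
  if (!target) return { verdict: "deny", reason: "unparseable target URL" };

  // Data-flow check first: session content must not leave for an untrusted origin,
  // whatever the autonomy stage. This is the pattern the audit's Gmail case showed.
  const foreign = (action.dataOrigins || []).filter((o) => o !== target);
  if (foreign.length > 0 && !(policy.trustedOrigins || []).includes(target)) {
    return { verdict: "deny", reason: `content from ${foreign.join(", ")} bound for ${target}` };
  }

  if (action.kind === "read") return { verdict: "allow", reason: "read-only" };

  // Stages 1-3 never execute; the agent may only observe, suggest or draft.
  if (stage < CONFIRM_STAGE) {
    return { verdict: "deny", reason: `stage '${policy.maxStage}' does not permit execution` };
  }

  if (CONSEQUENTIAL.has(action.kind) && stage === CONFIRM_STAGE) {
    return { verdict: "confirm", reason: `${action.kind} is consequential` };
  }
  return { verdict: "allow", reason: "within policy" };
}
```

The cross-origin data check runs before the autonomy check, so a policy set to "act autonomously" still cannot send content read from one authenticated session to an origin outside `trustedOrigins`.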

Why does the $200/month price point matter beyond the feature set?

Perplexity Max at $200/month includes Comet’s full AI features, Perplexity Personal Computer, 10,000 cloud workflow credits, and the full Perplexity Search stack. The browser is free; Max is where the execution intelligence lives.

Here is the enterprise risk, and it is behavioural. At $200/month, a motivated team member might self-purchase on a personal credit card rather than wait for IT procurement. That means an unsanctioned authenticated browser agent inside your SaaS environment, reading email, accessing dashboards, submitting forms — without IT visibility or DLP coverage. Bypassing procurement bypasses the security review that would otherwise happen before a new tool gets authenticated access to your systems.

Perplexity’s enterprise response: through a CrowdStrike partnership, Comet Enterprise customers get extension visibility, risk scoring, and prevention of sensitive data entry. Enterprise SSO is rolling out. But verify current maturity against your actual compliance requirements, not roadmap statements.

For governance and procurement controls, see the Amazon v. Perplexity legal dispute as a worked example of boundary-pushing agent behaviour.

What happens next: security implications and governance questions

Comet’s architecture — DOM access, authenticated session inheritance, cross-site task chaining — creates a security exposure category traditional browser tooling was not designed to govern. Same-origin policy and CORS become less effective when an AI agent follows embedded commands across origins. Cornell University research shows prompt injection has evolved into five-stage attacks mirroring traditional malware: initial access, privilege escalation, persistence in agent memory, lateral movement, execution. OWASP LLM Top 10 ranks it the top threat to LLM applications.

Under HIPAA, agents operating across systems without unified logging create audit concerns. Under GDPR Article 22, autonomous data access without human oversight can trigger automated decision-making protections. Human Security’s April 2026 data shows the blocking rate for agentic traffic hit 8.2% — a 3.9 percentage point increase from March.

Who is liable when an agent completes a task incorrectly? What does Comet transmit to Perplexity’s servers? How does work graph accumulation interact with data residency requirements? The governance frameworks have not caught up to Comet’s 48.12% market share. Our complete agentic browser security and governance guide maps the full landscape — from product capabilities to threat taxonomy to organisational response.

For the attack taxonomy, see five attack categories every security team must understand. For governance depth, see the Amazon legal dispute as a worked example. For the full picture, see our agentic browser guide.

Frequently Asked Questions

Is Perplexity Comet available on desktop?

Yes. Comet launched on iPhone on March 18, 2026, and is available on Mac, Windows, and Android. All Chrome extensions work in Comet; bookmarks import without manual configuration.

What is the difference between Perplexity Comet and Perplexity Personal Computer?

Comet handles web-based interfaces — forms, portals, authenticated SaaS sessions — via DOM access and session-level synthesis. Personal Computer is the companion agent for macOS native apps and file system access. Both require the $200/month Max subscription.

How does Comet compare to using ChatGPT with a browser extension?

A ChatGPT extension reads the page and asks you to take the next action. Comet reads the DOM directly, maintains session context across pages, and executes multi-step tasks without per-step input. The extension suggests; Comet acts.

Does Perplexity Comet store what it sees in my browser sessions?

Comet has potential access to all your browsing history, page content, and form data. Data retention terms for session-level synthesis are still evolving as of publication. Perplexity provides an incognito mode that does not log session activity. Read their current privacy policy directly.

What is a semantic work graph in plain English?

Perplexity’s term for a durable, cross-domain record of your work context — the appointments, approvals, purchases, and documents that make up your actual job. Comet accumulates this so the agent understands not just “click this button” but “this is a payment authorisation in the procurement workflow for vendor Y.”

Is Perplexity Comet safe to use in an enterprise environment?

It depends on the controls you have in place. DOM-level access to authenticated SaaS sessions creates exposure to prompt injection and unauthorised data access if a team member self-purchases without IT review. Perplexity commissioned a Trail of Bits pre-launch audit and is developing Comet Enterprise — but enterprise control maturity is not yet at parity with established SaaS security tooling.

What is the Perplexity Max subscription and what does it include?

Perplexity Max is the $200/month tier that includes Comet’s full AI features, Perplexity Personal Computer, cloud-based Perplexity Computer with 10,000 workflow credits, and the full Perplexity Search stack. The browser is free; Max is where the execution intelligence lives.

What did the Trail of Bits security audit find about Comet?

Four prompt injection techniques capable of extracting private information from authenticated sessions — including a proof-of-concept that caused the agent to submit Gmail contents to an attacker-controlled URL. Least-privilege agent defaults were recommended, consistent with Perplexity’s confirmation model.

Why did Perplexity build a browser instead of just extending its app?

Because the browser is the universal interface through which all computer-mediated work passes. An app-only agent can only act on what the app exposes; a browser agent can act on everything your authenticated sessions expose.

What is OWL and how is ChatGPT Atlas different from Comet architecturally?

OWL (OpenAI Web Layer) is Atlas’s out-of-process control architecture — the agent operates outside the Chromium process. Comet’s internal extension gives it richer DOM access at the cost of detectable artifacts and higher privilege; Atlas reduces the attack surface but limits access to some dynamically rendered content.

Can Comet complete transactions on my behalf without asking me first?

In current commercial deployments, Comet requests confirmation before consequential actions — purchases, form submissions, data changes. For read-only and low-stakes tasks it operates autonomously. You can configure the autonomy level within the product.

How does Comet’s 48.12% traffic share compare to other agentic browsers?

Human Security’s April 2026 State of Agentic Traffic report puts Comet at 48.12% of tracked agentic web requests, ahead of ChatGPT Atlas (21.33%), Claude Chrome Extension (17.33%), and ChatGPT Agent (8.55%). Despite lower overall traffic, Atlas has approximately 62 times more corporate downloads than Comet.
