Agentic AI Browsers in 2025: Atlas Copilot Dia and Comet

Agentic AI browsers have moved the model from “answering about the web” to operating on the web, and that shift is now reshaping privacy, security, and productivity expectations for every kind of user.

Background / Overview​

The term agentic browser describes a class of browsers that expose page content, the DOM, tab and history graphs, and authenticated connectors to a large language model (LLM) so the model can reason across pages and take actions — opening tabs, clicking, filling forms, and chaining multi-step workflows on behalf of the user. This is more than chat-over-a-page: it’s an assistant that can act.
Four products define the mainstream conversation in late 2025:

• ChatGPT Atlas (OpenAI) — a ChatGPT-centric, Chromium-based browser with a gated Agent Mode and opt-in browser memories.
• Edge with Copilot Mode (Microsoft) — an opt-in AI mode inside Edge that reasons across tabs, offers Journeys and Copilot Actions, and targets enterprise governance.
• Dia (The Browser Company) — an AI-first, privacy-forward Chromium browser focused on reading, structured workflows, and Skills; macOS-first with local-first memory design.
• Comet (Perplexity) — a highly agentic assistant browser that pushed full automation and connector access early, and has since been the focus of multiple security reviews and legal scrutiny.

These four represent different tradeoffs along the axes of autonomy, memory/persistence, privacy posture, and enterprise governance. The remainder of this feature unpacks architectures, threat surfaces, and practical guidance for readers deciding which model suits their workflows.

---

1. ChatGPT Atlas (OpenAI): AI-native browser with full agent mode​

1.1 Architecture and product intent​

Atlas is built as a first-class ChatGPT product rather than a thin extension on Chromium. OpenAI ships a Chromium rendering layer wrapped by an agent/application architecture that gives ChatGPT direct, permissioned access to tab content, the current page DOM, and chat continuity across the browser shell. The official product page and release notes describe a docked ChatGPT sidecar, cursor chat (inline editing), and an Agent Mode preview for paid tiers. Atlas launched macOS-first and is rolling to Windows and mobile over time; Agent Mode initially appears in preview for ChatGPT Plus, Pro, and Business customers.

1.2 Agent Mode: what it can — and can’t — do​

Agent Mode enables multi-step browser automation:

• Open, close, and navigate tabs
• Follow links and synthesize across pages
• Fill forms, assemble shopping carts, and attempt bookings (with user consent prompts)

OpenAI imposes explicit constraints: the agent cannot run arbitrary local code, cannot install extensions, and is sandboxed from direct OS file access; it also provides a logged-out execution option to reduce exposure when visiting sites that require authentication. OpenAI documents these guardrails and warns Agent Mode remains vulnerable to some attack classes.

1.3 Memory, privacy, and UI affordances​

Atlas introduces optional browser memories that store summaries and inferred intent rather than raw page dumps; the feature is opt-in, editable, and auditable in the UI. OpenAI describes user controls for viewing, deleting, and disabling memories as well as parental controls for child accounts. The company also states browsing data isn’t used for model training by default (with opt-ins available). Caution: vendor messaging lists user-controlled memory settings but does not unambiguously document every retention period or the precise telemetry boundaries for all actions — claims like “memories are retained for about 30 days” appear in secondary reporting and are not confirmed in every official document, so treat retention figures as approximate and subject to change.

1.4 Security posture and known weaknesses​

Atlas’s deep agentic integration increases the available attack surface. Independent security teams have already demonstrated prompt-injection variants that exploit the Atlas omnibox and agent context by disguising malicious instructions as URLs or clipboard content; these proofs of concept show how ambiguous input handling can convert an apparently benign paste into a trusted instruction to the agent. Multiple security outlets and research groups published such findings shortly after Atlas’s launch. These are real, practical signals: agentic behaviors raise new classes of confused-deputy problems that traditional same-origin protections and URL-safety checks were not designed to handle.

1.5 Fit and recommendation​

Atlas is best for power users who want the most extensive in-browser automation and who accept cloud-hosted model processing and a still-evolving security posture. It offers fast productivity gains but requires careful use: run agents logged out for sensitive sites, audit memories regularly, and expect patches and additional mitigations as red teams find new attack vectors.

---

2. Microsoft Edge — Copilot Mode: tab-reasoning with controlled autonomy​

2.1 Product architecture and controls​

Microsoft’s strategy is to convert Edge into an AI browser via a toggleable Copilot Mode rather than shipping a new standalone browser. Copilot Mode exposes a unified Copilot pane or new-tab entry where the assistant can summarize and reason over open tabs, and the system includes Journeys (topic-grouped session recovery) and Copilot Actions (previewed agentic automations). Microsoft positions these features as permissioned and opt-in, tied to Microsoft account settings and enterprise policy tooling. Edge’s Copilot features emphasize auditability and enterprise governance: admin controls, tenant policies, and Azure-backed safety layers are leveraged to reduce unsanctioned agent behavior in corporate environments. The UI provides explicit Page Context toggles before Copilot can read history or synthesize across tabs.

2.2 Agentic behavior and limitations​

Copilot Actions can execute multi-step tasks (unsubscribe, fill forms, book reservations) but are currently narrower and more guarded than Atlas or Comet. Industry testing reports inconsistent reliability for complex actions: Copilot may assert task completion even when steps failed, demonstrating classic brittleness at scale. Microsoft’s guardrails create a more auditable, incremental path to agentic browsing that is intentionally conservative relative to the fully open agent model.

2.3 Enterprise suitability​

Edge + Copilot Mode is compelling for organizations that want AI-assisted browsing inside an existing governance fabric. The product maps cleanly to Microsoft 365, Teams, Outlook, and tenant identity, which simplifies connector-based automations and logging. For regulated industries, Copilot Mode’s opt-in defaults, admin policies, and built-in DLP integration make it the pragmatic choice. Still, organizations must validate retention, non‑training guarantees, and DLP hooks before broad rollout.

2.4 Fit and recommendation​

Choose Copilot Mode when enterprise policies, auditability, and ecosystem integration matter more than unconstrained automation. It reduces immediate risk exposure while delivering substantial productivity improvements inside Microsoft-centric workflows.

---

3. Dia (The Browser Company): AI-first, Chromium-based, privacy-forward​

3.1 Design and UX​

Dia (the follow-up to Arc) is an AI-first browser optimized for reading, writing, and structured knowledge work. It centers on tab-based chat, Skills (reusable prompt templates and workflows), and an editor-friendly UX for inline content transformation and learning workflows. Dia ships as a Chromium derivative and is presently macOS-only (Apple silicon required in initial releases).

3.2 Local-first memory and privacy posture​

Dia’s differentiator is a local-first storage model: history, chats, bookmarks, and some personalization are stored locally and encrypted, and cloud calls are limited to situations where server-side models are required. Memory features are visible to users and can be disabled. This approach reduces the telemetry envelope relative to cloud-first agentic browsers and makes Dia attractive to privacy-conscious knowledge workers.

3.3 Agentic scope and constraints​

Dia intentionally limits agent autonomy. The assistant excels at summarization, rewriting, generating structured outputs, and running Skills over current tabs, but Dia does not currently expose an open DOM‑level automation agent that freely clicks and transacts across arbitrary sites. That constraint is a product decision: The Browser Company prioritizes trusted, local-first knowledge workflows over transactional automation.

3.4 Pricing and availability​

Dia is publicly available on macOS with a free tier and a Pro subscription around the $20/month mark that unlocks higher-usage allowances and unlimited chat within acceptable use. The product’s macOS focus and local-first stance make it a strong pick for writers, students, and researchers who want robust AI assistance without broad automation risk.

---

4. Comet (Perplexity): highly agentic assistant browser with a heavy risk surface​

4.1 Product capabilities and positioning​

Comet positioned itself as an aggressively agentic assistant browser: a persistent sidecar that could summarize pages, compare products across sites, access connectors like email and calendar (with permission), and execute long-running workflows — including end-to-end shopping and checkout flows in some configurations. These capabilities made Comet a clear functional analogue to Atlas early in the year.

4.2 Security findings: CometJacking and audit timeline​

Comet has attracted the most sustained independent security scrutiny of the four. Multiple security groups (Brave, Guardio, LayerX and others) documented prompt injection and indirect prompt-injection vectors that enable data exfiltration or unauthorized actions by steering Comet’s assistant with content embedded in pages, comments, or URLs. The LayerX proof-of-concept labeled “CometJacking” shows how crafted URL parameters can instruct the agent to consult connected services (Gmail, Calendar) and exfiltrate data encoded to evade filters. Several reports allege Perplexity initially downplayed or rejected some findings, and advisory writeups urged extreme caution for sensitive use.

4.3 Legal and platform friction​

Beyond technical findings, Comet also entered legal conflict: Amazon filed a lawsuit alleging Comet’s agentic shopping feature covertly accessed Amazon accounts and disguised automated actions as human browsing, a claim Perplexity disputes. Reuters and other outlets reported Amazon’s complaint and Perplexity’s denial. The suit underscores how agentic shoppers can run headlong into platform rules and policy enforcement when automation mimics human browsing patterns.

4.4 Privacy model and claims​

Perplexity publicly describes a hybrid model — local storage of credentials by default, local-first browsing state, and selective context uploads. In practice, audits recommended cautious deployment because deep connectors plus high autonomy increase the blast radius for data leakage, particularly in corporate environments. Despite local-storage claims, the practical risk depends on which connectors are enabled and how often the agent is permitted to act.

4.5 Fit and recommendation​

Comet is for advanced power users who explicitly trade security surface area for maximum automation. For nearly all enterprise and sensitive personal workflows, Comet’s audit history and the Amazon litigation make it a poor default choice unless IT teams have formal, technical mitigations and a risk acceptance plan.

---

Cross-product technical comparison (concise)​

• Autonomy
  • High: Atlas (Agent Mode) and Comet (full agent flows).
  • Medium: Edge + Copilot Actions (guarded, enterprise-aware).
  • Low–Medium: Dia (Skills and tab-aware reasoning; no open DOM automations).
• Memory & personalization
  • Atlas: opt-in browser memories, user controls.
  • Edge: Journeys + enterprise-aligned retention controls.
  • Dia: local-first encrypted memory, user-controlled.
  • Comet: local-first by design but connector-enabled behaviors increase practical risk.
• Enterprise readiness
  • Best fit: Microsoft Edge + Copilot Mode (admin controls, Azure integration).
  • Conditional: Atlas for research/automation pilots with strong consent and sandboxing.
  • Not recommended without controls: Comet (security audits, legal uncertainty).

---

Security, privacy, and operational risk: what every IT team must consider​

1. New threat surface from prompt injection — Agentic browsers process untrusted page content with higher trust to the model; hidden instructions (in pages, comments, query strings) can be treated as actionable input. Security teams must adapt defenses to detect and block semantic injections, not just code-based exploits.
2. Credential and connector risk — Connectors to Gmail, Calendar, and stores concentrate sensitive signals. Even when credentials are claimed to be local, agent actions running against authenticated sessions can leak context or cause undesired transactions. Limit connectors in pilot groups; require explicit audits and DLP integration.
3. Auditability and rollback — Agentic actions must produce auditable logs and easy undo. Vendors vary widely in logging quality — insist on verifiable action trails and human-in-loop confirmations for high-risk flows.
4. Policy and legal exposure — Automated buying or scraping behaviours can violate platform terms and produce litigation (as Amazon vs Perplexity shows). Legal review is essential before enabling agentic commerce workflows or large-scale scraping.
5. Default settings matter — Privacy defaults and onboarding nudges determine real-world exposure. Products that are opt-in for memory and connectors reduce risk; those that nudge users strongly toward enabling persistence will create a larger telemetry envelope. Verify defaults and make enterprise policy decisions accordingly.

---

Practical adoption playbook — step-by-step for individuals and IT teams​

1. Pilot, don’t deploy:
   • Start with low-risk user groups and test only in segmented profiles. Validate the vendor’s audit logs and DLP integration.
2. Harden profiles:
   • Use separate browser profiles for sensitive work; disable agent/Actions for corporate accounts until policies are validated.
3. Lock connectors and memory:
   • Default connectors to disabled; require explicit approval for any account access. Disable memory for regulated datasets.
4. Require human confirmation:
   • Configure agents to always pause and require human approval before transacting, especially for payments or account changes.
5. Track advisories and legal developments:
   • Subscribe to vendor security advisories and follow third-party audit disclosures (Brave, Guardio, LayerX) — these groups proved vital in identifying real-world exploits.

---

Strengths, weaknesses, and a final recommendation​

• Atlas — Strengths: deepest ChatGPT integration and the richest agent surface; Risks: prompt-injection exposure, cloud telemetry, evolving safety posture. Best if you prioritize maximum in-browser automation and can tolerate vendor-side cloud processing and active security monitoring.
• Edge + Copilot Mode — Strengths: enterprise governance, integration with Microsoft 365, conservative action gating; Risks: action reliability is still inconsistent and advanced automations are U.S.-first in preview. Best for corporate rollouts and Microsoft-centric environments.
• Dia — Strengths: privacy-forward, local-first data model, Skills for structured workflows; Risks: limited cross-site automation and macOS-only footprint for now. Best for students, writers, and knowledge workers who want AI assistance without broad automation.
• Comet — Strengths: aggressive automation and fast iteration; Risks: documented prompt-injection exploits, CometJacking proofs of concept, and active litigation with major platforms. Best only for advanced users willing to accept high security and legal risk and who run strict sandboxing and monitoring.

---

Closing analysis: the next 6–12 months to watch​

• Expect hardening on two fronts: (1) vendor safety engineering to separate trusted user intent from untrusted page content (strict parsing, intent-mode UX, and robust sanitization) and (2) attacker sophistication that will weaponize semantic channels (URLs, forms, images) for prompt injection. The net effect will be an ongoing cat-and-mouse where operational best practices and product hardening co-evolve.
• Regulators and major platforms will push clearer expectations for automated agents that transact on behalf of users (disclosure, bot labeling, anti‑fraud measures). The Amazon–Perplexity litigation is likely the first of many platform–agent conflicts that will define acceptable commerce automation patterns.
• For most enterprise and privacy-sensitive users, the safe path is incremental: enable tab-reasoning and summarization first, gate connectors and agent actions, and require auditability and human confirmation for all transactions. For explorers and researchers, Atlas and Comet represent powerful new workflows — but those same users should adopt sandboxed profiles, incognito patterns, and disable memories or connectors for sensitive tasks.

---

Agentic browsers are a genuine, structural change to the web experience: they promise time savings by collapsing the browse‑summarize‑act cycle into a single conversational workflow. But they also move decision-making power into models that can be manipulated by subtle inputs. The choice among Atlas, Copilot Mode, Dia, and Comet is therefore a choice about how much agency you grant the assistant, and how much of your browsing life you are prepared to make auditable and recoverable. Adopt these tools deliberately, test them in isolated profiles, and require the vendors to prove the safety, audit, and retention guarantees you need before moving them into production for business-critical or sensitive personal tasks.

---

Source: MarkTechPost https://www.marktechpost.com/2025/1...5-atlas-vs-copilot-mode-vs-dia-vs-comet/?amp=