Agentic Browser

What It Is

An agentic browser is a web browser whose primary interface is an AI agent that can read pages, click buttons, fill forms, log into accounts, summarize content, and complete multi-step workflows on the user’s behalf. The user gives an instruction in plain English, and the agent takes actions across multiple tabs and authenticated sessions using the same context the user already has. This is different from a chatbot sidebar in a browser. The chatbot waits for a prompt. The agent acts.

The category exists because the assistant pattern outgrew the search box. People asked their assistants for things that required clicking through several pages: book this restaurant, compare three insurance plans, fill out this form using my saved information. The browser is where those actions actually happen, and it is also the surface where the agent can be wired into the user’s identity, payment methods, and persistent state. Perplexity’s Comet, the agent surfaces being built into Chrome and Edge, and the wave of standalone agentic browsers like Dia and the relaunched Arc all answer the same product question: if the assistant is going to act, where should it live?

How It Actually Works

The agentic browser runs an agent that has access to the same DOM, cookies, and authenticated session the user does. When the user types a goal, the agent decomposes it into steps, navigates between pages, calls APIs where they exist, and falls back to DOM manipulation where it must. Some implementations route through hosted virtual machines so the agent can keep working when the user closes the laptop. Others run locally and pause when the tab is backgrounded. The browser is still a browser. The agent is the operating logic on top.

Why It Matters Right Now

The agent economy needs a front door. The model layer is solved. The orchestration layer is hardening. The question that remains is where the user actually meets the agent in daily life. The browser already has the user’s identity, payment methods, and session state. Building a new agent destination from scratch means re-acquiring all of that. Building the agent into the browser inherits it for free. That is why Perplexity raised another $200 million in early June at a $20 billion valuation specifically to push Comet, and why Google, Microsoft, and Apple are all building agent layers into their existing browsers and assistants rather than launching standalone agent apps.

The Cost and Tradeoff

The trade is trust. Once the browser is an agent, the agent inherits everything the user trusts the browser with: logged-in banking, work email, internal company tools, saved credit cards, identity documents. A successful indirect prompt injection inside a page the agent reads can now move money, send mail, or exfiltrate data. The defensive surface is wider than a normal browser and wider than a normal chat assistant. The category is moving fast for the same reason it is dangerous fast: every action the user used to take by hand can now be taken at machine speed, against the wrong target, if anyone has injected the wrong instructions into a page the agent visits.

How TWO Uses It

TWO treats the agentic browser as a category the operator reader will be invited into well before the trust model is proven. The first wave will work. It will save time. It will collect the credit cards and saved logins of users who let it. The second wave will be the breach reports.

The decision for an operator running their own work through one is not “use it or do not.” The decision is which sessions you give it. A clean profile with no payment methods and no work email is a fine sandbox for a research workflow. The same browser logged into your bank, your CRM, and your company email is a different artifact. Treat the agentic browser the way you would treat a new junior employee with full systems access on day one. Watch what it does. Audit the logs. Pull back permissions until trust has been earned.

A Concrete Operator Scenario

You want Comet to fill out a vendor onboarding form for a new SaaS purchase. Do it in a profile where the agent has access to your work email and your company card, and nothing else. Do not do it in the same profile where the agent is logged into your personal banking, because the next vendor’s confirmation email could contain instructions that the agent will dutifully follow before you read them. Separate profiles for separate trust boundaries. The browser learned that lesson ten years ago for cookies. The agentic browser is going to have to learn it again for goals.