Perplexity Comet

Perplexity’s AI Browser for Agentic Web Tasks


What is Perplexity Comet?

Perplexity Comet is an AI-first browser that reimagines web browsing through agentic AI capabilities. Built on Chromium, Comet integrates Perplexity’s AI search engine and assistant directly into the browser interface. Users can ask it to summarise page content, organise tabs, compare products, book travel, or fill forms. 

The key difference from a traditional browser is the agentic layer. Comet’s assistant monitors open tabs, has context across pages and sessions, and can execute multi-step workflows with minimal direct human clicks. It shifts browsing from navigation to delegation.

 

Critical Security Consideration

Comet runs as a Chromium-based browser and can act on a user’s behalf in agent mode, while appearing indistinguishable from standard Chrome traffic. Its page visibility, persistent memory, and autonomous actions introduce risks related to prompt injection, unintended state changes, and accountability inside logged-in sessions.

Characteristics
  • Can Act with Logged-in User Privileges

  • Cryptographically Verifiable

  • Persistent Cross-Session Memory

  • Capable of State-Changing Actions

  • Susceptible to Prompt-Injection

  • Network Traffic Appears Human

  • Cross-Tab/Cross-Domain Context

Technical Details

  • Developer: Perplexity
  • Type: Agentic Browser
  • Trust Level: Medium
  • Authentication: No
  • Robots.txt Compliance: No
  • User agent: Chromium-based UA strings with Perplexity-specific headers

Why Is Perplexity Comet On My Website?

Comet introduces a browser-native form of automation. Instead of navigating pages manually, users delegate actions to the embedded Perplexity assistant — asking it to read, compare, fill out, or decide. The result is traffic that originates from genuine human intent but executes at the pace and precision of automation.

Common patterns include product research and price comparison, cross-tab synthesis of information, form filling for bookings or registrations, and end-to-end shopping workflows. Users often stay within the Perplexity interface while the agent loads your site in the background to gather details, complete steps, or verify results.

From a security and visibility standpoint, this means Comet sessions look like ordinary browsing but behave differently. They generate higher-density interactions, fewer idle periods, and more systematic navigation than human users typically produce. The difference is subtle in the logs but material for governance: every action is authentic to a user’s goal, yet automated in execution.

Common use-cases include:

  • Research and Analysis: Users requesting in-depth analysis, comparisons, or synthesis of information across multiple sources
  • E-Commerce Activities: Product research, price comparisons, and automated purchasing workflows
  • Content Summarization: Processing articles, videos, and documents for quick insights
  • Task Automation: Booking services, filling forms, managing calendars, and handling routine workflows
  • Cross-tab Operations: Analyzing information across multiple open tabs to provide comprehensive answers

Key Security Concerns for Perplexity Comet

Perplexity Comet carries a higher baseline risk than other AI agents because it lacks a verifiable identity layer and operates from within the user’s browser session. That combination gives Comet session-level privileges, such as access to the user’s cookies, logins, extensions, and stored credentials, while offering little accountable visibility at the network layer. The agent operates under the user’s real identity, performing multi-tab actions and interacting with sensitive flows while appearing indistinguishable from a standard Chromium browser to most detection systems. HUMAN detects and manages Comet through behavioral and contextual signals.

Key risks include:

Prompt-injection and cross-domain action

Independent researchers showed Comet’s assistant can ingest hostile instructions from untrusted page content and then act across the user’s authenticated sessions, effectively bypassing SOP/CORS assumptions because the agent operates with the user’s privileges. Even after partial fixes were reported, follow-up testing suggested residual risk. 

Browser-wide context and cross-tab exposure

Because Comet’s assistant maintains context across tabs, a single malicious page can influence actions in other, authenticated tabs. Several disclosures describe exfiltration of sensitive data from adjacent sessions if the agent is induced to comply. 

Uncontrolled or misinterpreted automation

Comet can click, type, and submit forms under real user sessions. Ambiguous instructions or poisoned content can lead to unintended purchases, account changes, or data access that the human did not intend. Given agent speed and persistence, small mistakes escalate quickly without granular permission management.

Potential for abuse disputes and policy conflicts

Major platforms are beginning to challenge agentic shopping and account access patterns in court, alleging that agent traffic can masquerade as human sessions and degrade site integrity. 

For example, Amazon filed a legal threat in November 2025 against Perplexity AI, alleging that Comet’s agentic shopping tool disguised automated transactions as human sessions and accessed restricted areas of Amazon’s platform without proper disclosure. 

Operational load and scaling pressure

Agent-driven browsing compresses many actions into short windows. Research and comparison tasks can translate to high-density pageviews, repeated form posts, and cross-site traversals that stress rate limits and inventory controls, even when user-initiated.

Data exposure from legitimate access

If the user is already authenticated, the agent may legitimately reach sensitive pages. Minimize what is exposed to automated sessions and log agent actions separately for audit and response.

How to Detect Perplexity Comet

Perplexity Comet does not provide a per-request, verifiable identity signal. It operates from the user’s local Chromium session and presents as ordinary human traffic. Detection therefore shifts from who it claims to be to what it actually does in the browser. HUMAN’s approach combines interaction context, execution artifacts, and action governance to make that distinction reliable.

Behavioral context

Agent sessions compress many actions into short windows. They show consistent timing, high action density, and systematic navigation that differs from human variability. HUMAN’s research documents that modern AI agents reuse classic automation techniques, which means updated versions of established behavioral checks still surface agent activity.
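The behavioral signals described above (action density, timing consistency, absence of idle periods) can be computed from ordinary request timestamps. The following is an added example, not HUMAN's detection logic; the sample events are constructed and every threshold is an assumption to be tuned against your own traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (session_id, seconds since first request).
EVENTS = [
    ("s-human", 0.0), ("s-human", 14.2), ("s-human", 61.0),
    ("s-human", 68.5), ("s-human", 140.9),
    ("s-agent", 0.0), ("s-agent", 2.1), ("s-agent", 4.0), ("s-agent", 6.2),
    ("s-agent", 8.1), ("s-agent", 10.0), ("s-agent", 12.2),
    ("s-short", 0.0), ("s-short", 3.0),
]

# Assumed thresholds for illustration; tune against your own baseline traffic.
MIN_ACTIONS = 5          # below this, timing statistics are not meaningful
MIN_PER_MINUTE = 15.0    # "high action density"
MAX_GAP_CV = 0.35        # "consistent timing": low variation between gaps
MAX_IDLE_SECONDS = 10.0  # "fewer idle periods": no long pause anywhere


def session_features(times):
    """Return density, timing regularity and longest pause for one session."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    duration = times[-1] - times[0]
    avg_gap = mean(gaps)
    return {
        "per_minute": len(gaps) / duration * 60 if duration else float("inf"),
        "gap_cv": pstdev(gaps) / avg_gap if avg_gap else 0.0,
        "max_idle": max(gaps),
    }


def classify_sessions(events):
    """Label each session from the three signals taken together."""
    by_session = defaultdict(list)
    for session_id, t in events:
        by_session[session_id].append(t)
    verdicts = {}
    for session_id, times in by_session.items():
        if len(times) < MIN_ACTIONS:
            verdicts[session_id] = "insufficient-data"
            continue
        f = session_features(times)
        hits = sum([f["per_minute"] >= MIN_PER_MINUTE,
                    f["gap_cv"] <= MAX_GAP_CV,
                    f["max_idle"] <= MAX_IDLE_SECONDS])
        verdicts[session_id] = {3: "agent-like", 0: "human-like"}.get(hits, "review")
    return verdicts
```

A session that trips only one or two signals is labelled "review" rather than blocked, which keeps a fast human or a slow agent from being decided on a single indicator.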

Automation frameworks and artifacts

Most agents run on known automation engines such as Playwright or Puppeteer. These leave tell-tale client-side indicators: navigator.webdriver states, DOM or window inconsistencies, and injected helper functions. Some agents also introduce stable DOM artifacts or bundled helper extensions that are attributable at runtime. These signals, used in concert rather than isolation, allow attribution without relying on self-declared headers.

User-agent and header claims are weak

HUMAN’s crawler-spoofing analysis shows that AI identities are routinely faked with look-alike user-agents and plausible network traits. Relying on UA strings or light friction confuses real agent sessions with spoofed automation and lets unauthorized traffic blend in. Treat header claims as advisory and require corroborating behavioral evidence.

Intent and action validation

Because identity is unsignaled, enforcement must hinge on what the session attempts to do. In AgenticTrust, Comet-class sessions can read and navigate by default. State-changing actions such as login, account edits, or checkout are permitted only when they fit approved intent. If the session attempts an unapproved action, it is rejected in real time. This aligns detection with governance so that verified human intent is preserved and risky automation is contained.

Should I Block Perplexity Comet? 

Because Perplexity Comet operates on behalf of legitimate users seeking to accomplish real tasks, a blanket blocking strategy is counterproductive. Instead, implement adaptive governance based on intent and impact.

Classification first

Comet does not provide a signed identity, so governance begins with classification and visibility. Treat Comet sessions as unverified automation with access to user credentials. AgenticTrust automatically classifies this traffic and establishes session context before any enforcement occurs, ensuring legitimate user intent is preserved.

Granular Permission Management

Use AgenticTrust’s role-based permissions to control what Comet can do, not just whether it can connect. Allow reading and navigation, and explicitly restrict risky workflows such as Login, Change Account, or Checkout unless you intend to support them. Comet’s embedded assistant can act quickly on ambiguous instructions, so constrain high-impact actions.

Continuous Behavioral Oversight

Visibility doesn’t stop at identity. AgenticTrust monitors each Comet session for automation density, navigation rhythm, and action sequences that suggest escalation or misuse. These telemetry signals guide adaptive throttling and help tune policies to reflect real-world agent behavior rather than theoretical risk.

Real-time Enforcement

If Comet attempts an unapproved action, AgenticTrust blocks the session immediately. This prevents prompt-driven or misinterpreted actions from affecting business-critical systems.

Per-Agent Rate Limits

Agentic browsing compresses hundreds of actions into seconds. Set limits for concurrent sessions, repeated form posts, and transactional attempts to prevent unintentional load spikes or runaway automation. 
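The intent-and-action model and the per-agent limits described above can be combined in one request gate: reads pass by default, state-changing actions pass only if approved, and approved posts are capped per session. This is an added example, not AgenticTrust's API or implementation; the class name, route mapping, and limits are hypothetical.

```python
from collections import defaultdict, deque

# Assumed mapping of (method, path prefix) to the action names used on this page.
ACTION_ROUTES = [
    ("POST", "/login", "login"),
    ("POST", "/account", "change_account"),
    ("POST", "/checkout", "checkout"),
]


class AgentSessionGate:
    """Hypothetical gate applied to sessions already classified as agent-driven."""

    def __init__(self, approved, max_posts, window_s):
        self.approved = set(approved)     # state-changing actions you support
        self.max_posts = max_posts        # allowed posts per session per window
        self.window_s = window_s
        self._posts = defaultdict(deque)  # session_id -> recent post times

    @staticmethod
    def action_for(method, path):
        for m, prefix, action in ACTION_ROUTES:
            if method == m and path.startswith(prefix):
                return action
        # Anything that is not a safe method is treated as state-changing.
        return "read" if method in ("GET", "HEAD") else "form_post"

    def decide(self, session_id, method, path, now):
        action = self.action_for(method, path)
        if action == "read":
            return "allow"                   # read and navigate by default
        if action not in self.approved:
            return "deny:unapproved-action"  # rejected in real time
        recent = self._posts[session_id]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()                 # drop posts outside the window
        if len(recent) >= self.max_posts:
            return "deny:rate-limit"         # repeated form posts
        recent.append(now)
        return "allow"
```

Denied decisions are worth logging with the session id and action name so agent activity can be audited separately from human traffic.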

Build Trust in the Agentic Era

AI agents are already reshaping how users browse and buy. With AgenticTrust, you see every agentic session, govern what each agent can do, and protect critical flows without blocking legitimate user intent.

See. Govern. Grow.

Ready to manage Perplexity Comet on your terms? Request a demo to learn how AgenticTrust turns agent activity into trusted engagement.
