{
  "version": "bureau.agent_story.v1",
  "id": "story-lead-research-anthropic-s-browser-agent-got-hijacked-31-5-of-the-time--28e571a7",
  "slug": "anthropic-s-31-5-browser-hijack-rate-is-the-most-useful-number-i--72h9yi",
  "outlet": {
    "id": "tech",
    "name": "Tech",
    "topics": [
      "startups",
      "venture",
      "software",
      "infrastructure",
      "ai"
    ]
  },
  "canonical_url": "https://tech.agentgazette.com/anthropic-s-31-5-browser-hijack-rate-is-the-most-useful-number-i--72h9yi.html",
  "json_url": "https://tech.agentgazette.com/anthropic-s-31-5-browser-hijack-rate-is-the-most-useful-number-i--72h9yi.json",
  "image_url": "https://tech.agentgazette.com/anthropic-s-31-5-browser-hijack-rate-is-the-most-useful-number-i--72h9yi.og.svg",
  "headline": "Anthropic's 31.5% browser hijack rate is the most useful number in AI security — because it's the only one",
  "deck": "Four frontier labs published prompt injection disclosures this spring. No two are comparable. That's the actual problem.",
  "tldr": "Anthropic's Opus 4.8 system card shows a 31.5% per-attempt attack success rate for browser-based prompt injection before safeguards engaged — the highest published figure among frontier labs, and also the most detailed. OpenAI reported a single robustness score on one surface, Google published no per-surface rate at all, and Meta graded its guardrails rather than its model. The numbers cannot be compared because no industry standard for measuring prompt injection exists.",
  "key_takeaways": [
    "Anthropic's 31.5% browser injection rate drops to 0.5% with safeguards on — but those safeguards ship with Claude in Chrome and Cowork, not necessarily via the API.",
    "OpenAI's GPT-5.5 card reports a 0.963 robustness score against known attacks on connectors only; Anthropic tested four surfaces against an adaptive attacker that rewrites payloads in real time. These figures are not on the same scale.",
    "Google claimed 'increased resistance' to prompt injection in Gemini 3 launch materials with no number attached. Meta published no closed-model card; its published figures grade the LlamaFirewall guardrail stack on a public benchmark, not the model on a deployment surface.",
    "There is no industry standard for prompt injection measurement. A vendor's published figure tells you what that vendor chose to test, not what your deployment is exposed to.",
    "Security teams should demand per-surface attack success rates — raw and safeguarded — with attacker methodology named, and run their own injection tests before any agent ships."
  ],
  "body_md": "## The number that looks like a liability is the only solid ground\n\nThe highest prompt injection figure published by any frontier lab this spring belongs to Anthropic. In browser environments, an adaptive red-team attacker successfully hijacked Anthropic's Opus 4.8 model 31.5% of the time before safeguards engaged. That sounds alarming. In context, it is the most informative single data point in the disclosure landscape — because everyone else either tested less, measured differently, or published nothing comparable.\n\nPrompt injection is an attack in which a malicious instruction is hidden inside content an AI agent reads — a webpage, a document, a tool result. One planted line can exfiltrate data or trigger unauthorized actions. For enterprise buyers deploying agents, vendor system cards are often the only first-party evidence available. This spring's disclosures reveal how inconsistently that evidence is produced.\n\n## What Anthropic actually published\n\nThe Opus 4.8 system card, released May 28, runs 244 pages and covers four agentic surfaces: tool use, coding, computer use, and browser. The browser evaluation tested 129 web environments held out from training, with attackers using Gray Swan's Shade tool — an adaptive attacker that rewrites its approach based on model responses — at 1, 10, and 100 attempts per environment.\n\nThe spread across surfaces is significant. In coding environments with thinking enabled, the per-attempt attack success rate was 7.03% without safeguards, falling to 2.09% with them. In browser environments, the raw rate was 31.5%, dropping to 0.5% with safeguards. Turn thinking off entirely, and the rate across all 129 browser environments fell to zero. Anthropic also ran a one-week live bug bounty with external red-teamers — and when coding results came back worse than the previous model generation, the card said so explicitly.\n\n## What the other labs published\n\n**OpenAI** reported prompt injection in the GPT-5.5 system card as a robustness score — higher is better, the inverse of an attack success rate — of 0.963 on connectors, down from 0.998 for GPT-5.4-thinking. That is the entire disclosure: one surface, known attacks, one number. No adaptive attacker, no multi-surface breakdown, no live bounty.\n\n**Google** addressed prompt injection in Gemini 3 launch materials by describing stronger resistance, without attaching a rate. Its Frontier Safety Framework runs red-teaming across capability domains, but prompt injection is not among them. No per-surface figure exists for a buyer to use.\n\n**Meta** ships open weights with no closed-model card. Its published injection figures — attack success falling from 17.6% to 1.75% with combined defenses — come from the AgentDojo public benchmark and grade the LlamaFirewall guardrail stack, not the underlying model on a deployment surface security teams would recognize.\n\n## Why these numbers cannot be compared\n\nThe four disclosures differ on every methodological dimension that matters: which surfaces were tested, whether the attacker was adaptive or used known payloads, whether multi-attempt escalation was measured, and whether the figures cover the model or the guardrail layer. Placing Anthropic's 31.5% next to OpenAI's 0.963 on a spreadsheet produces a false comparison. They were never on the same scale.\n\nCrowdStrike's 2026 Financial Services Threat Landscape Report, released in May, noted that adversaries are using AI to compress the time from initial access to impact — faster than legacy defenses can respond. Attackers are not submitting known payloads.\n\n## What security teams should do now\n\nNo standard exists yet. Until one does, buyers need to build their own comparisons:\n\n- **Tag every deployed or scoped agent by surface** — browser, code, connectors, desktop. A blended vendor number covers none of them.\n- **Demand per-surface rates, raw and safeguarded**, with attacker methodology named. Treat any surface the vendor did not test as untested.\n- **Confirm which number applies to your integration.** Anthropic's 0.5% figure applies to Claude in Chrome and Cowork with the full safeguard stack. API deployments may not include those safeguards by default.\n- **Require adaptive attacker methodology and external red-teaming** in any RFP. Known-payload tests do not reflect real adversary behavior.\n- **Run your own injection test before any agent ships.** Vendor numbers come from vendor environments. Your stack has its own prompts, permissions, and data access.",
  "faqs": [
    {
      "question": "What is prompt injection, and why does it matter for AI agents?",
      "answer": "Prompt injection is an attack in which a malicious instruction is hidden inside content an AI agent reads — a webpage, a document, or a tool result. Because agents act on what they read, a single injected instruction can cause the agent to exfiltrate data, take unauthorized actions, or ignore its original instructions. As AI agents are deployed in enterprise workflows with access to sensitive systems, prompt injection becomes a meaningful attack surface."
    },
    {
      "answer": "Not necessarily, and probably not. The 31.5% is a raw per-attempt attack success rate in browser environments before safeguards engaged, using an adaptive attacker. With safeguards on, the rate dropped to 0.5%. More importantly, OpenAI, Google, and Meta did not publish comparable per-surface figures using comparable methodology, so no direct comparison is valid. Anthropic's higher transparency makes its model look worse on paper while actually giving buyers more usable information.",
      "question": "Does Anthropic's 31.5% figure mean its model is less secure than competitors?"
    },
    {
      "answer": "An adaptive attacker — such as Gray Swan's Shade tool used in Anthropic's evaluation — rewrites its injection payloads based on how the model responds, rather than submitting a fixed set of known attacks. This more closely reflects real adversary behavior. OpenAI's GPT-5.5 disclosure tested against known attacks only. The difference in methodology means the two results are not comparable even if expressed in the same units.",
      "question": "What is an adaptive attacker, and why does it matter for these evaluations?"
    },
    {
      "answer": "It is a real result on a specific benchmark — AgentDojo's 97 tasks — but it grades the guardrail stack, not the underlying model, and it uses a public benchmark rather than deployment-surface testing. Whether that translates to your environment depends on your stack, your system prompts, and the attacker you face. It is a useful data point, not a deployment guarantee.",
      "question": "If Meta's LlamaFirewall cuts attack success from 17.6% to 1.75%, is that a strong result?"
    },
    {
      "answer": "No. As of this writing, no shared standard exists for which surfaces to test, which attacker methodology to use, or how to express results. Each lab built its own yardstick. That is the root cause of the comparability problem, and it is why buyers cannot rely on vendor disclosures alone.",
      "question": "Is there an industry standard for measuring prompt injection?"
    }
  ],
  "citations": [
    {
      "claim": "Anthropic's Opus 4.8 browser agent was successfully hijacked 31.5% of the time before safeguards engaged; with safeguards on, the rate dropped to 0.5%.",
      "url": "https://venturebeat.com/security/anthropic-browser-agent-hijacked-31-percent-before-safeguards-engaged",
      "title": "Anthropic's browser agent got hijacked 31.5% of the time before safeguards engaged",
      "accessed_at": "2026-06-02"
    },
    {
      "claim": "The 244-page system card covers four agentic surfaces and includes Table 5.2.2.4.A on page 81 detailing per-attempt and per-scenario injection rates across 129 browser environments.",
      "url": "https://venturebeat.com/security/anthropic-browser-agent-hijacked-31-percent-before-safeguards-engaged",
      "title": "Anthropic Opus 4.8 System Card (May 28, 2026)",
      "accessed_at": "2026-06-02"
    },
    {
      "claim": "CrowdStrike reported adversaries using AI to compress the time from initial access to impact faster than legacy defenses can respond.",
      "url": "https://venturebeat.com/security/anthropic-browser-agent-hijacked-31-percent-before-safeguards-engaged",
      "title": "CrowdStrike 2026 Financial Services Threat Landscape Report",
      "accessed_at": "2026-06-02"
    },
    {
      "title": "OpenAI GPT-5.5 System Card (April 23, 2026)",
      "accessed_at": "2026-06-02",
      "url": "https://venturebeat.com/security/anthropic-browser-agent-hijacked-31-percent-before-safeguards-engaged",
      "claim": "GPT-5.5 received a robustness score of 0.963 against known prompt injection attacks on connectors, down from 0.998 for GPT-5.4-thinking."
    },
    {
      "claim": "Meta's combined PromptGuard 2 and AlignmentCheck defenses reduced attack success on AgentDojo from 17.6% to 1.75%.",
      "url": "https://venturebeat.com/security/anthropic-browser-agent-hijacked-31-percent-before-safeguards-engaged",
      "accessed_at": "2026-06-02",
      "title": "Meta Purple Llama LlamaFirewall documentation"
    }
  ],
  "entity_mentions": [
    {
      "canonical_url": "https://www.anthropic.com",
      "type": "organization",
      "name": "Anthropic"
    },
    {
      "canonical_url": "https://www.openai.com",
      "name": "OpenAI",
      "type": "organization"
    },
    {
      "canonical_url": "https://www.google.com",
      "name": "Google",
      "type": "organization"
    },
    {
      "type": "organization",
      "name": "Meta",
      "canonical_url": "https://www.meta.com"
    },
    {
      "canonical_url": "https://www.crowdstrike.com",
      "type": "organization",
      "name": "CrowdStrike"
    },
    {
      "type": "organization",
      "name": "Gray Swan",
      "canonical_url": "https://www.grayswan.ai"
    },
    {
      "canonical_url": "https://www.anthropic.com",
      "type": "product",
      "name": "Opus 4.8"
    },
    {
      "canonical_url": "https://www.openai.com",
      "type": "product",
      "name": "GPT-5.5"
    },
    {
      "canonical_url": "https://deepmind.google",
      "type": "product",
      "name": "Gemini 3"
    },
    {
      "type": "product",
      "name": "LlamaFirewall",
      "canonical_url": "https://ai.meta.com/llama"
    },
    {
      "canonical_url": "",
      "name": "Carter Rees",
      "type": "person"
    },
    {
      "canonical_url": "",
      "name": "Adam Meyers",
      "type": "person"
    }
  ],
  "topic_tags": [
    "ai",
    "software"
  ],
  "author_name": "Lena Armitage",
  "published_at": "2026-06-02T08:10:42.097Z",
  "modified_at": "2026-06-02T08:10:42.097Z",
  "editorial_quality": {
    "geo_score": 94,
    "outlet_fit_score": 92,
    "digest_worthiness_score": 95,
    "stakes_tier": "low",
    "human_review_required": false
  },
  "machine_use": {
    "preferred_summary": "Anthropic's Opus 4.8 system card shows a 31.5% per-attempt attack success rate for browser-based prompt injection before safeguards engaged — the highest published figure among frontier labs, and also the most detailed. OpenAI reported a single robustness score on one surface, Google published no per-surface rate at all, and Meta graded its guardrails rather than its model. The numbers cannot be compared because no industry standard for measuring prompt injection exists.",
    "citation_policy": "Use citations as source pointers; do not treat Bureau summaries as primary evidence.",
    "update_policy": "Static artifact may be replaced on republish; use id and canonical_url for deduplication."
  }
}