There is a piece of software that climbed into the top three on the iOS App Store this spring and can open your Gmail, read every thread, draft replies, compare prices across five retailer tabs, and add the winner to your cart while you watch. It is free. It crossed 10 million users earlier this year. And the week I am writing this, the company behind it raised another $200 million at a valuation near $20 billion.

The tool is Comet, Perplexity’s AI browser. If you spend any time in operator circles right now, you have heard some version of the pitch: the browser is becoming the place where an AI agent starts a task and finishes it for you, and whoever owns that surface owns the next decade. Maybe. What I want to give you today is the version of this I would give a client over coffee, because the hype and the reality are both real and they point in different directions.

For the last three years I have used AI every single day, and I have watched the same pattern repeat. A capability shows up, the demos look like magic, and then the gap between the demo and a safe daily workflow turns out to be the whole game. Comet is the cleanest example of that gap I have seen in a while.

Start with what it actually does well, because that part is not marketing.

What Comet is good at today

The honest wins are research and synthesis. You point it at a topic, it opens the relevant sources, pulls the key information, and assembles a structured summary inside the browser with citations you can click back to. A developer named Naresh B A wrote up an honest week with Comet and described asking it to find the best video tutorial on a topic: it compared several options, analyzed them, and opened the best one without him touching a tab (medium.com). For competitive research, pulling notes out of a long thread, or turning six open tabs into one brief, this is a real time save.

It is also a capable shopper and reader. Summarize this page, or find a product under a set budget across a few retailer sites. These lower-stakes, mostly-public-web tasks are where the tool earns its place in a workday.

Now the part the demos skip.

Where it gets slow and rough

Naresh’s review is useful precisely because he is not selling anything. When he asked Comet to draft and send an email, it took nearly five minutes, because the agent methodically analyzed the page, captured screenshots, and navigated the HTML step by step. His verdict on the rough edges: “more genius toddler than polished pro” (medium.com). That matches what I see. The agent will occasionally misread a button, open an extra tab, or stall on a complicated page. For a one-off task that is a curiosity. For a workflow you run thirty times a day, five minutes plus an occasional misfire is the line between a tool and a toy.

What I tell the operators I work with is that “it can do it in a demo” and “I can trust it to do this unattended on my real accounts” are separated by roughly eighteen months of engineering, and most tools in this category are still on the early side of that line.

The part nobody hyping this wants to dwell on

Here is the uncomfortable middle of the story.

The single most useful thing an agentic browser does, acting across every site you are logged into at once, is also the reason security researchers say it cannot be fully secured. For thirty years the web’s core protection has been the same-origin policy: the bank tab cannot read the Gmail tab. An AI agent operating with your logged-in credentials erases that boundary by design, because you handed it the keys.

The attack that exploits this is called indirect prompt injection. Someone hides an instruction inside a web page, a Reddit comment, a calendar invite, or a document, the agent reads it, and the language model cannot reliably tell your command apart from the attacker’s. In August 2025, Brave’s security team hid text inside a Reddit spoiler tag, Comet read it, followed the hidden instructions, and pulled out a user’s email address and a one-time passcode (brave.com). In March 2026, Zenity Labs demonstrated a zero-click version triggered by a malicious calendar invite, plus a path that lifted credentials out of a 1Password vault through the agent’s own authorized workflow (siliconangle.com). Enterprise testing by LayerX found Comet up to 85 percent more vulnerable to phishing and web attacks than Chrome (layerxsecurity.com).

I want to be fair here, because this is not a Perplexity-only failure. OpenAI’s competing browser, Atlas, has the same structural problem, and OpenAI itself wrote in December 2025 that prompt injection is “unlikely to ever be fully ‘solved’” in browser agents. Security researcher Simon Willison calls it the “lethal trifecta”: any agent that can touch private data, read untrusted content, and send information out can be turned into a data-exfiltration tool by a single injected prompt. Every agentic browser, by design, does all three of those things.

There is a legal cloud on top of the technical one. Amazon sued Perplexity in November 2025, arguing that Comet’s agent visiting Amazon’s logged-in pages with your credentials counts as unauthorized access under the Computer Fraud and Abuse Act. The Ninth Circuit heard oral arguments on June 11 and has not ruled yet (techtimes.com). Whichever way that lands, it tells you how unsettled the ground under this whole category still is.

What to do with this

The part that actually matters for an SMB owner is that none of the above is a reason to ignore the tool. It is a reason to use it the way you would onboard a sharp but brand-new assistant: hand them the research, keep them away from the checkbook until they have earned the trust. Here is how I would set it up this week.

First, install it in a walled-off profile. Run Comet as a dedicated browser that does not share saved passwords, payment methods, or active logins with the browser where you do your real email and banking. The damage an injected prompt can do is capped by what the agent can reach, so a profile with nothing sensitive in it is a small target.

Second, give it only research and reading jobs to start. Spend a week pointing it at public-web work: competitive scans, summarizing long reports, comparing vendors, turning a pile of tabs into a one-page brief. Notice where it genuinely saves you time and where it stalls. You will know inside five sessions whether it belongs in your week.

Third, keep your hand on anything irreversible. Every agentic browser has a setting that makes the agent pause before it buys, sends, submits, or changes a password. Leave that on. The cost of one confirmation tap is nothing next to an agent completing a purchase or sending a message you never approved.

If your work is research-heavy, Comet is worth the hour it takes to test. If you want an agent transacting on your real accounts unattended, the honest answer in June 2026 is that the tooling, the security, and the law are all still catching up, and a careful operator stays on the research side of that line for now.

The judgment call I spend most of my time on with the businesses I work with is figuring out where a tool safely fits in how you already operate, separate from how impressive it looks in a demo. If you want help mapping which AI tools earn a place in your stack and which ones are still demos wearing a product page, that is exactly what an AI Clarity Call is for. You can grab one at muddventures.com/book.

And if you just want to compare notes with other operators kicking the tires on this stuff before betting real workflows on it, come hang out in the Abra AI community at whop.com/abra-ai.

The browser that runs your whole business is coming. It is not here in June 2026, and knowing the difference between a useful copilot and an unattended employee is most of the edge.

Andrew

P.S. If a friend forwarded you this, you can get it straight to your inbox at muddventures.substack.com.