Agentic browser detection — detect and assess ChatGPT Atlas, Perplexity Comet, Dia, and browser-based agents

[JBAhire]

Summary

Extend g0 detect and g0 endpoint to discover and assess agentic browsers — a new category of AI agents that browse the web autonomously on behalf of users.

Motivation

A new class of AI agents operates as autonomous browsers:

• ChatGPT Atlas (OpenAI) — autonomous web browsing agent
• Perplexity Comet — autonomous research browser
• Dia — AI-native web browser
• Google Mariner — Chrome-based browsing agent
• Anthropic Computer Use — desktop/browser agent

These agents can:

• Access any website the user can access (SSO sessions, internal tools)
• Read and exfiltrate data from authenticated sessions
• Execute actions on web applications (form submissions, purchases)
• Bypass traditional browser security controls

g0 detect currently covers 19 AI developer tools but not agentic browsers.

Proposed Implementation

1. Browser Agent Detection

Add detectors for agentic browsers in src/discovery/detectors/:

• ChatGPT Atlas — detect installation, running processes, configuration
• Perplexity Comet — detect app/extension, running processes
• Dia — detect installation and configuration
• Google Mariner — detect Chrome extension and usage
• Generic pattern: detect AI browser extensions with agent capabilities

2. Configuration Assessment

For each detected browser agent:

• What permissions has the user granted?
• Which websites/domains can the agent access?
• Is there session isolation between agent and user browsing?
• Are there data exfiltration controls?
• Is browsing history logged and auditable?

3. Risk Assessment Rules

New rules for agentic browser risks:

• Browser agent with access to internal/corporate domains
• No domain allowlist configured
• Session tokens shared between agent and user browser
• No audit logging of agent browsing activity
• Browser agent with form submission / purchase capabilities enabled

4. Endpoint Integration

• Include agentic browsers in g0 detect output
• Include in g0 endpoint security assessment
• Show browser agent risk in endpoint score

Files to Create/Modify

• src/discovery/detectors/browser-agents.ts — browser agent detection
• src/rules/builtin/data-leakage/browser-agent-*.yaml — browser agent rules
• Update src/endpoint/ assessment to include browser agents
• Update src/cli/commands/detect.ts output

Acceptance Criteria

• Detect 5+ agentic browsers (Atlas, Comet, Dia, Mariner, Computer Use)
• Configuration assessment for each detected browser
• 5+ security rules for browser agent risks
• Browser agents in g0 detect and g0 endpoint output
• Cross-platform detection (macOS + Linux + Windows)

[m13v]

interesting seeing this from the detection side. we build desktop automation agents and can share what's detectable vs what's not. for Anthropic Computer Use specifically, the main signal is the AXUIElement inspection patterns - it walks the accessibility tree in a distinctive traversal order (depth-first, querying role+title+value on every element) which is easy to fingerprint from the receiving app's perspective. the macOS audit log also captures these AX queries per-PID. for Playwright-based agents, the browser UserAgent string and navigator.webdriver flag are the obvious tells, but most agent frameworks override those now. the harder-to-spoof signal is mouse movement interpolation - real humans have jitter and acceleration curves, agents post pixel-perfect coordinates with uniform timing.

[JBAhire]

Interesting @m13v ! Appreciate you sharing the thoughts. Would you mind enhancing the detections or picking up this issue in that case?

[m13v]

Yeah, happy to take a crack at this! The AXUIElement fingerprinting approach could work well here - each of those agentic browsers (Atlas, Comet, Dia) will have distinct accessibility tree patterns compared to regular Chrome/Firefox. Things like missing UI chrome elements, synthetic event timing, and process metadata differences.

I'll look at putting together a PR that adds detection heuristics for the ones listed. Might start with Playwright/browser-base since those are easiest to fingerprint (headless flags, missing window decorations), then work up to the more sophisticated ones.