Anthropic’s Browser Agent Got Hijacked 31.5% of the Time Before Safeguards Engaged

Prompt injection—embedding malicious instructions in data an AI agent consumes—has emerged as a critical vulnerability for generative models, especially when those models are embedded in browsers or other interactive surfaces. Anthropic’s recent system card for Claude Opus 4.8 is the first to publish a per‑attempt success rate for a browser‑based agent, showing a raw 31.5% hijack rate that collapses to 0.5% once its built‑in safeguards activate. This level of transparency is rare; most frontier labs either disclose a single robustness score or omit quantitative figures altogether, leaving enterprises without a common yardstick to compare risk across vendors.

The disparity in reporting underscores a broader industry challenge: no standardized methodology exists for measuring prompt‑injection resilience. OpenAI’s 0.963 robustness score reflects performance against known connector attacks, while Google’s Gemini 3 and Meta’s Llama stack provide only qualitative claims or benchmark‑specific guardrail results. Without uniform metrics, buyers must interpret each vendor’s numbers in context, considering surface type, attack sophistication, and whether adaptive red‑team testing was employed. Anthropic’s approach—testing four distinct surfaces and conducting a live bounty—offers a more realistic picture of real‑world exposure.

For security teams, the takeaway is clear: rely on vendor disclosures as a starting point, not a definitive risk assessment. Organizations should map every AI‑driven workflow to its interaction surface, demand per‑surface attack‑success rates, and conduct independent red‑team exercises that reflect their own prompt and permission structures. Embedding these practices into RFP clauses and continuous monitoring programs will help mitigate the expanding attack surface as AI agents become ubiquitous across browsers, code editors, and enterprise tools.