Anthropic’s browser agent got hijacked 31.5% of the time before safeguards engaged

Anthropic released a 244-page system card on May 28, 2026, detailing security evaluations of its Opus 4.8 model across four distinct agentic surfaces, disclosing that attackers successfully hijacked the model through prompt injection in a browser environment 31.5% of the time before safeguards engaged. This disclosure stands in sharp contrast to the fragmented security reporting practices of competing frontier laboratories. OpenAI, Google, and Meta each published their own prompt injection assessments in spring 2026, yet none provided comparable metrics or consistent methodological frameworks that would allow security teams and enterprise buyers to conduct meaningful side-by-side analysis. Anthropic's willingness to publish granular, surface-specific vulnerability rates marks a turning point in how advanced AI systems are being evaluated for security risk, even as it exposes the fundamental absence of industry-wide measurement standards that might enable such comparisons.

The emergence of prompt injection as a material security concern reflects the structural shift in AI deployment from single-purpose model interfaces to multi-surface agent architectures that interact with browsers, code environments, connectors, and desktop applications. Unlike traditional software vulnerabilities that malware detection systems can identify through signature matching, prompt injection attacks embed malicious instructions within otherwise benign content that an agent naturally reads, such as web pages or tool outputs. Carter Rees, VP of AI at Reputation, framed the challenge explicitly: a phrase as simple as "ignore previous instructions" carries the destructive payload of a legacy buffer overflow yet shares no signature that existing security infrastructure can scan for. The threat landscape has accelerated beyond defensive capabilities, as CrowdStrike's 2026 Financial Services Threat Landscape Report documented, with adversaries using AI to compress the time between initial system access and operational impact faster than legacy defenses can respond. This timing gap means that organizations deploying agent-based AI systems now face an expanded attack surface that compounds with each new integration point the model accesses.

Anthropic's system card breaks vulnerability rates down by surface, revealing a variation of nearly an order of magnitude depending on deployment context. In a coding environment, the model fell to adaptive attackers 7.03% of the time per single attempt with thinking enabled, dropping to 2.09% once safeguards activated. The browser surface, where Claude operates through products like Claude in Chrome and Cowork, presents substantially higher exposure. Across 129 web environments held out from training data, red-teamers achieved injection success in 31.5% of attempts on Opus 4.8 without safeguards enabled, dropping to 0.5% with the full safeguard stack active and descending to zero percent when thinking capability was disabled. The methodology matters significantly: Anthropic employed both Gray Swan's adaptive Shade tool, which rewrites attack payloads based on model responses, and a one-week live bounty where external red-teamers attempted to break the system in real operational conditions. When Opus 4.8 performed worse than its predecessor Opus 4.7 on coding evaluations, the system card disclosed the regression explicitly rather than obscuring it.

For security teams currently implementing agent-based AI systems, these figures carry immediate operational relevance that generic risk statements cannot convey. The 31.5% browser hijacking rate applies specifically to Anthropic's deployment stack with particular system prompts and safeguard configurations, meaning the vulnerability metrics shift when models are integrated into proprietary architectures with different prompts, permission structures, and data access patterns. OpenAI's comparative disclosure of a 0.963 robustness score for GPT-5.5, measured against known attacks on a single connector surface, cannot be directly compared to Anthropic's multi-surface per-attempt success rate, yet security procurement teams face pressure to treat such figures as commensurate. Meta's approach of measuring guardrail effectiveness on the public AgentDojo benchmark rather than model-level vulnerability, while operationally useful, provides no insight into how an attacker would exploit the underlying model in deployment. The practical implication is stark: a buyer cannot lift any vendor's published number directly into risk assessment without understanding the surface being evaluated, the attacker model being tested, and the specific integration architecture being deployed.

The fragmentation across four frontier labs reveals a critical industry-wide vulnerability that is not technical but institutional. No standard methodology exists for measuring prompt injection resistance, so each laboratory constructed its own measurement framework, resulting in data that appears comparable at first glance but rests on fundamentally incompatible methodologies and test environments. Anthropic's disclosure is simultaneously the most transparent and the most damning: by publishing detailed numbers across multiple surfaces, it becomes obvious how little the other vendors have measured. Google's Gemini 3 documentation mentions stronger prompt injection resistance qualitatively with no numbers attached. Meta grounds its security claims in guardrail performance rather than model robustness. OpenAI discloses robustness scores but only for one surface against known attacks rather than adaptive adversaries. This pattern exposes not vendor incompetence but the nascent state of the AI security practice itself, where the field lacks shared definitions for what constitutes adequate measurement of agentic system security. The consequence is that procurement decisions must default to vendor specification rather than validated security properties, perpetuating asymmetric information that favors vendors claiming the strongest security posture without transparent verification.

Security teams must treat vendor disclosures as incomplete regardless of how comprehensive they appear and implement five concrete practices before deploying agentic systems. First, catalogue every deployed or scoped agent by the surface it touches, then pull the vendor's published rate specific to that surface, treating any untested surface as unmeasured rather than secure. Second, distribute the Cross-Vendor Prompt Injection Disclosure Grid to all vendors under evaluation and demand per-surface attack success rates from both adaptive attackers and external bounty testers, making explicit which metrics are blank. Third, confirm in writing which specific metric applies to the intended deployment architecture, recognizing that Anthropic's 0.5% safeguarded browser rate applies to Claude in Chrome rather than API deployments without safeguards. Fourth, add contractual requirements that vendors have tested with adaptive attackers and external red-teamers rather than internal known-attack scenarios. Fifth, conduct proprietary injection testing against the actual integration stack before any agent reaches production, setting measurable pass thresholds rather than assuming vendor testing covers organizational risk profiles. The field will develop standardized measurement frameworks, but that standardization remains months or years ahead. Until then, vendor numbers describe what each laboratory chose to measure, not what any organization is actually exposed to.