Anthropic Two-Layer Browser Agent Prompt Injection Defense: RL + Runtime Classifier
Official Anthropic research describes a two-component system for browser-use agents: an RL-trained model exposed to prompt injections embedded in simulated web content and rewarded for correct refusal, plus a runtime classifier scanning all untrusted content entering the context window for adversarial commands in hidden text, manipulated images, and deceptive UI elements. This reduced attack success rate from 10.8% (Sonnet 4.5 baseline) to 1.4% on Claude Opus 4.5. Developers deploying browser agents can replicate the classifier layer without RL access — run a lightweight classifier over all untrusted web content before injecting it into agent context, treating the classifier as a preprocessing gate.
↳ Follow the thread