
Perplexity announced technical enhancements to Perplexity Computer, its autonomous agent that writes and executes code, browses the web, and connects to external services. The agent is deployed on the company’s existing infrastructure, which completed a 2026 SOC 2 Type II attestation and includes enterprise features such as SAML SSO, audit logs, and granular administrative controls. These changes aim to limit execution risk while preserving integrations for builders and enterprise customers.
Every Computer task now runs inside a Firecracker microVM sandbox that boots a dedicated Linux kernel and relies on a minimal device model to shrink the attack surface. Sandboxes are isolated across three dimensions: they use a dedicated kernel, an isolated filesystem that is reset at session end, and private network namespaces governed by dedicated firewall rules. Sandboxes also auto‑pause when idle and are destroyed after a period of inactivity to limit persistent exposure.
Credential and token handling is tightly scoped to each session: only the credentials required for the current task are injected into a sandbox and are destroyed alongside it. Sub‑agents never receive raw API keys; instead they operate with short‑lived proxy tokens routed through an authenticated gateway. Perplexity additionally separates data storage from code execution across cloud VPCs, and all communication between storage and sandboxes is encrypted over HTTPS.
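The token-scoping model described above, as an added example that is not Perplexity's code: a gateway keeps the real API keys, mints short-lived proxy tokens bound to one sandbox session and only the services its task needs, exchanges them for the real key only inside the gateway, and revokes every token when the session is destroyed. Class and method names, the service names and the key values are all constructed for illustration.

```python
"""Illustrative credential gateway: sub-agents hold short-lived proxy tokens,
never the upstream API key. All names and values are constructed for this example."""
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass

@dataclass
class ProxyToken:
    token: str
    session_id: str
    services: frozenset      # services this task is allowed to call
    expires_at: float

class CredentialGateway:
    """Holds the real keys; sandboxes only ever see proxy tokens."""
    def __init__(self, real_keys: dict[str, str], ttl_seconds: int = 300):
        self._real_keys = real_keys            # e.g. {"github": "REAL-KEY-PLACEHOLDER"}
        self._ttl = ttl_seconds
        self._tokens: dict[str, ProxyToken] = {}

    def issue(self, session_id: str, services: set[str], now: float | None = None) -> str:
        """Mint a proxy token scoped to one session and the services its task needs."""
        unknown = services - self._real_keys.keys()
        if unknown:
            raise ValueError(f"no credential for {sorted(unknown)}")
        now = time.time() if now is None else now
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = ProxyToken(tok, session_id, frozenset(services), now + self._ttl)
        return tok

    def resolve(self, token: str, service: str, now: float | None = None) -> str:
        """Exchange a proxy token for the real key; this only ever happens inside the gateway."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            raise PermissionError("unknown or revoked token")
        if now >= entry.expires_at:
            del self._tokens[token]            # expired tokens are dropped on first use
            raise PermissionError("token expired")
        if service not in entry.services:
            raise PermissionError(f"token not scoped for {service}")
        return self._real_keys[service]

    def destroy_session(self, session_id: str) -> int:
        """Revoke every token tied to a sandbox when it is torn down; returns how many."""
        doomed = [t for t, e in self._tokens.items() if e.session_id == session_id]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)
```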
Connectors are now under administrative control: organization administrators can enable or disable connectors, and users explicitly authenticate the services they want Computer to access. Built‑in integrations such as Google and Microsoft use provider authentication flows, while custom remote connectors support OAuth 2.0 or enterprise‑managed API key authentication. Connectors are designed to transmit only the minimum data necessary and require HTTPS; file connector data is encrypted both in transit and at rest.
Perplexity extended the prompt‑injection defenses it originally developed for Comet into Computer’s stack. The protection comprises a four‑layer defense architecture and the open‑source BrowseSafe detection model, and these defenses were audited by Trail of Bits. Machine‑learning classifiers scan external content retrieved by the agent in parallel with its reasoning pipeline and will trigger a safe stop if suspicious content is detected; the classifiers are continually updated from bug bounty findings, red team exercises, and real‑world detection events.
For enterprise customers, Computer inherits governance primitives and data protections: enterprise data such as task inputs and outputs, connector data, and sandbox contents are not used for model training, and enterprise file attachments are deleted after seven days. Combined, these measures provide hardware‑level isolation, scoped credentialing, audited detection systems, and administrative controls intended to reduce operational and compliance risk for teams running code and integrating services.