How We Built Security Into Computer

Written by Perplexity Team

Perplexity Computer is an autonomous agent that writes and runs code, browses the web, and connects to external services to complete tasks on your behalf.

It's built directly on Perplexity's existing infrastructure, which has completed its 2026 SOC 2 Type II attestation, and inherits Perplexity’s enterprise security features such as SAML SSO, audit logs, and granular administrative controls. 

Executing code and acting on live services introduces new requirements. This post covers what we built on top of that foundation to keep users safe: sandbox isolation, connectors and data handling, prompt injection defense, and enterprise governance.

Sandbox isolation

Running code safely requires hardware-level isolation. Every Computer task runs inside a Firecracker microVM sandbox, enforcing least privilege at a level that goes beyond default operating system security. Each microVM boots its own dedicated Linux kernel with a minimal device model that reduces the attack surface.

Each sandbox is isolated across three dimensions:

  • Dedicated kernel: Every session gets its own Linux kernel instance. 

  • Isolated filesystem: Each VM uses an isolated filesystem that resets when the session ends.

  • Private network namespace: Sandboxes have their own isolated network with dedicated firewall rules.

Sandboxes auto-pause when idle and are destroyed after a period of inactivity. Each new session starts clean. Only the credentials needed for the current task are injected, and they are destroyed with the sandbox. Sub-agents use short-lived proxy tokens routed through an authenticated gateway rather than raw API keys.
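To make the proxy-token pattern above concrete, here is an added illustration, not Perplexity's code: a hypothetical gateway mints short-lived HMAC-signed tokens bound to one sandbox id, one service and a scope list, keeps the real upstream key to itself, and rejects any token whose sandbox has since been destroyed. All names, claim fields and the constructed key values are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed values for this example: a real gateway would load these from a
# secret store. The upstream key never leaves the gateway process.
GATEWAY_KEY = secrets.token_bytes(32)
UPSTREAM_API_KEYS = {"example-api": "sk-upstream-PLACEHOLDER"}
DESTROYED_SANDBOXES: set = set()


def _sign(body: str) -> str:
    mac = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_proxy_token(sandbox_id: str, service: str, scopes: list, ttl_s: int = 300) -> str:
    """Mint a short-lived token bound to one sandbox, one service and a scope list."""
    claims = {"sb": sandbox_id, "svc": service, "scp": scopes,
              "exp": int(time.time()) + ttl_s, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"


def destroy_sandbox(sandbox_id: str) -> None:
    """Tearing the sandbox down invalidates every token that was bound to it."""
    DESTROYED_SANDBOXES.add(sandbox_id)


def gateway_forward(token: str, sandbox_id: str, service: str, scope: str,
                    now: Optional[float] = None) -> dict:
    """Check binding, scope, expiry and revocation; attach the real key only on success."""
    now = time.time() if now is None else now
    if "." not in token:
        return {"ok": False, "reason": "malformed"}
    body, sig = token.split(".", 1)
    if not hmac.compare_digest(sig, _sign(body)):
        return {"ok": False, "reason": "bad-signature"}
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["sb"] != sandbox_id or claims["sb"] in DESTROYED_SANDBOXES:
        return {"ok": False, "reason": "sandbox-mismatch-or-destroyed"}
    if claims["svc"] != service or scope not in claims["scp"]:
        return {"ok": False, "reason": "out-of-scope"}
    if now >= claims["exp"]:
        return {"ok": False, "reason": "expired"}
    # The sandbox only ever saw the proxy token; the upstream key is added here.
    return {"ok": True, "upstream_auth": "Bearer " + UPSTREAM_API_KEYS[service],
            "jti": claims["jti"]}
```

The sandbox-side caller only ever holds the proxy token, so a leaked token is scoped, expiring and revocable, whereas a leaked raw API key would not be.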

We also separate data storage from code execution across cloud VPCs. This separation helps isolate stored user data from the execution environment. All communication between the two happens over encrypted HTTPS.

Connectors and data handling

Computer can connect to external services while keeping access scoped and data handling controlled. Admins can enable or disable connectors for the organization, and individual users then authenticate the services they want to use inside Computer.

The connection path depends on the connector. Built-in integrations such as Google and Microsoft use provider authentication flows, while custom remote connectors support OAuth 2.0 or enterprise-managed API key authentication. All connector types are designed to transmit only the minimum data required to complete the task.

Data handling follows the same control model. Remote custom connectors must use HTTPS, and file connector data is encrypted in transit and at rest. Enterprise data, such as task inputs, outputs, connector data, and sandbox contents, is not used for model training. Enterprise file attachments are deleted after 7 days.

Prompt injection defense

An agent that browses the web and reads external content is exposed to prompt injection attacks. Computer inherits and extends the defenses we originally built for Comet, including our four-layer defense architecture and BrowseSafe, our open-source detection model for browser agent security. These defenses were audited by Trail of Bits.

ML classifiers scan content retrieved from external sources before Computer acts on it. The detection system runs in parallel with the agent’s reasoning pipeline and triggers a safe stop when suspicious content is detected. Classifiers are continuously updated based on findings from our bug bounty program, red team exercises, and real-world detection events.

Beyond classification, each tool's system prompt includes explicit guardrails. External content is demarcated as untrusted, and the system continuously references the original user query when selecting and executing tools.

Computer applies additional safeguards when processing untrusted content, including stricter prompt handling and model-level protections. If you’d like to read more about this, we’ve linked the relevant research and security evaluations above.

Enterprise controls

For organizations on Perplexity Enterprise, admins get additional governance over how Computer operates:

Audit logs: Admins can log key events such as user queries, agentic actions, file access, and connector usage. Logs integrate with leading SIEMs including Splunk, Azure Sentinel, and Datadog so security teams can monitor Computer activity alongside existing infrastructure telemetry.

Access controls: Admins can disable Computer entirely or enable it for specific members only. Third-party connectors, including Gmail, Outlook, Slack, GitHub, Notion, Snowflake, Databricks, and Salesforce, can each be enabled or disabled at the organization level. Admins can also restrict which models Computer is allowed to use.

Billing controls: Admins can set per-seat credit caps, override allocations for individual users, configure auto-reload thresholds and monthly limits, or choose not to add credits beyond the included seat allocation.

For full details, visit our Trust Center or see the Computer for Enterprise documentation.
