HeadsUpAI

Perplexity Secures Computer Agent With Hardware Isolated Sandboxes and Proxy Tokens

Perplexity detailed the security architecture for Perplexity Computer, an autonomous agent that writes code and browses the web. Every session runs inside a Firecracker microVM (a lightweight virtual machine for hardware-level isolation) to protect user data. This follows the launch of Perplexity's Mac-based Personal Computer.
Isolation
Firecracker microVMs
Authentication
Short-lived proxy tokens
File retention
7 days
SIEM integrations
Splunk, Azure Sentinel, Datadog
Compliance
SOC 2 Type II (2026)

As agents move toward autonomous computer use, security risks like prompt injection (malicious instructions hidden in web content) become critical. Perplexity addresses this by running parallel ML classifiers and its BrowseSafe detection model to scan external data. This mirrors industry moves toward Cloudflare's secure agent sandboxing to protect enterprise environments.

Organizations can manage these agents through centralized controls, including audit logs that integrate with Splunk or Datadog. Admins can toggle connectors for services like Slack or Salesforce and set credit caps. These features are available for Perplexity Enterprise users and inherit the platform's SOC 2 Type II foundation.

View the full update on perplexity.ai
Perplexity
Perplexity
@perplexity_ai
X

Computer is secure by default. Every task runs in its own hardware-isolated sandbox with VPC-level storage and compute separation. Agents are authenticated with short-lived proxy tokens instead of raw API keys. https://t.co/ohIjY3dboB

50retweets562likes
View on X

Still wondering? A few quick answers below.

Perplexity Computer is an autonomous AI agent capable of writing and executing code, browsing the web, and connecting to external services to complete multi-step tasks. It operates on Perplexity's infrastructure and is designed to act on a user's behalf by orchestrating various tools and integrations to solve complex queries or automate digital workflows.

Every task runs in a hardware-isolated sandbox using Firecracker microVMs, which are lightweight virtual machines that provide a dedicated Linux kernel for each session. This architecture ensures that code execution is separated from the host system and other users. Once a task is finished or becomes idle, the entire sandbox environment is destroyed to prevent data persistence.

Perplexity uses a multi-layer defense system that includes ML classifiers and a specialized model called BrowseSafe to scan external web content before the agent acts on it. These classifiers run in parallel with the agent's reasoning process. If suspicious or malicious instructions are detected in the retrieved content, the system triggers a safe stop to prevent a hijack.

For enterprise users, data such as task inputs, outputs, and sandbox contents are not used for model training. Files uploaded through connectors are automatically deleted after seven days. Additionally, the system separates data storage from the code execution environment across different cloud networks to ensure that stored user information remains isolated from the active execution sandbox.

Administrative controls are available for organizations on the Perplexity Enterprise plan. Admins can enable or disable specific third-party connectors like Slack, GitHub, and Salesforce, set per-seat credit limits, and monitor activity through audit logs. These logs can be integrated with external security information and event management platforms such as Splunk, Azure Sentinel, and Datadog for centralized monitoring.

Share this update