Brave has started testing a new feature that allows its built-in assistant, Leo, to carry out browsing activities on behalf of the user. The capability is still experimental and is available only in the Nightly edition of the browser, which serves as Brave’s testing environment for early features. Users must turn on the option manually through Brave’s internal settings page before they can try it.
The feature introduces what Brave calls agentic AI browsing. In simple terms, it allows Leo to move through websites, gather information, and complete multi-step tasks without constant user input. Brave says the tool is meant to simplify activities such as researching information across many sites, comparing products online, locating discount codes, and creating summaries of current news. The company describes this trial as its initial effort to merge active AI support with everyday browsing.
Brave has stated openly that this technology comes with serious security concerns. Agentic systems can be manipulated by malicious websites through a method known as prompt injection, which attempts to make the AI behave in unsafe or unintended ways. The company warns that users should not rely on this mode for important decisions or any activity involving sensitive information, especially while it remains in early testing.
To limit these risks, Brave has placed the agent in its own isolated browser profile. This means the AI does not share cookies, saved logins, or browsing data from the user’s main profile. The agent is also blocked from areas that could create additional vulnerabilities. It cannot open the browser’s settings page, visit sites that do not use HTTPS, interact with the Chrome Web Store, or load pages that Brave’s safety system identifies as dangerous. Whenever the agent attempts a task that might expose the user to risk, the browser will display a warning and request the user’s confirmation.
Brave has added further oversight through what it calls an alignment checker. This is a separate monitoring system that evaluates whether the AI’s actions match what the user intended. Since the checker operates independently, it is less exposed to manipulation that may affect the main agent. Brave also plans to use policy-based restrictions and models trained to resist prompt-injection attempts to strengthen the system’s defenses. According to the company, these protections are designed so that the introduction of AI does not undermine Brave’s existing privacy promises, including its no-logs policy and its blocking of ads and trackers.
Users interested in testing the feature can enable it by installing Brave Nightly and turning on the “Brave’s AI browsing” option from the experimental flags page. Once activated, a new button appears inside Leo’s chat interface that allows users to launch the agentic mode. Brave has asked testers to share feedback and has temporarily increased payments on its HackerOne bug bounty program for security issues connected to AI browsing.
