Menlo Security today announced the first browser security platform purpose-built for the agentic enterprise — where autonomous AI agents outnumber human employees and the browser has become the operating system for both.
“The next billion web users won’t be human,” said CEO Bill Robbins. “This isn’t a future prediction; it’s the current reality for the modern enterprise.”
The Problem: Agents Browse Unsupervised
Enterprise AI agents increasingly use headless browsers or web protocols directly, operating entirely outside traditional security tools. They process invoices, navigate internal apps, and access data — all at machine speed, with no human skepticism.
The attack surface is already being exploited. Menlo highlights a specific vector: steganographic prompt injection via documents. An AI agent processing an invoice could ingest hidden white-on-white text commanding it to redirect payment to a malicious account. The human supervisor sees a standard invoice. The agent follows the hidden instruction.
“A single compromised AI agent can move laterally across enterprise systems, exfiltrate data, or execute fraudulent transactions at machine speed, with no human in the loop,” Robbins warned.
What the Platform Does
Menlo’s approach treats humans and AI agents as equal participants in the enterprise workforce, applying the same governance to both through a unified control plane:
- Guardian Runtime — Enforces instruction-data separation so agents never mistake malicious data for legitimate commands. Fundamentally neutralizes goal hijacking and lateral movement.
- Universal Connectivity — Translates complex, API-deficient applications so agents can safely replicate human workflows. Targets the vast amount of enterprise data trapped behind infrastructure that lacks APIs.
- Deterministic Visibility — Operates at the browser DOM and file component level for full forensic intelligence and real-time session-flow views. Legacy stacks are blind to this context.
- Least-Privileged Agent Governance — Granular controls prevent agents from moving laterally or extracting unauthorized data.
Architectural Immunity
The core concept is what Menlo calls “Architectural Immunity” — moving the security control point directly into the browser session. A cloud runtime performs multimodal visual analysis before content reaches an AI reasoning workflow or human endpoint. Evasive threats can’t execute because the attack surface is neutralized at the point of entry.
“For the first time, security teams have a single control plane that applies the same security and governance policies to an AI agent processing invoices as to the human CFO approving them,” said CPO Ramin Farassat.
Market Context
The launch follows Menlo surpassing $140M in ARR with net retention exceeding 120%. A recent Google partnership delivers zero-trust remote access via the browser for both humans and agents.
Menlo is trusted by over 1,000 global enterprises, including eight of the ten largest financial institutions, protecting 8 million users and millions of simultaneous AI agent sessions.
Where This Fits
Menlo’s approach is distinct from the wave of agent security startups we’ve covered recently (Kai’s $125M raise, Singulr Agent Pulse, Mimecast adaptive security). Where those focus on wrapping agents in external governance, Menlo embeds security directly into the browser session — the actual execution environment.
As healthcare executive Michael D’Arezzo of Wellstar Health System put it: “Menlo is building governance directly into the agents, securing them from inception. Other solutions are trying to chase down agents and build a security perimeter around them — which is a losing battle.”
The platform will be showcased at RSAC 2026.