Agent runtime security is the practice of inspecting, sanitizing, and governing what autonomous AI agents do at the moment they act: calling tools, opening browser sessions, and moving data across production systems. On June 4, 2026, Menlo Security published a white paper for Menlo Agent Runtime Security (MARS), a cloud runtime that runs agent browser sessions in isolated containers, strips indirect prompt injection from web pages, and bridges legacy web apps that lack APIs. For CISOs and platform engineers, the launch names a control point most stacks still miss: the browser session where agents ingest untrusted HTML and exfiltrate data at machine speed.

Key takeaways

  • MARS executes agent browser work in remote, disposable Menlo Cloud containers and sanitizes DOM and files before the agent sees them. (Source: Menlo Product)
  • Agent runtime security sits at the execution boundary, distinct from model-output guardrails and MCP tool gateways. (Source: AGAT Enterprise Security)
  • 88% of organizations reported confirmed or suspected AI agent security incidents in the last year, per a 2026 survey cited by AGAT Software. (Source: AGAT Enterprise Security)
  • Production stacks need layered controls: no single product covers model safety, tool invocation, and browser ingestion together. (Source: WitnessAI Prompt Injection)

What Menlo shipped with MARS on June 4, 2026

Menlo Security had already announced its Browser Security Platform on March 18, 2026. The June 4 resource page reframes the agent piece under the product name Menlo Agent Runtime Security (MARS) and positions it as infrastructure for autonomous agents that browse the open web and internal portals.

MARS acts as what Menlo calls a Guardian Runtime: a managed cloud layer that instantiates browser sessions on demand, enforces instruction-data separation, and prevents agents from treating poisoned web content as legitimate commands. The June white paper highlights two missions: Agent Threat Defenses (strip invisible content, assess adversarial intent, sanitize files against indirect prompt injection) and API gap closure (route agent traffic through Menlo Cloud so agents can interact with web UIs without backend modernization). (Source: Menlo MARS White Paper)

Bill Robbins, CEO of Menlo Security, framed the stakes in the March launch: "The next billion web users won't be human. This isn't a future prediction; it's the current reality for the modern enterprise." Menlo reports more than 1,000 global enterprise customers, protection for over 8 million users, and millions of simultaneous AI agent sessions on its elastic cloud. The company also disclosed surpassing $140 million in ARR with net retention above 120%. (Source: Menlo Press Release)

Why the browser is the missing execution boundary

Most enterprise AI agents that touch customer data, ERP screens, or SaaS portals do their work through a browser: headless Chromium, integrated assistants in Chrome or Edge, or AI-native browsers. That session is where untrusted HTML, PDFs, and hidden text meet an agent that lacks human skepticism.

Security researcher Simon Willison described the core risk as a lethal trifecta: an agent with access to private data, that processes untrusted content, and that can communicate externally, is exploitable by design. Prompt injection does not require malware. An attacker hides instructions in a webpage or document; the agent reads them as high-priority tasks and acts with real credentials. (Source: CyberDesserts Agent Security)

Indirect prompt injection is the browser-native variant. Menlo's product documentation notes that malicious actors embed commands in HTML, steganography, or files that humans never see but agents interpret literally. WitnessAI ranks prompt injection as the number one risk on the OWASP Top 10 for LLM Applications 2025, and stresses that agentic workflows multiply the blast radius because a successful injection can trigger tool calls and data exports, not just bad text. (Source: WitnessAI Prompt Injection)

A second browser problem is access, not just abuse. Menlo claims 80% of enterprise systems lack modern APIs, trapping valuable data behind web UIs. Agents blocked by bot detection or unable to navigate legacy portals stall automation programs unless something bridges that gap safely. (Source: Menlo Product)

Legacy endpoint and network tools were built for human-speed clicks. Menlo argues they are blind to headless agent environments and to privileged sidebar agents such as Microsoft Copilot or Google Gemini that read live tabs. (Source: Menlo Product)

Agent runtime security vs model-layer and MCP controls

Teams often conflate three layers. They are related, but they protect different choke points.

Security layer | What it governs | Typical controls | Gap if missing

Model layer | LLM inputs/outputs, chat safety | Output validators, AI firewalls, RLHF guardrails | Agents still execute harmful tool or browser actions

Tool / MCP layer | Tool invocations, connector permissions | AI gateways, MCP policy, Cisco AI Defense-style runtime | Web HTML and file ingestion bypass tool scanners

Browser runtime layer | Agent web sessions, DOM/file ingestion | Cloud browser isolation (MARS), remote containers, DOM sanitization | Prompt injection via web content; bot blocks; legacy UI access

Model-layer security asks whether the LLM said something unsafe. Tool-layer security asks whether this API or MCP call should run. Browser runtime security asks whether this page, file, or web UI session is safe for an agent to consume and what data may leave the session.

AGAT Software's March 2026 analysis captures why the execution layer stays open: 80.9% of technical teams are in active testing or full deployment, yet most governance still covers which models employees may use, not what deployed agents do at runtime. Their survey also found 88% of organizations with confirmed or suspected agent security incidents in the prior year, while 82% of executives remained confident existing policies were enough. Only 14.4% sent agents to production with full security or IT approval. (Source: AGAT Enterprise Security)

Cisco expanded AI Defense in February 2026 with runtime protections against tool abuse at the MCP layer. That matters for connector governance. It does not replace sanitizing a poisoned invoice PDF an accounts-payable agent downloads from a supplier portal. (Source: AGAT Enterprise Security)

"The browser is where agent identity, intent, and action converge, making it a critical control point in the enterprise." - Antonio Bovoso, Founder and Principal, Consiro Advisory (Source: Menlo Press Release)

What MARS actually does in production

Menlo centralizes agent browser execution in the Menlo Cloud. When an agent needs the web, MARS spins up a remote, disposable container, fetches content, strips malicious scripts and hidden instructions from the DOM, and runs file sanitization before any bytes reach the agent's reasoning loop. Sessions can last seconds or hours; planner agents spawning worker swarms are explicitly part of the scaling story. (Source: Menlo Product)

Connectivity options matter for architects. Menlo documents a path from agentic systems into secured browser sessions via proxy or MCP integration, then applies policy, filtering, and audit on those sessions. (Source: Menlo Product)

Operator note (first-hand): A direct fetch of Menlo's product page on June 9, 2026 confirmed that MARS advertises proxy and MCP integration into disposable cloud browser sessions, with DOM sanitization before agent processing. That wording is easy to miss in press summaries that only mention "browser security" generically.

On data access, MARS navigates API-deficient web UIs with visual rendering, masks sensitive fields per policy, and delivers sanitized content to the agent. Least-privileged scoping limits lateral movement if a session is compromised. Menlo also positions human-in-the-loop oversight for high-risk actions rather than fully unattended exfiltration paths. (Source: Menlo Product)

Ramin Farassat, Chief Product Officer at Menlo Security, described the unified control plane: "For the first time, security teams have a single control plane that applies the same security and governance policies to an AI agent processing invoices as to the human CFO approving them, at machine speed, with full forensic visibility." (Source: Menlo Press Release)

Michael D'Arezzo, Executive Director of Information Security and GRC at Wellstar Health System, said Menlo's approach builds governance into agents from inception rather than chasing perimeter around already-deployed bots. (Source: Menlo Press Release)

Inference: MARS is strongest where agents browse untrusted or legacy web properties at scale. Teams whose agents only call well-scoped internal APIs may prioritize MCP gateways and compute sandboxes first, then add browser runtime if web ingestion enters the threat model.

How to evaluate whether your stack covers browsing agents

Use this checklist before the next agent rollout reaches production web data.

  • Inventory browser use: List agents that use headless browsers, browser extensions, or embedded copilots. If the answer is "we are not sure," shadow AI risk is already elevated. CyberDesserts cites Cisco finding only 29% of organizations prepared to secure agentic deployments. (Source: CyberDesserts Agent Security)
  • Map ingestion paths: Trace where agents read HTML, PDFs, email bodies, or SaaS screens. Each path needs sanitization or isolation, not just LLM output filtering.
  • Test indirect injection: Red-team a benign agent against pages with hidden text and poisoned attachments. Model guardrails alone rarely catch these.
  • Separate MCP from browser controls: Gateways that approve search_database do not inspect a malicious ERP screen the agent screenshots.
  • Require auditability: Session-level forensic logs for agent browser actions, not only chat transcripts.

If agents must reach legacy web apps, evaluate browser runtime vendors on container isolation, DOM stripping, file sanitization, and policy masking. If agents primarily invoke MCP tools on internal services, prioritize connector discovery and invocation gateways, as covered in supply-chain-focused incident guides. Many enterprises will need both.

FAQ

What is agent runtime security?

Agent runtime security is real-time evaluation and enforcement on AI agent actions during execution: tool calls, browser sessions, data retrieval, and exports. It differs from model-layer safety, which governs what an LLM generates, because agents can cause harm even when the model output looks benign.

What is Menlo Agent Runtime Security (MARS)?

MARS is Menlo Security's cloud runtime for agent browser sessions. It runs sessions in remote disposable containers, sanitizes web content and files before agents process them, enforces least-privilege access to web apps, and connects agents to API-deficient systems through managed browser navigation.

How is browser runtime security different from MCP security?

MCP security governs tool servers and connector invocations: permissions, server authentication, and tool poisoning. Browser runtime security governs what agents ingest from web pages and files, including indirect prompt injection hidden in HTML or documents that never passes through an MCP policy check.

Why do AI agents need browser isolation?

Agents interpret web code literally and lack human skepticism. Isolation lets security teams strip hidden instructions, contain malware, and mask sensitive fields before content reaches the agent logic, shrinking the blast radius of a compromised session.

Can existing EDR or SSE tools protect browsing agents?

Traditional EDR and secure web gateways were built for human browsing patterns. Vendors including Menlo argue they miss headless agent traffic, machine-speed exfiltration, and invisible prompt injection embedded in DOM content. Browser-runtime products aim to fill that visibility and sanitization gap.

Related coverage

References