Podcast · Episode 12 · 10:23

What the Anthropic Claude for Chrome disclosure tells procurement

Anthropic shipped Claude for Chrome on the twenty-sixth of August 2025 to one thousand Max-plan subscribers at one hundred to two hundred dollars per month, with a published security disclosure: twenty-three point six percent prompt-injection success pre-mitigation, eleven point two percent post-mitigation, zero percent on URL-injection variants after subsequent patches. AM-009 walks through why the disclosure cadence, rather than the rate, is the procurement signal.

Claims walked in this episode
  • AM-009 · Claude for Chrome: what Anthropic's 23.6% to 11.2% prompt-injection numbers tell procurement (Holding)
  • AM-007 · AgentFlayer and the cross-agent prompt-injection class: what the vendor-response split tells procurement (Holding)
  • AM-146 · Agentic AI accuracy claims: the three questions every CIO should ask before 'ready-to-run' becomes a procurement decision (Holding)

ABBY

This is Agent Mode AI. I'm Abby. Anthropic shipped Claude for Chrome on the twenty-sixth of August 2025 to one thousand Max-plan subscribers at one hundred to two hundred dollars per month. The same announcement window included a published security disclosure: twenty-three point six percent prompt-injection success rate pre-mitigation, eleven point two percent post-mitigation, and zero percent on URL-injection variants after subsequent patches. Today we're walking AM-009. The headline is not the eleven point two percent rate. The headline is the disclosure cadence, and what it tells procurement about the browser-resident agentic AI class.

AVERY

I'm Avery. What do the three numbers actually measure.

ABBY

Red-team measurements against a defined attack corpus. The pre-mitigation twenty-three point six percent figure is the success rate of the corpus against an instance of Claude for Chrome with the safeguards disabled. The post-mitigation eleven point two percent is the same corpus against the launch-configuration safeguards. The zero percent on URL-injection variants reflects a subsequent patch round that closed a specific variant class within the corpus. Three properties of the methodology bound the procurement read. The corpus is finite and disclosed; the rates apply to that corpus and to the variants it tested. The rates are red-team measurements under controlled conditions, not production-incident statistics. And the zero percent figure is post-patch and corpus-specific. The patch closes the URL-injection variants tested. It does not close URL-injection as an attack class for arbitrary future variants.

AVERY

How should a deploying enterprise read the eleven point two percent.

ABBY

As a useful upper bound on platform-layer exposure for the disclosed attack corpus, a lower bound on the deployment-layer compensating-control work the operator should plan for, and a snapshot rather than a steady state. The class of risk outside the corpus is unbounded by the eleven point two percent and is the operator's primary planning input. A laboratory rate of eleven point two percent does not translate directly to a production-incident rate at the deploying enterprise. The production rate depends on the deployment's exposure profile: which sites the agent operates against, which content classes it processes, how aggressively the operator's compensating controls filter inputs.

AVERY

Then why is the rate not the headline.

ABBY

Because the disclosure cadence is the procurement signal. AM-007 names two cohorts on cross-agent-class disclosures. Cohort A engages with researcher disclosure, ships mitigations, and publishes the resulting numbers including the residual rate. Cohort B classifies the disclosed behaviour as intended functionality and does not patch. Anthropic's Claude for Chrome launch is the marquee execution of the Cohort A pattern. The vendor disclosed pre-mitigation rates, post-mitigation rates, and subsequent patch deltas in the same announcement window as the product launch. The disclosure itself is procurement evidence that the vendor's response posture for future variants will likely follow the same pattern. The absence of a comparable disclosure from a competitor shipping a parallel browser-resident agent is a procurement signal in the opposite direction.

AVERY

The Brave Software Comet research.

ABBY

Brave Software published parallel-class research on Comet, a different browser-AI product, in August 2025. The testing found similar exposure to the prompt-injection class, confirming the structural failure mode is generic to browser-resident agents rather than Anthropic-specific. The deploying enterprise reading the eleven point two percent Anthropic figure should not infer that competitors will land at the same rate. The rate is a function of the specific product's mitigation work and the variants tested. The relevant comparison across vendors is the published-disclosure posture, not the rate.

AVERY

The operationally important read.

ABBY

A vendor's product can have a higher residual rate than Anthropic's eleven point two percent and still be in Cohort A on the disclosure axis if the rate is published transparently. A different vendor's product can have an unmeasured residual rate, with no public disclosure, and be in Cohort B on the disclosure axis even if the underlying rate were lower. Procurement should weight Cohort A disclosure-with-disclosed-rate above Cohort B disclosure-absence-or-classification-as-feature, regardless of the specific rate number.

AVERY

The browser-resident class as a whole.

ABBY

The AgentFlayer research from Zenity Labs at Black Hat USA 2025, the EchoLeak common vulnerability identifier 2025-32711 disclosed in August 2025, and the Brave Comet research together describe the structural failure mode at the product class. Browser-resident agentic AI processes context-sourced content. Page text, document uploads, image-embedded text, user-supplied URLs that resolve to attacker-controlled content. The agent treats embedded instructions as actionable input. The architecture is shared across the class. The mitigation work is per-product.

AVERY

What this means for the deploying enterprise.

ABBY

Three things at once. First, the agentic productivity gains the marketing material attributes to the browser-resident class are real for the use cases where the agent operates against trusted internal content. Intranet pages, internal documents, authenticated software-as-a-service surfaces under operator control. Second, the same productivity case does not extend, on the same evidence, to use cases where the agent operates against attacker-influenceable content. Public web pages, untrusted email attachments, third-party document uploads from outside the operator's control. Third, the procurement decision is not whether to deploy browser-resident agents. It is which content classes the deployment is approved to operate against and which compensating controls run at the deployment layer.

AVERY

Five questions for the chief information officer and chief information security officer.

ABBY

Question one. Has the vendor published a security disclosure with red-team rates pre and post-mitigation, on a defined attack corpus, for the browser-resident product. Anthropic's twenty-three point six, eleven point two, zero pattern is the current reference shape. A vendor that has not published a comparable disclosure is not in Cohort A on this product class regardless of corporate-level disclosure posture on other products.

AVERY

Question two.

ABBY

What is the variant-class coverage of the published corpus, and how does the vendor describe the variants outside the corpus. The corpus describes what the rate covers. The discussion of out-of-corpus variants describes what the rate does not cover. A vendor that publishes the rate without naming the corpus is publishing a marketing number rather than a procurement input.

AVERY

Question three.

ABBY

What is the patch cadence the vendor commits to for newly disclosed browser-resident variants, in days from researcher notification to deployed fix, with named accountability. Anthropic's URL-injection-to-zero-percent patch round demonstrates the cadence is non-zero. The procurement-deck question is whether that cadence is committed for future variants or whether the launch-window patches were one-time.

AVERY

Question four.

ABBY

Does the deployment support per-tenant or per-user disable of the most exposed agent capabilities. Autonomous mode, document-upload processing, cross-tab context retention, image-embedded text processing. The disable lever at the operator's control is the load-bearing compensating control when an emerging variant lands faster than the patch cadence accommodates. Per-tenant disable is the minimum useful granularity. Per-user and per-workflow is the operationally healthy target.

AVERY

Question five.

ABBY

What is the audit-log surface for the operator's security operations centre. Every page the agent visits, every form it fills, every external URL it fetches, every embedded image it processes, with timestamps and outcome. The deploying enterprise's incident-response runbook depends on this surface existing at the granularity the security operations centre needs, not at the granularity the vendor chooses to expose. Simon Willison framed the eleven point two percent rate on the twenty-fifth of August 2025 as a meaningful residual for any deploying enterprise that does not pair the platform-layer mitigation with deployment-layer practice. Question five is the deployment-layer instrumentation.

AVERY

Final word.

ABBY

A vendor that cannot answer all five in writing for the browser-resident product is not Cohort A on this product class regardless of marketing posture. A vendor that can is in Cohort A, the published rate becomes the operator's deployment-layer planning input rather than the procurement-disqualifier, and the MTTD-for-Agents framework operationalises the detection-window inside the security operations centre against the audit-log surface in question five. The Anthropic announcement, the Brave Comet research, the AgentFlayer disclosure, the EchoLeak common vulnerability identifier, and the Willison commentary are linked at agentmodeai dot com slash holding slash question mark claim equals A-M zero zero nine. AM-009 is Holding. The next review is on the sixth of July 2026. Cadence is sixty days, shorter than typical because Claude for Chrome is in active research preview and the product is changing.

AVERY

Holding-up. See you next Sunday.
