Pick a task, let the AI run it, get results back. The AI never touches your real data. Here's the whole thing, start to finish.
The Explore page has pre-built templates for things like filing taxes, processing insurance claims, exporting reports, managing accounts. Each one shows a success rate, how many times it's been run, and what it actually does. Filter by category or search for what you need.
You can also create your own. Write the agent's instructions, pick which websites it can visit, list what credentials or personal info it will need.
First time you run a task, you create a master password. This encrypts your vault, where your logins, personal info, and anything sensitive is stored. The encryption happens in your browser. We never see the password or anything it protects.
Before the agent runs, you see a two-column view. Left side: what the AI agent will see (generic placeholders). Right side: your real values, which the agent never gets. You fill in whatever the task needs and hit Confirm.
When the agent types PASSWORD_1 into a login form, the browser container silently resolves it to the real password at the last moment. The model itself only ever works with the placeholder.
USERNAME_1
PASSWORD_1
SSN_1
ACCOUNT_1
sarah.thompson@gmail.com
••••••••••••
482-71-9284
7294018365
Hit Run. You get a live video feed of the agent working in a real browser: navigating websites, filling forms, clicking buttons, scrolling through pages. You're watching the actual session happen.
The browser runs in its own isolated container with its own network. When the task ends, the container is destroyed. No cookies, no history, no cached data. Every run starts clean.
There's a chat panel next to the live view. Give the agent instructions, answer its questions, redirect it, or upload files for it to work with.
Chat Protection is on by default. Every message you type gets scanned by a PII detection model first. If it finds a password, SSN, name, or anything sensitive, it swaps it for a placeholder. You see a preview bar showing the redacted version. Press Enter to send it, Esc to go back and edit.
Each task has a security policy defining which URLs the agent can visit and what it can do on each one: click, type, scroll, access sensitive data. When the agent tries to visit a site that isn't in the policy, you get a popup. You pick the capabilities and decide which vault data, if any, links to that site.
If you want hands-off, flip on Autopilot. Policy violations are automatically denied and the agent works around them. No popups, no interruptions.
The agent can download files from websites as it works. CSV exports, PDF reports, spreadsheets, whatever the site offers. Downloads get intercepted and show up in the Documents dropdown in the browser toolbar. Click any document to see a converted preview right in the browser.
You can also upload files to the agent through the chat panel. Attach a PDF, spreadsheet, or Word doc and the agent can reference it during the task.
When the task is done, click Finish and rate how it went. Completed or Failed, with optional notes. The workspace report and any files the agent produced are encrypted with your key and stored on your dashboard.
Decrypt and view reports anytime from your task history. Each run logs duration, model used, tool usage, and a timeline of what happened. The container is destroyed when the session ends. Nothing persists.
Every session has a built-in report. Both you and the agent can write to it. It has sections for a summary, a findings table (with severity columns), recommendations, and free-form notes. All editable directly in the browser.
The agent can open the report, fill in its analysis, add rows to the findings table. You can review what it wrote, change anything, or add your own notes. Changes auto-save as you type. A status indicator in the corner shows whether you're saved or not.
When the session ends, the whole thing gets locked to your key and saved. Open it later from your task history by clicking View Report on any completed run. The decryption happens in your browser. The platform stores an opaque blob it can't read.
Summary, findings table with severity, recommendations, and notes. Add rows to the findings table as you go.
Encrypted with ECIES using your public key at session end. Only your vault password can decrypt it.
Every edit saves after one second. No save button.
The report is always listed in the Documents dropdown in the toolbar. Open it at any point during the session to read or edit.
The agent can open a full Jupyter notebook to run real code against downloaded data. One click on the notebook button in the browser toolbar and it's there.
The agent writes Python in Jupyter cells and executes them. Load CSVs, generate charts with matplotlib, build comparison tables, compute trends. The workspace comes with pandas, numpy, matplotlib, seaborn, plotly, openpyxl, and reportlab pre-installed.
The Jupyter workspace has zero internet access. No egress at the network level. The kernel policy drops all outbound packets. It reads downloaded files and writes results. That's all it can do. The anonymization layer still scans everything the agent sees in Jupyter output: names and identifiers get masked, aggregate numbers pass through, and charts pass through entirely because they're rendered as pixel images the scanner can't read.
Files the agent downloaded from websites are available in Jupyter automatically. The agent loads them with pandas and starts working.
No internet, no DNS, no connection to anything except the browser pod. Enforced by kernel-level network policy. Data can't leave.
The same anonymization layer that protects the browser scans Jupyter's HTML output. Names and account numbers get replaced. Aggregate numbers and charts go through untouched.
The agent can produce PDF reports, charts, processed spreadsheets, and the notebook itself. Locked to your key and saved at session end, same as everything else.
A PII detection model scans every message before the agent reads it. Passwords, names, SSNs get replaced with placeholders. You see a preview of the redacted message and confirm before it sends. Toggle it off with the shield icon when you don't need it.
Each task defines which URLs the agent can visit and what it can do there. New sites trigger an approval popup with toggles for click, type, scroll, and PII access. You pick which vault data links to which site. Editable mid-session.
The system auto-detects sensitive values as the agent works: passwords being typed, account numbers on screen. They show up in a clipboard bar with detected and pinned sections. Searchable, keyboard-navigable. Copy values to paste into chat.
Need to protect something mid-task the system hasn't caught? Open the Add Words drawer, type the sensitive value and a placeholder name, and it gets redacted from that point forward.
When you trust the policy, enable Autopilot. Policy violations get denied automatically and the agent works around them. No interruptions. A confirmation modal makes sure you meant to turn it on.
Switch to External Agent mode during config. You get a CLI command for your terminal and instructions to paste into Claude Code, GPT, or whatever model you use. The security layer sits between your model and the browser. Same protection regardless of which AI is driving.
Run up to 12 agents at once. A carousel grid shows live thumbnails of each browser session with status dots, pause/finish controls, and overlay alerts when the agent needs you. Click a slot to zoom in.
Every run is logged. Duration, model, tool usage, exit code, an activity timeline. Filter by date and status. Expand any run to see the full breakdown, open the encrypted report, re-run the task, or delete the record.
Write the agent's instructions, pick a category, set the allowed URLs, list what credentials or PII fields it needs. Publish it or keep it to yourself.
Lock your vault from the dashboard at any time. Immediately cuts off all placeholder resolution. The agent can't fill in any sensitive fields until you unlock. Good for when you walk away.