Web agents operating in open environments are highly vulnerable to prompt injection attacks embedded in HTML or user interfaces. Existing defense mechanisms suffer from poor generalization, high false positive rates, and susceptibility to adversarial evasion. To address these limitations, this work proposes WARD, a robust defense framework accompanied by two novel datasets: WARD-Base, comprising 177,000 samples, and WARD-PIG, specifically designed for evaluating defenses against adaptive attacks. The approach introduces A3T, a memory-driven attacker-defender co-evolutionary training mechanism that enables the model to learn under dynamic threat conditions. Evaluated under out-of-distribution scenarios, WARD achieves near-perfect recall with minimal false positives, effectively mitigating both adaptive adversaries and significant distribution shifts, all without incurring additional inference latency.

Web agents can autonomously complete online tasks by interacting with websites, but their exposure to open web environments makes them vulnerable to prompt injection attacks embedded in HTML content or visual interfaces. Existing guard models still suffer from limited generalization to unseen domains and attack patterns, high false positive rates on benign content, reduced deployment efficiency due to added latency at each step, and vulnerability to adversarial attacks that evolve over time or directly target the guard itself. To address these limitations, we propose WARD (Web Agent Robust Defense against Prompt Injection), a practical guard model for secure and efficient web agents. WARD is built on WARD-Base, a large-scale dataset with around 177K samples collected from 719 high-traffic URLs and platforms, and WARD-PIG, a dedicated dataset designed for prompt injection attacks targeting the guard model. We further introduce A3T, an adaptive adversarial attack training framework that iteratively strengthens WARD through a memory-based attacker and guard co-evolution process. Extensive experiments show that WARD achieves nearly perfect recall on out-of-distribution benchmarks, maintains low false positive rates to preserve agent utility, remains robust against guard-targeted and adaptive attacks under substantial distribution shifts, and runs efficiently in parallel with the agent without introducing additional latency.