How we contain Claude across products

2026-05-30 · Source: Simon Willison's Weblog · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Intermediate, quick

Summary

Anthropic has detailed its comprehensive approach to containing Claude across various products, including Claude.ai, Claude Code, and Claude Cowork. The core strategy involves process sandboxes, VMs, filesystem boundaries, and egress controls to establish a hard boundary on agent capabilities, preventing issues like credential exfiltration. Specifically, Claude.ai utilizes gVisor, while Claude Code employs Seatbelt on macOS and Bubblewrap on Linux for local execution. Claude Cowork, designed for more sensitive environments, runs within a full VM using Apple's Virtualization framework on macOS and HCS on Windows. The company also acknowledged past risks, such as the `api.anthropic.com/v1/files` exfiltration vector, highlighting the continuous evolution of their security measures.

Key takeaway

For AI Security Engineers designing secure AI agent deployments, Anthropic's detailed sandboxing overview underscores the necessity of multi-layered containment. You should evaluate diverse techniques like gVisor, local sandboxes, and full VMs based on your agent's environment and data sensitivity. Consider exploring Anthropic's open-source `srt (Anthropic Sandbox Runtime)` tool to enhance your own agent security frameworks and mitigate exfiltration risks.

Key insights

Robust, multi-layered sandboxing is crucial for containing AI agent actions and preventing data exfiltration.

Principles

• Hard boundaries prevent unauthorized data access.
• Diverse sandboxing tools suit varied execution environments.
• Thorough documentation builds trust in security measures.

Method

Constrain AI agent actions using process sandboxes, virtual machines, filesystem boundaries, and egress controls to establish hard boundaries and prevent data exfiltration.

In practice

• Implement gVisor for web-based AI agent containment.
• Utilize Seatbelt or Bubblewrap for local code execution sandboxing.
• Deploy full VMs for highly sensitive AI co-working environments.

Topics

• AI Security
• Sandboxing
• Data Exfiltration
• Virtualization
• Claude
• gVisor

Code references

• anthropic-experimental/sandbox-runtime

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, AI Engineer, AI Architect

Related on AIssential

• Trump administration to ask US AI firms to voluntarily submit models for cybersecurity tests — The U.S. government seeks voluntary AI model cybersecurity testing from firms like OpenAI and Google via CAISI.
• Anthropic scales Project Glasswing to 150 partners across 15 countries to hunt critical software flaws — AI models like Claude Mythos can rapidly identify critical software vulnerabilities, posing both defensive and offensive capabilities.
• Your JWT Is Lying to You - The Authorization Problem Nobody Solves Correctly — JWTs alone are insufficient for dynamic, fine-grained authorization; external policy engines are essential for scalable security.
• Hackers hijacked high-profile Instagram accounts by simply asking Meta's AI chatbot to change the email — Meta's AI support chatbot was exploited via prompt injection to hijack Instagram accounts, bypassing 2FA and automated identity checks.
• Chrome stops hackers from stealing your browser cookies now - how its new security feature works — Device Bound Session Credentials (DBSC) cryptographically ties browser cookies to a device's security chip, preventing their use if stolen.
• Reference your own AWS Secrets Manager secrets in Amazon Bedrock AgentCore Identity — Amazon Bedrock AgentCore Identity now allows referencing existing AWS Secrets Manager secrets for enhanced credential governance.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.