How Anthropic Secures Claude Across Multiple Applications
Anthropic has published a comprehensive technical overview of its security containment strategies for Claude, Claude Code, and Cowork. This transparency addresses a common concern with sandboxed products—lack of documentation—and provides valuable insight into how the company manages risks.
The core approach involves multiple layers of defense:
- Process Sandboxes: Limit where agents can execute code
- Virtual Machines: Create isolated environments for execution
- Filesystem Boundaries: Restrict access to specific files and directories
- Egress Controls: Monitor and limit data leaving the sandbox
These measures aim to create hard boundaries that prevent unauthorized access, even if models find unexpected pathways.
Technical Implementation Details
- Claude.ai utilizes gVisor for containerization
- Claude Code employs Seatbelt on macOS and Bubblewrap on Linux
- Claude Cowork runs within full virtual machines (Apple Virtualization framework or Hypervisor-based Containers)
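The filesystem and egress boundaries listed above, expressed as a Bubblewrap (bwrap) invocation of the kind Claude Code relies on for Linux, as an added example that is not Anthropic's code: the read-only root, the deny list of paths that may never be writable, and the assumption that any network monitoring for an opted-in sandbox happens outside bwrap are all this example's own choices.

```python
"""Turn a small containment policy into a Bubblewrap command line (Linux).
Added example, not Anthropic's code; mount layout and deny list are assumptions."""
import os
import shlex
import subprocess

# Assumed deny list: host paths that must never be exposed read-write.
FORBIDDEN_WRITABLE = ("/", "/etc", "/usr", "/root", os.path.expanduser("~"))


def bwrap_command(project_dir: str, command: list[str], allow_network: bool = False) -> list[str]:
    """Build a bwrap argv: read-only host root, one writable project directory
    (mounted at its own path, so no mkdir is needed inside the read-only root),
    a private /tmp, fresh namespaces and, by default, no network at all."""
    project_dir = os.path.abspath(project_dir)
    if project_dir in FORBIDDEN_WRITABLE:
        raise ValueError(f"refusing to expose {project_dir} read-write")
    argv = [
        "bwrap",
        "--ro-bind", "/", "/",               # filesystem boundary: host root is read-only
        "--dev", "/dev", "--proc", "/proc",  # minimal /dev and /proc, not the host's
        "--tmpfs", "/tmp",                   # scratch space that never reaches the host
        "--bind", project_dir, project_dir,  # the only writable host path
        "--chdir", project_dir,
        "--unshare-all",                     # new user/pid/ipc/uts/cgroup/net namespaces
        "--die-with-parent", "--new-session",
    ]
    if allow_network:
        argv.append("--share-net")           # egress opt-in; monitor it outside bwrap
    argv.append("--")
    return argv + list(command)


def egress_blocked(argv: list[str]) -> bool:
    """True when the argv leaves the sandboxed process with no network namespace access."""
    unshared = "--unshare-all" in argv or "--unshare-net" in argv
    return unshared and "--share-net" not in argv


def run_sandboxed(project_dir: str, command: list[str], allow_network: bool = False) -> int:
    """Launch the command under bwrap and return its exit status."""
    argv = bwrap_command(project_dir, command, allow_network)
    print("running:", shlex.join(argv))
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed demonstration: the project directory is writable, /etc is not.
    run_sandboxed(".", ["sh", "-c", "touch ./ok && touch /etc/should-fail"])
```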
The company has documented previous security incidents, including an exfiltration vector via the api.anthropic.com/v1/files endpoint, which was identified and addressed through enhanced monitoring.
Anthropic’s open-source Sandbox Runtime (srt) provides additional tooling for developers who want to implement similar containment measures in their own applications.