How we contain Claude across products

The persistent, quiet problem with most AI sandboxing is not that it’s ineffective, but that it’s a black box. We, as users and observers, are asked to trust that robust boundaries exist without any clear understanding of what those boundaries are, what trade-offs were made, or how they’ve been tested. Anthropic has just published a detailed technical overview of how it contains Claude

🔗 Related Read: Quoting Karen Kwok for Reuters Breakingviews

🔗 Related Read: Quoting Daniel Jalkut

across its ecosystem, and in doing so, has set a new, necessary standard for transparency in an industry where security is too often a matter of faith.

This isn’t just a technical document; it’s a declaration that the methods used to prevent a powerful AI from accessing your files, exfiltrating credentials, or causing unintended real-world harm are worthy of scrutiny. The core thesis Anthropic advances is that effective containment requires hard, verifiable boundaries—not just clever prompting or policy rules. Their architecture employs a defense-in-depth strategy, with distinct sandboxing for different deployment contexts: process sandboxes, virtual machines, strict filesystem boundaries, and egress controls. The goal is clear: ensure an agent, even one acting unpredictably or maliciously, cannot reach assets that were never placed within its operational sandbox.

The specifics are telling. For its web-based Claude.ai, Anthropic leverages gVisor, a container-runtime security tool that creates a user-space kernel to mediate system calls. This adds a significant layer of isolation between the model’s processes and the host machine. For Claude Code, which runs locally on a developer’s machine, the approach is platform-native: Seatbelt on macOS and Bubblewrap on Linux. These tools are chosen for their fine-grained control over process permissions in a local environment. For the more ambitious Claude Cowork, which aims for agentic collaboration, they’ve gone with full virtual machines—using Apple’s Virtualization framework on macOS and Hyper-V on Windows. This is the most robust but also the most resource-intensive approach, signaling a prioritization of absolute containment for higher-risk agentic tasks.

What makes this disclosure particularly valuable is its candid acknowledgment of past failures. Anthropic openly discusses risks they missed, including a previously identified exfiltration vector through an API endpoint. This isn’t a PR victory lap; it’s a sober account of an iterative security process. It demonstrates a crucial principle in AI safety: safety is not a feature you install, but a practice you cultivate. By detailing their past oversights, they implicitly argue for why ongoing, transparent scrutiny—like what they’re inviting with this publication—is essential.

This move has significant implications beyond Anthropic. It raises the bar for competitors, who will now face increasing pressure to demystify their own security architectures. It also benefits the open-source and research community. Anthropic’s mention of its open-source SRT (Sandbox Runtime) tool suggests a desire to standardize and share these defensive mechanisms. If widely adopted, such tools could help build a more secure ecosystem for running potentially volatile AI agents, moving the industry away from proprietary, opaque security and toward auditable, shared infrastructure.

Ultimately, Anthropic’s publication is a bet on trust. By making the complex machinery of containment legible, they argue that users can and should demand to know how their data and systems are protected. In an era where AI agents are being granted more autonomy, the most critical safeguard may not be the model’s alignment itself, but the rigor and transparency of the walls we build around it. This report doesn’t claim those walls are perfect, but it shows us exactly what they’re made of—and that is a profound step forward for responsible AI deployment.