Anthropic Details How It Contains Claude Agents Across Products
On May 25, 2026, Anthropic published a detailed engineering post explaining containment architectures for claude.ai, Claude Code, and Claude Cowork. The post quantifies approval fatigue (users approved roughly 93% of permission prompts), reports an 84% reduction in prompts after OS-level sandboxing, cites Gray Swan Agent Red Teaming attack success near 0.1% on single attempts for Opus 4.7, and documents real incidents including pre-trust-dialog hooks, phishing-driven credential exfiltration, and allowlist-based data egress.
TLDR
Anthropic on May 25, 2026, published “How we contain Claude across products,” a long-form engineering account of how the lab bounds agent blast radius across claude.ai, Claude Code, and Claude Cowork. Rather than relying only on human approvals or model-layer classifiers, the post centers on environment isolation—gVisor containers, OS sandboxes, and local VMs—backed by concrete telemetry, red-team findings, and postmortems of failures that still occurred.
Three risks, three defense layers
Anthropic groups agent risk into user misuse, model misbehavior, and external attackers (including prompt injection). Defenses target the environment, the model, and external content the agent can reach.
- Environment: process sandboxes, VMs, filesystem mounts, and egress controls set hard limits on what agents can touch.
- Model: system prompts, classifiers, probes, and training shape tendency but never guarantee 100% safety. On Gray Swan’s Agent Red Teaming benchmark, Claude Opus 4.7 held single-attempt attack success to roughly 0.1% (around 5–6% after 100 adaptive attempts). Claude Code auto mode catches roughly 83% of overeager behaviors before execution.
- External content: MCP servers, plugins, and web tools can inject untrusted text even when the connector itself is audited.
Product-specific containment patterns
claude.ai runs code in ephemeral gVisor containers on isolated infrastructure with no host filesystem access—minimal blast radius, limited local capability.
Claude Code runs on the user machine. Early human-in-the-loop approvals suffered approval fatigue: telemetry showed users approved about 93% of prompts. An OS-level sandbox (Seatbelt on macOS, bubblewrap on Linux) cut permission prompts by 84% and was open-sourced as sandbox-runtime. Anthropic also disclosed pre-trust vulnerabilities where project hooks ran before the “trust this folder” dialog, fixed by deferring project config until after consent.
Claude Cowork targets less technical users and uses a full local VM (Apple Virtualization on macOS, HCS on Windows) with only the selected workspace mounted. Credentials stay on the host. A third-party disclosure showed attackers could still exfiltrate workspace files through api.anthropic.com via an attacker-controlled API key; Anthropic fixed this with an in-VM MITM proxy that only allows the VM’s provisioned session token.
Why this story matters
As coding and desktop agents gain shell, filesystem, and network access, containment engineering becomes as important as model capability. Anthropic’s post is rare public documentation of production agent security architecture with measurable failure modes—approval fatigue, pre-consent code execution, phishing via the user, and allowlist egress—offering a practical template for anyone shipping agentic products.
Sources
- Anthropic Engineering: “How we contain Claude across products” (anthropic.com/engineering/how-we-contain-claude, published May 25, 2026). Primary source for architectures, metrics (93% approvals, 84% prompt reduction, Gray Swan rates, auto-mode catch rate), and incident write-ups.
- Related Anthropic posts linked from the article (Claude Code auto mode; sandbox-runtime; Mythos Preview sandbox escape; Glasswing).
Featured Image Alt Text
Diagram-style illustration of Claude agent containment: sandboxed container, local VM boundary, and egress proxy blocking unauthorized API keys.
Tags
Anthropic, Claude, Agent Security, Sandboxing, Claude Code, Cowork, Containment