How we contain Claude across products

How we contain Claude across products (https://www.anthropic.com/engineering/how-we-contain-claude)

A complaint I often have about sandboxing products is that they are rarely thoroughly documented, and in the absence of detailed documentation it’s hard to know how much I can trust them.

Anthropic just published a fantastic overview of how their various sandbox techniques work across Claude.ai (https://claude.ai/), Claude Code, and Cowork.

We constrain where and how an agent can act with process sandboxes, VMs, filesystem boundaries, and egress controls. The goal is to set a hard boundary on what an agent can reach. For example, if credentials never enter the sandbox, they can’t be exfiltrated, regardless of whether the cause is a user, a model finding a “creative” path, or an attacker.

Claude.ai uses gVisor. Claude Code, run locally, uses Seatbelt on macOS and Bubblewrap on Linux. Claude Cowork runs a full VM (Apple’s Virtualization framework on macOS, HCS on Windows).
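An added example (not code from this post, and not Anthropic's sandbox-runtime) of the principle quoted above, using Bubblewrap on Linux as Claude Code does: the project directory is the only writable path, the home directory is replaced by an empty tmpfs so files such as ~/.ssh or ~/.aws never enter the sandbox, the environment is cleared, and the network namespace is unshared. The bwrap flags are real; the helper names and paths are assumptions.

```shell
#!/bin/sh
# Print the bwrap argument list, one per line, for running a command with:
# read-only root, empty tmpfs over $HOME (hides credential files), the project
# directory writable, no inherited environment, and no network access.
sandbox_args() {
  project_dir="$1"
  printf '%s\n' \
    --ro-bind / / \
    --dev /dev \
    --proc /proc \
    --tmpfs /tmp \
    --tmpfs "$HOME" \
    --bind "$project_dir" "$project_dir" \
    --clearenv \
    --setenv HOME "$HOME" \
    --setenv PATH /usr/local/bin:/usr/bin:/bin \
    --unshare-net \
    --unshare-pid \
    --die-with-parent \
    --chdir "$project_dir"
}

# run_sandboxed PROJECT_DIR CMD [ARGS...]: run CMD inside the sandbox.
# Returns 127 if bwrap is missing, 2 if PROJECT_DIR is not a directory,
# otherwise the exit status of CMD.
run_sandboxed() {
  project_dir="$1"; shift
  command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 127; }
  [ -d "$project_dir" ] || { echo "not a directory: $project_dir" >&2; return 2; }
  old_ifs=$IFS; IFS='
'
  set -f  # no globbing: split sandbox_args output on newlines only
  # shellcheck disable=SC2046
  bwrap $(sandbox_args "$project_dir") -- "$@"
  status=$?
  set +f; IFS=$old_ifs
  return $status
}
```

Inside the sandbox, `ls ~/.ssh` finds nothing and `curl` fails to resolve any host, which is the "hard boundary" the quoted passage describes.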

There’s a lot in here, including some interesting stories of risks they missed such as the api.anthropic.com/v1/files exfiltration vector covered here previously (https://simonwillison.net/2026/Jan/14/claude-cowork-exfiltrates-files/).

This reminded me it’s time I took another look at Anthropic’s open source srt (Anthropic Sandbox Runtime) (https://github.com/anthropic-experimental/sandbox-runtime) tool - it’s mature enough now that I’m ready to give it a proper go.

Tags: sandboxing (https://simonwillison.net/tags/sandboxing), security (https://simonwillison.net/tags/security), ai (https://simonwillison.net/tags/ai), generative-ai (https://simonwillison.net/tags/generative-ai), llms (https://simonwillison.net/tags/llms), anthropic (https://simonwillison.net/tags/anthropic), claude (https://simonwillison.net/tags/claude), claude-code (https://simonwillison.net/tags/claude-code)