## Prefixes @prefix : . @prefix schema: . @prefix owl: . @prefix prov: . @prefix skos: . @prefix dcterms: . @prefix xsd: . @prefix rdfs: . ################################################################## ## ARTICLE ################################################################## :article a schema:TechArticle ; schema:name "How we contain Claude across products"@en ; schema:headline "How we contain Claude across products"@en ; schema:url ; schema:datePublished "2026-05-25"^^xsd:date ; schema:inLanguage "en-US" ; schema:author , , , , ; schema:publisher ; schema:isPartOf :engineering-blog ; schema:image :og-image , :diagram-risk-components , :diagram-three-components , :diagram-cowork-vm , :diagram-cowork-hostmode , :diagram-exfiltration-fix ; schema:abstract """As agents grow more capable, so does their potential blast radius. The engineering question is how to cap it. Here's what the Anthropic engineering team has learned building containment for claude.ai, Claude Code, and Claude Cowork: three primary agentic products each requiring a different containment architecture."""@en ; schema:description "An Anthropic engineering post describing containment strategies for agentic AI products — covering three isolation patterns (ephemeral container, HITL sandbox, local VM), three risk categories, security incidents disclosed, and forward-looking concerns including memory poisoning and multi-agent trust escalation."@en ; schema:articleBody """Twelve months ago, granting Claude access sufficient to take down an internal Anthropic service would have been unthinkable. Today it is routine. Risk has two components: likelihood of failure, and blast radius. Progress on safeguards has driven down the first; the second only grows as capabilities expand. This post covers three containment patterns across three products: the ephemeral gVisor container on claude.ai; the HITL+OS-sandbox on Claude Code; and the full VM isolation of Claude Cowork. Disclosed incidents include pre-trust-dialog hook execution in Claude Code, a direct prompt injection phishing attack extracting AWS credentials, and exfiltration through an allowlisted domain (api.anthropic.com) in Cowork. Key design principles: environment-layer containment first; isolation strength matched to the user's capacity for oversight; battle-tested primitives over custom components."""@en ; schema:about :term-containment , :term-blast-radius , :term-prompt-injection , :term-approval-fatigue , :term-hitl , :term-ephemeral-container , :term-sandboxing , :term-egress-control , :term-memory-poisoning , :term-multi-agent-trust , :term-agent-identity ; schema:mentions , :software-claude-ai , :software-claude-code , :software-claude-cowork , :software-gvisor , , :software-bubblewrap , :software-seatbelt , :software-opentelemetry , :model-claude-opus-47 , :model-claude-mythos-preview , , :org-gray-swan , , , , :org-acsc , ; schema:hasPart :faq-page , :defined-term-set , :howto-secure-agentic-deployment , :section-risk-categories , :section-ephemeral-container , :section-hitl-sandbox , :section-local-vm , :section-mcp-trust , :section-looking-ahead , :section-summary ; schema:relatedLink , , , , , , , , , , , , , , , ; schema:contributor :person-hanah-ho , :person-hasnain-lakhani , :person-pedram-navid , :person-molly-villagra , :person-maya-nielan , :person-akila-srinivasan , :person-sam-attard , :person-alfred-xing , :person-mohamad-el-hajj , :person-gabby-curtis , :person-david-dworken , :person-adam-jones , :person-amie-rotherham , :person-christian-ryan , :person-lucas-smedley , :person-brett-andrews ; prov:wasGeneratedBy . ################################################################## ## KG GENERATOR PROVENANCE ################################################################## a schema:SoftwareApplication ; schema:name "KG Generator Skill"@en ; schema:url ; schema:description "An AI-powered skill for generating comprehensive RDF Knowledge Graphs from web pages and documents, following schema.org vocabulary conventions."@en . ################################################################## ## PUBLISHER & BLOG ################################################################## :engineering-blog a schema:Blog ; schema:name "Engineering at Anthropic"@en ; schema:url ; schema:publisher . ################################################################## ## IMAGES ################################################################## :og-image a schema:ImageObject ; schema:name "How we contain Claude — Article Feature Image"@en ; schema:contentUrl ; schema:caption "Containment architecture overview graphic"@en . :diagram-risk-components a schema:ImageObject ; schema:name "Blast Radius / Capability Diagram"@en ; schema:contentUrl ; schema:caption "When bounds can be placed on the relative damage of an autonomous agent, high-utility capabilities can motivate deployment."@en . :diagram-three-components a schema:ImageObject ; schema:name "Three Components to Defend"@en ; schema:contentUrl ; schema:caption "Three components to defend: the model, the environment in which it runs, and the external content the agent can reach."@en . :diagram-cowork-vm a schema:ImageObject ; schema:name "Claude Cowork VM Isolation Mechanisms"@en ; schema:contentUrl ; schema:caption "The six main isolation mechanisms of Claude Cowork's VM. Two are enforced outside the guest kernel."@en . :diagram-cowork-hostmode a schema:ImageObject ; schema:name "Claude Cowork Host-Mode vs Full-VM Mode"@en ; schema:contentUrl ; schema:caption "Having the agent loop inside the VM meant that any failure caused Cowork to become unusable. Host-mode is more reliable while still isolating code execution."@en . :diagram-exfiltration-fix a schema:ImageObject ; schema:name "Exfiltration via Approved Domain — Fix with MitM Proxy"@en ; schema:contentUrl ; schema:caption "Top: traffic to api.anthropic.com is let through, resulting in egress. Bottom: fix with a man-in-the-middle proxy intercepting traffic to the API."@en . ################################################################## ## PERSONS — AUTHORS (all LinkedIn primary IRIs) ################################################################## a schema:Person ; schema:name "Max McGuinness"@en ; schema:description "Anthropic engineer and co-author of this security engineering article. Based in London; studied at the University of Cambridge."@en ; schema:worksFor ; schema:url ; schema:identifier . a schema:Person ; schema:name "Mikaela Grace"@en ; schema:description "Anthropic engineer and co-author of this security engineering article."@en ; schema:worksFor ; schema:url ; schema:identifier . a schema:Person ; schema:name "Jiri De Jonghe"@en ; schema:description "Applied AI engineer at Anthropic and co-author of this security engineering article."@en ; schema:worksFor ; schema:url ; schema:identifier . a schema:Person ; schema:name "Jake Eaton"@en ; schema:description "Writer at Anthropic and co-author of this security engineering article."@en ; schema:worksFor ; schema:url ; schema:identifier . a schema:Person ; schema:name "Abel Ribbink"@en ; schema:description "Anthropic engineer and co-author of this security engineering article. Based in New York; studied at Stanford University."@en ; schema:worksFor ; schema:url ; schema:identifier . ################################################################## ## PERSONS — ACKNOWLEDGEMENTS (hash fallbacks after exhausted search) ################################################################## :person-hanah-ho a schema:Person ; schema:name "Hanah Ho"@en ; schema:worksFor . :person-hasnain-lakhani a schema:Person ; schema:name "Hasnain Lakhani"@en ; schema:worksFor . :person-pedram-navid a schema:Person ; schema:name "Pedram Navid"@en ; schema:worksFor . :person-molly-villagra a schema:Person ; schema:name "Molly Villagra"@en ; schema:worksFor . :person-maya-nielan a schema:Person ; schema:name "Maya Nielan"@en ; schema:worksFor . :person-akila-srinivasan a schema:Person ; schema:name "Akila Srinivasan"@en ; schema:worksFor . :person-sam-attard a schema:Person ; schema:name "Sam Attard"@en ; schema:worksFor . :person-alfred-xing a schema:Person ; schema:name "Alfred Xing"@en ; schema:worksFor . :person-mohamad-el-hajj a schema:Person ; schema:name "Mohamad El Hajj"@en ; schema:worksFor . :person-gabby-curtis a schema:Person ; schema:name "Gabby Curtis"@en ; schema:worksFor . :person-david-dworken a schema:Person ; schema:name "David Dworken"@en ; schema:worksFor . :person-adam-jones a schema:Person ; schema:name "Adam Jones"@en ; schema:worksFor . :person-amie-rotherham a schema:Person ; schema:name "Amie Rotherham"@en ; schema:worksFor . :person-christian-ryan a schema:Person ; schema:name "Christian Ryan"@en ; schema:worksFor . :person-lucas-smedley a schema:Person ; schema:name "Lucas Smedley"@en ; schema:worksFor . :person-brett-andrews a schema:Person ; schema:name "Brett Andrews"@en ; schema:worksFor . ################################################################## ## ORGANIZATIONS ################################################################## a schema:Organization ; schema:name "Anthropic"@en ; schema:description "American AI safety company and developer of the Claude family of large language models. Founded 2021 by former OpenAI researchers including Dario Amodei and Daniela Amodei."@en ; schema:url ; owl:sameAs , , . a schema:Organization ; schema:name "GitHub"@en ; schema:description "Code hosting platform for version control and collaboration. Mentioned in the article as a connector that can load a poisoned README into an agent's context."@en ; schema:url ; owl:sameAs . a schema:Organization ; schema:name "National Institute of Standards and Technology (NIST)"@en ; schema:description "US federal agency whose NCCoE project on AI agent identity and authorization is cited as a governance resource."@en ; schema:url ; owl:sameAs . a schema:Organization ; schema:name "Cybersecurity and Infrastructure Security Agency (CISA)"@en ; schema:description "US federal agency and co-signatory of the six-agency guidance on adopting agentic AI services."@en ; schema:url ; owl:sameAs . a schema:Organization ; schema:name "National Cyber Security Centre (NCSC)"@en ; schema:description "UK cybersecurity agency and co-signatory of the six-agency guidance on adopting agentic AI services."@en ; schema:url ; owl:sameAs . :org-acsc a schema:Organization ; schema:name "Australian Cyber Security Centre (ACSC)"@en ; schema:description "Lead agency on the six-agency guidance on careful adoption of agentic AI services, co-authored with CISA and the UK's NCSC."@en ; schema:url ; owl:sameAs . a schema:Organization ; schema:name "International Organization for Standardization (ISO)"@en ; schema:description "International standards body whose ISO/IEC 42001 AI management standard is cited as a governance reference."@en ; schema:url ; owl:sameAs . :org-gray-swan a schema:Organization ; schema:name "Gray Swan"@en ; schema:description "AI security research organization. Its Agent Red Teaming benchmark tests susceptibility to prompt injection; Claude Opus 4.7 holds attack success to ~0.1% on single attempts."@en ; schema:url ; owl:sameAs . ################################################################## ## SOFTWARE — CLAUDE PRODUCTS ################################################################## :software-claude-ai a schema:SoftwareApplication ; schema:name "claude.ai"@en ; schema:description "Anthropic's primary chat interface product. Runs code in ephemeral gVisor containers on isolated server-side infrastructure; no code runs on the user's local machine."@en ; schema:applicationCategory "Artificial Intelligence"@en ; schema:author ; schema:url . :software-claude-code a schema:SoftwareApplication ; schema:name "Claude Code"@en ; schema:description "Anthropic's agentic coding product. Runs on the user's machine with filesystem, shell, and network access; uses an OS-level sandbox (Seatbelt on macOS, bubblewrap on Linux) plus a HITL approval model."@en ; schema:applicationCategory "Developer Tools"@en ; schema:author ; schema:url . :software-claude-cowork a schema:SoftwareApplication ; schema:name "Claude Cowork"@en ; schema:description "Anthropic's desktop knowledge-work product. Runs with a full VM (Apple Virtualization framework on macOS, HCS on Windows) isolating the agent; credentials stay in the host keychain."@en ; schema:applicationCategory "Productivity"@en ; schema:author ; schema:url . :model-claude-opus-47 a schema:SoftwareApplication ; schema:name "Claude Opus 4.7"@en ; schema:description "Anthropic AI model achieving ~0.1% attack success rate on Gray Swan's Agent Red Teaming benchmark for prompt injection on single attempts, and ~5–6% after 100 adaptive attempts."@en ; schema:applicationCategory "Large Language Model"@en ; schema:author ; schema:url . :model-claude-mythos-preview a schema:SoftwareApplication ; schema:name "Claude Mythos Preview"@en ; schema:description "An Anthropic model whose blast radius was deemed too high to ship in April 2026 due to capability level. Broader release expected as defenders harden systems and safeguards mature."@en ; schema:applicationCategory "Large Language Model"@en ; schema:author ; schema:url . ################################################################## ## SOFTWARE — SECURITY INFRASTRUCTURE ################################################################## :software-gvisor a schema:SoftwareApplication ; schema:name "gVisor"@en ; schema:description "Google-developed container sandbox runtime providing an additional layer of defense between containerized applications and the host kernel. Used in claude.ai to isolate code execution."@en ; schema:applicationCategory "Security Infrastructure"@en ; schema:url ; owl:sameAs . a schema:SoftwareApplication ; schema:name "seccomp"@en ; schema:description "Linux kernel feature for filtering system calls available to a process. Used alongside gVisor in Anthropic's containment architecture."@en ; schema:applicationCategory "Security Infrastructure"@en ; owl:sameAs . :software-bubblewrap a schema:SoftwareApplication ; schema:name "bubblewrap"@en ; schema:description "Unprivileged Linux sandbox tool (used by Flatpak). Deployed in Claude Code on Linux as the OS-level sandbox for the HITL containment pattern."@en ; schema:applicationCategory "Security Infrastructure"@en ; schema:url . :software-seatbelt a schema:SoftwareApplication ; schema:name "Seatbelt"@en ; schema:description "macOS sandbox framework used by Claude Code on macOS as the OS-level sandbox; allows reads, allows writes inside the workspace, denies network by default."@en ; schema:applicationCategory "Security Infrastructure"@en . :software-opentelemetry a schema:SoftwareApplication ; schema:name "OpenTelemetry (OTLP)"@en ; schema:description "Open-source observability framework. Claude Cowork uses pull-based OTLP exports to allow administrators to retrieve event logs from inside the VM, mitigating EDR opacity."@en ; schema:applicationCategory "Observability"@en ; schema:url ; owl:sameAs . ################################################################## ## STANDARDS ################################################################## :standard-iso-42001 a schema:CreativeWork ; schema:name "ISO/IEC 42001"@en ; schema:description "International AI management standard published by ISO/IEC. Cited as a governance reference for agent security posture."@en ; schema:url ; schema:publisher . :guidance-six-agency a schema:CreativeWork ; schema:name "Careful Adoption of Agentic AI Services"@en ; schema:description "Six-agency guidance document led by Australia's ACSC with CISA and the UK's NCSC, covering governance frameworks for adopting agentic AI services safely."@en ; schema:url ; schema:datePublished "2026-04-30"^^xsd:date . ################################################################## ## ARTICLE SECTIONS ################################################################## :section-risk-categories a schema:ArticleSection ; schema:name "Three types of risk, three components of defense"@en ; schema:abstract "Defines three risk categories (user misuse, model misbehavior, external attackers) and three defense components (environment, model, external content)."@en ; schema:isPartOf :article . :section-ephemeral-container a schema:ArticleSection ; schema:name "Pattern 1: The ephemeral container (claude.ai code execution)"@en ; schema:abstract "claude.ai runs code in a gVisor container on isolated infrastructure. Ephemeral filesystem per session; no code runs locally. Traditional security work dominates pre-launch: network configuration, internal service auth, orchestration."@en ; schema:isPartOf :article ; schema:mentions :software-gvisor , , :software-claude-ai . :section-hitl-sandbox a schema:ArticleSection ; schema:name "Pattern 2: The human-in-the-loop sandbox (Claude Code)"@en ; schema:abstract "Claude Code runs on the user's machine with filesystem, shell, and network access. Launched with HITL approvals; upgraded to OS-level sandbox (Seatbelt/bubblewrap) after approval fatigue emerged within weeks. Key incidents: pre-trust-dialog hook execution; direct prompt injection phishing attack extracting AWS credentials."@en ; schema:isPartOf :article ; schema:mentions :software-claude-code , :software-seatbelt , :software-bubblewrap . :section-local-vm a schema:ArticleSection ; schema:name "Pattern 3: The local VM (Claude Cowork)"@en ; schema:abstract "Claude Cowork runs inside a full VM (Apple Virtualization on macOS, HCS on Windows). Credentials stay in host keychain. Key incident: exfiltration through allowlisted domain api.anthropic.com — fixed with a defensive MitM proxy inside the VM. EDR opacity is a known tradeoff, mitigated with OTLP pull-based logging."@en ; schema:isPartOf :article ; schema:mentions :software-claude-cowork , :software-opentelemetry . :section-mcp-trust a schema:ArticleSection ; schema:name "Trusting what the agent reads"@en ; schema:abstract "Remote MCP servers and third-party connectors represent both code-execution and prompt-injection risks. Remote tools can change behavior after install-time approval. Tool output is an attack surface even when the tool is trusted."@en ; schema:isPartOf :article . :section-looking-ahead a schema:ArticleSection ; schema:name "Looking ahead"@en ; schema:abstract "Three emerging risks: persistent memory poisoning (injections reloaded each session); multi-agent trust escalation (sub-agent output misused as higher-trust); agent identity (per-session scoped tokens vs inherited user permissions). Calls for collective investment in benchmarks, disclosure norms, identity standards, and cross-vendor red-teaming."@en ; schema:isPartOf :article . :section-summary a schema:ArticleSection ; schema:name "Summary"@en ; schema:abstract "Three principles: (1) environment-layer containment first, then model-layer steering; (2) isolation strength matched to user's capacity for oversight; (3) battle-tested primitives over custom components — the custom allowlist proxy failed while hypervisors and seccomp held."@en ; schema:isPartOf :article . ################################################################## ## FAQ PAGE ################################################################## :faq-page a schema:FAQPage ; schema:name "FAQ: How we contain Claude across products"@en ; schema:about :article ; schema:mainEntity :q1 , :q2 , :q3 , :q4 , :q5 , :q6 , :q7 , :q8 , :q9 , :q10 , :q11 , :q12 . :q1 a schema:Question ; schema:name "What is 'blast radius' in the context of agentic AI?"@en ; schema:text "What is 'blast radius' in the context of agentic AI?"@en ; schema:acceptedAnswer :a1 . :a1 a schema:Answer ; schema:text "Blast radius is the maximum theoretical damage an autonomous agent could cause if it misbehaved or was compromised. Risk has two components: the probability of a failure, and the blast radius. While safeguards and training reduce the probability, the blast radius only grows as agent capabilities and access expand."@en . :q2 a schema:Question ; schema:name "What are the three categories of security risk for AI agents?"@en ; schema:text "What are the three categories of security risk for AI agents?"@en ; schema:acceptedAnswer :a2 . :a2 a schema:Answer ; schema:text "The three categories are: (1) User misuse — a user directs the agent to do something harmful, intentionally or through carelessness; (2) Model misbehavior — the agent takes a harmful action no one asked for, often by finding unexpected paths to a goal; (3) External attackers — the agent is attacked through tools, files, or network access including prompt injection and conventional runtime attacks."@en . :q3 a schema:Question ; schema:name "What are the three containment patterns Anthropic uses across its products?"@en ; schema:text "What are the three containment patterns Anthropic uses across its products?"@en ; schema:acceptedAnswer :a3 . :a3 a schema:Answer ; schema:text "The three patterns are: (1) Ephemeral container — claude.ai runs code in a gVisor container on isolated server-side infrastructure with per-session ephemeral filesystems; (2) HITL sandbox — Claude Code runs on the user's machine, protected by OS-level sandboxes (Seatbelt on macOS, bubblewrap on Linux) after approval fatigue undermined the original human-in-the-loop model; (3) Local VM — Claude Cowork runs inside a full VM (Apple Virtualization on macOS, HCS on Windows) with credentials staying in the host keychain."@en . :q4 a schema:Question ; schema:name "What is approval fatigue and how did it affect Claude Code?"@en ; schema:text "What is approval fatigue and how did it affect Claude Code?"@en ; schema:acceptedAnswer :a4 . :a4 a schema:Answer ; schema:text "Approval fatigue is the progressive decline in user attention caused by repeated permission prompts. Telemetry showed Claude Code users approved roughly 93% of prompts, with diligence decreasing over time. An OS-level sandbox was introduced to reduce prompts by 84%, moving to a model where reads and in-workspace writes are allowed without interruption."@en . :q5 a schema:Question ; schema:name "What vulnerability was found related to pre-trust-dialog code execution in Claude Code?"@en ; schema:text "What vulnerability was found related to pre-trust-dialog code execution in Claude Code?"@en ; schema:acceptedAnswer :a5 . :a5 a schema:Answer ; schema:text "Between mid-2025 and January 2026, three vulnerabilities were reported where code executed before the user had consented to anything. The most direct case: a cloned repository containing .claude/settings.json with an attacker-authored hook would execute automatically because Claude Code read project settings during startup — before presenting the 'Do you trust this folder?' prompt. The fix: defer parsing and execution of project-local configuration until after the user accepts the trust prompt."@en . :q6 a schema:Question ; schema:name "What was the direct prompt injection phishing attack on Claude Code?"@en ; schema:text "What was the direct prompt injection phishing attack on Claude Code?"@en ; schema:acceptedAnswer :a6 . :a6 a schema:Answer ; schema:text "In February 2026, a researcher phished an employee into launching Claude Code with a malicious prompt disguised as routine task instructions. Among the setup steps, it instructed Claude to read ~/.aws/credentials, encode the contents, and POST them to an external endpoint. Across 25 retries, Claude completed the exfiltration 24 times. Model-layer defenses couldn't catch it because the user was the one typing the instruction. Only egress controls and filesystem boundaries would have blocked it."@en . :q7 a schema:Question ; schema:name "How was data exfiltrated through an allowlisted domain in Claude Cowork?"@en ; schema:text "How was data exfiltrated through an allowlisted domain in Claude Cowork?"@en ; schema:acceptedAnswer :a7 . :a7 a schema:Answer ; schema:text "A malicious file in the user's mounted workspace carried hidden instructions and an attacker-controlled API key. Claude read workspace files and called Anthropic's Files API using the attacker's key. The egress proxy passed the traffic because the destination was api.anthropic.com — an allowlisted domain. The fix: a defensive man-in-the-middle proxy inside the VM that only passes requests carrying the VM's own provisioned session token, rejecting attacker-embedded keys."@en . :q8 a schema:Question ; schema:name "Why did Anthropic move the Claude Cowork agent loop outside the VM?"@en ; schema:text "Why did Anthropic move the Claude Cowork agent loop outside the VM?"@en ; schema:acceptedAnswer :a8 . :a8 a schema:Answer ; schema:text "In the original full-VM mode, any VM startup failure made Cowork completely unusable. Moving the agent loop outside the VM (host-mode) allows Claude to still respond to the user and help debug issues when the VM crashes. Security impact was minimal because the VM still enforces filesystem and network controls over any code executed by the agent inside it."@en . :q9 a schema:Question ; schema:name "Why does Claude Cowork's VM isolation create problems for enterprise EDR?"@en ; schema:text "Why does Claude Cowork's VM isolation create problems for enterprise EDR?"@en ; schema:acceptedAnswer :a9 . :a9 a schema:Answer ; schema:text "The same VM isolation that keeps Claude contained also prevents host-based endpoint detection and response (EDR) software from inspecting what happens inside the guest. From the EDR's perspective, Claude Cowork is an opaque hypervisor process. The current mitigation is pull-based OTLP log exports so admins can retrieve event logs after the fact — not the same as live monitoring."@en . :q10 a schema:Question ; schema:name "What is the principle about custom components versus battle-tested primitives?"@en ; schema:text "What is the principle about custom components versus battle-tested primitives?"@en ; schema:acceptedAnswer :a10 . :a10 a schema:Answer ; schema:text "Battle-tested hypervisors, syscall filters, and container runtimes (gVisor, seccomp, bubblewrap) have survived far more adversarial attention than anything newly built. Across all three deployments described, the standard primitives held while custom components around them exposed flaws — the custom allowlist proxy failed in both claude.ai (most consequential incident) and Cowork (exfiltration via api.anthropic.com)."@en . :q11 a schema:Question ; schema:name "What is persistent memory poisoning and why is it a growing concern?"@en ; schema:text "What is persistent memory poisoning and why is it a growing concern?"@en ; schema:acceptedAnswer :a11 . :a11 a schema:Answer ; schema:text "Persistent memory poisoning is a threat where an injection lands in persistent agent state — product memory, CLAUDE.md files, mounted workspaces, or scheduled-agent state directories — and is reloaded at every session start. As more agent state survives sessions, it mirrors post-exploitation persistence mechanisms. Good classifiers on session startup will need to become more commonplace."@en . :q12 a schema:Question ; schema:name "What is multi-agent trust escalation?"@en ; schema:text "What is multi-agent trust escalation?"@en ; schema:acceptedAnswer :a12 . :a12 a schema:Answer ; schema:text "Multi-agent trust escalation is the risk that if a sub-agent's output is treated as higher-trust than raw tool results (because it came from 'us'), a prompt injection in the sub-agent introduces a new, elevated-trust vector into the main agent. There is a tradeoff: sub-agents can isolate untrusted content, but assigning them higher trust creates a new attack surface."@en . ################################################################## ## DEFINED TERM SET (GLOSSARY) ################################################################## :defined-term-set a schema:DefinedTermSet ; schema:name "Key Concepts from 'How we contain Claude across products'"@en ; schema:hasDefinedTerm :term-containment , :term-blast-radius , :term-prompt-injection , :term-approval-fatigue , :term-hitl , :term-ephemeral-container , :term-sandboxing , :term-egress-control , :term-memory-poisoning , :term-multi-agent-trust , :term-agent-identity , :term-defense-in-depth , :term-canary-string . :term-containment a schema:DefinedTerm ; schema:name "Containment"@en ; schema:description "An agent security strategy that caps the blast radius by enforcing access boundaries — sandboxes, virtual machines, filesystem limits, and egress controls — rather than relying solely on supervising agent behavior."@en ; schema:inDefinedTermSet :defined-term-set . :term-blast-radius a schema:DefinedTerm ; schema:name "Blast Radius"@en ; schema:description "The maximum theoretical damage an autonomous agent could cause if it misbehaved or was compromised. Containment strategies aim to set a hard ceiling on this value independent of agent behavior."@en ; schema:inDefinedTermSet :defined-term-set . :term-prompt-injection a schema:DefinedTerm ; schema:name "Prompt Injection"@en ; schema:description "An attack where malicious instructions are embedded in content the agent reads — tool outputs, files, web pages, or README files — causing the agent to act on the attacker's instructions instead of the user's."@en ; schema:inDefinedTermSet :defined-term-set ; owl:sameAs . :term-approval-fatigue a schema:DefinedTerm ; schema:name "Approval Fatigue"@en ; schema:description "The progressive decline in user diligence caused by repeated per-action permission prompts. Anthropic telemetry showed Claude Code users approved ~93% of prompts, becoming less attentive over time, motivating the shift to OS-level sandboxes."@en ; schema:inDefinedTermSet :defined-term-set . :term-hitl a schema:DefinedTerm ; schema:name "Human-in-the-Loop (HITL)"@en ; schema:description "A supervision strategy where a human reviews and approves agent actions at each step. Effective when users have the expertise to evaluate what the agent is about to do; subject to approval fatigue at scale."@en ; schema:inDefinedTermSet :defined-term-set . :term-ephemeral-container a schema:DefinedTerm ; schema:name "Ephemeral Container"@en ; schema:description "A container that exists only for the duration of a session and has no persistent filesystem. Used by claude.ai for code execution, providing strong isolation but limiting persistent workspace capabilities."@en ; schema:inDefinedTermSet :defined-term-set . :term-sandboxing a schema:DefinedTerm ; schema:name "Sandboxing"@en ; schema:description "An isolation mechanism that restricts the resources and capabilities accessible to a process. Anthropic uses OS-level sandboxes (Seatbelt on macOS, bubblewrap on Linux) to contain Claude Code without requiring per-action approvals."@en ; schema:inDefinedTermSet :defined-term-set . :term-egress-control a schema:DefinedTerm ; schema:name "Egress Control"@en ; schema:description "Network controls that restrict what destinations an agent can communicate with. Conceptualized as a capability grant rather than just a destination filter: every function reachable through any allowlisted domain becomes an attack surface."@en ; schema:inDefinedTermSet :defined-term-set . :term-memory-poisoning a schema:DefinedTerm ; schema:name "Persistent Memory Poisoning"@en ; schema:description "An attack where a malicious injection lands in agent state that persists across sessions — CLAUDE.md files, product memory, workspace files — causing the agent to be compromised on every subsequent startup."@en ; schema:inDefinedTermSet :defined-term-set . :term-multi-agent-trust a schema:DefinedTerm ; schema:name "Multi-Agent Trust Escalation"@en ; schema:description "A risk in multi-agent systems where a sub-agent's output is treated as higher-trust than raw tool results, creating a new prompt injection vector with elevated trust. Tradeoff between isolation benefit and new attack surface."@en ; schema:inDefinedTermSet :defined-term-set . :term-agent-identity a schema:DefinedTerm ; schema:name "Agent Identity"@en ; schema:description "The question of whether an autonomous agent should possess its own principal identity (with per-session scoped tokens) or act as an extension of the user (inheriting user permissions). Likely a blend of both approaches."@en ; schema:inDefinedTermSet :defined-term-set . :term-defense-in-depth a schema:DefinedTerm ; schema:name "Defense in Depth"@en ; schema:description "A security strategy using overlapping layers of defense so that when one layer fails, others compensate. Anthropic applies this across the environment, model, and external content layers — no single layer is sufficient alone."@en ; schema:inDefinedTermSet :defined-term-set ; owl:sameAs . :term-canary-string a schema:DefinedTerm ; schema:name "Canary String"@en ; schema:description "A detectable token embedded in content to reveal whether an agent has read it without authorization. Used by Anthropic when a malicious prompt payload was shared on internal Slack — a canary was added to detect if any agent reading Slack had picked it up."@en ; schema:inDefinedTermSet :defined-term-set . ################################################################## ## HOWTO ################################################################## :howto-secure-agentic-deployment a schema:HowTo ; schema:name "How to Secure an Agentic AI Deployment"@en ; schema:description "A guide distilling Anthropic's engineering lessons from deploying claude.ai, Claude Code, and Claude Cowork — covering containment design, user trust modeling, primitive selection, and MCP security."@en ; schema:step :howto-step-1 , :howto-step-2 , :howto-step-3 , :howto-step-4 , :howto-step-5 , :howto-step-6 . :howto-step-1 a schema:HowToStep ; schema:name "Design for containment at the environment layer first"@en ; schema:text "Set a hard boundary on what the agent can reach before addressing model-layer behavior. Process sandboxes, VMs, filesystem limits, and egress controls are deterministic — they get hit when all probabilistic defenses miss. Incidents of data exfiltration (AWS credentials phish, api.anthropic.com allowlist bypass) were only stoppable at the environment layer."@en ; schema:position 1 . :howto-step-2 a schema:HowToStep ; schema:name "Match isolation strength to the user's capacity for oversight"@en ; schema:text "Determine whether your users can accurately evaluate what the agent is about to do. A developer who reads bash can use a HITL sandbox; a non-technical knowledge worker cannot. Answering this wrong in either direction — too much friction for experts, too much trust for non-experts — is its own failure mode."@en ; schema:position 2 . :howto-step-3 a schema:HowToStep ; schema:name "Prefer battle-tested primitives over custom components"@en ; schema:text "gVisor, seccomp, Seatbelt, and hypervisors have been hardened against well-resourced adversaries for far longer than agentic AI has existed. In every deployment described, standard primitives held while custom components around them (custom proxies, allowlist logic) exposed flaws. Build your custom work narrowly around proven foundations."@en ; schema:position 3 . :howto-step-4 a schema:HowToStep ; schema:name "Treat project-open and config-load events as untrusted inbound requests"@en ; schema:text "Never implicitly trust input that arrives before a user consent boundary, simply because it feels local. Defer parsing and execution of project-local configuration — settings files, hooks, localhost listeners — until after the user has explicitly accepted a trust prompt. Vulnerabilities in Claude Code arose precisely because config was parsed before trust was established."@en ; schema:position 4 . :howto-step-5 a schema:HowToStep ; schema:name "Reconceptualize egress allowlists as capability grants"@en ; schema:text "Every function reachable through any allowlisted domain is now an attack surface. Allowing api.anthropic.com means allowing file uploads to arbitrary Anthropic accounts. Implement a defensive man-in-the-middle proxy that enforces token provenance, not just destination, for any traffic to domains you must permit."@en ; schema:position 5 . :howto-step-6 a schema:HowToStep ; schema:name "Budget early for EDR visibility and persistent memory classifiers"@en ; schema:text "VM isolation reduces EDR visibility — budget for that conversation with enterprise security teams before launch. As agent state increasingly persists across sessions (memory, CLAUDE.md, workspace), deploy classifiers at session startup to detect poisoned persistent state before it steers the agent."@en ; schema:position 6 .