# [How we contain Claude across products](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23article)

Source HTML: [how-we-contain-claude-gpt5-chat-1.html](../webpages/how-we-contain-claude-gpt5-chat-1.html)  
Associated RDF: [how-we-contain-claude-gpt5-chat-1.ttl](../rdf/how-we-contain-claude-gpt5-chat-1.ttl)

[Anthropic](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23anthropic) explains how it caps [blast radius](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23blastRadius) for increasingly capable [Claude](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23claude) agents through environment-first [Containment](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23containment), product-specific isolation, and overlapping defenses for model behavior and external content.

## Core Reading

- [Risk-reward shifts as agent capability grows](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23riskReward): The article frames containment as the way to cap blast radius while preserving useful agent deployments.
- [Three risk categories](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23riskCategories): User misuse, model misbehavior, and external attackers each require overlapping defenses.
- [Three defense components](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23defenseComponents): The environment, the model, and external content are defended with different mechanisms and guarantees.
- [Pattern 1: ephemeral container](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23patternEphemeral): claude.ai uses server-side gVisor containers with ephemeral filesystems and isolated infrastructure.
- [Pattern 2: human-in-the-loop sandbox](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23patternHumanSandbox): Claude Code combines developer approvals with OS-level sandboxes and network-deny defaults.
- [Pattern 3: local VM](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23patternLocalVm): Claude Cowork runs code inside a VM boundary, and how much of the host filesystem the VM can see or write is controlled by mount modes.
- [Allowlist as capability grant](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23allowlistLesson): The article treats every function available through an allowed domain as part of the attack surface.
- [Trusting what the agent reads](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23toolTrust): MCPs, connectors, web content, and tool outputs require both supply-chain review and prompt-injection inspection.
- [Looking ahead](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23futureRisks): Persistent memory poisoning, multi-agent trust escalation, and agent identity are identified as evolving risks.
- [Summary principles](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23summaryPrinciples): Contain first, match isolation to user expertise, and prefer battle-tested primitives over custom components.

## Products and Architecture

- [claude.ai](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23claudeAi): server-side code execution in ephemeral [gVisor](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23gvisor) containers.
- [Claude Code](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23claudeCode): developer-local agent using approvals, [Seatbelt](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23seatbelt) (macOS), [bubblewrap](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23bubblewrap) (Linux), workspace write boundaries, and network-deny defaults.
- [Claude Cowork](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23claudeCowork): knowledge-work agent using [local VM](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23localVm) isolation and mount modes.

## FAQ

### [What problem does the article address?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23q1)

[It explains how Anthropic caps the blast radius of increasingly capable Claude agents across multiple products.](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23a1)

### [What are the three risk categories?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23q2)

[The categories are user misuse, model misbehavior, and external attackers.](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23a2)

### [What are the three defense components?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23q3)

[The article highlights the environment, the model, and the external content the agent can reach.](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23a3)

### [Why is human-in-the-loop approval insufficient by itself?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23q4)

[Users approve many prompts, become fatigued, and may miss harmful actions, so probabilistic or attention-based oversight cannot stand alone.](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23a4)

### [What is the central role of containment?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23q5)

[Containment limits what the agent is able to reach or do through sandboxes, VMs, filesystem boundaries, and egress controls.](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23a5)

### [How does claude.ai contain code execution?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23q6)

[It runs code server-side in isolated gVisor containers with ephemeral per-session filesystems.](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23a6)

### [How does Claude Code differ from claude.ai?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23q7)

[Claude Code runs on a user's machine and needs shell, filesystem, and network access, so it relies on approvals plus OS-level sandboxing.](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23a7)
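The OS-level sandbox layer that this answer attributes to Claude Code, shown for Linux as an added example for this page (it is not Claude Code's own sandbox code): a bubblewrap (`bwrap`) command line that keeps the host filesystem read-only, makes only the workspace writable, masks credential directories under the home directory, and denies network access unless the caller grants it. The `bwrap` flags are bubblewrap's real options; `SECRET_DIRS`, the helper names and the overall policy shape are this example's assumptions, and the macOS Seatbelt counterpart is not shown.

```python
"""Confining a tool command with bubblewrap: writable workspace, masked secrets, no network.

Added example for this summary page; not Claude Code's own sandbox code.
The bwrap flags are bubblewrap's real options; SECRET_DIRS, the helper
names and the policy shape are assumptions made for the illustration.
"""
import os
import shutil
import subprocess
from pathlib import Path

# Credential stores that stay hidden even though the rest of $HOME is
# visible read-only (assumed list; extend it for your environment).
SECRET_DIRS = (".ssh", ".aws", ".gnupg", ".config/gcloud", ".docker")


def secret_mounts(home: str) -> list[str]:
    """Return --tmpfs arguments that hide each credential directory that exists.

    bwrap creates missing mount points itself, but not under a read-only
    bind, so only directories that already exist are masked.
    """
    args: list[str] = []
    for rel in SECRET_DIRS:
        target = Path(home) / rel
        if target.is_dir():
            args += ["--tmpfs", str(target)]
    return args


def bwrap_args(workspace: str, command: list[str], *, allow_network: bool = False,
               home: str = "") -> list[str]:
    """Build the bwrap argv that runs `command` confined to `workspace`."""
    home = home or os.path.expanduser("~")
    ws = str(Path(workspace).resolve())
    args = [
        "bwrap",
        "--ro-bind", "/", "/",      # the host filesystem is visible but read-only...
        "--bind", ws, ws,           # ...except the workspace, which stays writable
        "--dev", "/dev",            # minimal /dev instead of the host's device nodes
        "--proc", "/proc",          # fresh procfs matching the new pid namespace
        "--tmpfs", "/tmp",          # private scratch space, discarded on exit
        "--unshare-pid",            # cannot see or signal host processes
        "--die-with-parent",        # no orphaned tool processes if the agent dies
        "--new-session",            # detach from the controlling tty (blocks TIOCSTI tricks)
        "--chdir", ws,
    ]
    args += secret_mounts(home)
    if not allow_network:
        args.append("--unshare-net")  # network-deny default: no sockets to the outside
    return args + ["--"] + command


def run_sandboxed(workspace: str, command: list[str], **policy) -> subprocess.CompletedProcess:
    """Execute the command under bwrap; raises if bubblewrap is not installed."""
    if shutil.which("bwrap") is None:
        raise RuntimeError("bubblewrap (bwrap) is not installed on this host")
    return subprocess.run(bwrap_args(workspace, command, **policy),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Probe from inside the sandbox: workspace writable, home not, no SSH keys visible.
    probe = ["sh", "-c",
             "touch ./probe && rm ./probe && echo 'workspace writable'; "
             "touch \"$HOME/.probe\" 2>/dev/null || echo 'home read-only'; "
             "echo \"ssh files visible: $(ls -A ~/.ssh 2>/dev/null | wc -l)\""]
    print(" ".join(bwrap_args(os.getcwd(), probe)))
    if shutil.which("bwrap"):
        print(run_sandboxed(os.getcwd(), probe).stdout)
```

Granting network is a separate, explicit decision (`allow_network=True`), which keeps the default in line with the network-deny posture the page describes; a finer-grained egress policy would sit in front of that grant rather than replace it.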

### [Why does Claude Cowork use a VM?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23q8)

[Cowork targets general knowledge workers, so it uses an always-on VM boundary rather than expecting users to judge low-level commands.](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23a8)

### [What lesson came from the allowlist incident?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23q9)

[A destination allowlist is also a capability grant; every reachable function on an allowed domain becomes part of the attack surface.](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23a9)
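A worked contrast for the lesson above, added here and not taken from the article: a host-only egress allowlist lets injected content reach every endpoint an allowed host exposes, while a policy scoped to method, host and path prefix grants only the function the task needs. The hostnames, paths, rule format and requests are constructed for the example and do not describe the incident itself.

```python
"""Why an egress allowlist is a capability grant.

Added example for this summary page; not Anthropic's code. The hosts,
paths, rule format and requests are constructed for illustration.
"""
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    method: str
    url: str


def host_only_permits(req: Request, allowed_hosts: set[str]) -> bool:
    """Host allowlist: every function the host exposes becomes reachable."""
    return urlsplit(req.url).hostname in allowed_hosts


def _canonical_path(url: str) -> str:
    """Collapse '.' and '..' so '/simple/../upload' cannot hide behind an allowed prefix."""
    return posixpath.normpath(urlsplit(url).path or "/")


def scoped_permits(req: Request, rules: list[tuple[str, str, str]]) -> bool:
    """Capability-scoped allowlist of (method, host, path prefix) triples.

    Only TLS on the default port is accepted, the host must match exactly,
    and the request must use the listed method under the listed prefix.
    """
    parts = urlsplit(req.url)
    if parts.scheme != "https" or (parts.port or 443) != 443:
        return False
    path = _canonical_path(req.url)
    for method, host, prefix in rules:
        if req.method != method or parts.hostname != host:
            continue
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return True
    return False


# Constructed policy: the agent may read package metadata from one host.
ALLOWED_HOSTS = {"packages.example.com"}
RULES = [("GET", "packages.example.com", "/simple")]

# Constructed traffic, including what injected content might try.
SAMPLE_REQUESTS = [
    Request("GET", "https://packages.example.com/simple/requests/"),        # intended use
    Request("POST", "https://packages.example.com/upload/"),               # exfil via the same host
    Request("GET", "https://packages.example.com/simple/../upload/"),      # prefix dodge
    Request("GET", "https://packages.example.com.evil.example/simple/"),   # lookalike host
    Request("GET", "https://u@packages.example.com@evil.example/simple/"),  # userinfo trick
    Request("GET", "http://packages.example.com/simple/requests/"),        # TLS downgrade
]


def compare(requests: list[Request] = SAMPLE_REQUESTS) -> list[tuple[str, str, bool, bool]]:
    """Return (method, url, host_only_decision, scoped_decision) for each request."""
    return [
        (r.method, r.url, host_only_permits(r, ALLOWED_HOSTS), scoped_permits(r, RULES))
        for r in requests
    ]


if __name__ == "__main__":
    for method, url, loose, tight in compare():
        print(f"{method:4} {url:62} host-only={loose!s:5} scoped={tight}")
```

The second, third and sixth requests are the ones that matter: the host-only policy waves through an upload endpoint, a path-traversal dodge and a plaintext downgrade on the same allowed host, which is exactly the surface the allowlist lesson says is being granted.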

### [What risks does Anthropic identify as next?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23q10)

[Persistent memory poisoning, multi-agent trust escalation, and cross-platform agent identity are highlighted as future concerns.](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23a10)

## Glossary

- [Blast Radius](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23term-blast-radius): Maximum possible damage from an agent failure or compromise.
- [Containment](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23term-containment): Hard environment-level limits on what an agent can access or affect.
- [Egress Controls](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23term-egress-controls): Network rules that restrict data leaving an execution environment.
- [Prompt Injection](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23term-prompt-injection): Malicious instructions embedded in content that the agent reads.
- [Human-in-the-loop](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23term-human-loop): User approval or supervision of agent behavior.
- [Approval Fatigue](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23term-approval-fatigue): Reduced attention caused by repeated permission prompts.
- [MCP](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23term-mcp): Model Context Protocol; the protocol and ecosystem for connecting agents to tools and data sources.
- [Agent Identity](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23term-agent-identity): The authorization model that determines whether an agent acts as itself, as a user, or both.

## Related Links

- [Claude Code auto mode](https://www.anthropic.com/engineering/claude-code-auto-mode)
- [Claude Mythos Preview](https://red.anthropic.com/2026/mythos-preview/)
- [Claude Opus system card](https://assets.anthropic.com/m/64823ba7485345a7/Claude-Opus-4-5-System-Card.pdf)
- [Eval awareness BrowseComp](https://www.anthropic.com/engineering/eval-awareness-browsecomp)
- [Anthropic sandbox runtime](https://github.com/anthropic-experimental/sandbox-runtime)
- [NIST AI agent identity and authorization](https://www.nccoe.nist.gov/projects/software-and-ai-agent-identity-and-authorization)
- [Six-agency guidance on agentic AI](https://media.defense.gov/2026/Apr/30/2003922823/-1/-1/0/CAREFUL%20ADOPTION%20OF%20AGENTIC%20AI%20SERVICES_FINAL.PDF)
- [ISO/IEC 42001](https://www.iso.org/standard/42001)

## Provenance

Generated from [How we contain Claude across products](https://www.anthropic.com/engineering/how-we-contain-claude) using [kg-generator](https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/kg-generator) and [rdf-infographic-skill](https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/rdf-infographic-skill). SPARQL named graph IRI: `https://linkeddata.uriburner.com/DAV/demos/daas/how-we-contain-claude-gpt5-chat-1.ttl`.
