@base <https://www.anthropic.com/engineering/how-we-contain-claude> .
@prefix : <https://www.anthropic.com/engineering/how-we-contain-claude#> .
@prefix schema: <http://schema.org/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix prov: <http://www.w3.org/ns/prov#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

:collection a schema:CreativeWork ; schema:name "How we contain Claude across products - RDF, Markdown, and HTML Collection"@en ; schema:about :article ; schema:hasPart :article, :faq, :glossary, :kgExplorer, :markdownCompanion, :htmlCompanion ; schema:identifier <https://www.anthropic.com/engineering/how-we-contain-claude> ; prov:wasGeneratedBy <https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/kg-generator#this>, <https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/rdf-infographic-skill#this> .

:article a schema:AnalysisNewsArticle, schema:TechArticle ;
  schema:headline "How we contain Claude across products"@en ;
  schema:name "How we contain Claude across products"@en ;
  schema:url <https://www.anthropic.com/engineering/how-we-contain-claude> ;
  schema:mainEntityOfPage <https://www.anthropic.com/engineering/how-we-contain-claude> ;
  schema:datePublished "2026-05-25"^^xsd:date ;
  schema:author :maxMcGuinness, :mikaelaGrace, :jiriDeJonghe, :jakeEaton, :abelRibbink ;
  schema:publisher :anthropic ;
  schema:articleSection "Engineering at Anthropic"@en ;
  schema:keywords "Claude, agent security, containment, sandboxing, VM isolation, egress controls, MCP, prompt injection"@en ;
  schema:abstract "Anthropic explains how containment architectures cap Claude agents' blast radius across claude.ai, Claude Code, and Claude Cowork."@en ;
  schema:about :containment, :blastRadius, :claude, :claudeAi, :claudeCode, :claudeCowork, :environmentLayer, :modelLayer, :externalContentLayer, :promptInjection, :egressControls ;
  schema:mentions :gvisor, :seccomp, :seatbelt, :bubblewrap, :appleVirtualization, :hcs, :mcp, :otlp, :nistProject, :sixAgencyGuidance, :iso42001, :glasswing ;
  schema:hasPart :riskReward, :riskCategories, :defenseComponents, :patternEphemeral, :patternHumanSandbox, :patternLocalVm, :allowlistLesson, :toolTrust, :futureRisks, :summaryPrinciples, :faq, :glossary, :howto ;
  prov:wasGeneratedBy <https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/kg-generator#this>, <https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/rdf-infographic-skill#this> .

:maxMcGuinness a schema:Person ; schema:name "Max McGuinness"@en ; schema:isPartOf :article .
:mikaelaGrace a schema:Person ; schema:name "Mikaela Grace"@en ; schema:isPartOf :article .
:jiriDeJonghe a schema:Person ; schema:name "Jiri De Jonghe"@en ; schema:isPartOf :article .
:jakeEaton a schema:Person ; schema:name "Jake Eaton"@en ; schema:isPartOf :article .
:abelRibbink a schema:Person ; schema:name "Abel Ribbink"@en ; schema:isPartOf :article .

:anthropic a schema:Organization .
:anthropic schema:name "Anthropic"@en .
:anthropic schema:description "AI safety and research company that develops Claude products."@en .
:anthropic schema:url <https://www.anthropic.com/> .
:anthropic owl:sameAs <http://dbpedia.org/resource/Anthropic>, <http://www.wikidata.org/entity/Q115188092> .

:claude a schema:SoftwareApplication .
:claude schema:name "Claude"@en .
:claude schema:description "Anthropic assistant product family discussed as an increasingly capable agentic system."@en .
:claude schema:url <https://claude.com/product/overview> .
:claude owl:sameAs <http://dbpedia.org/resource/Claude_(language_model)>, <http://www.wikidata.org/entity/Q119921166> .

:claudeAi a schema:SoftwareApplication .
:claudeAi schema:name "claude.ai"@en .
:claudeAi schema:description "Server-side Claude product that runs code in ephemeral gVisor containers on isolated infrastructure."@en .
:claudeAi schema:url <https://claude.ai/> .

:claudeCode a schema:SoftwareApplication .
:claudeCode schema:name "Claude Code"@en .
:claudeCode schema:description "Developer agent that runs on a user's machine with filesystem, shell, and network access."@en .
:claudeCode schema:url <https://claude.com/product/claude-code> .

:claudeCowork a schema:SoftwareApplication .
:claudeCowork schema:name "Claude Cowork"@en .
:claudeCowork schema:description "Knowledge-work agent that uses a local VM to isolate code execution and file access."@en .
:claudeCowork schema:url <https://claude.com/product/cowork> .

:claudeCodeAutoMode a schema:SoftwareApplication .
:claudeCodeAutoMode schema:name "Claude Code auto mode"@en .
:claudeCodeAutoMode schema:description "Mode that automates safer approvals and catches many overeager behaviors before execution."@en .

:mythosPreview a schema:SoftwareApplication .
:mythosPreview schema:name "Claude Mythos Preview"@en .
:mythosPreview schema:description "Model preview cited as having too large a blast radius for release in April 2026."@en .

:claudeOpus47 a schema:SoftwareApplication .
:claudeOpus47 schema:name "Claude Opus 4.7"@en .
:claudeOpus47 schema:description "Model referenced for its low single-attempt prompt-injection attack success rate on a benchmark."@en .

:gvisor a schema:SoftwareApplication .
:gvisor schema:name "gVisor"@en .
:gvisor schema:description "Container isolation runtime used for claude.ai code execution."@en .
:gvisor owl:sameAs <http://dbpedia.org/resource/GVisor> .

:seccomp a schema:SoftwareApplication .
:seccomp schema:name "seccomp"@en .
:seccomp schema:description "Linux syscall filtering primitive referenced as battle-tested containment tooling."@en .
:seccomp owl:sameAs <http://dbpedia.org/resource/Seccomp> .

:seatbelt a schema:SoftwareApplication .
:seatbelt schema:name "Seatbelt"@en .
:seatbelt schema:description "macOS OS-level sandbox used by Claude Code."@en .

:bubblewrap a schema:SoftwareApplication .
:bubblewrap schema:name "bubblewrap"@en .
:bubblewrap schema:description "Linux sandboxing tool used by Claude Code."@en .

:appleVirtualization a schema:SoftwareApplication .
:appleVirtualization schema:name "Apple Virtualization framework"@en .
:appleVirtualization schema:description "macOS hypervisor technology used by Claude Cowork."@en .

:hcs a schema:SoftwareApplication .
:hcs schema:name "HCS"@en .
:hcs schema:description "Windows host compute system referenced for Claude Cowork virtualization."@en .

:mcp a schema:DefinedTerm .
:mcp schema:name "Model Context Protocol"@en .
:mcp schema:description "Tool and connector protocol whose local and remote deployments carry trust and prompt-injection implications."@en .

:otlp a schema:DefinedTerm .
:otlp schema:name "OTLP"@en .
:otlp schema:description "OpenTelemetry Protocol, which the article describes as used for pull-based log exports."@en .
:otlp owl:sameAs <http://www.wikidata.org/entity/Q108568198> .

:blastRadius a schema:DefinedTerm .
:blastRadius schema:name "Blast Radius"@en .
:blastRadius schema:description "The maximum damage an agent failure can cause, which containment seeks to cap."@en .

:containment a schema:DefinedTerm .
:containment schema:name "Containment"@en .
:containment schema:description "Engineering approach that uses deterministic boundaries to limit what an agent is able to do."@en .

:humanInLoop a schema:DefinedTerm .
:humanInLoop schema:name "Human-in-the-loop supervision"@en .
:humanInLoop schema:description "Approval-based oversight of agent actions, useful but vulnerable to fatigue."@en .

:approvalFatigue a schema:DefinedTerm .
:approvalFatigue schema:name "Approval Fatigue"@en .
:approvalFatigue schema:description "The decline in attention when users see too many permission prompts."@en .

:egressControls a schema:DefinedTerm .
:egressControls schema:name "Egress Controls"@en .
:egressControls schema:description "Network restrictions that block data leaving a sandbox or VM through unauthorized channels."@en .

:promptInjection a schema:DefinedTerm .
:promptInjection schema:name "Prompt Injection"@en .
:promptInjection schema:description "Instructions embedded in prompts, files, tool outputs, or external content that steer an agent toward attacker goals."@en .

:modelMisbehavior a schema:DefinedTerm .
:modelMisbehavior schema:name "Model Misbehavior"@en .
:modelMisbehavior schema:description "Harmful agent behavior no user asked for, including unexpected routes around restrictions."@en .

:userMisuse a schema:DefinedTerm .
:userMisuse schema:name "User Misuse"@en .
:userMisuse schema:description "Malicious or careless user direction causing the agent to do harmful work."@en .

:externalAttackers a schema:DefinedTerm .
:externalAttackers schema:name "External Attackers"@en .
:externalAttackers schema:description "Attackers using tools, files, network access, or runtime vulnerabilities against an agent."@en .

:environmentLayer a schema:DefinedTerm .
:environmentLayer schema:name "Environment Layer"@en .
:environmentLayer schema:description "The sandbox, VM, filesystem, process, and network boundary around an agent."@en .

:modelLayer a schema:DefinedTerm .
:modelLayer schema:name "Model Layer"@en .
:modelLayer schema:description "System prompts, classifiers, probes, and training changes that steer model behavior probabilistically."@en .

:externalContentLayer a schema:DefinedTerm .
:externalContentLayer schema:name "External Content Layer"@en .
:externalContentLayer schema:description "Tools, MCP servers, connectors, web search, and files that feed content into an agent."@en .

:ephemeralContainer a schema:DefinedTerm .
:ephemeralContainer schema:name "Ephemeral Container"@en .
:ephemeralContainer schema:description "Per-session server-side container pattern used for claude.ai code execution."@en .

:localVm a schema:DefinedTerm .
:localVm schema:name "Local VM"@en .
:localVm schema:description "Virtual-machine isolation pattern used by Claude Cowork."@en .

:defensiveMitmProxy a schema:DefinedTerm .
:defensiveMitmProxy schema:name "Defensive man-in-the-middle proxy"@en .
:defensiveMitmProxy schema:description "VM proxy that validates Anthropic API requests and blocks attacker-provided keys."@en .

:agentIdentity a schema:DefinedTerm .
:agentIdentity schema:name "Agent Identity"@en .
:agentIdentity schema:description "Open design question about whether agents should have their own principal identity or inherit user permissions."@en .

:memoryPoisoning a schema:DefinedTerm .
:memoryPoisoning schema:name "Persistent Memory Poisoning"@en .
:memoryPoisoning schema:description "Risk that injected content persists across sessions through product memory, CLAUDE.md files, workspaces, and scheduled agent state."@en .

:multiAgentTrust a schema:DefinedTerm .
:multiAgentTrust schema:name "Multi-agent Trust Escalation"@en .
:multiAgentTrust schema:description "Risk that sub-agent outputs become higher-trust channels for prompt injection."@en .

:nistProject a schema:CreativeWork .
:nistProject schema:name "NIST AI agent identity and authorization project"@en .
:nistProject schema:description "External project referenced for agent identity and authorization."@en .

:sixAgencyGuidance a schema:CreativeWork .
:sixAgencyGuidance schema:name "Six-agency agentic AI guidance"@en .
:sixAgencyGuidance schema:description "Guidance on careful adoption of agentic AI services."@en .

:iso42001 a schema:CreativeWork .
:iso42001 schema:name "ISO/IEC 42001"@en .
:iso42001 schema:description "AI management standard referenced in the article."@en .

:glasswing a schema:CreativeWork .
:glasswing schema:name "Glasswing initiative"@en .
:glasswing schema:description "Anthropic initiative referenced as a contribution to agent-specific security posture."@en .

:riskReward a schema:ArticleSection ; schema:name "Risk-reward shifts as agent capability grows"@en ; schema:description "The article frames containment as the way to cap blast radius while preserving useful agent deployments."@en ; schema:isPartOf :article .
:riskCategories a schema:ArticleSection ; schema:name "Three risk categories"@en ; schema:description "User misuse, model misbehavior, and external attackers each require overlapping defenses."@en ; schema:isPartOf :article .
:defenseComponents a schema:ArticleSection ; schema:name "Three defense components"@en ; schema:description "The environment, the model, and external content are defended with different mechanisms and guarantees."@en ; schema:isPartOf :article .
:patternEphemeral a schema:ArticleSection ; schema:name "Pattern 1: ephemeral container"@en ; schema:description "claude.ai uses server-side gVisor containers with ephemeral filesystems and isolated infrastructure."@en ; schema:isPartOf :article .
:patternHumanSandbox a schema:ArticleSection ; schema:name "Pattern 2: human-in-the-loop sandbox"@en ; schema:description "Claude Code combines developer approvals with OS-level sandboxes and network-deny defaults."@en ; schema:isPartOf :article .
:patternLocalVm a schema:ArticleSection ; schema:name "Pattern 3: local VM"@en ; schema:description "Claude Cowork uses a VM boundary for code execution and host filesystem exposure controlled by mount modes."@en ; schema:isPartOf :article .
:allowlistLesson a schema:ArticleSection ; schema:name "Allowlist as capability grant"@en ; schema:description "The article treats every function available through an allowed domain as part of the attack surface."@en ; schema:isPartOf :article .
:toolTrust a schema:ArticleSection ; schema:name "Trusting what the agent reads"@en ; schema:description "MCPs, connectors, web content, and tool outputs require both supply-chain review and prompt-injection inspection."@en ; schema:isPartOf :article .
:futureRisks a schema:ArticleSection ; schema:name "Looking ahead"@en ; schema:description "Persistent memory poisoning, multi-agent trust escalation, and agent identity are identified as evolving risks."@en ; schema:isPartOf :article .
:summaryPrinciples a schema:ArticleSection ; schema:name "Summary principles"@en ; schema:description "Contain first, match isolation to user expertise, and prefer battle-tested primitives over custom components."@en ; schema:isPartOf :article .

:faq a schema:FAQPage ; schema:name "Questions and answers about Claude containment"@en ; schema:mainEntity :q1, :q2, :q3, :q4, :q5, :q6, :q7, :q8, :q9, :q10 ; schema:isPartOf :article .

:q1 a schema:Question ; schema:name "What problem does the article address?"@en ; schema:acceptedAnswer :a1 ; schema:isPartOf :faq .
:a1 a schema:Answer ; schema:text "It explains how Anthropic caps the blast radius of increasingly capable Claude agents across multiple products."@en ; schema:isPartOf :faq .

:q2 a schema:Question ; schema:name "What are the three risk categories?"@en ; schema:acceptedAnswer :a2 ; schema:isPartOf :faq .
:a2 a schema:Answer ; schema:text "The categories are user misuse, model misbehavior, and external attackers."@en ; schema:isPartOf :faq .

:q3 a schema:Question ; schema:name "What are the three defense components?"@en ; schema:acceptedAnswer :a3 ; schema:isPartOf :faq .
:a3 a schema:Answer ; schema:text "The article highlights the environment, the model, and the external content the agent can reach."@en ; schema:isPartOf :faq .

:q4 a schema:Question ; schema:name "Why is human-in-the-loop approval insufficient by itself?"@en ; schema:acceptedAnswer :a4 ; schema:isPartOf :faq .
:a4 a schema:Answer ; schema:text "Users approve many prompts, become fatigued, and may miss harmful actions, so probabilistic or attention-based oversight cannot stand alone."@en ; schema:isPartOf :faq .

:q5 a schema:Question ; schema:name "What is the central role of containment?"@en ; schema:acceptedAnswer :a5 ; schema:isPartOf :faq .
:a5 a schema:Answer ; schema:text "Containment limits what the agent is able to reach or do through sandboxes, VMs, filesystem boundaries, and egress controls."@en ; schema:isPartOf :faq .

:q6 a schema:Question ; schema:name "How does claude.ai contain code execution?"@en ; schema:acceptedAnswer :a6 ; schema:isPartOf :faq .
:a6 a schema:Answer ; schema:text "It runs code server-side in isolated gVisor containers with ephemeral per-session filesystems."@en ; schema:isPartOf :faq .

:q7 a schema:Question ; schema:name "How does Claude Code differ from claude.ai?"@en ; schema:acceptedAnswer :a7 ; schema:isPartOf :faq .
:a7 a schema:Answer ; schema:text "Claude Code runs on a user's machine and needs shell, filesystem, and network access, so it relies on approvals plus OS-level sandboxing."@en ; schema:isPartOf :faq .

:q8 a schema:Question ; schema:name "Why does Claude Cowork use a VM?"@en ; schema:acceptedAnswer :a8 ; schema:isPartOf :faq .
:a8 a schema:Answer ; schema:text "Cowork targets general knowledge workers, so it uses an always-on VM boundary rather than expecting users to judge low-level commands."@en ; schema:isPartOf :faq .

:q9 a schema:Question ; schema:name "What lesson came from the allowlist incident?"@en ; schema:acceptedAnswer :a9 ; schema:isPartOf :faq .
:a9 a schema:Answer ; schema:text "A destination allowlist is also a capability grant; every reachable function on an allowed domain becomes part of the attack surface."@en ; schema:isPartOf :faq .

:q10 a schema:Question ; schema:name "What risks does Anthropic identify as next?"@en ; schema:acceptedAnswer :a10 ; schema:isPartOf :faq .
:a10 a schema:Answer ; schema:text "Persistent memory poisoning, multi-agent trust escalation, and cross-platform agent identity are highlighted as future concerns."@en ; schema:isPartOf :faq .

:glossary a schema:DefinedTermSet ; schema:name "Glossary for How we contain Claude across products"@en ; schema:hasDefinedTerm :term-blast-radius, :term-containment, :term-egress-controls, :term-prompt-injection, :term-human-loop, :term-approval-fatigue, :term-mcp, :term-agent-identity ; schema:isPartOf :article .

:term-blast-radius a schema:DefinedTerm ; schema:name "Blast Radius"@en ; schema:description "Maximum possible damage from an agent failure or compromise."@en ; schema:inDefinedTermSet :glossary .

:term-containment a schema:DefinedTerm ; schema:name "Containment"@en ; schema:description "Hard environment-level limits on what an agent can access or affect."@en ; schema:inDefinedTermSet :glossary .

:term-egress-controls a schema:DefinedTerm ; schema:name "Egress Controls"@en ; schema:description "Network rules that restrict data leaving an execution environment."@en ; schema:inDefinedTermSet :glossary .

:term-prompt-injection a schema:DefinedTerm ; schema:name "Prompt Injection"@en ; schema:description "Malicious instructions embedded in content that the agent reads."@en ; schema:inDefinedTermSet :glossary .

:term-human-loop a schema:DefinedTerm ; schema:name "Human-in-the-loop"@en ; schema:description "User approval or supervision of agent behavior."@en ; schema:inDefinedTermSet :glossary .

:term-approval-fatigue a schema:DefinedTerm ; schema:name "Approval Fatigue"@en ; schema:description "Reduced attention caused by repeated permission prompts."@en ; schema:inDefinedTermSet :glossary .

:term-mcp a schema:DefinedTerm ; schema:name "MCP"@en ; schema:description "Protocol and ecosystem for connecting agents to tools and data sources."@en ; schema:inDefinedTermSet :glossary .

:term-agent-identity a schema:DefinedTerm ; schema:name "Agent Identity"@en ; schema:description "The authorization model that determines whether an agent acts as itself, as a user, or both."@en ; schema:inDefinedTermSet :glossary .

:howto a schema:HowTo ; schema:name "How to evaluate agent containment architecture"@en ; schema:step :step1, :step2, :step3, :step4, :step5 .
:step1 a schema:HowToStep ; schema:name "Classify the risk source"@en ; schema:text "Identify whether the concern is user misuse, model misbehavior, or external attackers."@en .
:step2 a schema:HowToStep ; schema:name "Choose the hard boundary"@en ; schema:text "Prefer environment constraints such as sandboxing, VMs, filesystem limits, and egress controls."@en .
:step3 a schema:HowToStep ; schema:name "Match oversight to user expertise"@en ; schema:text "Use human approval only where users can realistically evaluate the requested action."@en .
:step4 a schema:HowToStep ; schema:name "Treat allowlists as capability grants"@en ; schema:text "Inspect every function exposed by an allowed domain, not only the domain name."@en .
:step5 a schema:HowToStep ; schema:name "Inspect external content continuously"@en ; schema:text "Treat tool output, connectors, and persistent memory as prompt-injection surfaces."@en .

:autoMode a schema:WebPage ; schema:name "Claude Code auto mode"@en ; schema:url <https://www.anthropic.com/engineering/claude-code-auto-mode> ; schema:isPartOf :collection .
:mythos a schema:WebPage ; schema:name "Claude Mythos Preview"@en ; schema:url <https://red.anthropic.com/2026/mythos-preview/> ; schema:isPartOf :collection .
:opusCard a schema:WebPage ; schema:name "Claude Opus system card"@en ; schema:url <https://assets.anthropic.com/m/64823ba7485345a7/Claude-Opus-4-5-System-Card.pdf> ; schema:isPartOf :collection .
:evalAwareness a schema:WebPage ; schema:name "Eval awareness BrowseComp"@en ; schema:url <https://www.anthropic.com/engineering/eval-awareness-browsecomp> ; schema:isPartOf :collection .
:sandboxRuntime a schema:WebPage ; schema:name "Anthropic sandbox runtime"@en ; schema:url <https://github.com/anthropic-experimental/sandbox-runtime> ; schema:isPartOf :collection .
:nist a schema:WebPage ; schema:name "NIST AI agent identity and authorization"@en ; schema:url <https://www.nccoe.nist.gov/projects/software-and-ai-agent-identity-and-authorization> ; schema:isPartOf :collection .
:agencyGuidance a schema:WebPage ; schema:name "Six-agency guidance on agentic AI"@en ; schema:url <https://media.defense.gov/2026/Apr/30/2003922823/-1/-1/0/CAREFUL%20ADOPTION%20OF%20AGENTIC%20AI%20SERVICES_FINAL.PDF> ; schema:isPartOf :collection .
:iso a schema:WebPage ; schema:name "ISO/IEC 42001"@en ; schema:url <https://www.iso.org/standard/42001> ; schema:isPartOf :collection .

:kgExplorer a schema:SoftwareApplication ; schema:name "Knowledge Graph Explorer"@en ; schema:applicationCategory "Linked Data visualization"@en ; schema:isPartOf :htmlCompanion .
:htmlCompanion a schema:WebPage ; schema:name "HTML companion for How we contain Claude across products"@en ; schema:encodingFormat "text/html" ; schema:isBasedOn :article .
:markdownCompanion a schema:DigitalDocument ; schema:name "Markdown companion for How we contain Claude across products"@en ; schema:encodingFormat "text/markdown" ; schema:isBasedOn :article .
<https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/kg-generator#this> a schema:SoftwareApplication ; schema:name "kg-generator skill"@en ; schema:url <https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/kg-generator> ; schema:description "Codex skill used to generate RDF knowledge graphs from source documents."@en .
<https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/rdf-infographic-skill#this> a schema:SoftwareApplication ; schema:name "rdf-infographic-skill"@en ; schema:url <https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/rdf-infographic-skill> ; schema:description "Codex skill used to produce RDF-backed HTML and Markdown companions."@en .
