{"data":{"id":"716c9c66-f294-4b54-a889-0488a013875c","title":"How we contain Claude across products","summary":"Anthropic published documentation explaining how they use multiple containment techniques to restrict what Claude can do across their products. They use process sandboxes (isolated execution environments), virtual machines (complete simulated computers), filesystem boundaries (limiting file access), and egress controls (preventing unauthorized data transfer) to prevent AI agents from accessing credentials, exfiltrating data (stealing information), or reaching unintended systems, even if a user, the AI model, or an attacker tries to find workarounds.","solution":"Anthropic implements containment through: gVisor for Claude.ai, Seatbelt (macOS) and Bubblewrap (Linux) for Claude Code, and full VMs using Apple's Virtualization framework (macOS) or HCS (Windows) for Claude Cowork. They also prevent credentials from entering sandboxes in the first place, ensuring they cannot be exfiltrated regardless of how an agent tries to access them.","labels":["security","safety"],"sourceUrl":"https://simonwillison.net/2026/May/30/how-we-contain-claude/#atom-everything","publishedAt":"2026-05-30T21:36:24.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"info","attackType":[],"issueType":"news","affectedPackages":null,"affectedVendors":["Anthropic"],"affectedVendorsRaw":["Anthropic","Claude","Claude.ai","Claude Code","Claude Cowork"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-05-30T21:36:24.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}