
Anthropic Documents Sandbox Architecture for Claude Across Products

In a nutshell: Anthropic isolates Claude agents through multi-layered sandboxes (gVisor, Seatbelt, Bubblewrap, VMs) with explicit boundaries for data access, filesystem, and egress control.

Anthropic has published a detailed overview of its sandbox techniques, which isolate Claude.ai, Claude Code, and Cowork. The documentation reveals multi-layered containment strategies and also discloses previously unrecognized security gaps.

Anthropic has released comprehensive technical documentation of its sandbox implementations, showing how Claude agents are isolated across various product environments. The containment model operates on multiple layers: process sandboxes, virtual machines, filesystem boundaries, and egress controls are intended to set hard limits on what an agent can achieve.

The concrete implementation varies by deployment: Claude.ai uses gVisor for containerization; Claude Code uses Seatbelt (macOS) or Bubblewrap (Linux) for local isolation; and Claude Cowork deploys full VMs, on macOS via Apple’s Virtualization Framework and on Windows via Hyper-V Container Services (HCS). A core principle is that credentials must never reach the sandbox, which ensures they cannot be exfiltrated regardless of the cause (user error, model exploit, or attacker).

The documentation is noteworthy because it also reveals previously overlooked risks. One example is an exfiltration vector via the API route api.anthropic.com/v1/files, which Anthropic subsequently identified and remediated. This underscores that even sandbox designs with a strong security focus can develop gaps – and that transparency about these issues is essential for CTOs and security teams to assess risks realistically.

With this publication, Anthropic signals a rare willingness to document its containment strategies in detail. This makes technical decisions comprehensible and establishes a basis of trust for enterprise deployments. In parallel, Anthropic is working on its open-source project Anthropic Sandbox Runtime (srt), which CTOs can evaluate for their own sandbox requirements.


Source: simonwillison.net · Published May 30, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.0.
