Anthropic Details Sandboxing Techniques Across Claude Products
Anthropic published a detailed overview of the sandboxing techniques used across its Claude product line, including Claude.ai, Claude Code, and Cowork. The post explains how the company constrains agent actions through process sandboxes, virtual machines, filesystem boundaries, and egress controls to prevent credential exfiltration and other risks. Claude.ai employs gVisor, Claude Code uses Seatbelt on macOS and Bubblewrap on Linux, and Claude Cowork runs full VMs via Apple's Virtualization framework on macOS and HCS on Windows. The article also discusses past security misses, such as the api.anthropic.com/v1/files exfiltration vector. Simon Willison, the author of the link post, notes that Anthropic's open-source Sandbox Runtime (srt) tool has matured enough for serious use. Willison's link post was published on 30th May 2026.
Key facts
- Anthropic published a sandboxing overview across Claude.ai, Claude Code, and Cowork.
- Sandboxing techniques include process sandboxes, VMs, filesystem boundaries, and egress controls.
- Claude.ai uses gVisor.
- Claude Code uses Seatbelt on macOS and Bubblewrap on Linux.
- Claude Cowork runs full VMs: Apple's Virtualization framework on macOS, HCS on Windows.
- The post mentions a past exfiltration vector via api.anthropic.com/v1/files.
- Anthropic's open-source Sandbox Runtime (srt) tool is now considered mature.
- The link post was written by Simon Willison on 30th May 2026.
Entities
Institutions
- Anthropic