info@agency-os.ai Design system v0.1 Fast · accessible · tokenized

Anthropic Just Published How They Sandbox Claude, and Every AI Builder Should Read It

Anthropic released detailed documentation of Claude’s sandbox architectures across products. It’s a new standard for agent security transparency that operators building with AI need to understand.

Locked server rack with layered security barriers representing Claude sandbox containment architecture

Anthropic just did something almost nobody does in AI. They published a detailed, honest breakdown of exactly how they sandbox Claude across every product. Not a marketing page. Not a vague “we take security seriously” blog post. Actual documentation of the containment architectures, the tools they use, and even the security gaps they missed along the way.

If you’re building anything with AI agents (for your business or your clients), this is required reading. It sets the bar for what agent security transparency should look like.

What happened

  • Anthropic published a comprehensive overview of how they contain Claude across Claude.ai, Claude Code, and Claude Cowork.
  • They use different sandbox techniques depending on the product: gVisor for Claude.ai, Seatbelt (macOS) and Bubblewrap (Linux) for Claude Code, and full virtual machines for Claude Cowork.
  • The documentation covers process sandboxes, VMs, filesystem boundaries, and egress controls. The goal is to set a hard boundary on what an agent can reach.
  • They openly discussed past security risks they missed, including an exfiltration vector through their own API endpoint (api.anthropic.com/v1/files).
  • Anthropic’s open source tool, Anthropic Sandbox Runtime (srt), is now mature enough for serious use, according to Simon Willison’s assessment.

Why the containment approach matters

Here’s the core idea behind Anthropic’s design: if credentials never enter the sandbox, they can’t be stolen. Period. It doesn’t matter if the cause is a confused user, a model finding a “creative” workaround, or an actual attacker. The boundary is the boundary.

That’s a fundamentally different philosophy from “trust the model to behave.” It assumes the model will misbehave (or be tricked into misbehaving) and builds walls accordingly.

5 things every operator should take from Anthropic’s sandbox docs

  1. Different products need different containment. Anthropic doesn’t use one sandbox for everything. Claude.ai (cloud-hosted) uses gVisor, a container-level sandbox from Google. Claude Code (running on your laptop) uses OS-level tools like Seatbelt and Bubblewrap. Claude Cowork spins up a full virtual machine. Match your containment to your deployment context.
  2. Egress controls are just as important as input controls. Most people worry about what goes into the agent. Anthropic worries just as much about what comes out. They restrict where the agent can send data. If you’re running agents that touch client data, you should be doing the same.
  3. Your own API can be an attack surface. Anthropic discovered that their own /v1/files endpoint could be used as an exfiltration path. Think about that. The company building the model found a hole in their own infrastructure. If Anthropic can miss it, so can you. Audit everything, including your own tools.
  4. Transparency builds trust faster than marketing. Simon Willison, one of the most respected voices in the AI developer community, called this out as a model for the industry. His complaint has always been that sandboxing products are “rarely thoroughly documented.” Anthropic fixed that. You can too.
  5. Open source tooling is catching up. Anthropic’s sandbox runtime (srt) is now mature enough for production use. If you’re building agent systems and haven’t looked at it yet, now is the time. Free, open source, and battle-tested by the company that built Claude.

The hot take

Most companies selling AI agent platforms today have zero public documentation on how they actually contain their agents. That’s not an oversight. It’s a choice. And it’s the wrong one. Anthropic just made every competitor’s vague “enterprise-grade security” claim look embarrassing. Within a year, publishing your containment architecture will be table stakes. The companies that don’t will look like they have something to hide. Because they probably do.

The Agency OS play

If you’re building AI agents for clients, or even just running them internally, here’s what you should do this week. First, read Anthropic’s full sandbox documentation. Not a summary. The actual docs. Understand the difference between process-level sandboxing, OS-level sandboxing, and full VM isolation. Know when each one is appropriate. This is the vocabulary your technical clients will start using soon.

Second, audit your own agent deployments right now. Ask three questions: Can this agent access credentials it doesn’t need? Can it send data to destinations you haven’t explicitly allowed? Could your own internal APIs be used as an exfiltration path? If you can’t answer all three confidently, you have work to do. Start with egress controls. They’re the easiest win and the most commonly skipped.

Third, write up your own security documentation and make it public. Even if it’s short. Even if it’s simple. A clear, honest page explaining how you contain your agents will separate you from every competitor still hiding behind buzzwords. If you run a law firm deploying AI on case files, a healthcare practice with patient data in the loop, or a finance team letting agents touch spreadsheets, your clients deserve to know how you keep their data inside the fence. Borrow Anthropic’s format. Cover what sandbox you use, what the agent can and can’t reach, and what you’ve tested. That one page will do more for client trust than any sales deck you’ve ever built.

Translate: