Anthropic's engineering team detailed the containment behind its three Claude surfaces, and the honest part is which bits failed.
Each product gets a different boundary: claude.ai runs on gVisor, Claude Code uses Seatbelt on macOS and Bubblewrap on Linux, and Cowork spins up a full virtual machine through Apple's Virtualization framework or Windows HCS. The reported pattern across deployments is that standard primitives like gVisor, seccomp and hypervisors held firm, while Anthropic's own proxy code was where containment broke. The costliest failures weren't misaligned models but trust dialogs that fired too late and allowlists drawn too wide.
For anyone shipping an agent with filesystem or network access, the takeaway is to lean on boring, hardened isolation and treat your own custom glue as the likely weak point.