Blast Radius.
Anthropic engineers share what they've learned containing three AI products — and the surprising places the security model keeps breaking down.
Anthropic engineers share what they've learned containing three AI products — and the surprising places the security model keeps breaking down.
Diagram: Anthropic Engineering / "How we contain Claude across products"
Twelve months ago, Anthropic's engineers would have rejected granting Claude sufficient access to take down an internal service. Today that access is routine. The capability gain is real; the question is not whether to deploy, but how to contain. The engineering problem has shifted from "can the model do useful things?" to "how much damage can the model do, and to whom?"
The post covers three products — claude.ai, Claude Code, and Claude Cowork — each serving a different audience with a different threat model and a different containment architecture. The authors are candid about what broke: a vulnerability that fires before the user consents, a phishing email that bypassed every model-layer defense, and an egress allowlist that was conceptualised as a destination filter when it was actually a capability grant. Each failure is a lesson the latticework can hold.
The through-line is a design principle the authors return to repeatedly: environmental containment is deterministic; model-layer steering is probabilistic. When the probabilistic layer misses — and at scale, it will miss — the deterministic layer is the only thing that catches it. Build the fence first. Adjust the AI's instincts second.
Defense in depth — the military principle that no single defensive layer should be the last line of defense — gets a software engineering illustration in these three products. claude.ai runs in a gVisor container. Claude Code adds an OS-level sandbox on top of the human-in-the-loop. Cowork adds a full VM on top of that. The layers don't substitute for each other; they each fail in different ways, so their intersection fails in fewer.
Principle of least privilege — giving each system the minimum access required to function — appears most clearly in Cowork's key architecture: credentials live in the host keychain and never enter the VM. The agent runs with a scoped, per-session token that can be revoked independently of the user's own credentials. The design actively refuses to conflate "the user's identity" with "the agent's identity."
Blast radius — borrowed from explosive engineering and risk management — is the post's organising concept. Every design decision is evaluated not just on "does this work?" but on "when this fails, how much breaks?" The ephemeral container (claude.ai) has the smallest blast radius; the sealed VM (Cowork) is tuned to contain what an autonomous, non-technical-user-facing agent can reach. Matching containment strength to user technical capacity is the recurring design heuristic.
The assumption that human-in-the-loop is sufficient — that requiring user approval before risky actions makes the system safe — is the post's most important contradiction. Anthropic's telemetry showed users approved 93% of all permission prompts. The approval rate rose as users gained experience. The safeguard designed to catch dangerous actions was, over time, being rubber-stamped. The human was in the loop; the loop had no brake.
Perimeter security — the model that says you make a system safe by controlling its borders — fails in the egress-through-approved-domain incident. The VM correctly blocked all unapproved destinations. But api.anthropic.com was approved, and the Files API behind that domain was reachable, and a malicious file in the workspace could use that permitted path to exfiltrate arbitrary documents. The perimeter held; the blast radius was fully contained to what could reach the permitted exit.
And the pre-consent config-parsing vulnerability points at a more subtle broken model: the assumption that local files are trusted before the user trusts the folder. Claude Code read project-level configuration during startup — before the "Do you trust this folder?" prompt — because local files feel different from network requests. The vulnerability was discovered and fixed. The lesson is that trust boundaries must be enforced by when they are established, not by where the data came from.
The Anthropic team names the egress-allowlist failure mode explicitly, and it deserves to be a standalone model: capability grant disguised as destination filter. An allowlist that permits a domain implicitly permits everything that domain exposes. When you allow api.anthropic.com, you allow file upload, model inference, and every other endpoint behind that hostname. Conceptualising the allowlist as a destination filter gives you a false sense of containment; conceptualising it as a capability grant forces you to enumerate what you're actually permitting.
The pre-consent vulnerability names a second new model: trust-before-parse. Any system that reads or executes data from an untrusted source before establishing the trust boundary has already been compromised in the frame of that boundary. The fix always has the same shape: establish trust first, parse second. Treat project-open, config-load, and localhost listeners as inbound requests from an untrusted network — because they are.
The post's most sobering observation — that battle-tested hypervisors and syscall filters held while the team's own custom proxy failed in two separate products — encodes a third model: custom code is the attack surface. The parts of your system that have received the least adversarial scrutiny are the parts most likely to break. This is Chesterton's fence applied to security: the fence that's been there longest is usually there for a reason. The fence you built last Tuesday is the one to worry about.
When the deterministic boundary holds, you can relax oversight. When it doesn't, nothing else helps.Anthropic Engineering
The post ends with looking-ahead: persistent memory poisoning, multi-agent trust escalation, agent identity. Each of these is a version of the same underlying problem — an expanding blast radius chasing a hardening containment boundary. The containment wins, when it wins, by being deterministic. The latticework lesson is not that AI is dangerous. It is that every new capability deserves a blast-radius estimate before deployment, and a fence before the first request goes out.