Domain 1 · Task Statement 1.3
The Sandbox & Security Model
TL;DR
Understand Cowork's layered security architecture — the VM sandbox, directory scoping, deletion protection, network controls, and the compliance gaps that make it unsuitable for regulated workloads.
What You Need to Know
Cowork doesn't run tasks on your operating system. Every task executes inside an isolated virtual machine (VM) — a temporary, self-contained environment sitting between Claude and your actual computer. Picture a reinforced room. Claude works inside it. If something goes wrong — a script error, a bad command, malicious content buried in a file — the damage stays in that room. Your OS, your applications, your files outside it: untouched.
That VM is the foundation, and every other security mechanism layers on top of it.
Directory Scoping: The Primary Security Mechanism
When you start a Cowork session, you choose which folder Claude can access. This is directory scoping, and it's the single most important security decision you make. Claude cannot see, read, or write anything outside that folder. Not your Desktop. Not your Documents. Not your Downloads. A prompt that instructs Claude to navigate to /Users/yourname/Documents/secrets.txt? The VM's file-system boundaries block it outright. That path doesn't exist inside the sandbox.
This is a hard boundary, not a suggestion. Enforcement happens at the VM level, not through the model's instruction-following. A prompt injection hidden in a malicious PDF cannot convince Claude to escape the scoped folder because the VM physically lacks access to those paths. The protection is architectural, not behavioural.
Instructions Are Not Security Boundaries
Never rely on natural-language instructions like "Do not open the Confidential folder" as a substitute for directory scoping. Instructions operate at the model layer — they can be overridden by prompt injections, forgotten across long conversations, or ignored due to model error. Directory scoping operates at the VM layer. No prompt, however cleverly crafted, can override it.
Deletion Protection: Narrower Than You Think
Cowork includes a deletion protection protocol. When Claude attempts to permanently remove a file, a system-level permission prompt appears that it cannot bypass. You must click "Allow" before the deletion proceeds.
Now here is what trips people up. Deletion protection does not cover editing, overwriting, renaming, or moving files. Claude can rewrite the entire contents of a file — replacing your 40-page report with a single sentence — without triggering any prompt. Rename files, restructure folders, overwrite data: all silent. Only permanent file removal triggers the system prompt.
This distinction comes up on the exam repeatedly. Candidates who conflate "deletion protection" with "modification protection" consistently choose the wrong answer.
Network Egress Controls
You can configure an allowlist in Settings to restrict which domains Claude can contact. If your organisation needs Cowork to communicate only with internal services, the allowlist is how you enforce that.
But there's a critical exception. Cowork's built-in web search tool operates independently of your egress settings. Even with a strict allowlist, web search can still reach the broader internet. Not a bug — this is how the feature is currently designed. If your security posture demands complete network isolation, you need to account for it. It catches people off guard.
Exam Nuance: Web Search and Egress
If a question describes a locked-down network configuration and asks whether Claude can still access external websites, the answer is yes — through the web search tool. Egress controls restrict tool-initiated network calls, but web search has its own pathway.
Local History Storage and the Compliance Gap
Standard Claude chat conversations flow through Anthropic's servers and get captured by enterprise compliance infrastructure: Audit Logs, Compliance API, Data Exports. Cowork works differently. Cowork conversation history is stored locally on your device — not on Anthropic's servers.
The consequence is significant. Cowork activity is currently excluded from all three enterprise compliance tools. Audit Logs don't capture it. The Compliance API doesn't surface it. Data Exports don't include it. As far as compliance is concerned, Cowork activity is invisible.
That makes Cowork unsuitable for regulated workloads: HIPAA-covered healthcare data, financial services subject to SEC or FCA record-keeping, legal work with retention obligations. If your organisation operates under any framework requiring auditable records of AI-assisted work, Cowork cannot meet those requirements today. This isn't a configuration issue you can fix. It's a platform limitation Anthropic will need to address.
The Compliance Gap Is a Key Exam Topic
Expect at least one exam question where an administrator assumes their existing compliance setup covers Cowork. It doesn't. The correct answer always identifies the compliance gap and recommends against using Cowork for regulated data until Anthropic closes it.
Computer Use: Outside the VM
Most Cowork tasks run safely inside the sandboxed VM. Computer Use breaks that model entirely. When you enable it, Claude steps outside the VM to interact directly with your desktop — controlling your mouse, typing on your keyboard, clicking through browser tabs, operating desktop applications.
The risk profile changes categorically. Inside the VM, a prompt injection hidden in a file can only affect the sandbox. With Computer Use active, that same injection could instruct Claude to click links in your browser, interact with open applications, or navigate to untrusted websites. This is exactly why Computer Use requires separate per-application permissions: it operates in your real environment, not the sandbox.
The exam tests this boundary explicitly. When a question describes a task running "in Cowork," your first job is to determine whether it's a standard VM task or a Computer Use task. The security implications are entirely different.
Defence in Depth — The Full Picture
Cowork's security isn't a single wall. It's a series of overlapping layers:
- VM isolation — contains execution, prevents OS-level damage
- Directory scoping — restricts file access to a specific folder
- Deletion protection — requires explicit permission for file removal (but not modification)
- Plan review — shows you every planned action before execution; your chance to catch mistakes
- Network egress controls — restricts outbound network access (with the web search exception)
- Computer Use permissions — separate per-application consent for desktop interaction
None of these layers is perfect on its own. The VM doesn't prevent prompt injections — Anthropic uses classifiers to flag them, but describes the residual risk as "non-zero." Directory scoping cannot protect files inside the shared folder from being overwritten. Deletion protection doesn't cover edits. The system holds up because where one layer fails, another catches it.
Common Mistakes
Common Mistake
Granting access to your home directory (~/) or Documents folder for convenience — exposing SSH keys, credentials, hidden configuration files, and private documents to the sandbox.
Instead: Create a dedicated working folder containing only the files you want processed. Copy files in, point Cowork at that folder, copy results out. Directory scoping is your primary security control.
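A pre-share audit that makes the "dedicated working folder" advice checkable, written as an added example (it is not Cowork's own tooling, and the filename and content patterns are illustrative assumptions, not a complete list):

```python
import re
import tempfile
from pathlib import Path

# Added example, not Cowork's own tooling: audit a folder before pointing
# Cowork at it. The patterns below are illustrative, not exhaustive.
CREDENTIAL_NAMES = re.compile(r"^(id_rsa|id_ed25519|id_ecdsa|credentials)$", re.I)
KEY_SUFFIXES = {".pem", ".key", ".p12", ".pfx", ".kdbx"}
SECRET_MARKERS = (b"PRIVATE KEY-----", b"password=", b"api_key=")


def audit_share_folder(root):
    """Return sorted (relative_path, reason) pairs for items that should not be shared."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.name.startswith("."):          # .env, .ssh/, .git/, editor config
            findings.append((rel, "hidden file or directory"))
        elif not path.is_file():
            continue
        elif CREDENTIAL_NAMES.match(path.name):
            findings.append((rel, "credential-style filename"))
        elif path.suffix.lower() in KEY_SUFFIXES:
            findings.append((rel, "key or certificate store"))
        elif any(m in path.read_bytes()[:4096] for m in SECRET_MARKERS):
            findings.append((rel, "secret-like content"))
    return findings


def build_sample_folder():
    """Constructed sample of a carelessly chosen share folder (for the demo)."""
    root = Path(tempfile.mkdtemp(prefix="cowork-audit-"))
    (root / "report.docx").write_bytes(b"Q3 summary, nothing sensitive")
    (root / ".env").write_text("DB_URL=postgres://example\n")
    (root / "id_rsa").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n...\n")
    (root / "notes.txt").write_text("staging password=hunter2\n")
    (root / "server.pem").write_bytes(b"-----BEGIN CERTIFICATE-----\n")
    return root


def demo():
    """Run the audit on the constructed folder; an empty result means safe to share."""
    return audit_share_folder(build_sample_folder())


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:28} {rel}")
```

An empty result is the go signal; anything listed should be moved out before the folder is shared, since nothing inside the scoped folder is protected from being read or overwritten.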
Common Mistake
Believing 'deletion protection' means Claude cannot change your files — then assuming documents are safe from modification because you saw the deletion prompt once.
Instead: Deletion protection covers permanent file removal only. Claude can freely rewrite, overwrite, rename, and restructure files within the scoped folder. Review the execution plan before allowing changes and keep backups of anything important.
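Because deletion protection prompts only for permanent removal (see the Deletion Protection section above and this mistake), a before/after manifest of the scoped folder is one way to see what was silently rewritten, renamed or moved. This is an added example, not Cowork's own feature; the sample folder and the simulated actions are constructed for the demo:

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not Cowork's own tooling. Deletion protection only prompts for
# permanent removal, so a before/after manifest is how you find silent edits.

def snapshot(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after):
    """Classify changes as modified, renamed (same content, new path), added or removed."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    missing = {}  # content hash -> paths that existed before but are gone now
    for p, h in before.items():
        if p not in after:
            missing.setdefault(h, []).append(p)
    renamed, added = [], []
    for p, h in after.items():
        if p in before:
            continue
        if missing.get(h):   # same bytes reappeared elsewhere: a rename or move
            renamed.append((missing[h].pop(0), p))
        else:
            added.append(p)
    removed = sorted(p for paths in missing.values() for p in paths)
    return {"modified": modified, "renamed": sorted(renamed),
            "added": sorted(added), "removed": removed}


def demo():
    """Constructed session: snapshot, simulate what an agent might do, diff."""
    root = Path(tempfile.mkdtemp(prefix="cowork-manifest-"))
    (root / "report.txt").write_text("Forty pages of careful analysis...\n")
    (root / "notes.txt").write_text("meeting notes\n")
    (root / "old.txt").write_text("obsolete\n")
    before = snapshot(root)
    # Simulated agent actions: an overwrite (no prompt), a move into a new
    # subfolder (no prompt), a new file, and one removal that was approved.
    (root / "report.txt").write_text("Done.\n")
    (root / "archive").mkdir()
    (root / "notes.txt").rename(root / "archive" / "notes.txt")
    (root / "summary.txt").write_text("summary\n")
    (root / "old.txt").unlink()
    return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Only the "removed" entry would have shown a prompt during the session; the other three categories are exactly the changes the protocol does not cover.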
Common Mistake
Assuming your organisation's enterprise compliance infrastructure (Audit Logs, Compliance API, Data Exports) covers Cowork activity — then processing regulated data in Cowork.
Instead: Verify that Cowork is excluded from all three compliance tools. Do not use Cowork for HIPAA, financial, or legally regulated workloads until Anthropic adds compliance coverage. Use standard Claude Chat for regulated work.
A team lead asks Cowork to clean up a shared project folder containing both active work and sensitive HR documents.
Before
Look through my computer and find all the invoices I haven't paid yet, then clear out any old junk files.
After
Using only the 'Q3-Invoices' folder, identify files with 'Unpaid' in the filename. Create a summary table listing vendor, amount, and due date. Do not move, rename, or delete any files — just provide the summary.
Hands-On Activity
Explore Sandbox Boundaries
Test the three core security mechanisms — directory scoping, deletion protection, and plan review — by deliberately probing each boundary in a safe, controlled folder.
What you will learn
- Confirm that Claude cannot see files outside the shared folder
- Trigger the deletion protection prompt and observe what it does (and doesn't) cover
- Practise reviewing an execution plan before allowing changes
Step 1
Create a folder called 'Sandbox-Lab' on your Desktop. Inside it, create a text file called 'Inside.txt' with any content. Then create another text file called 'Outside.txt' in a different location (e.g., your Documents folder). Open Cowork and point it at 'Sandbox-Lab'. Ask Claude: 'What files can you see in this folder?'
Why: This demonstrates directory scoping — the primary security boundary. Claude's VM only has access to the shared folder.
Expected: Claude reports only Inside.txt. It has no knowledge of Outside.txt or any other file on your system, regardless of what you ask.
Step 2
Ask Claude to create a new file called 'Scratch.txt' inside Sandbox-Lab. Once it exists, ask: 'Now delete Scratch.txt permanently.'
Why: This triggers the deletion protection protocol — the system-level permission prompt that Claude cannot bypass.
Expected: A system 'Allow/Deny' prompt appears. Claude pauses and cannot proceed until you explicitly click Allow. Note: if you instead asked Claude to overwrite the file's contents with an empty string, no prompt would appear — that's the gap deletion protection doesn't cover.
Step 3
Ask Claude: 'Reorganise this folder by creating subfolders for each file type and moving files into them.' Wait for the execution plan to appear but do NOT click Run. Expand the plan and read every planned action.
Why: Plan review is your final safety check before any changes happen. In real work, this is where you catch mistakes — wrong file targets, unintended deletions, overly broad reorganisations.
Expected: A detailed plan listing every intended read, write, create, and move operation. No changes have been made to your files yet. You are in full control of whether to proceed, modify the plan, or cancel entirely.
Practice Question
A financial analyst needs Cowork to summarise 50 PDF invoices stored in a folder that also contains a subfolder called 'Private_Salary_Data'. What is the most secure approach?
Sources
- Use Cowork safely — Anthropic
- Get started with Cowork — Anthropic
- Put Claude to work on your computer — Anthropic
- Cowork: Claude Code power for knowledge work — Anthropic