If your organization has deployed Anthropic's Claude through the API, Claude for Work, Claude Code, or Claude Cowork, you are operating across multiple distinct attack surfaces that require independent security assessment. Signing an Enterprise agreement with Anthropic is the beginning of your security responsibility, not the end of it.
March 2026 made this concrete. Within five days, Anthropic experienced two significant security incidents: the accidental exposure of the Claude Mythos model through a CMS misconfiguration, followed by the Claude Code source leak through an npm packaging error. Neither incident compromised customer data directly. Both revealed that even the company building the model has operational security gaps, and your deployment inherits those risks alongside your own configuration decisions.
This guide is for security architects, CISOs, and AppSec leads who need to formally assess a Claude deployment. It covers the full product surface, maps each risk to specific assessment controls, and provides a 15-point checklist your team can execute.
Key Takeaways
- Claude has four distinct deployment models (API, claude.ai/Claude for Work, Claude Code, Cowork), each with a separate threat model
- The March 2026 double incident (Mythos leak + Code source exposure) demonstrates operational security risks that extend to enterprise customers
- The "Claudy Day" vulnerability chain showed that Claude.ai conversation history can be silently exfiltrated through prompt injection
- Claude Code introduces supply chain risks: CVE-2025-59536 allowed remote code execution through malicious project files
- Cowork's autonomous desktop agent operates with user-level system access, creating endpoint security risks that traditional SaaS assessments do not cover
- Zero-Data-Retention agreements only apply to API traffic, not to claude.ai web sessions or beta products
Why Claude Enterprise Security Requires Its Own Assessment
Most enterprise AI security reviews follow a pattern borrowed from traditional SaaS assessments: evaluate authentication, encryption, data retention, and compliance certifications. Claude checks those boxes. Anthropic holds SOC 2 Type II and ISO 27001 certifications, supports SAML 2.0 and OIDC SSO, offers SCIM provisioning, and provides optional zero-data-retention (ZDR) agreements.
The problem is that Claude is not a traditional SaaS product. It is four products, each with a fundamentally different threat model:
A security assessment that treats "Claude" as a single product will miss critical risks. Each deployment model requires its own evaluation scope.
The March 2026 Incidents: What They Mean for Enterprise Customers
The Mythos Model Leak (March 26, 2026)
A misconfiguration in Anthropic's content management system made nearly 3,000 unpublished assets publicly accessible and searchable. Among them were draft documents describing Claude Mythos, a model Anthropic described internally as "a step change" in capabilities, with dramatically higher scores on cybersecurity benchmarks compared to Claude Opus 4.6. Internal documents warned the model could "significantly heighten cybersecurity risks by rapidly finding and exploiting software vulnerabilities."
For enterprise security teams, the Mythos leak is instructive for two reasons. First, it was a basic SaaS misconfiguration, not a sophisticated attack. Anthropic's own content management system was not properly secured. Zscaler's analysis correctly identified this as a lesson in SaaS configuration governance. Second, the existence of a model with significantly enhanced vulnerability discovery capabilities changes the threat calculus for every organization using Claude. When Mythos enters general availability, enterprises will need to reassess whether their AI security controls account for a model that can autonomously find zero-day vulnerabilities at scale.
The Claude Code Source Leak (March 31, 2026)
Five days later, Anthropic accidentally included a debugging JavaScript sourcemap for Claude Code v2.1.88 in an npm package. Within hours, researcher Chaofan Shou discovered the sourcemap and posted a link publicly. The result: 512,000 lines of TypeScript across 1,900 files were downloaded from Anthropic's Cloudflare R2 bucket, mirrored to GitHub, and forked tens of thousands of times.
Anthropic characterized this as "a release packaging issue caused by human error, not a security breach." While no customer data was compromised, the exposed codebase revealed Claude Code's internal architecture, security controls, and permission enforcement logic. Within days, Adversa AI discovered a deny-rule bypass in the bashPermissions.ts module, and a concurrent supply chain attack delivered trojanized npm packages mimicking the leaked code.
What to assess: If your developers use Claude Code, verify they are running version 1.0.111 or later (which patches CVE-2025-59536). Check whether any developer installed or updated Claude Code via npm between March 31, 2026, 00:21 UTC and 03:29 UTC, as malicious packages containing a Remote Access Trojan were distributed during that window. Review your npm audit logs for the affected axios versions (1.14.1 and 0.30.4).
Risk 1: Prompt Injection Across Claude's Attack Surface
Prompt injection is the primary AI-specific threat to any Claude deployment, and each Claude product presents a different injection surface.
Claude.ai / Claude for Work
The "Claudy Day" vulnerability chain, disclosed by Oasis Security, demonstrated a complete attack pipeline against Claude.ai. The attack worked by embedding invisible HTML tags in a URL parameter that pre-fills the Claude.ai chat box. When a user clicked the crafted link and pressed Enter, Claude executed hidden instructions alongside the visible prompt. By embedding an attacker-controlled API key in the hidden payload, the researchers directed Claude to search conversation history for sensitive information, write it to a file, and upload it to the attacker's Anthropic account via the Files API.
This attack chain exploited three separate weaknesses: invisible prompt injection via URL parameters, data exfiltration through the Anthropic Files API, and an open redirect on Claude.ai. Anthropic has patched the prompt injection component, but the architectural lesson remains. Any Claude deployment where employees accumulate sensitive information in conversation memory is at risk from future prompt injection variants that target the memory and history retrieval mechanisms.
Claude Code
Check Point Research documented CVE-2025-59536 and CVE-2026-21852, showing how malicious CLAUDE.md project configuration files could execute arbitrary commands before the trust dialog appeared. A single malicious commit in a repository could compromise any developer who cloned and opened the project. CVE-2025-59536 (CVSS 8.7) was patched in Claude Code 1.0.111, but the attack vector highlights a fundamental challenge: Claude Code operates with developer-level privileges and processes untrusted repository content by design.
Additionally, researchers from Johns Hopkins University demonstrated indirect prompt injection through GitHub pull request titles, issue descriptions, and comments, affecting Claude Code's security review functionality.
Claude Cowork
PromptArmor demonstrated in January 2026 that a Word document containing hidden prompt injection could trick Cowork into uploading sensitive files to an attacker's Anthropic account. Because Cowork operates as an autonomous desktop agent with file system access, the blast radius of a successful injection is significantly larger than in the chat or API products.
What to assess:
- Are employees using Claude.ai with persistent memory enabled? What categories of data accumulate in memory?
- Are Claude Code developers working with untrusted repositories? Is CLAUDE.md file content reviewed before project initialization?
- Are Cowork users processing documents from external parties while the agent has access to local files?
- Is there an AI-specific acceptable use policy that addresses prompt injection risks across all Claude products?
Risk 2: Data Handling and Retention
Anthropic's data handling varies significantly across products, and the security implications of each configuration are not always obvious.
API with Zero-Data-Retention (ZDR): Under a ZDR addendum, inputs and outputs are not stored at rest after the API response is returned. However, ZDR applies exclusively to traffic sent using your Enterprise or Team API key. Web sessions, Claude for Work UI interactions, and beta products are not covered unless explicitly added by contract. Anthropic still retains User Safety classifier results even under ZDR to enforce their usage policy.
Claude.ai / Claude for Work: Conversations are retained according to your Enterprise agreement's data retention settings. Memory contents persist across sessions unless explicitly cleared. Anthropic's privacy center states that organization data is retained for as long as needed to provide the service, plus a reasonable wind-down period after account termination.
Claude Code: According to Anthropic's documentation, Claude Code sends conversation transcripts, file contents read during sessions, and command outputs to Anthropic's API. Under Enterprise API plans with ZDR, this data is not retained. Under standard plans, retention policies apply.
Claude Cowork: Cowork activity is not captured in Anthropic's standard audit logs, Compliance API, or data exports. Anthropic explicitly states not to use Cowork for regulated workloads. This is a significant gap for organizations subject to HIPAA, PCI DSS, or financial services regulations.
What to assess:
- Does your ZDR agreement cover all Claude products in use, or only API traffic?
- Is conversation memory enabled in Claude for Work? What is the retention period, and who can access memory contents?
- Are developers using Claude Code under your Enterprise API key, or under personal accounts with different retention terms?
- Is Cowork deployed in any regulated business unit? If so, how is data handling compliance documented given the lack of audit log coverage?
Risk 3: Claude Code Supply Chain Security
Claude Code introduces a category of risk that does not exist in the chat or API products: software supply chain compromise.
Claude Code operates in developer terminals with the permissions of the signed-in user. It reads repository context (including configuration files, environment variables, and source code), executes shell commands, and modifies files. This creates two distinct supply chain risks.
Inbound risk (malicious input to Claude Code): Attackers can embed prompt injection in repository files, dependency manifests, or CI/CD configurations that Claude Code processes. The CLAUDE.md attack vector (CVE-2025-59536) is one example. Any file that Claude Code reads during a session is a potential injection surface. This includes README files, package.json, Dockerfiles, and comments in source code.
Outbound risk (Claude Code generating vulnerable code): Like all LLM coding assistants, Claude Code may suggest code that contains security vulnerabilities. The GitGuardian 2025 State of Secrets Sprawl report found that AI-assisted code commits have a 3.2% secret incidence rate compared to 1.5% for non-AI-assisted commits, more than double. Code generated by Claude Code should be subject to the same security review process as human-written code.
What to assess:
- Is Claude Code usage tracked centrally, or are developers using personal installations?
- Are Claude Code versions enforced through MDM or development environment policies?
- Does your CI/CD pipeline include secrets scanning that covers AI-assisted commits?
- Are developers aware that repository files (including CLAUDE.md) can contain prompt injection payloads?
- Is there a process for reviewing Claude Code suggestions before they enter production branches?
Risk 4: Claude Cowork Endpoint Security
Cowork transforms Claude from a remote service into a local autonomous agent. It reads files on the employee's machine, browses the web, executes system commands, and can run scheduled tasks without continuous human supervision. For security teams accustomed to assessing cloud SaaS products, this represents a fundamentally different threat model.
The key risks are:
Autonomous execution without oversight: Employees can initiate a Cowork task and step away, leaving an AI agent executing actions with user-level system privileges and no human in the loop. Consequential actions, including file modifications, network requests, and command execution, can occur without timely review.
MCP server attack surface: Cowork connects to Model Context Protocol (MCP) servers that extend its capabilities. Local MCP servers run with system-level access. Remote MCP servers introduce network attack surface and require authentication that may not be properly configured. For a deeper look at MCP-specific risks, see our MCP security enterprise guide.
Shadow AI through Cowork: Cowork is easy to install and requires no IT involvement. In organizations without formal AI governance, employees may be running Cowork with zero organizational visibility. Unlike Claude for Work web sessions, Cowork activity is not captured in standard audit logs or compliance exports.
What to assess:
- Is Cowork deployed formally, or are employees self-installing it?
- Are managed-settings.json policies deployed via MDM to enforce organization-wide Cowork configuration?
- Which MCP servers are employees connecting to, and what data do those servers access?
- Is there an endpoint detection and response (EDR) policy that accounts for AI agent behavior patterns?
- Has Cowork been excluded from regulated workloads where audit logging is required?
Risk 5: Access Control and Audit Logging
Anthropic provides enterprise-grade identity management through SAML 2.0/OIDC SSO and SCIM provisioning. However, access control gaps emerge when you examine the full Claude deployment surface.
Identity fragmentation: An employee may access Claude through four different channels: the web UI (Claude for Work), the API (through an integrated application), Claude Code (in their terminal), and Cowork (on their desktop). Each channel may use a different authentication mechanism. SSO enforcement on Claude for Work does not prevent a developer from using a personal Anthropic API key with Claude Code.
Audit log gaps: Claude for Work provides conversation audit logs for Enterprise customers. Claude Code under an Enterprise API key is covered by API usage logs. Cowork, as noted above, is not covered by standard audit logging. This means a security team may have visibility into 60% of Claude usage while 40% operates without audit trail.
What to assess:
- Is SAML SSO enforced across all Claude access points, with direct login disabled?
- Is SCIM provisioning active so that offboarded employees lose access automatically?
- Are API keys centrally managed with rotation policies, or are developers generating personal keys?
- What percentage of Claude usage is covered by audit logs? What products or channels are blind spots?
- Is there a SIEM integration consuming Claude audit data for anomaly detection?
Compliance Mapping
SOC 2: Anthropic's SOC 2 Type II report is available under NDA. Your assessment should verify that your deployment configuration aligns with the controls described in that report, particularly around data retention, access management, and change management for API integrations.
HIPAA: Anthropic offers a HIPAA Business Associate Agreement for qualifying Enterprise deployments. However, a BAA is a necessary but not sufficient condition for compliance. Cowork explicitly should not be used for regulated workloads. Claude Code sessions that process PHI require ZDR agreements. Audit log retention must meet HIPAA's six-year requirement.
EU AI Act: Claude qualifies as a general-purpose AI model subject to GPAI transparency requirements under the EU AI Act. If your organization uses Claude for high-risk decisions (HR screening, credit assessment, biometric processing), additional obligations apply, including documentation of the AI system's intended purpose, performance metrics, and known limitations. See our EU AI Act compliance guide for detailed implementation guidance.
NIST AI RMF: The GOVERN and MAP functions of NIST AI RMF should be applied to Claude deployments to document AI system characteristics, intended uses, and risk tolerances. The MEASURE function applies to ongoing monitoring of Claude's behavior in production.
Claude Enterprise Security Assessment Checklist
A formal assessment of a Claude deployment should validate the following controls across all active products:
Authentication and access:
- [ ] SSO (SAML 2.0/OIDC) enforced, direct login disabled
- [ ] SCIM provisioning active with automated deprovisioning
- [ ] API keys centrally managed with rotation policy (90-day maximum)
- [ ] Claude Code usage tracked and version-controlled via MDM
- [ ] ZDR agreement in place and verified to cover all active products
- [ ] Acceptable use policy addresses all Claude products specifically
- [ ] Memory settings reviewed and configured per organizational policy
- [ ] Conversation log retention meets longest applicable compliance requirement
- [ ] Adversarial testing conducted against Claude integrations processing external content
- [ ] CLAUDE.md and repository configuration files reviewed for injection payloads
- [ ] Cowork document processing tested with crafted prompt injection samples
- [ ] All developers on Claude Code 1.0.111+ (CVE-2025-59536 patched)
- [ ] npm audit logs reviewed for March 31, 2026, trojanized package window
- [ ] Secrets scanning covers AI-assisted commits in CI/CD pipeline
- [ ] Cowork deployment inventory completed
- [ ] MCP server connections audited and approved
- [ ] managed-settings.json policies deployed for organization-wide configuration
- [ ] Cowork excluded from regulated workloads requiring audit logging
How BeyondScale Assesses Your Claude Deployment
A formal AI security assessment of a Claude deployment goes beyond checking Anthropic's compliance certifications. We assess each product surface independently: mapping data flows through API integrations, testing prompt injection resistance in Claude for Work configurations, reviewing Claude Code supply chain controls in developer environments, and evaluating Cowork endpoint exposure.
Our assessment methodology follows the OWASP LLM Top 10 framework, covering prompt injection (LLM01), data leakage (LLM06), and supply chain vulnerabilities (LLM05) as they apply specifically to Claude's architecture.
The output is audit-grade evidence: a risk-rated findings report with remediation guidance that your security team can execute and your auditors can review. If your team needs an independent assessment of your Claude deployment, or if you are expanding from ChatGPT or Copilot and need to understand how Claude's threat model differs, book an AI security assessment with our team.
External sources referenced in this guide: Oasis Security "Claudy Day" Disclosure | Check Point Research CVE-2025-59536 | SecurityWeek Claude Code Vulnerability | Zscaler Mythos Leak Analysis | VentureBeat Claude Code Source Leak | Fortune Mythos Disclosure | PromptArmor Cowork File Exfiltration | OWASP LLM Top 10
BeyondScale Team
AI Security Team, BeyondScale Technologies
Security researcher and engineer at BeyondScale Technologies, an ISO 27001 certified AI cybersecurity firm.
Want to know your AI security posture? Run a free Securetom scan in 60 seconds.
Start Free Scan
