How Operant Endpoint Protector Secures Claude Code, the Claude CLI, and Claude Cowork

Claude Code, the Claude CLI, and Claude Cowork have become standard parts of how engineering and operations teams work — compressing delivery cycles and handling tasks that used to need dedicated tooling. Most security teams aren't looking to restrict them. They're looking to govern them.

The challenge is structural. Each surface runs locally, executes autonomously, and operates at a semantic layer that conventional tooling — EDR, CASB, DLP, network monitoring — was never built to inspect. Anthropic provides meaningful compliance tooling for its managed cloud surfaces, but Claude Code, the CLI, and Cowork each sit outside what those native controls can see. Here's where the gaps are, and how Operant Endpoint Protector closes them.

Anthropic's native controls do exactly what they're designed to do

Anthropic ships real compliance tooling. The Claude Compliance API, released in May 2026 with 28 security platform integrations, gives programmatic access to Claude Enterprise session data — conversation logs, usage events, admin actions — a genuine observability layer for managed claude.ai and API sessions. For Cowork, which sits outside the Compliance API entirely, Anthropic provides an OpenTelemetry stream for operational telemetry.

The distinction is in the name: this is compliance tooling, and compliance is post-hoc. Both produce records a SOC team reviews after the fact — they don't inspect an agent loop as it runs, block a shell command before it executes, or strip a credential before it reaches the model. Because the output is logs, anything they surface arrives on the SOC team's timeline, which — given the volume of AI activity most teams now ingest — can mean weeks or months later, if the signal is caught at all. By then the credential is already exfiltrated, the endpoint already compromised. That's not a criticism; it's a category difference. Compliance observability and runtime security are different layers, and all three Claude surfaces execute at the layer the compliance tooling was never built to reach: the local device. That's where Endpoint Protector operates, in real time.

Claude Code: autonomous execution on the developer's machine

Claude Code is a terminal-based coding agent that reads your codebase, runs shell commands, writes files, queries systems through MCP, and pushes to repositories — autonomously, in a loop, on the developer's machine. That's what makes it useful, and what makes it the highest-exposure Claude surface most organizations have deployed.

In practice

A developer debugging a connection error pastes a .env file into the session — connection strings, API keys, cloud credentials — straight into the model's context. Another clones a dependency whose README hides instructions (indirect prompt injection), and Claude Code follows them, issuing a shell command that exfiltrates data. Neither developer meant to create an exposure event; both did.

These aren't hypothetical: CVE-2025-59536 (CVSS 8.8) showed how malicious instructions in Claude Code config files could lead to remote code execution and credential exfiltration. The attack surface is the agent's core function — reading and acting on content from its environment — and it all runs locally, where post-hoc logging can't see it in the moment.

How Endpoint Protector addresses it

Endpoint Protector installs natively on macOS, Windows, and Linux and integrates with your IdP, operating at the device layer in real time.

• Agent loop tracing records every prompt, tool call, and response.
• PII and credential auto-redaction strips secrets, API keys, and regulated data from prompts before they reach the model, without interrupting the developer.
• CodeInjectionGuard inspects every shell command before execution, blocking patterns consistent with exfiltration, destructive operations, or malicious installs — and preserving the full trace for review.

The control point is before the action, not in a log read afterward.

The Claude CLI: conversational surface, autonomous execution

Developers increasingly build directly in the terminal with the Claude CLI, prompting it as an interactive development environment rather than a chat window. The conversational feel is exactly what makes its security profile easy to underestimate: underneath, the CLI runs autonomous agent loops, executes shell commands, and takes actions the developer may not observe in real time.

The challenges mirror Claude Code but are amplified — execution is less transparent, the loop is faster, and automatic skill loading enlarges the attack surface by default.

In practice

A developer prompts the CLI to scaffold a project, pull dependencies, and wire up integrations — a sequence it executes autonomously without surfacing each step. The developer sees the result, not the environment files read, the network requests issued, or the systems touched along the way.

The sharper risk is skills: the CLI auto-loads extensions that can carry prompt injection payloads or reverse shell patterns from a compromised author. An unvetted community skill now has autonomous execution capability inside the same trusted context as everything else — on a machine with access to internal systems and credentials.

How Endpoint Protector addresses it

• Agent loop tracing applies to the CLI as it does to Claude Code.
• Every skill the CLI loads is surfaced, scored for reputation, and held against policy before it executes.
• CodeInjectionGuard inspects CLI-generated shell commands — including those from skills — for reverse shells, exfiltration calls, and other indicators of compromise, blocking them before execution.

For developers prompting fast, it's a silent safety layer: workflow unaffected, security with real-time visibility into what happens between each prompt and response.

Claude Cowork: autonomous AI for business users, with an extensive plugin ecosystem

Cowork is a desktop AI assistant for the people outside engineering — HR, legal, finance, operations. It reads and writes files, automates browser tasks, and connects to external systems through MCP and a fast-growing plugin ecosystem.

That makes it something distinct: a single autonomous agent consolidated across the entire business SaaS stack a knowledge worker touches — HRIS, CRM, contract repository, finance system, email, chat, document store. One agent, one set of credentials, reaching across all of it and acting, not just answering.

The data those teams handle is among the most sensitive in the organization, and Cowork is now the connective tissue across it.

In practice

• HR drafts a restructuring plan with a spreadsheet of names, compensation, and performance ratings.
• Legal uploads a draft contract with internal negotiation notes.
• Finance pastes in figures holding material non-public information.

In each case, sensitive data enters a Claude session on a personal laptop, processed by an agent with file system access and live connections into business systems.

And because Cowork reads files and drives the browser, any document it touches — a malicious PDF, a poisoned template, a compromised page — can redirect its behavior across whatever apps and plugins it's connected to.

How Endpoint Protector addresses it

Operating at the device layer, Endpoint Protector captures Cowork activity regardless of what API-level telemetry sees.

• Data classification policies — PII, PHI, PCI — apply to Cowork sessions just as they do to Claude Code and the CLI.
• Sensitive data can be flagged or redacted inline.
• Audit trails are generated at the endpoint in real time.

The result is a unified record across all three Claude surfaces.

Operant is the only vendor with full coverage of Cowork — from the prompt the user types, through the files and browser actions Cowork executes, to every MCP server and plugin it connects to.

A note on MCP

All three surfaces support MCP connections — where Claude moves from responding to acting.

A Claude Code session on an internal GitHub MCP has repository access; a Cowork session on a company Slack MCP can read and post on the user's behalf. An unvetted community MCP server becomes a conduit to whatever it can reach.

Operant's MCP Gateway governs this across all three tools:

• Live registry of every MCP server and plugin in use.
• Reputation and data-scope scoring for each.
• Behavioral baselines that flag tool calls outside an agent's established pattern.

As the skill and plugin ecosystem grows, an unmanaged MCP footprint is one of the fastest-growing sources of silent, unaudited access into internal systems.

Wherever Claude runs

Coverage isn't limited to the local surfaces.

Operant supports Claude on Amazon Bedrock and Google Vertex AI, with Microsoft Azure AI Foundry coming soon — so teams standardizing on Claude through a hyperscaler get the same runtime governance there as on the endpoint.

The goal is consistent control wherever Claude executes.

The practical starting point is a discovery run: deploy Endpoint Protector, let it inventory every Claude tool, MCP connection, and agent in active use, and work from an accurate picture. Most teams find that inventory meaningfully larger than their IT records reflect.

Operant AI offers a 7-day free trial at operant.ai.