Anthropic ships some of the most capable agents in production. Claude Code edits source trees and runs shell commands. Claude desktop reads local files and reaches out to MCP servers. Claude Dispatch lets a phone drive a desktop computer remotely — clicking buttons, monitoring programs, auto-approving the next action. Each of these is a different surface, and each one is going to land on employee laptops whether the security team has signed off or not.
The Claude firewall is what makes that deployable. It treats Claude as a known agent class with a specific tool inventory and a specific risk profile, and it enforces what those agents can do at the kernel layer — before a write, a registry edit, or a network call lands.
What a Claude firewall actually has to govern
Claude isn't one binary. It's a family of agents with overlapping but distinct OS surfaces, and a useful Claude firewall has to model each one:
- Claude Code. A coding agent that edits files, runs shell commands, installs packages, calls out to MCP servers, and increasingly takes long-running actions across a developer's repo. The blast radius is the developer's filesystem, their shell history, every credential in their environment, and every internal service their machine can reach.
- Claude desktop. Reads local files for context, writes to a working directory, talks to user-configured MCP servers. The MCP layer is the under-modeled risk: a single prompt-injected document can convince the agent to call a tool the user never intended to authorize.
- Claude Dispatch. The capability that collapses the perimeter. A phone drives a desktop, clicking through dialogs and approving actions. The user-attended assumption that EDR and DLP both rely on stops being true.
- Sub-agents and background tasks. Claude can spawn its own helper agents and run them in parallel. Each one needs to inherit a policy, not invent its own.
The risk profile that's specific to Claude
Most of what makes Claude productive is also what makes it dangerous on an unmanaged endpoint. Tool use is broad and well-engineered. The model is good enough to chain steps that a human would have stopped to think about. MCP gives users a way to install new tools without IT visibility. And Claude Dispatch is the first widely shipped capability that treats the desktop as a remote-controlled surface.
The combination matters. A Claude desktop instance with an attacker-supplied MCP server, driven over Dispatch from a phone the security team has never seen, is a real attack surface in 2026 — not a thought experiment. Prompt-time guardrails don't see it. Output classifiers don't see it. EDR sees a signed Anthropic binary writing files, which by EDR's lights is not a threat.
You're going to deploy Claude. The question isn't whether — it's whether the security team gets to set the policy for what it touches, or whether the developer who installed it does.
How Ospiri's Claude firewall works
Ospiri's agent firewall ships kernel-grade isolation for Claude across the same four scopes it enforces for every other agent — but with Claude-specific signatures and policy templates that reflect the way these agents actually behave in a corporate environment:
- Filesystem isolation with copy-on-write. When Claude Code edits a file in a sensitive directory, the firewall clones it into a sandbox. The agent gets the functionality it expects. The original tree is untouched until policy commits, discards, or escalates the change.
- Per-process network policy. Built on the Windows Filtering Platform. Allow Claude Code to reach GitHub and your internal package registry; block it from reaching Salesforce, the HRIS, or an unfamiliar MCP server somebody added yesterday.
- Registry isolation. Stops Claude or an MCP-installed helper from establishing persistence, modifying autoruns, or tampering with other software on the device.
- Object isolation. Constrains the IPC and inter-process surface. Sub-agents and Dispatch helpers inherit policy; they don't get to coordinate with arbitrary processes on the box.
- Continuous Claude signature coverage. Claude desktop, Claude Code, Dispatch helpers, and emerging Anthropic capabilities are tracked by the same signature pipeline that handles every other agent — so a new release doesn't show up as an unknown binary.
Claude Dispatch deserves its own policy class
Dispatch is the inflection point this category was built for. The endpoint is no longer where the human sits — it's a remotely driven surface on which another device is approving actions. A Claude firewall has to detect when Dispatch is the active driver, attribute the action chain to the controlling device, and either tighten policy automatically or surface it to the SOC for review.
The default Ospiri policy for Dispatch sessions is restrictive: filesystem and registry writes are sandboxed, network egress is constrained to a permitted destination set, and any escalation requires either a policy match or an explicit admin approval. The agent keeps working. The blast radius doesn't leave the sandbox.
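As an added illustration of how the four scopes above and the Dispatch defaults compose into a single per-action decision (example code written for this page, not Ospiri's implementation; every agent class, host, path and registry key is a constructed placeholder):

```python
"""Policy-decision sketch for Claude agent actions (added example, not Ospiri's code).

Models the decision structure the text describes: sandboxed writes in sensitive
trees, per-process egress allowlists, autorun protection, tighter defaults when a
Dispatch session is driving, and policy inheritance for sub-agents. Every agent
name, path and host below is a constructed placeholder.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Action:
    agent: str                     # process class from the signature pipeline
    kind: str                      # "file_write" | "registry_write" | "net_connect"
    target: str                    # path, registry key, or destination host
    dispatch_active: bool = False  # another device is driving this session

# Sub-agents and Dispatch helpers inherit the policy of the agent that spawned them.
PARENT = {"claude-subagent": "claude-code", "claude-dispatch-helper": "claude-desktop"}
# Per-process egress allowlist; anything else is blocked (hypothetical hosts).
NET_ALLOW = {
    "claude-code": ("github.com", "*.github.com", "packages.corp.example"),
    "claude-desktop": ("mcp.corp.example",),
}
SENSITIVE_DIRS = ("/home/*/.ssh/*", "/home/*/.aws/*", "/etc/*")
AUTORUN_KEYS = ("HK*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*",)

def effective_agent(agent: str) -> str:
    """Walk the spawn chain so a helper is judged by its parent's template."""
    while agent in PARENT:
        agent = PARENT[agent]
    return agent

def decide(a: Action) -> str:
    """Return allow | sandbox | block | escalate for one action."""
    agent = effective_agent(a.agent)
    if agent not in NET_ALLOW:             # no template for this class: SOC review
        return "escalate"
    if a.kind == "net_connect":
        return "allow" if any(fnmatchcase(a.target, p) for p in NET_ALLOW[agent]) else "block"
    if a.kind == "registry_write":
        if any(fnmatchcase(a.target, p) for p in AUTORUN_KEYS):
            return "block"                 # persistence attempt is refused outright
        return "sandbox" if a.dispatch_active else "allow"
    if a.kind == "file_write":
        sensitive = any(fnmatchcase(a.target, p) for p in SENSITIVE_DIRS)
        return "sandbox" if (sensitive or a.dispatch_active) else "allow"
    return "escalate"                      # unmodelled action kind
```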
How this fits with EDR and DLP
A Claude firewall doesn't replace CrowdStrike, Zscaler, or your DLP — it sits one layer deeper. EDR won't flag a signed Anthropic binary writing files. DLP won't catch a Dispatch-driven UI action that copies content into a Slack window. The Claude firewall fills that gap by asking the question those tools can't: given that this is Claude, and given the environment it's running in, is this action within policy?