What Is the Difference Between Claude Code, Claude Cowork, and Claude Desktop?
In a Claude Code vs Claude Cowork vs Claude Desktop comparison, the security differences that matter are where code runs, what each tool can reach, and what evidence it leaves behind. Claude Code runs in your terminal behind an operating-system sandbox, Claude Cowork runs in a local virtual machine for non-developers, and Claude Desktop is the native app that adds local connectors and hosts both. The control problem is the same across all three: an agent acting on your data and systems, not a chatbot answering a question.
Last updated: June 2026.
What Claude Code, Claude Cowork, and Claude Desktop are, and where each one runs
All three run Anthropic’s Claude, but they isolate work differently, and that isolation boundary is the first thing to evaluate. Claude Code is a command-line interface (CLI) and integrated development environment (IDE) tool for developers that runs on the user’s machine and can read files, run shell commands, and reach the network. Claude Cowork is an agentic desktop app for non-developers that runs its code and shell actions inside a local virtual machine (VM). Claude Desktop is the native macOS and Windows chat app, and it now hosts Chat, Cowork, and Code in one window.
Anthropic matches the containment to each surface. Chat code execution runs in a gVisor container on Anthropic’s own infrastructure, Claude Code uses an operating-system (OS) sandbox (Seatbelt on macOS, Bubblewrap on Linux), and Cowork runs a full local VM (Apple’s Virtualization framework on macOS, the Host Compute Service on Windows) (Anthropic, 2026). The pattern is deliberate: the more of your environment the agent can touch, the harder the boundary around it. Adoption is what makes the question urgent, with 88% of organizations now using AI in some form (Stanford HAI, 2026).
What each tool can reach: files, commands, MCP, and connectors
Reach is what turns a chat assistant into an actor on your data, and reach differs by surface. Claude Code reads your repository and developer environment, runs commands, uses Git, and connects to subagents and external systems. Claude Cowork reads and writes the local folders you grant it, runs code in its VM, can browse with the user’s authenticated session through the Claude in Chrome connector, runs scheduled tasks, and connects to external services. Claude Desktop adds local servers through desktop extensions and remote services through connectors.
The detail that matters most for Desktop concerns the Model Context Protocol (MCP), the open standard these tools use to reach external data and tools. A local MCP server installed through a desktop extension runs as a subprocess with the user’s own operating-system permissions, so it can perform any file operation the user can, gated only by a per-action approval prompt (Anthropic, 2026). That same MCP channel is what an attacker targets with a poisoned tool description or a hidden instruction. Aurascape’s research team, led by Principal Threat Research Engineer Qi Deng, found a hardcoded default secret in an MCP server framework that let anyone who knew the key forge tokens and control the agent’s tools remotely (Aurascape, 2026).
Most organizations cannot list the agents and tools already running in their environment. Only 21% keep a real-time inventory of their active AI agents (Cloud Security Alliance, 2026), which means new MCP servers and local clients tend to arrive faster than security teams catalog them.
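One way to start the inventory described above, as an added example (not Anthropic's or Aurascape's code): it audits a constructed Claude Desktop-style configuration, assuming local MCP servers are declared under a top-level `mcpServers` map of name to command, args, and env. The allowlist, the sample servers, and the finding names are hypothetical.

```python
import json
import re

# Constructed sample; assumes local MCP servers are declared under a
# top-level "mcpServers" map of name -> command/args/env.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/alice"]
    },
    "tickets": {
      "command": "/opt/approved/tickets-mcp",
      "args": ["--read-only"],
      "env": {"TICKETS_API_TOKEN": "constructed-example-value"}
    }
  }
}
"""

APPROVED = {"tickets"}  # hypothetical org allowlist of server names
SECRET_KEY = re.compile(r"(token|secret|key|password)", re.I)


def audit_mcp_config(text, approved=APPROVED):
    """Return one inventory row per local MCP server, with its findings."""
    servers = json.loads(text).get("mcpServers", {})
    rows = []
    for name, spec in sorted(servers.items()):
        args = [str(a) for a in spec.get("args", [])]
        findings = []
        if name not in approved:
            findings.append("not-on-allowlist")
        if spec.get("command") == "npx":
            pkgs = [a for a in args if not a.startswith(("-", "/"))]
            # No version suffix (name@1.2.3) means "run whatever is latest".
            if pkgs and "@" not in pkgs[0].lstrip("@"):
                findings.append("unpinned-package")
        if any(SECRET_KEY.search(k) for k in spec.get("env", {})):
            findings.append("secret-in-config")
        rows.append({"name": name, "command": spec.get("command"),
                     "args": args, "findings": findings})
    return rows


if __name__ == "__main__":
    for row in audit_mcp_config(SAMPLE_CONFIG):
        print(row["name"], row["command"], row["findings"] or "ok")
```

Each row records the exact command line that will run with the user's permissions, so the output can be collected per device and compared with the extension allowlist.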
Permissions, approvals, and why approval fatigue is not a control
Each tool leans on user approval, and user approval degrades fast at scale. Claude Code allows reads by default and asks before writes and shell commands; its auto mode hands those approvals to a model-based classifier that blocks roughly 0.4% of benign commands while letting about 17% of risky ones through. Claude Cowork shows its plan before acting and requires explicit permission before permanently deleting files. Claude Desktop prompts before each MCP tool action.
The weak point is human. Anthropic’s own telemetry shows users approved about 93% of permission prompts, and the more prompts they saw, the less attention they paid to each one. A control that depends on a tired user clicking approve is accountability transfer, not enforcement. One Anthropic red-team exercise made this concrete: an employee pasted a routine-looking prompt that instructed Claude Code to read local cloud credentials and send them to an external endpoint, and across 25 runs the agent completed the exfiltration 24 times. Containment, not supervision, is what bounded the damage.
Data retention and training: consumer accounts versus commercial terms
Where your prompts and code end up depends on the account, not the app, and this is the most common mistake in enterprise rollouts. On consumer plans (Free, Pro, and Max), if a user leaves the model-improvement setting on, conversations and coding sessions become eligible for training and are retained for up to five years; turning it off returns them to a 30-day window (Anthropic, 2026). Under Anthropic’s commercial terms (Team, Enterprise, and the application programming interface, or API), inputs and outputs are not used for training, and zero data retention (ZDR) is available to qualified accounts.
The real exposure is shadow usage. An employee running Claude Code or Claude Desktop on a personal account moves source code and sensitive data under consumer rules, with a five-year retention window and a training-eligible default. The fix is entitlement: bind usage to the enterprise tenant before the first prompt, so company work never lands on a consumer account. AI usage control covers that enforcement layer in depth.
Monitoring and audit evidence: the Claude Cowork gap
The three tools do not produce the same audit trail, and one of them produces almost none your security team can reach. On Enterprise plans, Claude.ai chat and Claude Code activity flow into audit logs and the Compliance API. Claude Cowork does not. Anthropic’s documentation states that Cowork activity is not captured in the Compliance API, audit logs, or data exports, and that its conversation history sits locally on each user’s machine, outside standard retention and central management (Anthropic, 2026).
Cowork can stream operational events to a security information and event management (SIEM) system through OpenTelemetry, but Anthropic is explicit that this does not replace audit logging for compliance. There is a second, structural blind spot: once an agent runs inside a sandbox or VM, endpoint detection and response (EDR) tooling cannot see inside it, leaving teams with after-the-fact logs rather than live visibility. For regulated work, Cowork is the surface to govern most carefully, and native logging alone is not enough.
Claude Code vs Claude Cowork vs Claude Desktop: a side-by-side comparison
Read the differences in one place. The table below compares the three on the dimensions a security or engineering leader uses to set policy. Anthropic ships changes to these products frequently, so confirm current behavior in the official documentation before you finalize controls.
| Dimension | Claude Code | Claude Cowork | Claude Desktop |
|---|---|---|---|
| Primary user | Developers | Non-developer knowledge workers | Anyone using the native chat app |
| Where it runs | Local terminal or IDE (web version runs in Anthropic-managed VMs) | Local desktop app | Local desktop app (hosts Chat, Cowork, and Code) |
| Code and command execution | OS sandbox (Seatbelt or Bubblewrap) | Isolated local VM | Server-side gVisor for chat code; local MCP servers run with the user’s permissions |
| Default file access | Reads repo and environment; writes and shell require approval | Reads and writes only the folders you grant | Chat alone has none; local MCP and extensions reach files you allow |
| Authenticated web browsing | Through configured network access | Through the Claude in Chrome connector | Through connectors |
| MCP, connectors, subagents | MCP servers, subagents, hooks | MCP, connectors, plugins, subagents, scheduled tasks | Local MCP via desktop extensions; remote MCP via connectors |
| Permission model | Reads allowed; writes and bash need approval; auto-mode classifier | Plan shown before acting; deletion protection | Per-action approval for each MCP tool call |
| Data retention by account | Consumer training-eligible, up to 5 years if enabled; commercial not trained, ZDR available | Same account rules; conversation history also stored locally | Same account rules |
| Enterprise audit logs and Compliance API | Captured | Not captured | Chat captured |
| Admin controls | Managed policies and permission rules (Enterprise) | Org-wide on/off toggle; OpenTelemetry to SIEM | Desktop-extension allowlist; connector controls |
The pattern across the rows is clear: these are different isolation models for different users, not three settings of one tool, and the audit and data-handling story changes with each. None of them gives a central security team one inline control point across all three surfaces. That is the gap to close.
How to govern Claude Code, Claude Cowork, and Claude Desktop across the enterprise
Governing these tools is not about deciding which one is safest. It is about placing one inline control point across all three, wherever each runs. Six steps put that in place.
- Inventory which Claude surfaces and MCP servers are actually in use, and do not assume it is only the sanctioned ones.
- Decide per surface where execution and data access are acceptable (terminal sandbox, local VM, desktop connectors) and which surfaces are off-limits for regulated data.
- Bind usage to the enterprise tenant and commercial terms, and redirect personal accounts so company work is never retained for training.
- Inspect both legs inline: the model channel that carries prompts and responses, and the tool-execution channel that carries MCP tool calls.
- Close the audit gap, especially for Cowork, with conversation-level records that do not depend on each tool’s native logging.
- Test and monitor continuously as Anthropic ships new modes such as auto mode, scheduled tasks, and computer use, so policy keeps pace.
Aurascape approaches this from the interaction layer, so the same policy follows the user whether they open Claude Desktop, run Claude Code in a terminal, or hand a task to Claude Cowork. The AI Proxy inspects the model channel and applies context-aware policy with the full set of actions: allow, coach, warn, block, and redact. The Zero-Bypass MCP Gateway verifies and signs every tool call on the tool-execution channel, so an unsigned call cannot reach the tool or the model, with cross-call data lineage tracking information across chained actions (Aurascape, 2026). Aurascape discovers these clients across the network, endpoint, and API planes, including local agents that network-only and identity-only tools miss. Its patented agents continuously crawl the web to recognize new AI tools as they launch, so a new client is cataloged before the first employee uses it.
Aurascape applies consistent coverage to desktop and non-browser agents such as Claude Code (Aurascape, 2026), and deploys across MCP clients and servers with role-based endpoint controls and observability into every agent call (Aurascape, 2026). It produces conversation-level interaction records for audit and effectiveness, governed by role-based access control (RBAC) for privacy, which closes the gap Cowork’s native logging leaves open. It stays additive to your existing security service edge (SSE), data loss prevention (DLP), and secure web gateway (SWG) stack, with no rip-and-replace. It governs sanctioned, licensed use as well as shadow usage, using Intentions and entitlement to allow the approved enterprise tenant while controlling what each user can do inside it. The same approach extends across the build side in secure AI coding assistants.
Mapped to the controls security teams ask for, the division of labor looks like this.
| Control need | Native to the Claude products | How Aurascape governs it |
|---|---|---|
| Inventory of which Claude clients and MCP servers are in use org-wide | Per-device install plus admin allowlists for Desktop and Cowork extensions | Discovers AI apps, agents, and MCP servers across network, endpoint, and API planes, including local clients like Claude Code |
| Inline content policy on prompts and responses | On-device allow or deny prompts; no central content policy across tools | AI Proxy inspects the model channel inline and applies allow, coach, warn, block, redact |
| Control of agent tool calls and MCP execution | Sandbox, VM, and per-action approval per tool | Zero-Bypass MCP Gateway verifies and signs every tool call so unsigned calls cannot run |
| Enterprise audit evidence, including Cowork | Chat and Code feed audit logs and the Compliance API; Cowork is not captured | Conversation-level interaction records for audit and effectiveness, governed by RBAC for privacy |
Frequently asked questions
Is Claude Cowork safe for regulated or sensitive data?
Not without added controls. Anthropic’s documentation states that Claude Cowork activity is not captured in audit logs, the Compliance API, or data exports, and its conversation history is stored locally on the user’s machine outside standard retention. For HIPAA, GDPR, or SOC 2 work, treat Cowork as the surface that needs the most governance, route its operational events to your SIEM, and put an inline control point in front of the model and tool-execution channels rather than relying on the app’s native logging.
Does Claude Code or Claude Desktop send my source code to Anthropic for training?
It depends on the account. On consumer plans with the model-improvement setting on, code and prompts are eligible for training and retained up to five years; under commercial terms (Team, Enterprise, and the API), they are not used for training, and zero data retention is available to qualified accounts. The practical risk is employees using personal accounts for company code, which moves that code under consumer rules.
Can security teams see what Claude did on an employee’s machine?
Partially, and not uniformly. Chat and Claude Code activity reach Enterprise audit logs and the Compliance API, Cowork does not, and once an agent runs inside a sandbox or VM your endpoint tools cannot watch the work directly. A control point on the network and tool-execution path gives you inline visibility and records across all three surfaces, independent of each tool’s own logging.
Do these tools replace the need for an AI security platform?
No. Claude Code, Claude Cowork, and Claude Desktop contain what an agent can reach on one device. They do not give a security team one inline control point, a cross-tool inventory, or consistent audit evidence across the enterprise. That governance layer is additive, sitting across the model and tool-execution channels for every Claude surface at once.
Aurascape governs Claude Code, Claude Cowork, and Claude Desktop from one interaction layer, so the same policy and the same records follow your people across the terminal, the desktop app, and every agent task, without depending on each tool’s own logging. A short demo with your security team can show your real Claude traffic decoded and governed inline, including the MCP tool calls and the Cowork sessions your current stack does not see.