Claude Code vs. Claude Cowork: Security Model, Evidence, and Control Plane
Claude Code and Claude Cowork share agentic DNA, but they do not create the same security evidence. One lives close to the terminal and repository. The other expands into desktop work, plugins, connectors, files, and asynchronous collaboration.
Thesis
An enterprise should normalize Claude Code and Cowork into one policy language, while preserving the differences in hook fidelity, action provenance, inventory confidence, and residual blind spots.
Technical readout
Shared policy, different evidence quality
Both surfaces should report user, host, session, tool, payload, policy, and verdict. The differences are where the action originates, which path exposes it, and how much of the workspace inventory can be collected without extra installation.
runtime location
Is the action occurring in a terminal/repo workflow, a desktop task workflow, a browser path, or a connector path?
Preserve source_tool and runtime-specific metadata instead of flattening everything into a generic Claude event.
hook fidelity
Can the surface block before execution, or is the event only available after the action?
Claude Code can provide high-fidelity hook events for tool use. Cowork coverage depends on supported plugin/hook paths and companion controls for browser, computer-use, and connector routes.
inventory confidence
Can the endpoint reliably report configured skills, plugins, MCP servers, and workstation state?
Use SessionStart and workstation check-in for lightweight inventory where possible, and reserve heavier gateway deployment for managed MCP control paths.
policy portability
Can one security team write controls for secrets, destructive commands, risky MCP tools, and data egress across both products?
Normalize Read, Write, Edit, Bash-like, WebFetch, Prompt, MCP server, MCP tool, and plugin operations into one policy evaluator.
Research artifact
Security model comparison
This is the table enterprise buyers actually need: not which product is more exciting, but which controls can be relied on for each surface.
Local coding loop: repo navigation, file edits, tests, shell commands, IDE/CLI interaction, MCP tool calls.
Delegated desktop work: long-running tasks, workspace files, plugins, connectors, project memory, browser/computer paths.
Use one policy model, but always preserve source_tool and workflow context.
Strong where Claude Code hooks expose PreToolUse events with tool payloads before execution.
Strong where Cowork plugin hooks expose tool events. Variable where work routes through remote connectors, browser, or screen interaction.
Show control confidence per surface instead of making blanket coverage claims.
SessionStart and lightweight scan paths can report host, skills, configured MCP servers, plugins, repo, and CLI environment.
Cowork plugin/posture can report workspace and plugin state where local artifacts are available.
Display inventory separately from observed activity so analysts understand what is configured versus what was used.
Destructive shell commands, secret reads, database operations, repository writes, CI/CD and cloud-tool access.
Data movement through local files, plugins, connectors, desktop apps, browser context, and async tasks assigned from anywhere.
Treat both as agent runtimes with different blast-radius shapes.
Research artifact
Feature parity reality map
Parity should mean consistent policy outcomes where the event exists, not pretending every agent exposes the same telemetry.
Claude Code file read/write
Visibility
High when hooks are installed and the tool event includes path and workspace context.
Control
Runtime Shield path restrictions, sensitive reads, write blocks, command extraction, and audit trails.
Known limit
OS-level edits outside Claude Code still need endpoint or file-system controls.
Claude Code MCP calls
Visibility
High for observed tool calls, with server/tool naming and bounded payload summaries.
Control
MCP activity, tool policy, redaction, and optional gateway paths for managed upstream servers.
Known limit
Configured MCP inventory requires scan/check-in or gateway-managed registration.
Cowork plugin actions
Visibility
High after successful plugin hook install, app restart, and live evaluate requests.
Control
Cowork source attribution, semantic normalization, path/tool policy, and activity evidence.
Known limit
Manifest drift, cached workspaces, and unsupported plugin paths require status checks and remediation.
Cowork remote connectors and screen use
Visibility
Variable because some requests originate outside the local machine or happen through screen/browser actions.
Control
Use AgentKeeper where hooks or gateways observe the action, then pair with SaaS logs, managed browser, and identity policies.
Known limit
No local hook can guarantee visibility into every remote connector or pixel-level desktop decision.
Research artifact
Common event envelope
The reason a single policy model works is that AgentKeeper converts different agent payloads into a comparable event envelope.
Source-specific event
evidenceClaude Code, Cowork, Cursor, Codex, or another supported runner emits native hook or tool context.
Fields include source_tool, hook_event_name, tool_name, host, session_id, cwd, and bounded raw context.
Semantic normalization
evidenceAgentKeeper maps the native payload into Read, Write, Edit, Bash-like, WebFetch, Prompt, MCP, or plugin activity.
Policy sees operation type, paths, command strings, URLs, server names, tool names, and argument summaries.
Policy resolution
evidenceThe strictest applicable policy from org defaults, teams, groups, policy packs, and runtime shield controls wins.
The stored event includes verdict, severity, reason, rule, pack, mode, and action-specific evidence.
Fleet-level review
evidenceAnalysts inspect activity, inventory, workstation ownership, sessions, and MCP/plugin posture at enterprise scale.
Rows aggregate by tool, source, host count, last seen, severity, policy state, and activity volume.
Claude Code is close to the developer control point
Claude Code usually sits where security teams already understand risk: a developer workstation, a repository, a shell, a package manager, a test command, a cloud CLI, and an MCP configuration. That makes its actions easier to bind to code ownership, repo trust, CI/CD, local credentials, and endpoint behavior.
It also means high-value security evidence is available at the exact moment the agent proposes an operation. A PreToolUse event can be evaluated before a file read, write, command, or MCP tool call runs. That is the right place to block credential reads, unsafe writes, destructive commands, and forbidden tool calls.
Cowork expands the surface beyond developer workflow
Cowork moves agentic work into Claude Desktop and broadens the task shape. The agent can operate against files, projects, plugins, connectors, browser paths, and in some modes desktop applications. That is valuable for enterprise knowledge work, but it changes the evidence model.
A product that secures Cowork has to be honest about route-specific visibility. Local plugin actions can be high fidelity when hooks are live. Remote connector actions and screen-mediated work may require SaaS logs, browser controls, identity restrictions, endpoint telemetry, or gateway placement to complete the story.
The policy language should be shared
Security teams should not have to write one set of controls for Claude Code and a different set for Cowork if the underlying risk is the same. Reading ~/.ssh, writing a production config, running a destructive command, or calling a database export tool should map to the same policy vocabulary where the event is observable.
AgentKeeper's model is to normalize source-specific events into common operations while retaining provenance. That gives analysts enterprise-scale views without erasing the difference between a terminal tool call and a Cowork plugin call.
The UI should teach coverage confidence
At one workstation, a unified event feed feels enough. At an enterprise with thousands of developers, the UI must separate observed activity, configured inventory, source surface, policy mode, and coverage confidence. Otherwise, a blank inventory table can be misread as no risk, and a busy activity feed can be misread as complete control.
The comparison is not a winner-take-all product contest. Claude Code and Cowork are different runtimes. AgentKeeper should make both safer by showing the truth of each one.
Technical model
One control plane, two evidence profiles
Claude Code and Cowork can share policy vocabulary, but the product should preserve which runtime generated each event.
Evidence overlay
agent intent layer
t+00
prompt
t+01
tool call
t+02
policy verdict
t+03
process
t+04
file/network
endpoint behavior layer
exec
open
connect
Signals in the model
Claude Code
Developer terminal, repository, shell, file edits, MCP tools, and SessionStart inventory.
Claude Cowork
Desktop workspace, delegated tasks, files, plugins, connectors, local MCP paths, and collaboration flows.
AgentKeeper normalized action
Read, write, command, web fetch, prompt, MCP call, plugin event, policy, verdict, and evidence.
Enterprise review
Search by user, host, source tool, session, policy pack, MCP server, plugin, repo, and verdict.
Normalize for policy. Preserve provenance for investigation and buyer trust.
Sources and inspiration