Join in on weekly podcasts that aim to illuminate how AI transforms cybersecurity—exploring emerging threats, tools, and trends—while equipping viewers with knowledge they can use practically (e.g., for secure coding or business risk mitigation).
Welcome to AI Security Ops, the podcast where we cut through the hype and explore the real-world intersection of artificial intelligence and cybersecurity. Each week, we examine how AI is reshaping both sides of the security landscape, the threats we're facing, and the defenses that we're building. I'm Derek, and today we have Bronwen and Brian with us, and we're going to talk about Claude Cowork. So this is Anthropic's agentic desktop tool that lets Claude read, write, and organize files directly on your machine. This is Spider-Man embodied.
Derek Banks: Right? With great power comes great responsibility. It's aimed at nontechnical users. But, you know, as you might guess, if you're watching this podcast, it has some security implications to it. And so this show, as always, is brought to you by Black Hills Information Security and Antisyphon Training. BHIS helps organizations identify and close real-world security gaps through pen testing, adversary emulation, red team, purple team, all kinds of security engagements.
Derek Banks: And also, if you weren't aware, managed detection and response through our SOC and Antisyphon. It delivers hands-on, practitioner-led training built around real attacks and real tools so you can apply what you learn immediately. So let's get to Claude Cowork. So I've been talking for a minute. How about one of y'all describe what Claude Cowork is?
Brian Fehrman: I'll go for it. So my understanding of Claude Cowork is it's basically the intention is to bring Claude Code more to the masses, if you will. So Claude Code, for those of you who don't know, is kind of an agentic-type implementation of Claude. So when we say Claude Code, we're not talking about the Claude chat window that you go to through a website. What we're talking about is a plugin, or you can, you know, it's really an installation that you have on your system that can run tasks in a more agentic-type manner.
Brian Fehrman: So you can have it iterate through on a code file making changes. You can kick off tasks with it to go run certain tools, grab the output, summarize it. And so you're getting more into that agentic space versus just text generation, so to speak. And so all that is done either through plugins through like Visual Studio Code or from the command-line-style access. But the thing is that the majority of computer users, I would go out on a limb here, probably not only have never used a command line, but probably don't even know that it exists.
Brian Fehrman: Yeah. Yeah. You've got the people who open their computer and click through things, go to the website and whatever and, you know, maybe download files and that's as far as they get into the system. Then you have people who might know some shortcuts like command C, command V, whatever you're on. And then down here, you have people who have actually seen the console.
Brian Fehrman: And so I think what Claude Cowork is trying to do is bring that implementation of Claude Code further up the stack so that the general population is going to be able to get in on these agentic capabilities. What do you guys think of that?
Bronwen Aker: Well, one of the things, because I've downloaded the Claude desktop app for Windows. And one of the nice implementations that they've built into the app for people, especially for people who either are not familiar with the command line or who are not comfortable using the command line, is that the app, which is an Electron app, we'll get to that in a moment, gives you access to chat, Cowork, or Claude Code all within the same interface. So that's a nice feature for people who, like you say, very few people who are computer users will actually use the command line, and probably the less technical people are not people that we want using the command line, at least not for widespread tasks. So this is a good way to introduce them. And if they want to pursue it, then they can get more into the technical aspects of how to use this kind of stuff.
Brian Fehrman: Yeah. And so, obviously, you know, the intent is for people to be able to do things like, and interact with, perform tasks that maybe, like dealing with files on their system, that they can interact through the AI to have it perform actions for them. So, you know, write me up a report on, I don't know, whatever topic you like, the best place to get honey. I don't know. You know, and have it go out and, you know, do what it needs to do and create up a whole report for you locally that you have on your system, which I know that's oversimplifying things.
Brian Fehrman: It's probably not the best use case for it. But you can also get into more of like the personal assistant aspects with this too, as far as I understand, that you can tie this into various external services so that it looks more like an actual personal assistant who can, I don't know, maybe, I'm gonna guess, probably do things with email, do things with purchasing, do things with setting up, you know, things on your behalf on the Internet and just trying to kinda automate away portions of your life, if you will.
Derek Banks: Yeah. Or gain access to, I think gaining access to, like, the data that's otherwise disparate is then getting it closer to your AI processing is really kinda, like, one of the key, like, things here, like, through connectors where you can, you know, like, there's, like, say, like, an AWS connector or maybe, like, Notion or Jira or something along those lines where basically you can say, hey, Claude. Create a ticket to go do this. Right? And it goes and fills out everything, maybe even based on a skill or something that, you know, that your work has defined.
Derek Banks: And basically, the idea is to bring, I think, both AI closer to data that's otherwise disparate and harder for folks to copy and paste into a chatbot or something like that. And then really integration, because I think one of the challenges that AI has had is getting closer to the data to do processing. Right? And I think that's what MCP and Skills and now Claude Cowork are kind of going down that route. And, you know, the other providers, if they don't have something out today, won't be far behind.
Derek Banks: And I personally, I think this kind of stuff, even though we'll get to the security flaws here in a second, I'm sure, I don't think this genie is getting back in the bottle. I think it'll be a slower adoption rate than it was with, like, technical folks. Right? Like, oh my gosh. This thing can code really well.
Derek Banks: And then people started figuring out, it can analyze log files. It can secure shell into servers and fix it for me. It can do all this kind of stuff. Talking about the command line version, it won't be long before some, you know, enterprising folks in that, you know, like the mid-tier section that you described earlier, the folks who can do a pivot table in Excel and analyze data, it won't be long before they're like, hey, Claude, take all of these spreadsheets and give me the five key insights for this business or something like that. To me, that's where the real power is, especially when you, like, if you haven't used Opus 4.6, it's pretty capable.
Derek Banks: It's pretty scary. And so it's only gonna get better too. And so I think that's really the thing is there'll be some, like, slow adoption through the spring, but I bet by the summer, there's a lot more hype going around this. And now fun fact, Anthropic claims that they pretty much coded the whole thing in ten days with Claude Cowork. That would be Claude Cowork.
Derek Banks: That's awesome. Yeah. Yeah. That's
Bronwen Aker: not scary at all.
Brian Fehrman: Yeah. I definitely agree on the rapid adoption for this type of technology because you think about it, I mean, vendors have been trying to do this for a little bit now. So think about Cortana with Windows. I mean, that was years before AI was even close to the capabilities that I think that they were hoping to have when they shoved Cortana into Windows, which in my opinion, like, I think everyone just found annoying and like, it was immediate like shut off, like disable and
Derek Banks: haven't used Windows. I've used Windows, always been annoying. Is it still a thing? Like, okay.
Bronwen Aker: It's still built into the OS.
Derek Banks: It's like a
Bronwen Aker: Yeah.
Derek Banks: It's, I gotcha.
Bronwen Aker: Still there.
Brian Fehrman: Yeah.
Bronwen Aker: One of the other things in terms of this implementation and adoption, the partnerships that Anthropic has made with Google and with other organizations, Notion, PayPal, AWS, they're very smart. And, with the Google partnership, having the Chrome plug-in, I mean, think about how many people use the Chrome browser and how many people have Gmail accounts.
Derek Banks: Yeah. They're probably measured in the billions. You know?
Bronwen Aker: And now through a plug-in that can be added into Chrome, now they have Claude-enhanced agentic activity. I mean, they can use that plug-in to say, okay, Claude, go to this website and look for all of the various forms in which ground coffee is being sold from this particular vendor and tell me which one has the best price per pound.
Derek Banks: Oh, it won't even do that. Right? It'll do that, but then it'll spawn a sub-agent that has your credit card and just go ahead and buy it and ship it to your house, which has lots of financial implications that we're not gonna talk about in this show. Not yet.
Bronwen Aker: No. There'll be a different episode. Another time.
Derek Banks: Yeah. But let's talk about now. But I personally think this is a great thing, and I think Anthropic is, like, on the cutting edge. But usually those pioneers take the arrows. And so let's talk about how it can go wrong.
Brian Fehrman: Mhmm. Yeah. So one of the things that I think is a little bit funny is that they seem to have front and center about how the code runs within a VM-isolated environment, which is great, but yet also make it very clear that it also has access to your file system.
Derek Banks: That's what I thought. Like, I was like, okay. So protect me from an RCE. Great.
Brian Fehrman: Great. Yeah.
Derek Banks: Mhmm. Yeah. But that's not the point.
Brian Fehrman: Yeah. But so in all fairness, it is only the files that you granted access to. I'm gonna imagine that a lot of people are probably, they're not gonna wanna do granular permissions and probably just gonna be like, hey, just give it access to everything.
Derek Banks: Pulling back
Brian Fehrman: slash of clicking okay. You know?
Derek Banks: Yep. Yep. Just the whole thing.
Bronwen Aker: And that is one of both the scary and cool things about Claude Cowork. I mean, I haven't pulled the trigger on this one yet, but one of the things that I'm looking at is I've collected ebooks for years, and I have tons of duplications.
Derek Banks: Oh, you're one of those. So am I.
Bronwen Aker: Yeah. Oh, no. I'm a data hoarder.
Derek Banks: Like, why do
Bronwen Aker: I need
Derek Banks: 68 gig of ebooks that I've read, like, 500 mega of?
Bronwen Aker: Yeah. Humble Bundle is
Derek Banks: my nemesis. I don't buy them anymore.
Bronwen Aker: Are they evil or what? I love them, and I hate them. But so I have ebooks. I have digital music that I've acquired or ripped from various sources, and I've got you looking days still.
Brian Fehrman: Wow. Nice.
Bronwen Aker: I know. Right?
Derek Banks: So, yeah.
Bronwen Aker: I have email messages archived from the nineteen nineties on my desk.
Derek Banks: I did get rid of all that. Actually, I burned it all to a CD, and I don't know where it is. But anyway
Bronwen Aker: But, I mean, so for processes like that or for going through and analyzing things, it's a wonderful tool. If I can turn around and say, hey, Claude, go into this folder where I keep all of my financials and help me identify recurring expenses that are coming out every month. I mean, that's a wonderful way. We've talked elsewhere about disruption in some of the software-as-a-service providers possibly having an economic impact on their game. Imagine if I don't have to use Rocket Money or one of these other analysis tools to figure out where my recurring expenses are.
Bronwen Aker: And this can be done on an individual level. It can be on a small business or a corporate level. But with great power comes great responsibility. So now that same app has access to all of that very sensitive information.
Derek Banks: Yeah. I think that it won't be long before, you know, there's more stuff security-wise built in. So for example, I know that our SOC basically has essentially a home-baked, so to speak, kind of agent EDR in their Claude Code install that they use. I know that Daniel Miessler's PAI, Personal AI Infrastructure, has security hooks. And actually, one fired on me.
Derek Banks: I showed Brian the other day. I was like, look. It went to go delete test files and the security hook said don't go do that. And so I think that people are paying attention to the security stuff, but it's gonna be slower than the actual functionality. And so stuff like prompt injection, technically indirect prompt injection, where if you're going off and you're getting, I would imagine, like third-party skills or if someone sends you an email that has embedded prompt injection stuff, and that's a risk, right, if it's processing that data.
Derek Banks: And so what the show notes say, 17.8% of the time is what Anthropic says that prompt injection succeeds. And that's their current, like, stat. That's actually pretty high. From, like, I would have thought it would have been lower. Right? We mentioned overly broad file access and now deletion of data.
Derek Banks: And I think that, you know, that I could delete data. But the other thing, and this is always near and dear to my heart, I point this out a lot of times, is there's no logging.
Bronwen Aker: Yeah. That's a big, big
Derek Banks: So if you are working for any of the frontier companies and you stumble across this, please start instituting logging into these things. As someone who's done forensics and incident response, I would greatly appreciate and know what the agent did. That would be very helpful. So, alright. What else?
Derek Banks: I think you kinda touched on the second-order risk. And I think John Strand just wrote a blog post that he was talking about in the news last night about the coming SaaS apocalypse. Right? I think that we're poised. And maybe it won't happen.
Derek Banks: We'll see what happens in the future. But I think companies that have technical teams are going to start to realize that some of the SaaS products that they pay for that have always been too expensive for them to code in house are no longer gonna be expensive for them to code in house. And they're gonna ditch mid-market. Like, I still think the big cloud providers will still have, you know, their market share. Like, they're gonna replace AWS.
Derek Banks: Right? But it might replace your time card system, right, or your payroll system or something like that. And as a pen tester, I think this is great news because everyone will have bespoke software with flaws on it. I like this idea. As someone who participates in our economy, I think it's very bad news.
Derek Banks: Like, it's disruption. I should bad news. Right? But it's going to be, there's going to be disruption, I guess, is what I'm getting at.
Bronwen Aker: Well, and one of the advantages of the larger SaaS providers, they are going to get regular updates when the regulations change for payroll or sales taxes or whatever else is going on. People who are rolling their own systems using whatever now have taken on the burden of that maintenance and I don't think a lot of people realize that.
Derek Banks: Or, and if they do, they can just get Claude Code to fix it. Right?
Bronwen Aker: Yeah. But how many people do you think know to code in that kind of awareness? And that's not even, that's not a security issue. That's just a development issue.
Derek Banks: But it is overhead. Less than half. Less than half. But yeah. I mean, I'm just guessing.
Derek Banks: But yeah. So I, other... Oh, go ahead.
Bronwen Aker: And then there's the other thing, and I touched on it, but it isn't in the show notes that we have written up. When I was looking into the app, it's an Electron app. Nothing wrong here.
Derek Banks: Yeah. Historically, there have definitely been Electron issues too. I mean, but I mean, to that point though, I try and not pick on the new AI stuff for those kinds of things as much because have you ever pip installed something as root? What's the difference? I mean, then we're talking about supply chain kind of stuff.
Derek Banks: Right? And so I get that it's a risk, but it's not exclusive to AI. Aside from the fact that all this stuff is coming out so fast without a thought of security.
Brian Fehrman: Yep. Yeah.
Derek Banks: So, but I mean
Brian Fehrman: It looks like, you know
Derek Banks: Go ahead.
Brian Fehrman: No. I was just gonna say, I mean, yeah. I mean, it looks like though at least with, you know, even, I picked on the sandbox thing a little bit. But even that though, it shows that they are like paying more attention to it. Right?
Brian Fehrman: Thinking about like some of the security implications and I think that that can maybe lead us into our final talking points for wrapping up the show here, which is, I mean, what do people really need to be concerned about? And like, what, I mean, what are, you know, what do you need to do or not do, like, in the situations if you're gonna be using this? And honestly, I would say to just sum it all up, I mean, really what it comes down to is be careful what you give it access to. Understand that that is the real risk. It's not necessarily the AI itself.
Brian Fehrman: It's not the models in the back. Those aren't really the risk here. It is what you are hooking this up to, what you're allowing it to have access to, not only on your system, but also when you're hooking it up to third parties that it can reach out to and talk to. So just, you know, understand the risks associated with giving it access to those things and just be careful. Don't give it access to more than what you need to. And other than that, I mean, it's, I'm, you know
Bronwen Aker: I think
Brian Fehrman: there's that one other
Derek Banks: I'd like to point out before we go, and that's not here on the page, I don't think. But the risk of not using it. Right? If you decide that, okay, this stuff's not for me, realize that AI and things are changing with AI very quickly and you run the risk of losing out and being behind. And we were talking briefly before we started the recording about, like, you know, essentially the personal AI usage gap.
Derek Banks: Right? And, like, the comments that are coming from some folks that, how come Derek does stuff that's magic and I can't get it to do anything? It's because I've been using it for a long time. And the best advice that I can give to folks is just dive in and start using it. Be careful and put it on test systems, whatever you need to do.
Derek Banks: But if your company is telling you that, hey, we're not gonna use this stuff because we're afraid, I would strongly urge you to put together something to tell them about the risk of not using it and falling behind because I think that is a real thing.
Bronwen Aker: I know I've had this exact conversation with a bunch of pen testers, and fortunately the frontier providers are also providing documentation on how to use their stuff, and Anthropic has their whole series of courses about how to better use their tools, and I've gone through several of them and it's good material. It lays it out. It's well organized. And if you're not investing that time, you're going to get left behind.
Derek Banks: And if you don't like Claude or Anthropic for some reason, go try Codex. I hear it's just as good. Yeah. With that
Brian Fehrman: We have options.
Derek Banks: Yeah. And with that, let's wrap this thing up. I will not miss the tagline this time. And in the honor of Joff, keep on prompting.