Anthropic faces cost and security scrutiny

Microsoft was reported on May 22 to be winding down most internal Claude Code licenses as rising spending on AI coding tools drew new scrutiny to Anthropic's economics. India Today, citing a report by The Information, said the software company was reducing internal use even as Microsoft was discussing supplying Maia AI chips to Anthropic. (blog.cloudflare.com) Anthropic also faced a separate security challenge this week. Cybernews reported on May 21 that a security researcher said Anthropic had fixed another Claude Code sandbox bypass without issuing a public advisory or CVE, raising new questions for customers about disclosure and containment. (platform.claude.com) Cloudflare, meanwhile, said on May 21 that it had added support for Anthropic's Claude Compliance API in its cloud access security broker product, giving enterprise security teams a new way to monitor Claude usage. ### Why does a Microsoft pullback matter if Anthropic still has enterprise momentum? (indiatoday.in) Microsoft's reported move matters because it puts a large internal buyer at the center of the cost debate. India Today said the company was winding down most Claude Code licenses for internal use as AI coding costs climbed. The report did not specify how many licenses were affected or whether any teams would retain access. Anthropic's own materials show why cost has become a live issue for customers. (cybernews.com) Its official pricing pages say Claude Opus 4.7 starts at $5 per million input tokens and $25 per million output tokens, while Anthropic says developers can lower bills with prompt caching and batch processing. Anthropic's API overview also says customers can choose between direct access and cloud platforms depending on infrastructure, compliance needs and pricing preferences. ### What was the security flaw researchers said Anthropic fixed? Cybernews reported that researcher Johann Rehberger criticized Anthropic after identifying what it described as a second major bypass in Claude's network sandbox. (indiatoday.in) According to the report, Rehberger said Anthropic fixed the issue without a public advisory or a CVE, and he argued users should have been notified. Cybernews had also reported earlier this month on another Claude Code security issue involving the product's Chrome extension. That report said researchers found a flaw that let a browser extension send instructions to the assistant and trigger actions using the victim's permissions, and said Anthropic's initial patch was bypassed within hours. (anthropic.com) ### What is Anthropic and Cloudflare offering enterprises instead? Cloudflare said on May 21 that its CASB now supports the Claude Compliance API, allowing security and compliance teams to monitor Claude activity from the Cloudflare dashboard without endpoint agents. (cybernews.com) The company said the integration is meant to give enterprise teams visibility into how sanctioned AI applications are being used. Cloudflare had already positioned Claude alongside ChatGPT and Gemini in its broader CASB tooling. In an earlier post, the company said those integrations were designed to scan for misconfigurations, sensitive data exposure and compliance issues across AI tools. (cybernews.com) ### Which questions are customers likely to press Anthropic on now? Enterprise customers evaluating Claude Code are likely to focus on spending controls, logging and sandbox reliability because those are the issues surfaced by this week's reports. Anthropic's documentation says pricing varies by model and access route, while Cloudflare's new integration points to demand for monitoring and compliance controls around Claude deployments. (blog.cloudflare.com) That connection is an inference based on the timing and substance of the announcements. Johann Rehberger's criticism, as reported by Cybernews, adds a second line of questioning around disclosure practices. (blog.cloudflare.com) Microsoft's reported internal license cuts add a separate commercial test: whether teams that like Claude Code's output will keep paying for it at scale. ### What comes next for buyers watching the story? Anthropic's next public signals are likely to come through its pricing documentation, product release notes and any further security disclosures tied to Claude Code. Cloudflare's CASB support for the Claude Compliance API is already live, according to the company's May 21 post, giving enterprise teams an immediate monitoring option while they assess broader deployment decisions. (platform.claude.com) (blog.cloudflare.com) (cybernews.com)