Anthropic locks down Claude agents
- Anthropic said on May 19, 2026, that Claude Managed Agents now support self-hosted sandboxes and MCP tunnels for tighter enterprise security controls.
- The company said self-hosted sandboxes are in public beta, while MCP tunnels are in research preview for customers requesting access.
- Anthropic said the features are available through Claude Platform updates announced at its Code with Claude event in London.

Anthropic said on May 19 that Claude Managed Agents can now run with self-hosted sandboxes and connect to private systems through MCP tunnels, adding new controls aimed at enterprise customers with stricter security requirements. The update was announced in a Claude Platform post and presented at the company’s Code with Claude event in London. Anthropic said the changes let customers keep tool execution and private service access inside their own security perimeter while continuing to use the company’s managed agent service.

### What exactly changed in Claude Managed Agents?

Anthropic said the two additions are self-hosted sandboxes and MCP tunnels. In the company’s description, self-hosted sandboxes let customers run the environment where agents execute tools on their own infrastructure or through managed providers such as Cloudflare, Daytona, Modal and Vercel. Anthropic said MCP tunnels let agents connect to private Model Context Protocol servers without exposing those servers to the public internet. (claude.com)

May 19 was also the date Anthropic said self-hosted sandboxes entered public beta and MCP tunnels entered research preview. The company said the features are available on the Claude Platform, with MCP tunnel access requiring a request.

### If the agents are “managed,” what still runs on Anthropic’s side?

Anthropic said the agent loop stays on its infrastructure even when tool execution moves into the customer’s environment. (claude.com) The company defined that loop as the part handling orchestration, context management and error recovery, while the sandbox is the execution environment where Claude can run code and edit files.

Anthropic’s April 8 engineering post described Managed Agents as a hosted service for long-running work built around stable interfaces including the session, harness and sandbox. That architecture helps explain the latest update: the company can move execution boundaries without changing the higher-level managed service.

### Why are enterprises asking for this kind of setup?

(claude.com) The New Stack reported that Anthropic framed the release around privacy, compliance and runtime control for organizations using agents in more sensitive environments. Anthropic’s own post said customers can keep sensitive files, packages and services inside their own infrastructure, where existing network policies, audit logging and security tooling are already in place. (anthropic.com) Anthropic also said outbound network requests can be controlled through zero-trust secrets injection, customizable proxies and connections to internal services over Cloudflare’s network.

Those details point to the company’s pitch: keep agent access narrow, keep logs and policy enforcement where enterprises already manage them, and avoid opening internal MCP servers to the public internet. That is an inference from the product details Anthropic published. (thenewstack.io)

### What do MCP tunnels do that a normal connector does not?

The New Stack said MCP tunnels work as a lightweight gateway deployed by the customer that makes a single outbound connection, with management handled through workspace settings in the Claude Console. Anthropic said the result is that agents can reach MCP servers inside a private network without those systems being publicly exposed. (claude.com)

Anthropic introduced MCP in November 2024 as an open standard for connecting AI assistants to the systems where data lives, including business tools, content repositories and development environments. The new tunnel feature extends that model into private enterprise networks with tighter boundary controls.

### Which companies are already attached to the rollout?

(thenewstack.io) Anthropic named Amplitude and Clay in its announcement as customers building on Managed Agents with sandbox providers.
Anthropic said Amplitude is building an internal design tool with Managed Agents and Cloudflare, while Clay’s engineering agent uses Managed Agents and Daytona. Anthropic also named Cloudflare, Daytona, Modal and Vercel as supported sandbox-provider options in the launch materials. (anthropic.com) The company said customers can also bring their own sandbox client.

### What happens next for customers evaluating the feature?

Anthropic said self-hosted sandboxes are now in public beta and MCP tunnels are available in research preview by request. (claude.com) Access and configuration run through the Claude Platform and Claude Console, according to the company’s May 19 product announcement.