Anthropic adds self-hosted sandboxes, MCP tunnels

Anthropic on May 19 said Claude Managed Agents can now run in self-hosted sandboxes and connect to private Model Context Protocol servers through MCP tunnels, adding two new deployment options for companies that want tighter control over where agents execute and what internal systems they can reach. The company published the update in a product post and in Claude Platform release notes the same day. Code with Claude London is taking place on May 19, according to Anthropic’s event page, which lists Claude Platform and Managed Agents sessions on the agenda. Social posts tied the product update to that London developer event. The announcement expands Anthropic’s Managed Agents product, which the company described in April as a hosted service for long-horizon agent work built around separable components including a session, a harness and a sandbox. (claude.com) ### What changed in Claude Managed Agents? Anthropic said “starting today” Managed Agents can operate in “a sandbox you control” and connect to private MCP servers. The company said self-hosted sandboxes are available in public beta on the Claude Platform, while MCP tunnels are in research preview and require access requests. (claude.com) The May 19 release notes also said Managed Agents sessions can now update MCP server and tool configurations while a session is active, and outputs above 100,000 tokens from agent_toolset and MCP tools are automatically spilled to a file in the sandbox. (anthropic.com) ### What does “self-hosted sandbox” mean here? Anthropic said the agent loop — including orchestration, context management and error recovery — remains on Anthropic’s infrastructure, while tool execution moves to infrastructure chosen by the customer. (claude.com) The company said that setup lets files, repositories and services stay inside the customer’s existing security perimeter. The product post said customers can run the sandbox on their own infrastructure or use managed providers including Cloudflare, Daytona, Modal and Vercel. (platform.claude.com) Anthropic also said customers control resource sizing and the runtime image for compute-heavy work such as long builds or image generation. Anthropic’s earlier engineering write-up on Managed Agents described the sandbox as the execution environment where Claude can run code and edit files, separate from the session and harness layers. (claude.com) ### How do MCP tunnels work? Anthropic’s documentation said MCP tunnels connect Claude to MCP servers running inside a private network “without opening inbound ports or exposing services to the public internet.” The docs say traffic flows over an outbound-only connection, so customers do not need to expose services publicly or allowlist Anthropic IP ranges on the origin. (claude.com) The same documentation says the tunnel stack runs inside the customer network and includes Cloudflare’s `cloudflared` tunnel agent plus an Anthropic proxy component. (anthropic.com) Anthropic said the system uses hostname-based routing, and each exposed MCP server gets a hostname under the customer’s tunnel domain. Anthropic also said MCP tunnels are provided “as-is” in research preview, with no uptime, support or continuity commitment, and that the transport depends on Cloudflare. (platform.claude.com) ### Why is Anthropic framing this around enterprise boundaries? Anthropic said both the sandbox where an agent executes tools and the services it reaches can now run “within the established boundaries of your enterprise, under your security and runtime controls.” The company said that inside those boundaries, network policies, audit logging and security tooling remain in place. (platform.claude.com) The company’s earlier Claude Code security post described sandboxing in terms of filesystem isolation and network isolation, saying both are needed to reduce the risk of prompt-injected agents modifying sensitive files or exfiltrating data. (platform.claude.com) That post concerned Claude Code rather than Managed Agents, but it shows the security model Anthropic has been building toward. ### Where can developers see or use it next? (claude.com) Anthropic’s Code with Claude London page says livestream sessions are running on May 19 and include talks on getting to production faster with Claude Managed Agents and building production-ready agents. Anthropic’s product post and platform docs now contain the rollout details, provider list and tunnel setup requirements. (claude.com) (anthropic.com)