Claude agents can run on customers' infrastructure in Anthropic's new self-hosted sandboxes

Anthropic said on May 19 that Claude Managed Agents can now run in self-hosted sandboxes on customer-controlled infrastructure, adding a deployment option aimed at companies that want agents to execute tools inside their own security perimeter. The company said the feature is available in public beta on the Claude Platform, while a related product called MCP tunnels is in research preview. Anthropic said both products are meant to let enterprises keep more control over where agent actions run and which internal services they can reach. The announcement was published in a Claude blog post and follows Anthropic’s broader push into managed agent products. ### What exactly is Anthropic moving onto customer infrastructure? Anthropic said the sandbox where an agent executes tools can now run on a customer’s own infrastructure or through managed sandbox providers, while the “agent loop” remains on Anthropic’s systems. That means orchestration, context management and error recovery stay with Anthropic, but code execution and file operations can be pushed into an environment the customer configures. (claude.com) The May 19 post said both the sandbox and the services the agent reaches can operate “within the established boundaries of your enterprise, under your security and runtime controls.” Anthropic said that setup is intended to keep sensitive files, packages and internal services inside the customer’s perimeter rather than moving them onto Anthropic-run infrastructure. ### If Anthropic still runs part of it, what stays with Anthropic? (claude.com) Anthropic said the split is deliberate. In its April 8 engineering post on Managed Agents, the company described the product as a hosted service for “long-horizon agent work” built around separate components including a session, a harness and a sandbox. Anthropic said that architecture lets it change the implementation underneath while keeping interfaces stable. (claude.com) The May 19 announcement said self-hosted sandboxes extend that design by moving tool execution out of Anthropic’s environment without moving the full managed service. Anthropic said customers keep local control over runtime images, resource sizing and existing security tooling such as network policies and audit logging. ### Which providers are supported at launch? Anthropic named four supported providers in the launch post: Cloudflare, Daytona, Modal and Vercel. (anthropic.com) Anthropic also said customers can bring their own sandbox client instead of using one of those providers. Cloudflare was described by Anthropic as offering microVMs and isolates, with outbound network requests controlled through zero-trust secrets injection, customizable proxies and connections to internal services over Cloudflare’s network. (claude.com) Anthropic said Daytona offers long-running, stateful sandboxes; Modal provides a cloud platform for AI workloads with CPU and GPU resources on demand; and Vercel combines VM security, VPC peering and bring-your-own-cloud options. ### What problem is Anthropic saying this solves? Anthropic said companies using agents for internal tools or regulated workloads often need execution to happen inside their own environment, where network controls, observability and governance are already in place. The company said files and repositories do not leave the customer perimeter in the self-hosted setup. Anthropic’s earlier engineering writing on Claude Code and Managed Agents has framed sandboxing as a safety and autonomy mechanism. (claude.com) In those posts, Anthropic said isolation reduces the risk that an agent can access sensitive information or make unsafe network calls outside intended boundaries. ### And what are MCP tunnels in the same announcement? Anthropic said MCP tunnels let Claude Managed Agents connect to private Model Context Protocol servers. (claude.com) The company launched that feature in research preview, with access by request, alongside the self-hosted sandbox beta. The next step is on Anthropic’s platform roadmap rather than a dated general release. As of May 19, self-hosted sandboxes were available in public beta on the Claude Platform, and Anthropic said MCP tunnels remained in research preview for customers requesting access. (anthropic.com) (claude.com)