Claude Managed Agents now run tools in customer-controlled sandboxes and MCP tunnels
- Anthropic said on May 19 that Claude Managed Agents can now run tool execution in self-hosted sandboxes and reach private MCP servers.
- The key split is architectural: Anthropic keeps the agent loop, while customers keep files, secrets, network policies, audit logging and runtime controls.
- Self-hosted sandboxes are in public beta; MCP tunnels are in research preview with access requests through Claude Platform.

Anthropic’s update to Claude Managed Agents changes where the risky part of an enterprise agent run happens. Starting May 19, companies can keep tool execution inside infrastructure they control through self-hosted sandboxes, while using MCP tunnels to connect Claude to private Model Context Protocol servers without exposing those systems to the public internet. Anthropic is still running the managed agent loop itself, according to the company’s product announcement.

That makes this less a full “bring it on-prem” move than a split-control design. The model-facing orchestration layer — context management, error recovery, and the loop that decides what tool to call next — remains on Anthropic’s side. The execution environment where those tool calls actually run can now move inside the customer perimeter.

### So what actually changed inside Claude Managed Agents?

(claude.com) Anthropic said Managed Agents can now “operate in a sandbox you control and connect to your private Model Context Protocol (MCP) servers.” In practice, that means two new pieces: self-hosted sandboxes for code execution and file operations, and MCP tunnels for reaching internal tools and services.

Anthropic’s April 8 engineering post helps explain the split. (claude.com) The company described Managed Agents as separate components — a session, a harness, and a sandbox — rather than a single container. That architecture made it possible to swap where the sandbox runs without rewriting the whole service.

### What does “self-hosted sandbox” mean here?

The sandbox is the execution environment where Claude runs code and edits files. (claude.com) Anthropic said customers can now run that sandbox on their own infrastructure or use managed providers including Cloudflare, Daytona, Modal, and Vercel. Resource sizing and the runtime image are set by the customer side, not Anthropic.

That matters because the sandbox is where sensitive side effects happen.
(anthropic.com) Anthropic said files, repositories, packages and services can stay inside the customer environment, where existing network policies, audit logging and security tooling are already in place. The Decoder reported that companies also choose their own CPU, memory and runtime image.

### What problem do MCP tunnels solve?

(claude.com) MCP tunnels are for the other half of the problem: private connectivity. The Decoder reported that the feature connects agents to internal databases, APIs and other MCP servers on a private network through an encrypted channel. Anthropic’s announcement says the goal is to let agents reach services inside the enterprise boundary without turning those services into public endpoints.

(claude.com) The Decoder said the tunnel works through a lightweight gateway that opens a single outbound connection and does not require inbound firewall rules. Anthropic’s post frames the same idea as keeping both the execution environment and the services it reaches within enterprise security boundaries.

### What stays under Anthropic’s control?

Anthropic said the “agent loop that handles orchestration, context management, and error recovery stays on Anthropic’s infrastructure.” The Decoder reported the same point more bluntly: a fully on-premise deployment is not available.

(claude.com) That means customers get more control over execution, secrets, egress and internal service access than they had with Anthropic-hosted tool runs, but they still do not get full control over the planner and policy layer driving those actions. (claude.com) That last point is an inference from the architecture Anthropic described, not a company quote.

### Who is this aimed at?

Anthropic’s examples point at enterprise teams that want agent automation without moving sensitive systems outside their perimeter.
(claude.com) The company said Amplitude is building an internal design tool on Managed Agents and Cloudflare, while Clay is using Managed Agents and Daytona for its GTM engineering agent, Sculptor.

Those examples fit the buyers most likely to care about audit trails, runtime controls and private network access: companies that want hosted models but do not want Anthropic-hosted execution touching internal files or services directly. (claude.com) That framing is based on Anthropic’s product description and deployment examples.

### Is this generally available now?

Anthropic said self-hosted sandboxes are in public beta on the Claude Platform. (claude.com) MCP tunnels are in research preview and require an access request. The announcement was published May 19, 2026.