Cloudflare, Anthropic launch secure execution sandboxes for Claude managed agents

Anthropic and Cloudflare used May 19 announcements to push Claude Managed Agents deeper into enterprise infrastructure. The two companies said Claude agents can now run tool execution inside isolated sandboxes rather than only in Anthropic-managed environments, while Anthropic separately added private Model Context Protocol, or MCP, connections for internal tools. The releases were published as Anthropic courts companies that want agents to act on internal systems without exposing those systems to the public internet. Cloudflare said its product is called Cloudflare Environments for Claude Managed Agents, and Anthropic said its own additions include self-hosted sandboxes and MCP tunnels. ### What exactly changed for Claude Managed Agents? Anthropic said on May 19 that Claude Managed Agents can now “operate in a sandbox you control and connect to your private Model Context Protocol (MCP) servers.” The company said the sandbox can run on a customer’s own infrastructure or through managed providers including Cloudflare, Daytona, Modal and Vercel. Anthropic said self-hosted sandboxes are in public beta, while MCP tunnels are in research preview and require requested access. (cloudflare.com) Cloudflare said its integration lets organizations “run core agent loops on the Claude platform” while using Cloudflare’s network and Workers platform to execute code, secure private connections and supply tools to agents. The company said each agent session is spun up in a secure sandbox through a Workers-based control plane. (claude.com) ### Where does the code actually run now? Cloudflare said developers can choose between Linux-based microVMs for more complex tasks and V8 isolate-based sandboxes for lighter workloads. In a separate blog post, Cloudflare said those lighter sandboxes can boot in milliseconds, while developers also get sandbox metrics, logs, SSH access to running machines and the ability to customize sandbox images. (cloudflare.com) Anthropic said the point of the change is to keep both tool execution and service access “within the established boundaries of your enterprise, under your security and runtime controls.” That means the managed agent loop can stay on Anthropic’s platform while execution and internal connectivity are pushed into infrastructure chosen by the customer. ### What problem are Anthropic and Cloudflare trying to solve? (blog.cloudflare.com) Cloudflare said enterprises want AI agents that are “secure and scalable” enough to work inside an organization, not just reason over prompts. In its press release, the company described the launch as part of work with Anthropic on the “last mile of AI connectivity,” referring to the connection between models and enterprise systems. (claude.com) VentureBeat reported that the new setup is aimed at letting Claude agents reach enterprise APIs without exposing credentials directly to the model runtime. That description aligns with Anthropic’s statement that private MCP servers can now be connected through tunnels instead of being opened to the public internet. (cloudflare.com) ### Why does private MCP access matter? Anthropic said MCP tunnels are designed for customers that already use internal MCP servers to expose company data or actions to models. The new option allows those servers to remain private while Claude Managed Agents connect through a controlled tunnel, rather than requiring firms to publish those endpoints externally. That matters because MCP has become one of the main ways AI systems connect to external tools and data sources. (venturebeat.com) In this release, Anthropic is not changing the protocol itself; it is changing how Claude agents reach MCP servers in enterprise environments. ### Who else is involved beyond Cloudflare? Anthropic named Daytona, Modal and Vercel alongside Cloudflare as managed providers for self-hosted sandboxes. (claude.com) Cloudflare’s announcement focused on its own Workers-based environment and private service connectivity, while Anthropic framed the broader update as giving customers more control over infrastructure choice. 9to5Mac, citing Anthropic’s announcement, reported the features were introduced as privacy and security controls for Claude Managed Agents. Cloudflare’s materials emphasized scale as well as isolation, saying the system is intended to support globally distributed agent workloads. ### What happens next? (cloudflare.com) Anthropic said self-hosted sandboxes are already in public beta on the Claude Platform, and MCP tunnels remain in research preview with access by request. Cloudflare said developers can start using Cloudflare Environments for Claude Managed Agents through the new integration announced May 19. (cloudflare.com) (9to5mac.com)