
Claude Managed Agents: MCP Tunnels and Self-Hosted Sandboxes

[Figure: Claude Managed Agents architecture showing MCP tunnels connecting a private network to Anthropic cloud, with a self-hosted sandbox execution environment]

Anthropic shipped two infrastructure features for Claude Managed Agents on May 19 that tackle the real reason enterprises haven’t deployed AI agents at scale: self-hosted sandboxes (now in public beta) and MCP tunnels (research preview). Tool execution stays inside your network. Private MCP servers connect without a public endpoint. The blocker most teams have been waiting on is gone — at least partly.

The Problem These Features Actually Solve

Before this release, running Claude Managed Agents meant tool execution happened on Anthropic’s servers. That’s fine for consumer apps and internal prototypes. It’s a non-starter for any organization that handles regulated data, has strict network policies, or simply doesn’t want code running on someone else’s infrastructure.

The numbers back this up. A Cloud Security Alliance survey from April 2026 found that 88% of organizations reported confirmed or suspected AI agent security incidents in the past year. Separately, 46% of IT teams cite integration with existing internal systems as their primary deployment blocker. These aren’t edge cases — this is the majority of the market.

Anthropic’s answer is a clean architectural split: keep orchestration, context handling, and error recovery on their side; move tool execution to infrastructure you control. That’s what both features deliver, in different ways.

Self-Hosted Sandboxes: Your Network, Your Rules

Self-hosted sandboxes move the execution layer — where agents run code, access files, and make network calls — off Anthropic’s servers and onto yours. The agent loop still runs on Anthropic’s platform. What changes is where things actually happen.

You get control over network policies, audit logging, runtime configuration, data residency, and compute sizing. Files and repos never leave your environment. For teams running compute-heavy tasks like long builds or image generation, you also control the CPU and memory allocation rather than fighting shared cloud limits.

If you’d rather not manage the execution infrastructure yourself, four managed providers are certified for this setup today: Cloudflare, Daytona, Modal, and Vercel. The Cloudflare integration is the most fully-featured at launch, adding egress control, browser access, and custom tool support on top of the base sandbox.

Self-hosted sandboxes work through an environment worker — a process you run that claims tool execution requests from a queue Anthropic populates, runs them locally, and posts results back. You can run it as an always-on process or trigger it via webhook. The setup is a single API call to create the environment, then deploy the worker alongside your existing infra.

curl -sS https://api.anthropic.com/v1/environments \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-beta: managed-agents-2026-04-01" \
  -H "content-type: application/json" \
  -d '{"name":"self-hosted","config":{"type":"self_hosted"}}'

Status: public beta. Available now for all Claude Managed Agents users. Full setup instructions are in the self-hosted sandboxes documentation.
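The claim, run, post-back loop described above is where the local controls the article mentions (network policy, audit logging) can be enforced. The sketch below is an added example, not Anthropic's worker or API: the queue is an in-memory list, and the job shape, tool names, policy and hostnames are all assumptions made for illustration.

```python
import hashlib, json
from urllib.parse import urlparse
# Hypothetical local policy: tools this worker runs, hosts they may reach.
POLICY = {"tools": {"read_file", "http_get"}, "egress": {"jira.internal.example"}}
GENESIS = "0" * 64

def check_policy(job, policy=POLICY):
    """Return (allowed, reason) for one claimed tool request."""
    if job["tool"] not in policy["tools"]:
        return False, "tool not allowlisted"
    if job["tool"] == "http_get":
        host = urlparse(job["args"]["url"]).hostname
        if host not in policy["egress"]:
            return False, f"egress to {host} denied"
    return True, "ok"

def _digest(prev, record):
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

def audit(log, record):
    """Append a record chained to the previous entry's hash (tamper-evident)."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _digest(prev, record)})

def verify_chain(log):
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False  # an edited or removed entry breaks every later link
        prev = entry["hash"]
    return True

def run_worker(queue, handlers, log):
    """Claim each request, gate and audit it, run it locally, return results to post back."""
    results = []
    while queue:
        job = queue.pop(0)  # stands in for claiming from the remote queue
        ok, reason = check_policy(job)
        audit(log, {"id": job["id"], "tool": job["tool"], "allowed": ok, "reason": reason})
        out = ({"status": "ok", "output": handlers[job["tool"]](job["args"])} if ok
               else {"status": "denied", "error": reason})
        results.append({"id": job["id"], **out})
    return results

# Constructed sample input: offline stub handlers and three claimed requests.
HANDLERS = {"read_file": lambda a: f"<{a['path']}>", "http_get": lambda a: f"<GET {a['url']}>"}
JOBS = [{"id": 1, "tool": "read_file", "args": {"path": "README.md"}},
        {"id": 2, "tool": "shell", "args": {"cmd": "id"}},
        {"id": 3, "tool": "http_get", "args": {"url": "https://files.external.example/up"}}]
```

Denied requests are audited and answered with an error rather than silently dropped, so the remote agent loop and the local log both show the decision.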

MCP Tunnels: Connect Internal Systems Without a Public Endpoint

The second feature solves a different problem: how do you let a Claude agent query your internal Jira instance, your private database, or your internal knowledge base — without punching a hole in your firewall or spinning up a public endpoint for a system that was never meant to be public?

MCP tunnels work through a lightweight gateway you deploy inside your private network. That gateway opens a single outbound connection to Anthropic’s tunnel edge — no inbound firewall rules, no public endpoint, no allowlisting Anthropic’s IP ranges. Traffic is end-to-end encrypted using mTLS, and Anthropic adds its own encryption layer on top. Cloudflare operates the transport layer but cannot read request or response payloads; your team holds the inner TLS certificate.

Once a tunnel is running, any internal system you expose through an MCP server — databases, private APIs, ticketing systems, documentation wikis — becomes a tool your Claude agents can call. The tunnel works with both Claude Managed Agents and the Messages API, and is managed through org admin controls in the Claude Console.

Status: research preview. You’ll need to request access before you can use it. Details and the request form are in the MCP tunnels documentation.

Why This Is Happening Now

Anthropic isn’t alone in this push. At Google I/O on the same day, Google launched Antigravity 2.0 with built-in agent sandboxing. The day before, OpenAI announced an on-premises Codex deployment with Dell for enterprise environments. The enterprise AI agent market is converging on a “hybrid” model: managed intelligence at the cloud layer, controlled execution inside the customer’s perimeter.

Anthropic’s specific bet is that enterprises trust their own orchestration less than they trust Anthropic’s — so keeping the agent loop managed while giving back execution control is the right tradeoff. That’s a reasonable position. Whether it’s the right one for every organization depends on how much you want Anthropic’s infrastructure in your critical path.

What Changes for Developers

If you’re building production agents on Claude Managed Agents, self-hosted sandboxes remove the reason to avoid the platform for internal tools and regulated workloads. The Cloudflare managed option means you don’t need to stand up new infrastructure — you’re adding a configuration layer to an existing provider relationship most teams already have.

MCP tunnels are the more transformative feature in the long run. Turning internal systems into agent-callable tools without a public endpoint changes what’s possible architecturally. The research preview status means you’re still early — but if your use case involves private internal tools, getting on the waitlist now makes sense.

Both features are documented in Anthropic’s official blog post, which includes migration notes and links to full API reference documentation.

ByteBot