Anthropic Head of Claude Code Boris Cherny presenting on stage at Code with Claude London, May 19, 2026 Anthropic / Michael Knief via AP Content Services
by VibecodedThis

Anthropic Adds Self-Hosted Sandboxes and MCP Tunnels to Claude Managed Agents

Announced at Code with Claude London on May 19, self-hosted sandboxes let enterprises run agent tool execution on their own infrastructure. MCP tunnels let agents reach private servers without opening firewall ports.

Share

At its Code with Claude London event on May 19, Anthropic announced two additions to Claude Managed Agents: self-hosted sandboxes, now in public beta, and MCP tunnels, now in research preview.

Both features target the same basic problem: enterprises want to use autonomous agents against their own internal systems, but can’t do that if files, services, and secrets have to leave their network.

Self-hosted sandboxes

By default, Claude Managed Agents runs tool execution on Anthropic’s infrastructure. Self-hosted sandboxes let you move that execution to your own environment while Anthropic continues handling orchestration, context management, and error recovery.

The practical effect is that sensitive files, packages, and internal services stay inside your perimeter. You control the network policies, audit logging, and what external systems the agent can reach. You also pick your own CPU and memory configuration.

Anthropic has certified four managed sandbox providers for companies that don’t want to build their own:

  • Cloudflare: MicroVMs with zero-trust secrets and customizable egress controls
  • Daytona: Full, stateful compute with SSH access and session restoration
  • Modal: Cloud platform for AI workloads, including GPU resources and sub-second startup
  • Vercel: VM security with VPC peering and millisecond startup

A few organizations have already been running this in early access. Clay uses Daytona-backed sandboxes for Sculptor, their GTM agent, specifically because they need filesystem control and package installation. Rogo runs workflows in Vercel Sandbox with firewall-injected credentials for institutional finance data. Amplitude’s team built their Design Agent on Cloudflare infrastructure in two days.

One thing worth noting: this is not a fully on-premise deployment. Anthropic’s agent loop, which handles context, orchestration, and recovery logic, still runs on Anthropic’s infrastructure. If your requirement is that even the model and orchestration run inside your walls, this doesn’t meet it. What it does give you is control over execution environments and the data that flows through them.

MCP tunnels

The second feature solves a different problem. Connecting Claude Managed Agents to internal systems — databases, private APIs, ticketing systems — typically means either exposing those systems to the public internet or setting up a VPN. Neither is great.

MCP tunnels sidestep this by using a lightweight gateway you deploy inside your network. The gateway makes a single outbound connection to Anthropic’s infrastructure, encrypted end to end. No inbound firewall rules, no public endpoints. Claude’s agents call your MCP server through that tunnel.

The feature also works with the Messages API, not just Managed Agents, which matters if you’re building agent workflows directly against the API.

MCP tunnels are currently in research preview with restricted access. You can request access through a form on the Claude Platform.

Access and documentation

Self-hosted sandboxes is available in public beta. Anthropic has posted setup documentation at platform.claude.com/docs and published GitHub cookbooks covering sandbox configuration for each of the four supported providers. You can also deploy and test through the Claude Console.

MCP tunnels require submitting an access request before getting started.

Sources: Anthropic blog, The Decoder, InfoQ, 9to5Mac

Share