
Anthropic Adds Self-Hosted Sandboxes and MCP Tunnels — Claude Managed Agents Get Real Enterprise Infrastructure
Anthropic announced two new privacy and security features for Claude Managed Agents on May 19, 2026 — self-hosted sandboxes for running tool calls on customer infrastructure, and MCP tunnels for private-network model context protocol servers.
Anthropic Just Closed the Enterprise Agent Infrastructure Loop
At the Code with Claude conference in London on May 19, 2026, Anthropic announced two new features for Claude Managed Agents that together turn the agent platform into something enterprises with strict data-residency, network-isolation, and sandbox-control requirements can actually deploy in production. The first is self-hosted sandboxes — agent tool execution now runs on the customer's own infrastructure or on a managed provider like Cloudflare, Daytona, Modal, or Vercel, while Anthropic keeps the orchestration loop running on its side. The second is MCP tunnels, a new way to expose Model Context Protocol servers inside a private network to a Claude agent without opening any inbound firewall rules. Self-hosted sandboxes are in public beta starting today; MCP tunnels are available in research preview by request.
For enterprise security architects, infrastructure leaders, and the developers shipping Claude-powered agents into regulated environments, this is the announcement that converts Claude Managed Agents from a promising platform into a deployable enterprise system. The two features were the most-requested items on the Claude Managed Agents roadmap, and shipping them together is the kind of move that tells the market Anthropic has internalized the enterprise security feedback loop.
Self-Hosted Sandboxes — Tool Execution Stays Inside Your Walls
In a managed agent platform, the model loop, the tool dispatch, and the tool execution each have to run somewhere. Self-hosted sandboxes pull the tool execution piece out of Anthropic's infrastructure and place it inside the customer's environment, either directly in the customer's own VPC or through a managed sandbox provider that the customer has already approved. The orchestration layer that handles planning, context management, retries, and error recovery remains on Anthropic's side, but no customer files, packages, or secrets ever leave the customer's network.
The Four Launch Sandbox Providers
The initial launch supports Cloudflare, Daytona, Modal, and Vercel as managed sandbox providers — a careful selection that covers the three most common deployment models. Cloudflare gives customers a serverless edge-style sandbox at the closest network location. Daytona and Modal cover the cloud-native development workload pattern, where the sandbox needs full Linux primitives and persistent context across tool calls. Vercel covers the front-end and edge-function workload pattern. Customers who want to host the sandbox themselves on their own Kubernetes clusters can do that through a direct deployment, too.
Why Self-Hosted Sandboxes Solve the Hardest Enterprise Adoption Question
The single hardest question in enterprise AI agent adoption has been: where exactly does my data go? Self-hosted sandboxes give the right answer — sensitive files, internal packages, and secret material stay inside the customer's network the whole time, and the only thing crossing the boundary is the model's reasoning trace. That is the security architecture that satisfies regulated industries like financial services, healthcare, and government, which have historically been the slowest to adopt frontier AI agent infrastructure because they could not get a clear answer on data residency.
MCP Tunnels — Private MCP Servers Without Inbound Firewall Rules
The second feature in the announcement is MCP tunnels, which solve the equally hard problem of how a managed agent reaches the customer's private internal systems. Model Context Protocol is the open standard Claude agents use to call tools, and enterprises run dozens of MCP servers internally: databases, ticketing systems, knowledge bases, internal APIs, source code search, build systems, observability stacks. Until today, exposing any of those to a managed agent meant either a VPN tunnel or a public endpoint behind some kind of authentication layer. MCP tunnels replace both options with a much cleaner architecture: the customer deploys a small gateway inside their network, the gateway makes a single outbound connection to Anthropic, and the agent reaches the internal MCP servers through that outbound channel.
The Outbound-Only Network Design
The outbound-only design is the security property that matters most. No inbound firewall rules need to change. No public endpoints need to be created. No VPN tunnels need to be managed. The encrypted channel handles the authentication, the routing, and the traffic shaping on its own. For enterprise security teams that already operate strict egress controls, the MCP tunnel pattern matches the way the rest of their infrastructure is already shaped — the agent looks like another outbound API client, and that is exactly the kind of system the existing security tooling already monitors well.
How the Two Features Work Together
The combination of self-hosted sandboxes and MCP tunnels is what makes the announcement structurally important. With both features deployed, an enterprise can run a Claude Managed Agent that thinks inside Anthropic's orchestration loop, executes tool calls inside the enterprise's own sandbox environment, and reaches internal MCP servers through a private outbound tunnel. The model gets to be a frontier-quality agent, the enterprise keeps the data and infrastructure inside its own perimeter, and the operational story for the security team stays clean. That is the architectural pattern enterprise AI has been waiting for.
Why the Code with Claude Conference Was the Right Venue
Announcing the two features at a developer conference rather than in a press release is the kind of distribution choice that matches the audience. The enterprise security architects and platform engineers who care most about self-hosted sandboxes and MCP tunnels are the same people who attend Code with Claude. They want to see the configuration story, the deployment story, and the operational story end to end. The conference format gives Anthropic the chance to walk through all three with the practitioners who will actually deploy the features.
What to Watch Over the Next Quarter
For enterprises evaluating Claude Managed Agents, the two features remove the largest remaining blockers to production deployment. The watch items over the next quarter are the customer case studies that emerge from regulated industries, the additional managed sandbox providers that get added to the supported list, and the broader ecosystem of MCP gateway implementations that the community will start to build. For everyone tracking the enterprise AI agent space in 2026, the May 19 announcement is the kind of structural milestone that turns the conversation from "interesting platform" to "production-ready infrastructure."
Sources: Anthropic blog, "New in Claude Managed Agents," May 19, 2026; The New Stack, May 19, 2026; The Decoder, May 19, 2026; 9to5Mac, May 19, 2026.
