Anthropic has expanded its Claude Managed Agents platform with two enterprise-focused capabilities: self-hosted sandboxes and MCP tunnels. The release aims to address a recurring challenge in enterprise AI deployments, where organizations want to use autonomous agents but cannot allow execution environments or internal systems to leave their security perimeter.
Self-hosted sandboxes, now available in public beta, allow tool execution to run on infrastructure controlled by the customer or through managed providers such as Cloudflare, Daytona, Modal, and Vercel. While Anthropic continues to manage orchestration, context handling, and recovery logic, the actual execution of tools and workloads happens within customer-controlled environments.
The approach provides enterprises with better control over network policies, audit logging, runtime configuration, and data residency. It keeps repositories, files, and services within the existing infrastructure, allowing organizations to manage compute sizing and runtime images for resource-intensive tasks like long-running builds and image generation.
The supported sandbox providers expose different infrastructure models. Cloudflare focuses on microVMs, zero-trust networking, and controlled outbound traffic. Daytona offers long-running, stateful environments accessible over SSH or preview URLs. Modal emphasizes AI-focused workloads with scalable CPU and GPU allocation, while Vercel combines sandbox isolation with VPC peering and credential injection at the network boundary.
Anthropic also introduced MCP tunnels, currently available in research preview. The feature enables Managed Agents and the Messages API to connect to private Model Context Protocol (MCP) servers without exposing them to the public internet. Instead of opening inbound firewall rules, organizations deploy a lightweight gateway that establishes an outbound encrypted connection to Anthropic infrastructure.
The company positions MCP tunnels as a way to expose internal databases, APIs, ticketing systems, and knowledge bases to agents while maintaining existing security boundaries. The feature is managed through organization settings in the Claude Console.
The announcement reflects growing enterprise demand for operational controls around AI agents, particularly in regulated environments where security reviews often slow deployment. Daksh Trehan commented:
"The compliance team is the real bottleneck for production agents, not the model. Self-hosted sandboxes and MCP tunnels are the layer that lets agents actually run inside the customer's perimeter instead of behind a sandbox the security team takes six weeks to clear."
Questions also emerged around how the new networking model integrates with Anthropic’s broader infrastructure. One developer asked:
"How can we make tunnels work with Anthropic connectors that run through Anthropic infrastructure?"
The release reflects a broader trend in the AI industry of separating orchestration from execution. Newer architectures enable enterprises to maintain their own execution environments, data access, and network controls while depending on external providers for model coordination and agent management.