Anthropic announced two new additions to Claude Managed Agents on May 19, 2026, live from the Code with Claude developer event in London: self-hosted sandboxes, now in public beta, and MCP tunnels, available as a research preview by request. Both features push the agent runtime and its tool calls inside the customer's own security perimeter, while leaving orchestration, context management and error recovery on Anthropic's infrastructure.
Key Highlights
- Self-hosted sandboxes let Claude agents execute tools on the customer's own infrastructure or on managed providers Cloudflare, Daytona, Modal and Vercel.
- MCP tunnels connect agents to Model Context Protocol servers inside a private network through a single outbound, end-to-end encrypted connection.
- No inbound firewall rules, no public endpoints and no data exfiltration from internal systems are required.
- Tunnels work with both the Managed Agents and the Messages API.
Details
Until now, Claude Managed Agents executed their tool calls inside Anthropic-hosted sandboxes. That worked for prototypes, but enterprise security teams pushed back as soon as agents needed to touch internal source code, customer data or proprietary APIs. The new release is Anthropic's answer.
With self-hosted sandboxes, sensitive files, packages and services stay on infrastructure the customer already controls. Each provider exposes a different shape: Cloudflare ships microVM and isolate-based sandboxes with zero-trust secrets and customizable proxies, Daytona offers stateful long-running computers with SSH and preview URL access plus pause and restore, Modal provides fast-startup AI workloads with on-demand GPU and CPU resources, and Vercel adds VM security with VPC peering and millisecond cold starts.
MCP tunnels solve the second half of the problem. Internal MCP servers, ticketing systems, knowledge bases and private APIs no longer need a public endpoint to be reachable by an agent. A lightweight gateway, deployed by the customer, opens a single outbound connection that is end-to-end encrypted. The agent gets the same access it would over the public internet, without anything new being exposed.
Impact
For enterprise teams, the announcement removes one of the most common blockers to putting AI agents in production: the security review. Engineers can now point an agent at internal services that were previously off-limits, without sending data to a third-party cloud and without opening inbound holes in the corporate network. Compliance, audit logging and network isolation policies that already cover the rest of the stack apply automatically to the agent runtime.
Anthropic also signaled clear customer demand. "Claude Managed Agents let us replicate the power of a local agent with reliability and versioning of a cloud agent," said Ryan Chang of Clay. Strib Walker of Rogo added that the change lets the team "leverage best-in-class infrastructure while focusing on tools, data, and product."
Background
Claude Managed Agents launched earlier in 2026 as a way to operate long-running, multi-tool Claude workflows in the cloud, with Anthropic handling orchestration. The Model Context Protocol, originally open-sourced by Anthropic in late 2024, has since become a de facto standard for connecting LLMs to internal tools, with adoption across OpenAI, Google and dozens of independent vendors. Self-hosted sandboxes and MCP tunnels are the natural enterprise step: they keep the developer ergonomics of the hosted product, while moving the trust boundary back to where chief information security officers want it.
What's Next
Self-hosted sandboxes are immediately available in public beta to all Managed Agents customers. MCP tunnels are gated behind a research preview request form. Anthropic has not disclosed pricing changes for either feature, and the announcement does not yet cover air-gapped or on-premise deployments, which remain the next obvious request from regulated industries.
Source: Anthropic