Anthropic just shifted where Claude Managed Agents actually run their tools. The agent loop still lives on Anthropic’s side, but execution can now happen inside your own infrastructure or with a managed sandbox provider you pick. For teams that have been holding back on agentic work because of data residency or audit requirements, this is the missing piece.
The launch covers two things. Self-hosted sandboxes go to public beta. MCP tunnels enter research preview behind a request-access form.
What Actually Changed With Claude Managed Agents
The split is clean. Anthropic keeps the orchestration, context management, and error recovery that make agents reliable across long tasks. You take over the part where tools execute, files get written, and packages get installed.
That separation matters more than it sounds. Plenty of enterprise agent projects stall not because the model fails, but because security review never approves the runtime. Moving the sandbox inside your perimeter means existing network policies, audit logs, and DLP tooling already apply. Nothing new to certify.
You also size the compute yourself. Long builds, image generation, repo-wide refactors, any workload that previously hit ceilings now gets whatever CPU, memory, or GPU you allocate.
The Four Sandbox Providers Worth Knowing
If you don’t want to run your own infrastructure, four managed options launched alongside the beta.
Cloudflare
Runs sandboxes on microVMs and lighter isolates. The pull here is egress control: zero-trust secrets injection, customizable proxies for auditing or rerouting traffic, plus direct access to internal services over Cloudflare’s network. Amplitude is already building its internal Design Agent on this stack.
Daytona
Full composable computers, long-running and stateful. The same primitive handles a 30-second task or an agent grinding away for six hours. Sessions stay reachable over SSH or a signed preview URL, and you can pause one and restore it later with state intact. Clay’s Sculptor, their GTM workflow agent, runs here.
Modal
Built specifically for AI workloads. Sub-second container startup on any image, scales to hundreds of thousands of concurrent sandboxes, GPU on demand. If you already use Modal for inference, the sandbox primitive slots into the same networking and storage you’ve configured.
Vercel
VM-grade isolation with VPC peering and bring-your-own-cloud. The interesting trick is credential injection at the firewall boundary, so secrets never enter the sandbox itself. Rogo is building an analyst agent for institutional finance on this combo.
MCP Tunnels Solve The Private API Problem
MCP tunnels handle the other half of the enterprise blocker: reaching internal systems without poking holes in your firewall.
You deploy a lightweight gateway inside your network. It makes one outbound connection to Anthropic. Your agent can then call internal databases, private APIs, knowledge bases, or your ticketing system as MCP tools, all encrypted end to end. No public endpoints. No inbound firewall rules. No VPN gymnastics for the model.
Workspace admins manage tunnels from the Claude Console. The feature works with both Managed Agents and the raw Messages API.
Why This Lands Differently Than Previous Agent Releases
Most agent platforms ask you to choose between control and capability. Self-hosted sandboxes split the difference in a way that actually works for regulated buyers.
Sai Yandapalli at Modal mentioned getting a working version up in under a week. Will Newton at Cloudflare said two days. Those numbers track with what the underlying primitive looks like: you wire up a sandbox client, point at an MCP endpoint, and the rest is configuration.
The real test is how it behaves under load with a noisy production workload and a security team auditing every call. That answer comes in a few months once the public beta has miles on it.
Getting Started
Self-hosted sandboxes are live in public beta right now. MCP tunnels need the request-access form for the research preview. Anthropic has cookbooks for each of the four supported providers, and you can deploy an initial agent directly from the Claude Console.
Worth a serious look if you’ve been on the fence about putting agents into production.
