Anthropic moves Claude agents inside the customer perimeter with self-hosted sandboxes and MCP tunnels

Anthropic just separated Claude agent orchestration from execution, and the compliance bottleneck holding back enterprise agent deployment has shifted.
Representative image of secure enterprise AI agent infrastructure showing self-hosted sandboxes, encrypted MCP-style tunnels, and private cloud orchestration as Anthropic expands Claude Managed Agents for compliance-focused businesses.

Anthropic has expanded its Claude Managed Agents platform with two enterprise-focused capabilities announced at the Code with Claude developer conference in London on May 19, 2026: self-hosted sandboxes, now in public beta, and MCP tunnels, available in research preview. The release lets enterprise customers run the tool-execution layer of an AI agent on their own infrastructure, or with managed providers including Cloudflare, Daytona, Modal, and Vercel, while the agent loop itself, including orchestration, context management, and error recovery, continues to run on Anthropic’s servers. The Model Context Protocol tunnels feature, in parallel, lets agents reach internal databases, private APIs, knowledge bases, and ticketing systems through a single outbound encrypted connection without exposing those servers to the public internet. The dual launch directly targets the compliance and network-control objections that have slowed enterprise rollouts of autonomous AI agents, and positions Anthropic against rivals offering more conventional API-hosted agent stacks. It also marks the company’s first developer event held outside the United States, signalling a clear European enterprise push.

What problem are self-hosted sandboxes and MCP tunnels actually solving for enterprise compliance teams?

The friction between AI agent ambition and enterprise security review has become the dominant production bottleneck for agentic deployments. Compliance, risk, and infrastructure teams at banks, insurers, healthcare providers, and regulated industrials have routinely held up agent pilots for six to twelve weeks while they assess where code executes, where files land, and which networks an agent traverses. The standard Managed Agents architecture, where tool calls executed inside Anthropic-managed containers, was operationally simple but politically difficult inside heavily regulated environments. Self-hosted sandboxes shift that execution layer into infrastructure the customer already controls, which means existing network policies, audit logging pipelines, data loss prevention controls, and identity systems automatically apply. Files, repositories, and runtime packages never leave the customer’s perimeter, and resource sizing for compute-heavy workloads such as long builds or model image generation is set by the customer rather than constrained by a hosted default.

MCP tunnels address an adjacent but distinct constraint. Enterprises with internal MCP servers, whether wrapping a private database, a proprietary ticketing system, or a knowledge base, have so far had only two options: expose those servers through a public endpoint, which security teams resist, or skip MCP integration entirely. The tunnel architecture sidesteps both. A lightweight gateway deployed inside the customer’s network establishes a single outbound encrypted connection to Anthropic’s routing infrastructure, and the agent reaches the private MCP server through that channel. No inbound firewall rules need to be opened, no public DNS entries need to be created, and traffic remains end-to-end encrypted. The feature is administered from workspace settings in the Claude Console by organisation admins and works with both Managed Agents and the Messages API, which broadens its addressable surface beyond the agentic product alone.
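
A security reviewer can turn the tunnel's two claims (one outbound connection, no inbound rules) into a firewall-policy check on the gateway host. The following Python check is an added example, not Anthropic's tooling or part of the original article; the rule schema, the addresses, the internal range, and port 443 are assumptions, and the tunnel endpoint is a documentation-range placeholder.

```python
import ipaddress

# Constructed sample policy for a hypothetical gateway host (schema is illustrative).
GATEWAY = "10.20.0.5"
TUNNEL_NET = "203.0.113.0/24"  # placeholder (RFC 5737) for the vendor routing endpoint
RULES = [
    {"dir": "out", "action": "allow", "src": "10.20.0.5/32", "dst": "203.0.113.0/24", "port": 443},
    # Gateway forwarding to the private MCP server stays inside the perimeter.
    {"dir": "out", "action": "allow", "src": "10.20.0.5/32", "dst": "10.20.1.10/32", "port": 8080},
    # Inbound exposure that the tunnel design is meant to make unnecessary.
    {"dir": "in", "action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.5/32", "port": 8443},
    # Broad subnet egress that also covers the gateway.
    {"dir": "out", "action": "allow", "src": "10.20.0.0/16", "dst": "0.0.0.0/0", "port": 443},
]

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def audit_gateway_policy(rules, gateway, tunnel_net,
                         internal_net="10.0.0.0/8", tunnel_port=443):
    """Return (rule_index, finding) pairs for rules that break the outbound-only model."""
    gw = ipaddress.ip_address(gateway)
    tunnel, internal = _net(tunnel_net), _net(internal_net)
    findings, has_tunnel_rule = [], False
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        src, dst = _net(rule["src"]), _net(rule["dst"])
        if rule["dir"] == "in" and gw in dst and not src.subnet_of(internal):
            findings.append((i, "inbound allow from outside the perimeter reaches the gateway"))
        elif rule["dir"] == "out" and gw in src:
            if dst.subnet_of(tunnel) and rule["port"] == tunnel_port:
                has_tunnel_rule = True
            elif not dst.subnet_of(internal):
                findings.append((i, "gateway egress is wider than the tunnel endpoint"))
    if not has_tunnel_rule:
        findings.append((None, "no outbound rule to the tunnel endpoint"))
    return findings

if __name__ == "__main__":
    for index, finding in audit_gateway_policy(RULES, GATEWAY, TUNNEL_NET):
        print(index, finding)
```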

How does Anthropic’s split architecture compare with the way competing AI agent platforms handle execution and data residency?

The architectural choice Anthropic has made is a deliberate hybrid. Orchestration, context management, and error recovery stay on Anthropic-managed infrastructure, while tool execution and private network access move to the customer side. This is not a full on-premise deployment, and Anthropic is not pretending otherwise. Customers whose compliance posture requires that no telemetry or orchestration metadata touch external infrastructure will still find this insufficient. But for the much larger population of enterprises whose actual constraint is data residency and execution-environment control, the model is well-calibrated.

The competitive contrast is instructive. OpenAI’s enterprise agent stack remains primarily hosted, with agent execution running inside OpenAI’s cloud and integrations brokered through API connectors. Google’s Vertex AI agent offerings are tied tightly to Google Cloud and require workloads to sit inside that environment. AWS, through Bedrock and Claude Platform on AWS itself, offers infrastructure proximity but does not separate the orchestration layer from execution in the way Anthropic is now doing. The Anthropic approach effectively says: keep the model coordination with us, keep the data and the runtime with you. That separation gives enterprises a credible answer to compliance reviews without forcing them onto a single cloud platform, and it also avoids the operational overhead of standing up a true on-premise large language model deployment, which most enterprises are not equipped to maintain.

Which sandbox providers will benefit most from being inside Anthropic’s Managed Agents distribution channel?

The four launch partners, Cloudflare, Daytona, Modal, and Vercel, each occupy a different niche, and the Managed Agents distribution lift is material for all of them. Cloudflare brings microVM-based isolation, zero-trust secrets injection, customisable egress proxies, and the ability for agents to reach internal services over the Cloudflare network. Its scale and existing enterprise relationships make it the obvious choice for customers already standardised on Cloudflare Workers and Zero Trust. Amplitude is reportedly building its internal Design Agent on the Managed Agents and Cloudflare combination.

Daytona offers long-running stateful sandboxes accessible over SSH or authenticated preview URLs, and supports pause-and-restore with full state retention. That makes Daytona structurally suited to agents that work over hours rather than seconds, including Clay’s go-to-market engineering agent Sculptor. Modal is positioned for AI-native workloads, with sub-second container startup, on-demand CPU and GPU allocation, and the ability to scale to hundreds of thousands of concurrent sandboxes. DoorDash is reportedly building an internal productivity agent on Modal alongside Managed Agents. Vercel brings VM-level security combined with VPC peering and bring-your-own-cloud, with the Vercel Sandbox firewall injecting credentials at the network boundary so they never enter the sandbox itself. Rogo, a financial AI platform for institutional finance, is using the Vercel pairing for its analyst agent.

For the providers themselves, this is the kind of distribution arrangement that compounds. Each Managed Agents customer that adopts a self-hosted sandbox effectively becomes a managed-sandbox customer of one of these four, which means recurring revenue tied to actual agent compute. The Anthropic relationship also gives smaller players such as Daytona and Modal a halo of enterprise credibility they would otherwise need to manufacture through direct sales cycles.

What does this release signal about Anthropic’s broader enterprise strategy and the maturity of the agentic AI market?

The release sits inside a sequence of moves that makes Anthropic’s enterprise direction unusually legible. Claude Managed Agents itself launched on April 8, 2026, providing a hosted environment for long, tool-heavy agentic sessions. Built-in memory was added subsequently. The Claude Platform became generally available on Amazon Web Services. Each of these is a specific enterprise objection answered: persistence, hyperscaler proximity, and now execution control and private network reach. Taken together, they describe a company building deliberately toward production agent workloads rather than experimental ones.

The market context matters. Enterprise interest in agentic AI has consistently outrun production deployment because security, compliance, and infrastructure teams have not had the controls they require. The Linux Foundation’s recent finding that AI security readiness is now the single largest obstacle to enterprise adoption captures the constraint precisely. By moving the execution and connectivity layer into the customer perimeter, Anthropic is removing one of the most cited blocking objections in enterprise procurement.

There are still gaps. Self-hosted sandboxes are not yet supported on the Claude Platform on AWS deployment, which is a meaningful limitation for customers who selected AWS specifically for compliance reasons. Memory is not yet supported in self-hosted sessions, which constrains the use cases where persistent context matters. MCP tunnels remain in research preview with explicit as-is language attached to the documentation, meaning early adopters should treat it as a pre-production capability. And the architecture does not solve for organisations whose compliance posture requires that orchestration metadata also stay inside the perimeter, which remains a structural choice rather than a roadmap item.

What are the second-order risks and competitive responses likely to emerge from this architectural shift?

Three second-order dynamics are worth tracking. First, the closer enterprises move toward running Anthropic agents inside their own infrastructure, the harder the resulting switching costs are to unwind. Customers who configure sandbox providers, MCP tunnel gateways, audit logging integrations, and identity bridges around Claude Managed Agents will face meaningful re-engineering work to migrate to a competing model coordination layer. This is a deliberate lock-in mechanism dressed as flexibility, and it works.

Second, the four launch sandbox providers now have a defensible position inside Anthropic’s enterprise distribution funnel, which raises the strategic question of whether Anthropic will eventually acquire one of them, build its own first-party self-hosted sandbox, or maintain the multi-partner model. Each path has trade-offs. Acquiring a partner gives Anthropic vertical control but alienates the others. Building first-party erases the partner ecosystem advantage. Maintaining the multi-partner model preserves optionality but cedes a portion of the customer relationship.

Third, the competitive response from OpenAI, Google, and AWS will need to be infrastructure-level, not feature-level. Matching self-hosted sandboxes and private MCP tunnels at the marketing level is straightforward. Building the partner ecosystem, the gateway architecture, and the security review patterns that make enterprise compliance teams actually approve a deployment is a much longer cycle. Anthropic has a multi-quarter head start on that work, and the head start matters.

What are the key takeaways from Anthropic’s self-hosted sandboxes and MCP tunnels launch for enterprise agent buyers, infrastructure leaders, and competing platforms?

  • Anthropic has formally separated the agent orchestration layer from the tool execution layer, allowing enterprises to keep code execution, files, and packages inside their own infrastructure while the agent loop continues to run on Anthropic’s servers.
  • Self-hosted sandboxes are in public beta on the Claude Platform; MCP tunnels remain in research preview with access by request, which means enterprise procurement teams should treat the latter as pre-production for now.
  • The four launch sandbox partners, Cloudflare, Daytona, Modal, and Vercel, each gain a meaningful distribution lift through Managed Agents, with reference customers including Amplitude, Clay, DoorDash, and Rogo.
  • The release directly addresses the compliance bottleneck that has been the single largest obstacle to enterprise agent deployment, but does not constitute a full on-premise option because orchestration metadata still flows through Anthropic.
  • MCP tunnels eliminate the need to expose private MCP servers to the public internet, which removes one of the most common security-review blocking objections raised against MCP-based integration.
  • The launch is supported in both Managed Agents and the Messages API, which broadens its addressable surface beyond agentic workloads alone.
  • Notable current gaps include lack of self-hosted sandbox support on Claude Platform on AWS and lack of Memory support in self-hosted sessions, both of which will constrain specific enterprise use cases until resolved.
  • Competing platforms from OpenAI, Google, and AWS will need to respond at the architectural and partner-ecosystem level rather than the feature level, and Anthropic has a multi-quarter lead on that work.
  • The architectural separation Anthropic has chosen creates meaningful switching costs for enterprises that build around it, which is a deliberate lock-in mechanism dressed as deployment flexibility.
  • The Code with Claude London event itself signals an explicit European enterprise push, with regulated industries on the continent representing some of the most attractive long-term agent buyers.
