Claude Managed Agents Adds Self‑Hosted Sandbox and MCP Tunnel for Enterprise‑Grade Security
Anthropic’s Claude Managed Agents now offers a self‑hosted sandbox and a Model Context Protocol (MCP) tunnel, letting enterprises keep authentication credentials at the network edge, run tool execution on their own infrastructure, and securely connect to internal APIs without exposing keys.
In production environments, AI agents that invoke tools must carry authentication tokens, creating a risk comparable to giving a robot the keys to a front door; if the agent is compromised, the credentials can be exposed, discouraging integration with internal APIs and databases.
Anthropic addresses this risk with two mechanisms: a self‑hosted sandbox and a Model Context Protocol (MCP) tunnel, both designed to keep credential control at the network perimeter.
Self‑hosted sandbox
The sandbox separates the agent’s control layer (orchestration, context management and error recovery, running in Anthropic’s cloud) from the execution layer, which performs tool calls on the enterprise’s own infrastructure. Because tool execution happens locally, the agent never holds the credentials that unlock those tools.
According to Anthropic, this split design works with existing security and compliance tooling, allowing organizations to continue monitoring tool invocations, auditing access logs, and keeping sensitive files and code repositories entirely within their boundary. Enterprises also provision compute resources (CPU, memory, GPU) that match workload demands, enabling long‑running builds or image‑generation tasks with appropriate capacity.
Cloudflare provides micro‑VMs and lightweight isolation for large‑scale sandboxes; outbound requests are controlled by the enterprise, zero‑trust key injection is supported, and the Cloudflare network can connect to internal services. Amplitude uses this for internal agent design.
Daytona offers a composable long‑state compute environment that handles both short and long tasks, provides SSH access during a session, and can pause and resume with full state preservation. Clay uses it for its GTM workflow automation agent.
Modal is tailored for AI workloads, integrating seamlessly with its functions, storage, and networking components; containers start in under a second and can scale to hundreds of thousands of concurrent sandboxes, with on‑demand CPU and GPU allocation.
Vercel’s sandbox has been adopted by Rogo for a financial‑analysis agent, enhancing the security of proprietary data handling.
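To make the control/execution split concrete, here is an added example (not Anthropic's code, nor any of the providers' above) of what an enterprise-side execution layer has to enforce: tool calls arrive from the control layer carrying no credentials, are checked against a tool and egress allowlist, get the secret injected at the edge, are audited, and have the secret scrubbed before the result re-enters the agent's context. The policy format, the ExecutionLayer class and the fake_internal_api backend are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlparse

# Constructed policy (not Anthropic's format): allowed tools, the one internal host
# each may reach, and the name of the secret the execution layer injects for it.
TOOL_POLICY = {
    "tickets.search": {"host": "tickets.internal.example", "secret": "TICKETS_TOKEN"},
    "kb.lookup": {"host": "kb.internal.example", "secret": "KB_TOKEN"},
}

@dataclass
class ExecutionLayer:
    """Stand-in for the enterprise-side execution layer: it alone holds the secrets."""
    secrets: dict                         # loaded from a local vault/env, never sent to the agent
    backend: Callable[[str, dict], str]   # hypothetical outbound HTTP call, stubbed below
    audit_log: list = field(default_factory=list)

    def execute(self, request: dict) -> dict:
        """Handle one tool call sent by the control layer. The request carries no secrets."""
        tool = request.get("tool")
        if any(k in request for k in ("authorization", "token", "api_key")):
            return self._deny(tool, "credentials supplied by control layer")
        policy = TOOL_POLICY.get(tool)
        if policy is None:
            return self._deny(tool, "tool not allowlisted")
        host = urlparse(request.get("url", "")).hostname
        if host != policy["host"]:
            return self._deny(tool, f"egress to {host} not permitted")
        secret = self.secrets[policy["secret"]]
        # Zero-trust key injection: the credential is attached here, at the edge.
        raw = self.backend(request["url"], {"Authorization": f"Bearer {secret}"})
        self.audit_log.append({"tool": tool, "host": host, "outcome": "allowed"})
        # Scrub the secret before anything goes back into the agent's context.
        return {"ok": True, "result": raw.replace(secret, "[REDACTED]")}

    def _deny(self, tool, reason: str) -> dict:
        self.audit_log.append({"tool": tool, "outcome": f"denied: {reason}"})
        return {"ok": False, "error": reason}

def fake_internal_api(url: str, headers: dict) -> str:
    """Constructed backend that, like a careless debug endpoint, echoes its auth header."""
    return f"200 {url} auth={headers.get('Authorization')}"

def build_demo() -> ExecutionLayer:
    # Constructed sample secrets; a real deployment would read them from a vault.
    return ExecutionLayer(secrets={"TICKETS_TOKEN": "tkt-s3cr3t", "KB_TOKEN": "kb-s3cr3t"},
                          backend=fake_internal_api)
```

The audit log is what the enterprise's existing monitoring would ingest; every denied call, including an agent that tries to supply its own token, leaves a record.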
Model Context Protocol (MCP) tunnel
The MCP tunnel establishes a lightweight, outbound-only connection from the enterprise network that makes a private MCP server reachable by the agent. Credentials never pass through the agent’s context, yet internal databases, private APIs, knowledge bases and ticketing systems become callable tools.
The connection is initiated from inside the network, requires no inbound firewall rules, remains end‑to‑end encrypted, and is managed by organization administrators through the Claude Console, providing clearer permission controls.
Comparison with other approaches
OpenAI’s Agents SDK added local execution in April, but Anthropic’s architecture separates the agent’s “brain” (control layer) from its “hands” (execution layer) more radically, making the design distinct from existing sandbox solutions.
Implications for orchestration teams
Decoupling where tools run (sandbox) from how they reach internal resources (MCP tunnel) gives enterprises fine‑grained workflow control: different tools can be assigned to different environments, permissions can be separated, and failures are isolated to the affected component.
The self‑hosted sandbox is currently in public beta; the MCP tunnel is in a research preview that requires an access request. Organizations already using Claude can migrate tool execution to their own infrastructure via the sandbox and evaluate the MCP tunnel for secure internal connectivity.
Documentation: https://platform.claude.com/docs/en/managed-agents/self-hosted-sandboxes