Claude Managed Agents opens up self-hosted sandboxes and an encrypted MCP channel: Anthropic wants to bring the execution environment into the enterprise intranet

Anthropic announced on the 19th that Claude Managed Agents has added two enterprise features: self-hosted sandboxes and an MCP tunnel. The former moves tool execution from Anthropic's cloud to the customer's own infrastructure; the latter provides an end-to-end encrypted connection for AI agents without exposing firewall ports externally.

The move contrasts with the mainstream enterprise strategies of OpenAI and Google.

Most enterprise plans from those two vendors require tools, data, or execution environments to be hosted in the vendor’s cloud; Anthropic instead adopts a reverse architecture of “orchestrate on our side, execute on the customer’s side.”

Sandbox goes outward: four partners each focus on different aspects

A “sandbox” is an isolated environment for AI agents to run tools. Imagine a virtual workspace that resets after each task, preventing the agent’s actions from affecting external systems or leaking sensitive data. Previously, this workspace was managed by Anthropic; now, control is handed back to the enterprise.

The architecture is clearly divided: Anthropic continues to handle the agent loop — that is, orchestration, context management, error recovery — the “brain” functions, while the actual tool execution moves to the customer’s own infrastructure.

Four partners each address different enterprise needs:

Cloudflare emphasizes lightweight and zero-trust security. Its solution uses microVMs combined with lightweight isolation (think of it as a lighter alternative to containers), supporting zero-trust credential injection (secrets are not stored on disk), auditable and modifiable outbound traffic, and connectivity to Cloudflare’s internal network.

Daytona positions itself as a “full-featured composable computer,” emphasizing long-running stateful execution: agents can pause and resume from their original state, so an interrupted task does not lose its progress. It supports SSH connections and preview URLs, which suits workflows that require manual review of intermediate results.

Modal is designed for AI workloads: its sandboxes share the same infrastructure as its existing functions, storage, and networking, achieve sub-second startup times, and are claimed to scale to hundreds of thousands of concurrent sandboxes. It supports on-demand CPU and GPU billing, which suits large-scale parallel inference or training scenarios.

Vercel emphasizes isolation and keeping data from landing locally. Its sandbox uses VM-level security isolation, combined with VPC peering (virtual private cloud peering, which lets two private networks connect directly without crossing the public internet) and a “bring your own cloud” option, with millisecond startup times. The key design point: credentials are injected at the network boundary by the firewall and never enter the sandbox itself.
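The boundary credential injection described above, as an added sketch that is not code from Anthropic or any of the four partners. The `Upstream` API, the `Boundary` egress proxy, the `/tickets` path and the token value are all constructed for illustration.

```python
import http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = "constructed-token"  # constructed sample; held only by the boundary

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # silence per-request logging

class Upstream(Quiet):
    # Stand-in for the private API the tool calls (hypothetical).
    def do_GET(self):
        ok = self.headers.get("Authorization") == f"Bearer {SECRET}"
        self.send_response(200 if ok else 401)
        self.end_headers()

class Boundary(Quiet):
    # Egress proxy at the sandbox's network edge (hypothetical).
    upstream_port = None
    def do_GET(self):
        c = http.client.HTTPConnection("127.0.0.1", self.upstream_port)
        # Ignore any Authorization the sandbox sent; attach the real one here.
        c.request("GET", self.path, headers={"Authorization": f"Bearer {SECRET}"})
        status = c.getresponse().status
        c.close()
        self.send_response(status)
        self.end_headers()

def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def sandbox_call(port):
    # Code inside the sandbox: it holds no credential at all.
    c = http.client.HTTPConnection("127.0.0.1", port)
    c.request("GET", "/tickets")
    status = c.getresponse().status
    c.close()
    return status

def run_demo():
    up = serve(Upstream)
    Boundary.upstream_port = up.server_port
    edge = serve(Boundary)
    result = {"via_boundary": sandbox_call(edge.server_port),
              "direct": sandbox_call(up.server_port)}
    for srv in (edge, up):
        srv.shutdown(); srv.server_close()
    return result

if __name__ == "__main__":
    print(run_demo())
```

The sandbox-side function succeeds only when its traffic passes through the boundary, so a compromised tool process has no token to read from memory, disk or environment.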

MCP tunnel: unlocking the biggest hurdle for enterprise AI deployment

MCP (Model Context Protocol) is a standard interface for AI agents to connect to external tools and data. The problem is: the most valuable enterprise systems — internal databases, private APIs, knowledge bases, ticketing systems — are almost all behind firewalls and not exposed externally.

This creates a paradox: for agents to be truly useful, they must connect to these private systems; but to do so, enterprises must open inbound firewall rules or set up public endpoints, which security teams cannot accept.

The MCP tunnel directly resolves this deadlock. Enterprises deploy a lightweight gateway inside their private network, which establishes a single outbound connection from inside to outside rather than waiting for inbound connections. This means no inbound firewall rules and no public endpoints, with full end-to-end encryption.

For security teams, this architecture is similar to a VPN reverse proxy: connections are initiated from inside, so external parties cannot initiate connections to internal systems. The agent accesses private MCP servers through this tunnel, effectively enabling internal system access within a compliant framework.
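The connection direction described above, as an added loopback sketch that is not Anthropic's gateway or protocol. The relay, the `gateway` function and the stand-in MCP server are hypothetical, the request is constructed, and the encryption layer is left out to keep the focus on who dials whom.

```python
import json, socket, threading

def private_mcp_server(request):
    # Stand-in for an internal MCP server; only the gateway can call it.
    return {"jsonrpc": "2.0", "id": request["id"],
            "result": {"handled": request["method"]}}

def gateway(relay_addr, info):
    # Inside the private network: dials OUT to the relay and never listens.
    with socket.create_connection(relay_addr) as conn:
        info["gateway_local"] = conn.getsockname()
        info["ready"].set()
        reader, writer = conn.makefile("r"), conn.makefile("w")
        for line in reader:  # requests arrive over the connection we opened
            reply = private_mcp_server(json.loads(line))
            writer.write(json.dumps(reply) + "\n")
            writer.flush()

def run_demo():
    relay = socket.socket()  # outside side: the only listening socket
    relay.bind(("127.0.0.1", 0))
    relay.listen(1)
    info = {"ready": threading.Event()}
    threading.Thread(target=gateway, args=(relay.getsockname(), info),
                     daemon=True).start()
    conn, peer = relay.accept()  # tunnel exists only after the gateway dials out
    info["ready"].wait(5)
    reader, writer = conn.makefile("r"), conn.makefile("w")
    # Constructed request; "tools/list" is a standard MCP method.
    request = {"jsonrpc": "2.0", "id": 1, "method": "tools/list"}
    writer.write(json.dumps(request) + "\n")
    writer.flush()
    reply = json.loads(reader.readline())
    conn.close()
    relay.close()
    # True when the tunnel's initiating end is the gateway's own socket.
    return reply, peer == info["gateway_local"]

if __name__ == "__main__":
    print(run_demo())
```

The request travels from outside to inside, yet the private side never binds a port: the firewall only has to permit one outbound flow from the gateway.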

The MCP tunnel supports both Managed Agents and the Messages API, and is centrally managed by organization admins via the Claude Console’s workspace settings, eliminating the need for individual developer configuration.

Why this is more important than it looks

Go back to April this year. On April 8, Anthropic first launched Managed Agents, priced at about $0.08 per hour and positioned as “saving enterprises the time and cost of building their own agent infrastructure.” At the time, outside commentary focused mainly on the pricing model: an hourly fee for agent rental services.

This update reveals a deeper strategic intent: Anthropic aims to compete not just on “who uses Claude,” but on “who controls the architecture of enterprise AI infrastructure.”

Self-hosted sandbox options give enterprises with strict data sovereignty requirements — finance, healthcare, government — a viable option to try. The MCP tunnel solves the most common obstacle for AI agents in enterprise environments: how to connect to those “never open externally” internal systems.

Compute can be outsourced, data cannot. Anthropic chooses to keep data in place and send the agent’s “brain” inside.
