Anthropic launches self-hosted sandboxes and MCP tunnels for Claude Managed Agents

Anthropic on May 19, 2026 launched two infrastructure features for Claude Managed Agents: self-hosted sandboxes and MCP tunnels. Both are in research preview and address enterprise concerns about data residency and private network connectivity that have been barriers to adopting Managed Agents in production.

What's new

Self-hosted sandboxes let teams run agent tool execution inside their own infrastructure rather than Anthropic's cloud sandboxes. The orchestration layer — where Claude reasons and decides what to do — stays on Anthropic's side, but the code execution, file access, and network calls happen within the customer's perimeter. This matters for workloads involving sensitive data that cannot leave a regulated environment. On May 29, 2026, Anthropic also made self-hosted sandboxes available on Claude Platform on AWS, alongside webhooks and multiagent orchestration parity.

MCP tunnels allow Managed Agent sessions to reach MCP servers running in a private network without exposing them to the public internet. MCP tunnels route through Anthropic's infrastructure, providing a controlled channel for internal tools — databases, internal APIs, code repositories — that cannot be deployed as public endpoints. The feature is independent of self-hosted sandboxes: a session running in Anthropic's cloud can still reach private MCP servers through a tunnel.

Other Managed Agents updates from the same release:

• With Claude Managed Agents, you can now update an agent's MCP server and tool configurations during an active session.
• Large tool outputs exceeding 100K tokens are automatically spilled to a file in the sandbox. The model receives a truncated preview with the file path and can read the full content directly.

Context

Claude Managed Agents launched on April 8, 2026 as a fully managed agent harness with secure sandboxing, built-in tools, and server-sent event streaming. Multiagent orchestration (where one agent spawns and coordinates subordinate sessions) and webhooks reached public beta on May 6. Memory for Managed Agents entered public beta on April 23.

Platform-specific self-hosted sandbox guides are available from Cloudflare, Daytona, Modal, and Vercel.

Why it matters

Self-hosted sandboxes change the enterprise adoption calculus for Managed Agents. Until this release, using Managed Agents meant accepting that tool execution — the bash calls, file reads, and network connections the agent makes — runs on Anthropic's cloud. For a financial services firm or healthcare organization with strict data-handling requirements, that's a hard constraint. Self-hosted sandboxes split the trust boundary: Anthropic keeps the model reasoning side, the customer keeps the execution side.

MCP tunnels address a parallel problem: many organizations have internal tools that will never be public endpoints. Without tunnels, teams had to either expose internal services publicly (a security concern) or forgo MCP-based tool integrations for Managed Agents. Tunnels remove that trade-off.

Together, the two features position Managed Agents as viable for regulated industries and security-conscious organizations that have been waiting for a clear path to keep sensitive operations within their own infrastructure.