News | May 19, 2026

Anthropic Ships Self-Hosted Sandboxes and MCP Tunnels for Claude Managed Agents

At Code with Claude London, Anthropic moved the agent tool-execution boundary inside the customer perimeter — self-hosted sandboxes in public beta, MCP tunnels in research preview. For enterprises that have been blocked by 'where does the agent actually run code and reach our systems?', the answer just got cleaner.

Source: Anthropic

[Image: Blue circular Claude orchestrator on the left linked to an orange customer-controlled vault on the right via an encrypted tunnel with a central lock symbol]
CrateOS monitoring note: the boundary that just moved is the one most enterprise deployments stall on. Where tool code runs, and how that code reaches WMS / ERP / OMS without opening inbound firewall holes, is the part that takes months to negotiate. Anthropic is shrinking that to a configuration choice.

On May 19, at its Code with Claude London event, Anthropic shipped two updates to Claude Managed Agents aimed squarely at enterprise blockers. Self-hosted sandboxes — now in public beta — let companies run tool execution on their own infrastructure or through managed providers like Cloudflare, Daytona, Modal, and Vercel, while Anthropic continues to host the orchestration loop, context management, and error recovery. Compute sizing and runtime images are set on the customer side, so long builds, image generation, or heavy data work get the CPU and memory the workload actually needs. The second feature, MCP tunnels (research preview), lets agents reach internal Model Context Protocol servers via a single outbound encrypted gateway — no inbound firewall rules, no public endpoints, end-to-end encryption. MCP tunnels are supported in Managed Agents and the Messages API.

For supply chain and operations teams, this is the boundary that mattered. The standard objection to letting a vendor-managed agent touch a warehouse system has been "we are not opening an inbound path from Anthropic into our network" — a defensible position that historically forced either a proxy build-out or a no-go. An outbound-only tunnel plus customer-side tool execution removes the architectural objection without forcing the data graph into a third party. The remaining work — identity, audit, kill switches, policy on which agents reach which systems — is still operator work. But the room where that conversation happens just shifted from "should we" to "how do we." For anyone running a Claude-based agent program, request access to MCP tunnels and start the security-review conversation now; the integration patterns will set quickly once a few enterprises ship.
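The operator-side controls named above (identity, policy on which agents reach which systems, kill switches, audit) can be sketched as a deny-by-default gate placed in front of internal MCP servers. This is an added example, not Anthropic's or CrateOS's code; the agent, system and tool names and the `Gate` class are hypothetical.

```python
import json
import time
from dataclasses import dataclass, field

# Hypothetical policy: agent identity -> internal system -> allowed tool names.
# Anything not listed here is denied (deny by default).
POLICY = {
    "replenishment-agent": {"wms": {"get_inventory", "create_transfer"}},
    "billing-agent": {"erp": {"get_invoice"}},
}

@dataclass
class Gate:
    policy: dict
    killed_agents: set = field(default_factory=set)  # per-agent kill switch
    global_kill: bool = False                        # stops every agent at once
    audit_log: list = field(default_factory=list)    # append-only decision records

    def authorize(self, agent: str, system: str, tool: str) -> bool:
        """Decide one tool call and record the decision, allowed or denied."""
        if self.global_kill:
            allowed, reason = False, "global_kill"
        elif agent in self.killed_agents:
            allowed, reason = False, "agent_killed"
        elif tool in self.policy.get(agent, {}).get(system, set()):
            allowed, reason = True, "policy_allow"
        else:
            allowed, reason = False, "not_in_policy"
        self.audit_log.append(json.dumps({
            "ts": time.time(), "agent": agent, "system": system,
            "tool": tool, "allowed": allowed, "reason": reason,
        }, sort_keys=True))
        return allowed

def demo() -> tuple:
    """Run constructed sample requests through the gate."""
    gate = Gate(POLICY)
    decisions = [
        gate.authorize("replenishment-agent", "wms", "get_inventory"),  # listed
        gate.authorize("replenishment-agent", "erp", "get_invoice"),    # wrong system
        gate.authorize("unknown-agent", "wms", "get_inventory"),        # unknown identity
    ]
    gate.killed_agents.add("replenishment-agent")  # operator pulls the switch
    decisions.append(gate.authorize("replenishment-agent", "wms", "get_inventory"))
    return decisions, gate.audit_log

if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    print("\n".join(log))
```

Kill switches are checked before the allowlist, so a revoked agent is stopped even when its policy entry still exists, and denials are logged alongside approvals.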
