Claude Managed Agents Now Run Tool Execution on Your Own Infrastructure

Anthropic splits agent orchestration from tool execution, letting enterprises run agent 'hands' in their own sandboxes while Claude's 'brain' stays on Anthropic.

The single biggest obstacle to deploying AI agents inside a regulated enterprise is not model quality. It is the question of where the agent actually runs. If the execution environment touches external infrastructure, the conversation with the security and compliance team tends to end quickly.

Anthropic has taken a direct shot at that problem. Announced at its Code with Claude developer conference in London on 19 May 2026, two new features for Claude Managed Agents let organisations keep tool execution inside their own perimeter, and connect agents to internal systems without opening those systems to the internet.

The core idea: separating the brain from the hands

Anthropic itself describes it this way: the agent logic stays with Anthropic (the brain), and the execution layer moves to wherever you need it (the hands).

In practice, Claude’s orchestration loop, the part that manages context, decides what tools to call, handles errors, and maintains the conversation state, continues to run on Anthropic’s infrastructure. What changes is where those tool calls actually execute. With self-hosted sandboxes, that execution happens on compute you control.

It is a meaningful architectural distinction. The agent can read your files, run your code, and call your services without those operations ever leaving your environment.

Self-hosted sandboxes

Self-hosted sandboxes are now in public beta and available to all Claude for Work and API customers. You can configure them in the Claude Console under Settings → Managed Agents → Sandboxes.

You run an environment worker process on your own infrastructure. When a Managed Agents session is assigned to your sandbox, Anthropic’s control plane queues the session and sends tool execution requests to your worker. Those requests run locally. The results flow back to Anthropic so the model can see what happened and decide what to do next. Tool inputs and outputs still pass through Anthropic’s control plane, which is the limitation worth being honest about: this is not a fully air-gapped deployment.

If you would rather not manage the infrastructure yourself, four managed providers are supported out of the box:

  • Cloudflare for microVM isolation and zero-trust networking
  • Daytona for long-running stateful environments accessible over SSH
  • Modal for AI workloads that need scalable CPU and GPU allocation
  • Vercel for sandbox isolation combined with VPC peering and credential injection

Cloudflare, Modal, and Vercel are one-click configurations in the Console. Daytona and custom clients require manual setup of the endpoint and authentication token. You also control resource sizing and the runtime image, so agents doing heavy compute work like long builds or image generation get the capacity they actually need.

One thing to note: self-hosted sandboxes are not yet available on the Claude Platform on AWS, and Memory is not supported in self-hosted sessions yet.

MCP tunnels

The second feature, MCP tunnels, is in research preview. You need to request access, and Anthropic is rolling it out to organisations in regulated industries first, with general availability expected in the coming months.

The problem MCP tunnels solve is straightforward. Your internal databases, private APIs, knowledge bases, and ticketing systems are not on the public internet, and should not be. But if an agent cannot reach them, its usefulness drops considerably.

MCP tunnels let a Claude agent call an MCP server sitting inside your private network without you having to expose that server publicly. A lightweight gateway process runs inside your network and makes a single outbound connection to Anthropic’s tunnel infrastructure. No inbound firewall rules are needed. No public endpoints are created.

The security setup is worth understanding. Traffic is encrypted end-to-end using mutual TLS. Anthropic adds its own encryption layer on top of that. Cloudflare operates the transport layer but cannot read request or response payloads. Your team holds the inner TLS certificate.

MCP tunnels work with both Managed Agents and the Messages API. For Managed Agents, a tunnelled server appears in the agent’s tool list exactly like a public MCP server. For the Messages API, you reference it by tunnel ID in the tool configuration. Organisation admins manage tunnels from workspace settings in the Claude Console.

What this means in practice

A few real deployments give a sense of where this is heading. Rogo, an AI platform for institutional finance, is building an analyst agent using Managed Agents for reasoning and Vercel for secure data handling. Clay’s engineering agent, Sculptor, uses Daytona for building and monitoring workflows. DoorDash is building an internal productivity agent on Modal. Amplitude is using Managed Agents with Cloudflare for a design agent producing production UI and marketing assets, with tighter observability than a fully external setup would allow.

These are not toy use cases. They are exactly the kind of agents that have historically stalled in procurement and security review.

What to keep in mind

Self-hosted sandboxes and MCP tunnels are independent features. A session running in Anthropic’s cloud sandboxes can still reach private MCP servers through a tunnel. A self-hosted session can use either tunnelled or public MCP servers. Neither feature requires changes to existing Managed Agents integrations.

The honest caveat: if your compliance requirement is that absolutely nothing touches external infrastructure, this does not fully satisfy it. Orchestration metadata still flows through Anthropic. Anthropic is transparent about this, describing the split explicitly rather than overstating what self-hosted means here.

For the majority of enterprise deployments where the concern is about execution environment security and internal data access rather than total isolation, these two features remove what has been the most common blocker. That is a practical step forward, even if it is not the last one.

Claude Managed Agents itself only launched in April 2026. The pace of follow-on features suggests Anthropic is treating the enterprise deployment story as a priority right now, not a future roadmap item.