Claude's Managed Agents now run inside your corporate network — sandboxes + MCP tunnels
At 'Code with Claude' in London, Anthropic shipped two security features for Managed Agents. You can now run Claude agents without your code and internal systems ever leaving your network. It looks like the unlock for enterprise adoption.
- Self-hosted Sandboxes — public beta
- MCP Tunnels — research preview
- Announced 2026.05.19
Why another security feature, now?
Claude Managed Agents have been around since last year. But one thing kept holding them back: "you had to put your code and your DB on Anthropic's infrastructure." That's exactly where compliance teams in finance, public sector, and healthcare couldn't sign off.
| | Before May 19 (100% external) | After May 19 (customer control) |
|---|---|---|
| Tool execution | Anthropic infra | Customer infra / in-network |
| Files & repos | All external | Never leave |
| Private MCP | No access | Reachable via tunnel |
| Inbound firewall | Exception needed | No change |
Self-hosted sandboxes — you pick where the tools run
Self-hosted sandboxes are an option that puts the tool execution environment on your own infrastructure. Anthropic still owns orchestration, context management, and recovery logic, but the actual code execution and file reads happen only inside your VMs. It's out in public beta.
Sandbox providers (public beta), 4 providers:
- Cloudflare — microVM + zero-trust secrets
- Daytona — long-running, stateful workloads
- Modal — sub-second cold start
- Vercel — VPC peering + ms startup
Self-hosting is also possible.
In other words, "let Anthropic run the agent smartly, but the hands move inside our network" is now possible. Teams that need a compliance sign-off just pick one of four options.
Sandbox & MCP impact — in numbers
- Run location: Customer (VPC / on-prem)
- Provider options: 4+ (self-hosting included)
- MCP Tunnel stage: RP (research preview)
- Inbound ports: 0 (outbound only)
MCP tunnels are still a research preview, so you have to request access separately. Stage aside, both share the same design: "don't open any inbound ports, use an encrypted outbound channel only." It's a structure security teams can accept easily.
Now you can reach private MCP servers
Until now, MCP could practically only connect to servers sitting on the public internet. Internal wikis, in-house Jira, internal DBs — all blocked. MCP tunnels flip that.
How it works:
- Stand up one lightweight gateway inside your network — single outbound encrypted connection only
- Anthropic's infra reaches in only through that gateway — no inbound firewall rule needed
- Managed per workspace from the Claude Console — org admin toggles it
- Not GA yet — access request required (research preview state)
How regulated teams will read this
This looks like the first announcement that lets finance, gaming, and enterprise teams blocked by a "no code leaves the building" policy actually put a Managed Agents pilot up for internal approval.
- Rule 1 — Sensitive data stays in the sandbox; only external APIs go to Anthropic. The data boundary is enforced in code.
- Rule 2 — MCP tunnels are waiting on GA. In the meantime, even running a sandbox-only PoC is worthwhile.
"Orchestration on Anthropic, the hands inside our network. A design enterprises can accept easily."
— Eddy · announcement notes
The real takeaway is "now there's a picture compliance teams can actually sign off on." How fast it reaches GA is the next thing to watch.
Sources & References
Official announcement
- claude.com/blog — New in Claude Managed Agents (2026.05.19)
- anthropic.com/news — Code with Claude London
Coverage
- The New Stack — MCP tunnels & self-hosted sandboxes
- InfoQ — MCP tunnels for private agent access
- The Decoder — Sandboxes + MCP tunnels
Disclaimer: A summary of an external announcement. Not a hands-on review. No ads, no affiliates.
Original with full infographics and visual structure: https://jessinvestment.com/claudes-managed-agents-now-run-inside-your-corporate-network/
