Anthropic on May 19, 2026 announced two additions to Claude Managed Agents, its hosted infrastructure for long-running agentic sessions: self-hosted sandboxes, released in public beta, and MCP (Model Context Protocol) tunnels, released as a research preview. <cite index="9-11">The features were unveiled at the company's Code with Claude event in London</cite>, Anthropic's first developer conference held outside the United States.
The release addresses an enterprise pain point in deploying autonomous AI (Artificial Intelligence) agents: <cite index="3-5">organizations want to use autonomous agents but cannot allow execution environments or internal systems to leave their security perimeter</cite>.
Self-hosted sandboxes
With the new sandbox option, <cite index="2-3,2-4">customers keep sensitive files, packages, and services in their own infrastructure or with a managed sandbox provider, while the agent loop that handles orchestration, context management, and error recovery stays on Anthropic's infrastructure and tool execution moves to the customer's configured environment</cite>. Anthropic notes that <cite index="2-5,2-6">inside the customer perimeter, network policies, audit logging, and security tooling are already in place, and files and repositories don't leave; customers also control compute, with resource sizing and the runtime image set on their side</cite>.
Supported managed providers at launch include Cloudflare, Daytona, Modal, and Vercel. <cite index="3-7,3-8">Daytona offers long-running, stateful environments accessible over SSH or preview URLs; Modal emphasizes AI-focused workloads with scalable CPU (Central Processing Unit) and GPU (Graphics Processing Unit) allocation; and Vercel combines sandbox isolation with VPC (Virtual Private Cloud) peering and credential injection at the network boundary</cite>. Anthropic cited two early customers: <cite index="2-9">Rogo, an AI platform for institutional finance, is building an analyst agent on Managed Agents and Vercel Sandbox</cite>, and <cite index="2-30">Clay's GTM engineering agent, Sculptor, builds, tests, and monitors workflows autonomously on Managed Agents and Daytona</cite>.
The split deployment retains limits. <cite index="1-18">A fully on-premise deployment of the agents isn't possible</cite>, and <cite index="9-20">self-hosted sandboxes are not yet available on the Claude Platform on AWS, and Memory is not yet supported in self-hosted sessions</cite>.
MCP tunnels
The second feature targets connectivity to internal systems. <cite index="2-10,2-11,2-12">With MCP tunnels, agents reach MCP servers inside a private network without exposing them to the public internet; internal databases, private APIs, knowledge bases, and ticketing systems become tools agents can call through a lightweight gateway deployed by the customer that makes a single outbound connection, with no inbound firewall rules, no public endpoints, and traffic encrypted end to end</cite>.
<cite index="2-13,2-14">MCP tunnels is supported in Managed Agents and the Messages API, and is managed from workspace settings within the Claude Console by organization admins</cite>. Access is gated: <cite index="9-30,9-31,9-32">MCP tunnels are in research preview, not public beta; users must request access, and the documentation uses explicit "as-is" language</cite>.
Context
<cite index="4-11">Claude Managed Agents was launched on April 8</cite>, 2026, and the new features extend that platform rather than replace it. Anthropic frames the architecture as a separation of concerns between agent orchestration and execution. <cite index="8-4,8-5,8-6">Anthropic isn't the only model provider making this bet; OpenAI added local execution to its Agents SDK in April in response to similar demand, though the architectural distinction Anthropic draws is a split where the agent loop runs on Anthropic's infrastructure while tool execution runs on the enterprise's own system</cite>.