Claude Managed Agents adds self-hosted sandboxes and MCP tunnels for private networks
Anthropic added self-hosted sandboxes in public beta and MCP tunnels in research preview to Claude Managed Agents. Use the new options to keep agent execution inside your perimeter or private cloud and reach internal MCP servers without public exposure.

TL;DR
- Anthropic added two perimeter-focused features to Claude Managed Agents: self-hosted sandboxes are in public beta, while MCP tunnels are in research preview, according to claudeai's launch thread and the MCP tunnels announcement.
- Self-hosted sandboxes move tool execution into infrastructure you control, either on your own systems or with supported providers including Cloudflare, Daytona, Modal, and Vercel, as claudeai's sandbox post and ClaudeDevs' security update put it.
- MCP tunnels let agents reach private MCP servers through the company network without opening those servers to the public internet, per claudeai's tunnels post.
- The architecture split is the interesting part: Anthropic keeps the agent loop, session state, and recovery, while partners host the execution environment, a division that Modal's breakdown describes directly and testingcatalog's architecture screenshot visualizes.
- Anthropic also shipped two quieter Managed Agents changes: ClaudeDevs' product update says live sessions can now swap tools, MCP servers, or vault IDs without a restart, and MCP outputs above 100,000 tokens now spill into sandbox files.
Anthropic published an official launch post, self-hosted sandbox docs, a cookbook repo, and a bundled claude-api skill. Partners filled in the implementation details on their own surfaces, including Cloudflare's guide, Modal's launch post, Vercel's changelog, and Daytona's docs.
Self-hosted sandboxes
Anthropic's headline change is simple: the agent can keep using Claude Managed Agents' orchestration layer while running its tool calls inside a sandbox that sits in your own perimeter.
The official wording stays broad, but the rollout makes the target buyer obvious. Anthropic keeps talking about sensitive files, packages, and services staying inside infrastructure the customer controls, while AlphaSignalAI's summary frames the problem as execution-layer failures, not model quality.
The support matrix Anthropic named on day one was:
- Cloudflare
- Daytona
- Modal
- Vercel
- Your own infrastructure
That partner list also showed up in the new cookbooks repo, which ClaudeDevs' cookbook post said now includes onboarding examples for Cloudflare, Daytona, Docker, Modal, and Vercel.
MCP tunnels
MCP tunnels solve a narrower problem. They give Claude-managed agents a path to MCP servers inside a private network without exposing those servers to the public internet.
Anthropic put MCP tunnels in research preview, not beta, which is a useful signal about maturity. The feature is aimed at internal tool access, while self-hosted sandboxes are aimed at where code actually runs.
That separation matters because the two features cover different trust boundaries:
- Self-hosted sandboxes decide where tool execution happens.
- MCP tunnels decide how the agent reaches private services.
- Together they keep both execution and service access inside the company perimeter.
Execution split
The strongest architecture clue came from launch-day partner posts. Modal's breakdown said Managed Agents splits the agent loop from the sandbox: Anthropic runs the loop, manages session state, and handles recovery, while the partner provides the execution environment.
That model explains why Anthropic can add security controls without turning Managed Agents into a pure self-hosted product. The orchestration plane stays with Anthropic. The risky, tool-calling part moves outward.
Sandbox providers
The partner posts are where the product gets concrete.
Across launch-day materials, the provider menu looked like this:
- Cloudflare offers either a full Linux container or a lighter-weight isolate, plus configurable network proxies, a headless browser, and even a dedicated email address, according to RLanceMartin's Cloudflare summary.
- Daytona gives each session its own sandbox, with mounted resources such as GitHub repos and customizable snapshots, per RLanceMartin's Daytona note.
- Modal emphasized custom images, secure networking primitives, and scale to 100,000-plus concurrent sandboxes, according to Modal's breakdown and RLanceMartin's Modal summary.
- Vercel said sessions run on the same Firecracker microVM architecture behind more than 1 billion deployments, with millisecond start times and firewall-brokered credentials, per vercel_dev's launch post.
The common pattern is that Anthropic is standardizing the agent loop while letting the execution layer inherit each provider's networking, isolation, and runtime model.
Live session swaps and large outputs
Anthropic slipped in two non-security changes the same day, and they are probably the most operationally useful details in the whole bundle.
First, live sessions can now swap tools, MCP servers, or vault IDs without restarting. Second, MCP tool outputs above 100,000 tokens are automatically offloaded into sandbox files.
Those are boring product notes, but they change how long-running agent sessions behave:
- Tooling can be reconfigured in place.
- Large MCP responses stop flooding the main context window.
- The new features ship alongside a refreshed claude-api skill, which RLanceMartin's Claude Code note said can be invoked from Claude Code with /claude-api to help onboard teams onto self-hosted sandboxes.