Anthropic shipped two changes to Claude Managed Agents on May 19 that move agent execution off Anthropic's servers and into customer infrastructure: self-hosted sandboxes (public beta) and private MCP tunnels (research preview). The orchestration loop still runs on Anthropic, but tool calls, file reads, and database lookups now happen on networks the customer controls.
Try it: wire Claude to your own sandbox in 30 minutes
Pull the claude-cookbooks self-hosted sandboxes recipe, pick a provider that matches how you already deploy (Cloudflare Workers if you want microVMs with secrets injection, Modal if you need GPU bursts for image or video generation, Vercel if your stack is already on it, Daytona if you want SSH-accessible long-running boxes), and point the Messages API at that sandbox URL. Your agent's Python or Bash tool then runs inside your VPC, not on Anthropic infra. For MCP tunnels you deploy a small outbound gateway and request preview access; no inbound firewall holes required.
Why it matters
This is a posture shift, not a feature. Until today, the practical answer to "can I let Claude touch our private database" was "open a public endpoint with auth on top, or don't bother." Self-hosted sandboxes mean the working file, the rendered video, and the temp directory full of API keys never leave your network. Combined with MCP tunnels, this removes the last enterprise blocker for shipping autonomous agents on top of internal data, while keeping Anthropic responsible for the planning loop. Independent coverage from InfoQ frames it the same way: control is the product.
Key details
Self-hosted sandboxes are documented in the Claude platform docs and ship with four launch partners. Cloudflare offers microVM sandboxes with zero-trust secret injection and customizable egress proxies. Daytona runs full composable computers reachable over SSH or authenticated preview URLs. Modal delivers sub-second startup, GPU and CPU on demand, and scales to hundreds of thousands of concurrent sandboxes. Vercel adds VPC peering, millisecond startup, and credential injection at the network boundary. MCP tunnels, documented separately, push end-to-end encrypted traffic through a single outbound gateway so internal databases, ticketing systems, and private knowledge bases become reachable to agents without public endpoints. The New Stack notes that both features debuted at Code with Claude in London.
What to do next
If you already run agents through the Messages API, swap one tool-execution path to a self-hosted sandbox on your current cloud and measure latency and cost against the default hosted sandbox. If you have an internal MCP server gated behind a VPN today, request MCP tunnel preview access so you can stop maintaining the VPN bridge. If you publish creator tools, the same plumbing now lets you offer "bring your own infra" deployments where customer files never round-trip through Anthropic.