Claude Managed Agents Gains MCP Tunnels and Self-Hosted Sandboxes for Enterprise Privacy
Anthropic added two new security features to Claude Managed Agents on May 19: MCP tunnels for private-network agent connectivity, and self-hosted sandboxes with Cloudflare, Daytona, Modal, and Vercel support.
Anthropic Tightens Enterprise Security for Claude Managed Agents
On May 19, 2026, Anthropic announced two new security and privacy features for Claude Managed Agents: MCP tunnels and self-hosted sandboxes. Both additions are aimed squarely at enterprise customers in regulated industries — finance, healthcare, legal, government — who need AI agents to operate over sensitive internal systems without exposing private infrastructure to the public internet.
Claude Managed Agents, which entered public beta in April 2026, provides a fully managed cloud runtime for long-running AI agent workflows. The new features extend that framework with controls that allow organizations to keep sensitive data and code execution within their own infrastructure perimeter.
Feature Overview
1. MCP Tunnels — Private Network Agent Connectivity
MCP tunnels solve one of the primary adoption blockers for enterprise AI agents: how to let an agent interact with internal systems (databases, private APIs, knowledge bases, ticketing systems) without opening inbound firewall rules or publishing private endpoints to the internet.
The mechanism works through a single outbound connection from the customer's network to Anthropic's infrastructure. This lightweight gateway pattern is well-established in developer tooling — it is the same approach used by services like Cloudflare Tunnel and ngrok — and requires no inbound firewall changes on the customer side.
Key characteristics:
- Routes internal MCP servers through a private network channel
- End-to-end encrypted traffic
- No inbound firewall rules or public endpoint exposure required
- Lightweight gateway that establishes one persistent outbound connection
As of May 19, MCP tunnels are in limited research preview; interested organizations must request access to participate.
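The outbound-only pattern described above, as an added illustration that is not Anthropic's code or protocol: the customer-side gateway dials out once, and requests then travel back over that same connection, so the customer side never opens a listening socket. The message format, the `tickets/count` method and the `private_tool` service are constructed for this sketch, everything runs on loopback, and the encryption and authentication a real tunnel needs are omitted.

```python
import json
import socket
import threading

def private_tool(request: dict) -> dict:
    """Constructed stand-in for an internal service reachable only from the gateway."""
    if request.get("method") == "tickets/count":
        return {"id": request["id"], "result": {"open": 7}}
    return {"id": request.get("id"), "error": "unknown method"}

def gateway(relay_addr):
    """Customer side: connects OUT once, never calls bind/listen/accept."""
    with socket.create_connection(relay_addr) as conn, conn.makefile("rwb") as f:
        for line in f:  # requests arrive over the connection we initiated
            reply = private_tool(json.loads(line))
            f.write(json.dumps(reply).encode() + b"\n")
            f.flush()

def run_demo(requests):
    """Provider side: the only listener. Returns the replies received via the tunnel."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))  # loopback, ephemeral port
        listener.listen(1)
        worker = threading.Thread(
            target=gateway, args=(listener.getsockname(),), daemon=True
        )
        worker.start()
        conn, _ = listener.accept()  # the gateway's outbound connection
        replies = []
        with conn, conn.makefile("rwb") as f:
            for req in requests:
                f.write(json.dumps(req).encode() + b"\n")
                f.flush()
                replies.append(json.loads(f.readline()))
        worker.join(timeout=2)  # gateway exits when the connection closes
        return replies

if __name__ == "__main__":
    print(run_demo([{"id": 1, "method": "tickets/count"}]))
```

Because the only `listen()` call is on the provider side, the customer firewall needs one egress allowance and no inbound rule, which is the property the article attributes to MCP tunnels.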
2. Self-Hosted Sandboxes — Customer-Controlled Code Execution
The second feature addresses a complementary concern: where agent tool execution actually happens. In the standard Claude Managed Agents architecture, both the agent loop (orchestration, context management, error recovery) and tool execution run on Anthropic's infrastructure.
Self-hosted sandboxes split this architecture: Anthropic's infrastructure handles the agent loop, while tool execution moves to the customer's configured environment. Organizations bring their own sandbox provider or use one of four supported integrations:
| Provider | Type |
|---|---|
| Cloudflare | Edge compute sandbox |
| Daytona | Development environment runtime |
| Modal | Serverless GPU/CPU sandbox |
| Vercel | Serverless function sandbox |
Customer-provided sandbox clients are also supported for organizations with existing execution environments.
This split reduces the data surface area on Anthropic's side: sensitive files, proprietary packages, and internal services stay within the customer's environment throughout tool execution. The feature is available in public beta.
3. Architectural Separation as a Compliance Pattern
The combination of MCP tunnels and self-hosted sandboxes creates an end-to-end model where the agent's intelligence (the model itself, the orchestration loop, context management) runs on Anthropic's servers, but all data access and code execution remain within the customer's infrastructure. This architectural pattern is directly aligned with compliance frameworks like SOC 2, HIPAA, and financial data regulations that require customer data not to leave a controlled environment.
Usability Analysis
For enterprise security and compliance teams, the self-hosted sandbox in public beta is immediately actionable. Organizations already using Cloudflare, Modal, or Vercel as compute providers can configure their existing environments as agent execution targets without standing up new infrastructure.
The MCP tunnels feature, while still in limited preview, addresses a blocker that has prevented many internal deployment discussions from proceeding. The single-outbound-connection model is familiar to network engineers and does not require escalated firewall change approvals — a practical advantage in large organizations where security change management is a bottleneck.
For development teams building agent workflows against internal APIs, MCP tunnels effectively remove the need to stage a publicly accessible development environment for testing, reducing security exposure during the build phase as well as in production.
Pros and Cons
Pros:
- MCP tunnels eliminate the need for inbound firewall exceptions — the most common network security objection to internal AI agent deployments
- End-to-end encryption on tunnel traffic meets baseline enterprise security requirements
- Self-hosted sandboxes support four major compute providers and custom clients, covering most existing enterprise environments
- Architectural separation (Anthropic handles orchestration, customer handles execution) maps cleanly to common compliance frameworks
- Self-hosted sandbox is already in public beta, allowing immediate testing without a waitlist
Cons:
- MCP tunnels remain in limited research preview; broad production availability timeline is not yet announced
- The split architecture introduces operational complexity — customers must maintain their own sandbox environments and monitor both Anthropic's orchestration layer and their own execution layer
- No pricing details released for either feature; enterprise cost modeling is not yet possible
- Self-hosted sandbox adds deployment overhead for smaller teams without dedicated infrastructure
Outlook
Anthropic's strategy with Claude Managed Agents is becoming clearer: build a fully managed orchestration layer for enterprises and progressively transfer data control back to the customer at each point where compliance or sovereignty concerns would otherwise block adoption.
MCP tunnels and self-hosted sandboxes are two points on that spectrum. Future additions may include audit logging exported to customer-owned storage, fine-grained model behavior controls per tenant, and on-premises agent loop deployments for air-gapped environments.
The broader context is the enterprise AI agent market, where Anthropic competes with Microsoft Copilot Studio, Amazon Bedrock AgentCore, and Google's Vertex AI Agent Builder. Each platform is converging on similar security patterns because regulated industry customers demand them. Anthropic's advantage here is the specificity of the MCP integration — the Claude-native protocol lowers the integration ceiling for teams already building on MCP-compatible tools.
Conclusion
MCP tunnels and self-hosted sandboxes are targeted additions for enterprise teams who have been interested in Claude Managed Agents but blocked by data residency or network security requirements. The self-hosted sandbox in public beta is ready for evaluation now; MCP tunnels require requesting limited preview access. Organizations in regulated industries evaluating AI agent infrastructure should prioritize testing these features against their specific compliance constraints.
Editor's Verdict
Claude Managed Agents Gains MCP Tunnels and Self-Hosted Sandboxes for Enterprise Privacy earns a solid recommendation within the Claude space.
The strongest case for paying attention is that MCP tunnels remove the inbound firewall requirement, the most common network security blocker for enterprise AI agent deployments, which raises the bar for what readers should now expect from peers in this space. Reinforcing that, end-to-end tunnel encryption that meets baseline enterprise security standards without additional configuration adds practical value rather than just headline appeal. The broader signal worth registering is straightforward: the single-outbound-connection MCP tunnel pattern is architecturally identical to established developer networking tools (Cloudflare Tunnel, ngrok), which means enterprise network engineers will recognize it immediately, reducing security review friction. On the other side of the ledger, MCP tunnels are in limited research preview only and no production availability timeline has been announced; that is a real constraint, not a marketing footnote, and it should factor into any serious decision. Layered on top of that, the split architecture increases operational complexity, since teams must manage both Anthropic's orchestration and their own sandbox environments, and that narrows the set of teams for whom this is an obvious yes.
For Anthropic and Claude users, alignment-focused teams, and developers already invested in the Claude ecosystem, this is a serious evaluation candidate, not just a curiosity to bookmark. For everyone else, the safer posture is to monitor coverage and revisit once the use cases that matter to your team are demonstrated in the wild.
Pros
- MCP tunnels remove the inbound firewall requirement — the most common network security blocker for enterprise AI agent deployments
- End-to-end tunnel encryption meets baseline enterprise security standards without additional configuration
- Four supported sandbox providers (Cloudflare, Daytona, Modal, Vercel) plus custom client support cover most existing enterprise compute environments
- Self-hosted sandbox in public beta — immediately available for evaluation without waitlist
- Compliance-friendly architecture separates sensitive execution from Anthropic's infrastructure
Cons
- MCP tunnels in limited research preview only; production availability timeline not announced
- Split architecture increases operational complexity — teams must manage both Anthropic's orchestration and their own sandbox environments
- No pricing information available for either feature
- Self-hosted sandbox adds deployment overhead unsuitable for small teams without dedicated infrastructure
Key Features
1. MCP tunnels route agent-to-MCP-server traffic through a single outbound encrypted connection, removing the need for inbound firewall rules
2. Self-hosted sandboxes move tool execution to customer-owned environments (Cloudflare, Daytona, Modal, Vercel, or custom) while keeping orchestration on Anthropic's side
3. Architectural split: agent loop on Anthropic's infrastructure + tool execution in customer environment — aligns with SOC 2, HIPAA, and financial data compliance frameworks
4. End-to-end encryption on all MCP tunnel traffic
5. No public endpoint exposure required for internal MCP server access via tunnels
6. Self-hosted sandbox in public beta (immediate access); MCP tunnels in limited research preview (request required)
Key Insights
- The single-outbound-connection MCP tunnel pattern is architecturally identical to established developer networking tools (Cloudflare Tunnel, ngrok), which means enterprise network engineers will recognize it immediately — reducing security review friction.
- Splitting orchestration (Anthropic) from execution (customer) is a deliberate compliance architecture that maps to the data residency requirements most common in finance, healthcare, and government sectors.
- Support for Cloudflare, Daytona, Modal, and Vercel as sandbox providers covers a large fraction of existing enterprise compute environments — organizations do not need to stand up new infrastructure.
- The limited research preview status of MCP tunnels vs. public beta of self-hosted sandboxes signals that Anthropic is treating execution isolation as a more mature, lower-risk feature than private network routing.
- These features position Claude Managed Agents more directly against Amazon Bedrock AgentCore and Microsoft Copilot Studio, both of which have had enterprise security controls for longer; the gap is narrowing.
- The May 19 announcement coincides with Code With Claude London (May 20–21), suggesting a deliberate timing strategy to present these enterprise security features to a developer audience simultaneously.
