Anthropic announced two new features for Claude Managed Agents at its Code with Claude London event last week, and the framing of the announcement is the part to pay attention to. Self-hosted sandboxes are now in public beta. MCP tunnels are in research preview. Both ship the same message: the agent orchestration stays on Anthropic’s infrastructure, the parts your security team cares about stay inside your firewall.
Self-hosted sandboxes move tool execution out of Anthropic’s environment and into infrastructure the customer controls, either directly or through a managed sandbox provider such as Cloudflare, Daytona, Modal, or Vercel. The agent loop still runs at Anthropic, doing context management and error recovery. But when the agent actually writes a file, runs a subprocess, or makes a network call, that happens inside the customer’s perimeter. The data never leaves. The code never executes on third-party metal. The audit trail lives where the auditors already log in.
MCP tunnels solve the inverse problem. Most useful enterprise data lives behind firewalls, on internal MCP servers that the security team correctly refuses to expose to the public internet. Anthropic’s answer is a lightweight gateway the customer deploys, which opens a single outbound-only connection back to Claude. The agent can call internal APIs, databases, ticketing systems, knowledge bases. No inbound firewall rules. No public endpoints. Encrypted end to end.
The plain-English read on both features: every enterprise pilot of Claude Managed Agents in the last six months has hit the same two objections from the security review board, and Anthropic just shipped the answers to both. Self-hosted sandboxes handle “we cannot let your infrastructure execute code that touches our data.” MCP tunnels handle “we are absolutely not poking holes in our firewall for an AI agent.” If you have been wondering why Anthropic’s enterprise revenue keeps doubling against the run rate of its training spend, the answer is increasingly that the company keeps shipping the specific feature your procurement department needs to see before it will sign the renewal. The frontier model race is starting to look like an enterprise software race in slow motion, and Anthropic has been running it like one for at least a year.