Anthropic adds MCP tunnels and self-hosted sandboxes to Claude Managed Agents for enterprise security
Anthropic has added two enterprise security features to Claude Managed Agents: MCP tunnels, which route agent services through private networks without public internet exposure, and self-hosted sandboxes, which keep sensitive tool execution within customer infrastructure while Anthropic handles orchestration.
Anthropic has launched two new security features for Claude Managed Agents that allow enterprises to keep agent operations within their own network perimeters.
MCP tunnels enable private network routing
The MCP tunnels feature allows Claude Managed Agents to access Model Context Protocol (MCP) servers inside private networks without exposing them to the public internet. According to Anthropic, internal databases, private APIs, knowledge bases, and ticketing systems can become agent-accessible tools through a lightweight gateway that makes a single outbound connection with no inbound firewall rules required.
Traffic is encrypted end-to-end, and no public endpoints are created. MCP tunnels is currently available as a limited research preview requiring access approval.
Self-hosted sandboxes move tool execution on-premises
The self-hosted sandbox feature separates agent orchestration from tool execution. Anthropic's infrastructure continues to handle the agent loop, context management, and error recovery, while tool execution moves to customer-controlled environments or managed sandbox providers.
Sensitive files, packages, and services remain in customer infrastructure. Anthropic has partnered with Cloudflare, Daytona, Modal, and Vercel for managed sandbox options, though customers can also bring their own sandbox client. Self-hosted sandboxes launched as a public beta feature.
"Both the sandbox where an agent executes tools and the services it reaches run within the established boundaries of your enterprise, under your security and runtime controls," Anthropic stated.
Context: Recent Managed Agents updates
Anthropic launched Claude Managed Agents in April 2025 as a simplified way to build and deploy cloud-hosted AI agents. Earlier in May, the company added dreaming, outcomes, and multiagent orchestration features.
Karpathy joins Anthropic
Separately, OpenAI founding team member and research scientist Andrej Karpathy announced he has joined Anthropic. "I think the next few years at the frontier of LLMs will be especially formative," Karpathy stated on social media.
What this means
These features address a critical enterprise barrier to AI agent adoption: data security and network isolation. By allowing agents to operate entirely within private networks while maintaining Anthropic's orchestration layer, companies can deploy Claude agents without creating new security vulnerabilities. The self-hosted sandbox approach is particularly significant—it lets enterprises maintain zero-trust architectures while still leveraging cloud AI capabilities. Both features suggest Anthropic is prioritizing enterprise deployment over pure technical advancement, focusing on making existing capabilities deployable at scale rather than pushing frontier model performance.