Anthropic moves Claude agent tool execution behind the firewall
Anthropic is making a practical change to Claude Managed Agents: the agent can still be orchestrated by Anthropic, but the tools it uses can now run inside infrastructure controlled by the customer. The company is also introducing MCP tunnels that connect agents to internal services without exposing those services to the public internet.
This is more than a product update. It answers the question many CIOs and CISOs are now asking: how do we let agents into operational work surfaces without sending code, files, APIs and credentials outside the control perimeter?
Anthropic describes two new mechanisms. The first is self-hosted sandboxes. Tool execution, including builds, file operations, code analysis, package installation and other actions, can move into a sandbox the customer controls directly or runs through a provider such as Cloudflare, Daytona, Modal or Vercel. Files and repositories can stay inside the enterprise boundary. Existing network policies, audit logging and security tools can remain in place. The customer also controls CPU, memory and the runtime image.
The second mechanism is MCP tunnels. MCP, or Model Context Protocol, is used to connect AI agents to tools, databases, knowledge bases, private APIs and ticketing systems. Anthropic says the tunnels let agents reach MCP servers inside a private network without inbound firewall rules and without public endpoints. A lightweight gateway opens one outbound connection, with end-to-end encryption.
That is the architecture many enterprises have been waiting for. Not because it solves everything. It does not. The agent loop, including orchestration, context management and error recovery, still runs on Anthropic’s infrastructure. This is not a full on-premises deployment. But the boundary moves. The most sensitive layer, where the agent actually reads files, runs tools and reaches internal systems, can sit closer to the customer’s own controls.
For executives, this is operational governance rather than AI theory. When an agent gets access to codebases, CRM data, tickets, analytics tools or financial data, it becomes an operational user. It has to be governed like any other privileged user: identity, least privilege, network segmentation, logging, data classification, secrets management and incident response.
The key issue is shared responsibility. Anthropic provides the model, the agent platform and the orchestration. The customer still has to decide where the agent is allowed to work, which systems it can reach, which secrets are injected, how traffic is inspected, and who can review the audit trail afterwards. An agent that can build, test, fetch data and write reports is not a chatbot. It is part of the operating model.
The provider list is also telling. Cloudflare points to microVMs, isolates, zero-trust secrets injection and control over outbound traffic. Vercel highlights VM security, VPC peering and a firewall that can inject credentials at the network boundary so they never enter the sandbox. Modal sells scalable AI sandboxes with CPU and GPU resources on demand. Daytona focuses on long-running, stateful sandboxes that can be paused and restored.
That shows where the agent market is moving. The model is no longer the whole product. The control surface around it matters just as much: where code runs, how tools are isolated, how networks are constrained, and how work can be audited later.
The risk is that companies read this as a green light for broad agent deployment. That would be premature. Self-hosted sandboxes are in public beta. MCP tunnels are still a research preview and require access. The right move is to test the architecture in bounded workflows before it touches systems involving money, personal data or production changes.
A sensible start is one concrete workflow: code analysis, internal documentation, reporting, incident handling or data enrichment. Give the agent a defined purpose, its own identity, narrow permissions, test data first, clear logging requirements and human approval before it takes actions that cost money, change systems or affect customers.
This is still an important step. Anthropic is effectively acknowledging that enterprise agents cannot become serious until customers get control over the runtime environment and private tools. The leadership question is no longer whether agents can do more. They can. The question is where they are allowed to do it, under which authorities, and how quickly they can be stopped when something goes wrong.
Sources and media
Primary source: Anthropic / Claude, “New in Claude Managed Agents: self-hosted sandboxes and MCP tunnels”, published May 19, 2026: https://claude.com/blog/claude-managed-agents-updates
Additional verification: The Decoder, “Anthropic adds self-hosted sandboxes and MCP tunnels to Claude Managed Agents”, May 19, 2026.
Media credit: Anthropic includes its own diagrams for sandboxes and MCP tunnels in the primary post. These are linked as source material and not rehosted by hogby.ai. Thumbnail: OpenAI Image 2 / hogby.ai.