On May 19, at Code with Claude London, Anthropic shipped two capabilities for Claude Managed Agents that have been on every enterprise team's wishlist since agentic workflows became real: self-hosted sandboxes in public beta and MCP tunnels in research preview. For the first time, vibecoders can tell Claude to execute code inside their own infrastructure, and connect Claude to internal APIs without punching holes in their firewall.
Before this change, every file read, every bash command, every API call made by a Claude Managed Agent happened on Anthropic's compute. That was fine for most side projects. It was a nonstarter for anyone working in healthcare, finance, legal tech, or any regulated context where data residency actually matters.
Why Tool Execution Location Became the Blocker
The reason enterprises have been slow to connect AI agents to internal APIs is not skepticism about the models. It is credentials. In most production agent deployments, authentication tokens travel with the agent as it executes tool calls. A misbehaving or compromised agent carries those credentials wherever it goes. When execution happens off-site, that is a meaningful exposure.
The same problem showed up for smaller teams trying to connect Claude to private data. Pointing an agent at a Postgres database behind a VPN meant either punching a public endpoint through the firewall or giving up on that integration entirely. Neither option is good. Most teams defaulted to "give up on it" and worked around the limitation.
The MCP protocol solved the standardization problem for tool connections, but it did not solve the perimeter problem. You could define a private MCP server, but to make it reachable by a cloud agent, you still had to expose it to the public internet.
Self-hosted sandboxes split the agent into two halves: the orchestration layer (context management, error recovery, reasoning) stays on Anthropic's infrastructure, while tool execution (code runs, file reads, API calls) moves into your environment. The model brain stays outside; the agent's hands reach inside your network. MCP tunnels solve a parallel problem: they let private MCP servers receive calls from Claude without any public endpoint.
That architectural distinction matters because most compliance regimes care about where data is processed, not where the model inference happens. HIPAA, SOC 2, and EU data residency requirements focus on the actual execution environment. Moving tool execution inside the customer perimeter is the thing that makes regulated use cases viable.
How Self-Hosted Sandboxes Actually Work
The mechanism is straightforward once you see the shape of it. You run a process called an environment worker inside your infrastructure. Anthropic populates a work queue with tool execution requests as the agent session runs. Your worker polls that queue, claims incoming requests, runs them locally inside a container or VM you control, and posts the results back to Anthropic's orchestration layer.
The worker can run continuously as an always-on process, or you can trigger it via webhook when a session starts (specifically when session.status_run_started fires). Either way, the agent session keeps running on Anthropic's side while your worker handles the actual execution.

Anthropic supports four managed providers if you don't want to run bare compute yourself. Cloudflare handles it with microVMs and zero-trust networking with controlled outbound traffic. Daytona gives you full stateful machines that persist between turns and can be paused with full state preserved. Modal targets AI workloads specifically, with sub-second startup on custom containers and GPU access for teams doing compute-heavy tasks. Vercel adds VPC peering and credential injection at the network boundary, which is useful if you're already running Vercel infrastructure and want to keep credential management centralized.
The self-hosted sandbox option is in public beta. You don't need to apply. If you're using Claude Managed Agents, you can configure a self_hosted environment type today.
What MCP Tunnels Solve
Private MCP servers are the piece that makes the agent genuinely useful for internal tooling. Your Jira instance, your internal Postgres database, your GitHub Enterprise server, your on-premise ticketing system. These are the tools where most real work actually lives. They are also the tools you absolutely cannot expose to the public internet.
MCP tunnels let you connect Claude to MCP servers running inside your private network without making them publicly reachable. The mechanism is a lightweight gateway you deploy inside your network. That gateway opens a single outbound connection to Anthropic's tunnel edge. No inbound firewall rules. No public endpoint. No IP allowlisting required on your side.
Pulse analysis and practical guides for vibecoders on every Anthropic release
Read more pulse postsThe security model is layered. Traffic is end-to-end encrypted using mutual TLS (mTLS). Anthropic adds its own encryption layer on top of that. Cloudflare operates the transport layer but cannot read request or response payloads because your team holds the inner TLS certificate. The private MCP server never sees traffic from arbitrary internet sources. It only receives calls that have passed through the tunnel gateway you control.
What this changes in practice: a Claude agent can now call your internal ticketing API, retrieve data from your private database, or read from a knowledge base that lives behind your VPN, without you opening a single inbound port. The agent treats your internal tools the same way it treats any other MCP server.
MCP tunnels are currently in research preview, which means you need to request access through the Claude platform. Access is not instant, but Anthropic has been granting it to teams with concrete use cases.

What This Unlocks For Vibecoders
The clearest immediate use case is regulated-industry teams who have been watching Claude Managed Agents from the sidelines. Healthcare teams building clinical documentation workflows can now run agent tool execution in HIPAA-compliant infrastructure. Legal teams can connect agents to privileged case management systems without external exposure. Financial services teams working under data localization requirements can keep execution inside their approved zones.
Beyond regulated industries, self-hosted sandboxes matter for any team that has made irreversible mistakes with cloud agents. When execution happens on your infrastructure, your existing monitoring, your existing network egress controls, and your existing incident response playbooks all apply to agent activity. That is a lot of observability and control you gain without any additional tooling.
For solo builders and indie hackers, the MCP tunnel capability is the more immediately useful one. If you're building a product that needs to connect Claude to a customer's private systems (their CRM, their internal API, their on-premise database), MCP tunnels give you a clean way to do that without asking customers to open firewall ports.
Assuming self-hosted sandboxes give you complete isolation. Agent orchestration still runs on Anthropic's servers. Input prompts, tool call descriptions, and results all travel through Anthropic's infrastructure as part of the session. What stays local is tool execution: the actual file operations, network calls, and compute. If your compliance requirement is that no prompt text touches external servers, self-hosted sandboxes don't solve that. They solve the data-movement problem for tool outputs and execution environments.
The pricing model is $0.08 per session-hour on top of standard API token costs for the agent. That is the runtime charge for the orchestration layer. Your environment worker's compute costs are separate and billed by whichever infrastructure you choose. For a team doing a handful of long agent sessions per day, the runtime cost is a rounding error. For teams planning high-volume automation, budget both the API tokens and the $0.08/hour runtime before committing to architecture decisions.
What This Means For You
The two features address different blockers but point at the same shift: the assumption that AI agents must run entirely in the cloud is ending. Anthropic is splitting the agent architecture in a way that lets the hard parts (orchestration, context, reasoning) stay in the cloud while the sensitive parts (execution, credential handling, data access) move wherever your compliance requirements demand.
- If you're building for regulated clients: Start with the public beta sandbox documentation at platform.claude.com and evaluate which managed provider fits your existing infrastructure.
- If you're connecting agents to internal tools: Apply for MCP tunnels access with a specific use case. Vague requests take longer. Describe exactly which private system you need to connect and why.
- If you're an indie hacker: MCP tunnels give you a clean pitch to customers: Claude can reach their internal systems without them opening firewall ports. That removes a common objection in enterprise sales.
- If you haven't started with Managed Agents yet: Self-hosted sandboxes and the dreaming/outcomes features from Code with Claude San Francisco mean the platform has grown considerably since its initial launch. Worth revisiting if you evaluated it early and moved on.
Weekly analysis for vibecoders on every Anthropic capability release
Read more pulse posts