
Anthropic Just Moved AI Agents Inside Your Firewall: What Self-Hosted Sandboxes and MCP Tunnels Mean for CTOs

Figure: AI agent running inside a company security perimeter with a single outbound MCP tunnel connection

The single biggest reason AI agent pilots die in security review isn't the model. It's the boundary. And Anthropic just moved it.

On May 19, 2026, at Code with Claude London, Anthropic announced two additions to its Claude Managed Agents platform: Self-Hosted Sandboxes (now in public beta) and Model Context Protocol (MCP) Tunnels (in research preview). According to Anthropic's announcement, both features address the same root problem: enterprises want autonomous agents, but their security teams won't allow agent execution environments or internal systems to leave the corporate security perimeter.

That's not a niche concern. It's the objection that kills most regulated-industry agent pilots before they start. This release doesn't work around it. It removes it.

What Anthropic Actually Shipped

The two features solve related but distinct problems, and understanding both is worth a few minutes of a chief technology officer's (CTO's) time.

Self-Hosted Sandboxes put the agent execution environment inside the customer's boundary. A Claude Managed Agent runs inside a sandbox the customer controls. Both the environment where the agent executes tools and the Model Context Protocol (MCP) servers it connects to stay inside the enterprise's established security and runtime controls. The customer decides where the sandbox lives: on their own infrastructure, or with one of the managed compute providers Anthropic has pre-validated (Cloudflare, Daytona, Modal, or Vercel). Each provider handles isolation and compute; the customer retains runtime control and security policy.

MCP Tunnels solve the complementary problem. An enterprise might be comfortable running the sandbox internally, but still need agents to reach services sitting on a private network. The old approach would have required punching a hole in the firewall: a public endpoint, inbound rules, exposed surface area. MCP Tunnels work differently. The customer deploys a lightweight gateway inside their network. That gateway makes a single outbound connection. No inbound firewall rules. No public endpoints. Traffic is encrypted end-to-end. The agent in Anthropic's cloud reaches internal services through that outbound tunnel, not through an exposed inbound port.

Together, the two features make a specific architecture possible: the agent executes inside your boundary, reaches private systems without exposing them, and never forces production data to leave the perimeter in order to reach vendor infrastructure.

Key Facts

  • Self-Hosted Sandboxes are in public beta: agents run inside the enterprise's own infrastructure or via Cloudflare, Daytona, Modal, or Vercel (Anthropic, May 2026).
  • MCP Tunnels use a single outbound connection from a customer-deployed gateway, with no inbound firewall rules and end-to-end encryption (Anthropic, May 2026).
  • Both features were announced May 19, 2026, at Code with Claude London as additions to Claude Managed Agents.

Why the Perimeter Was the Real Blocker

Most CTO conversations about AI agents focus on capability: what the model can do, how it handles tool use, whether it hallucinates on your domain. Those are real questions. But in regulated environments, the capability conversation often doesn't happen at all because the architecture conversation ends it first.

Security teams in financial services, healthcare, and government-adjacent organizations operate under explicit data residency and boundary requirements. Sending query context, retrieved documents, or intermediate outputs to a vendor's cloud infrastructure is often prohibited outright. Not by preference. By policy, sometimes by regulation.

The traditional model for cloud-based AI agents put the execution environment in the vendor's cloud. Your data had to travel to where the agent lived. That's the architectural assumption this release breaks.

InfoQ's coverage framed the MCP Tunnels feature as a private-network access solution that doesn't require VPN infrastructure or inbound exposure. The New Stack highlighted the sandbox flexibility as a way to run Claude agents in environments where Anthropic's managed compute was previously off-limits.

For CTOs who have been watching agent capability mature while waiting for the security architecture to catch up, this is the catch-up.

The Architecture Shift in One Sentence

Old model: ship your data to where the agent lives. New model: run the agent where your data lives, or let the agent reach your data through a controlled outbound channel.

Figure: Outbound-only MCP tunnel architecture, in which a gateway makes one connection out and no inbound firewall rules are needed

This distinction matters architecturally because it separates two concerns that were previously coupled: where the agent's reasoning happens (the model) and where agent execution and data access happen (the sandbox and MCP connections). The model still runs in Anthropic's infrastructure. The execution context, the tools, the data access and the outputs can now stay inside the customer's boundary.

That separation is what makes this architecture viable for regulated use cases. The model vendor sees query inputs and outputs, as it always did. But internal service calls, retrieved documents, and intermediate tool results don't need to transit the public internet.

This is architecturally distinct from the fleet governance and control-plane conversation happening in parallel across the industry. Microsoft's Agent 365 platform addresses agent identity, visibility, and oversight across a fleet: who's running what agent, what did it do, can you block it. The Anthropic announcement addresses something earlier in the stack: where does the agent execute and how does it reach internal systems. Both concerns are real; they belong on different parts of the CTO's checklist.

For more context on the governance layer, the Gartner coding-agent realignment piece covers the procurement and vendor dependency angle that compounds these architecture decisions.

The Agent Perimeter Checklist

Before authorizing a Claude Managed Agents deployment in a regulated or security-sensitive environment, a CTO should get clear answers to these six questions. Call it the Agent Perimeter Checklist.

1. Where does the agent execute tools? Does the execution environment sit in the vendor's cloud, in your own infrastructure, or with a managed provider you've approved? Self-Hosted Sandboxes make this answerable for Claude agents. It wasn't answerable before.

2. How does the agent reach internal systems? Does access require inbound firewall rules or public endpoints? MCP Tunnels answer this with "no inbound rules, single outbound connection." That's an architecture your security team can evaluate on its merits.

3. What data transits the public internet? Map exactly which data leaves the boundary: inputs to the model (yes, these reach Anthropic), tool call parameters (now potentially contained in your sandbox), and retrieved internal documents (now reachable via the outbound tunnel without exiting your network).

4. Who controls the runtime? Can you apply your organization's security policies, logging requirements, and termination controls to the environment where the agent executes? With self-hosted sandboxes, you can.

5. What is your data residency posture? If regulatory requirements specify that certain data classes can't leave a geographic boundary, does your sandbox configuration respect that? The managed provider options (Cloudflare, Daytona, Modal, Vercel) have different availability zones and data residency commitments. Verify before deploying.

6. Is there an audit trail for agent actions? Can you reconstruct what the agent did, what internal systems it called, and what data it touched? This isn't purely about the sandbox; it also requires your MCP server implementations to emit useful logs. But the sandbox architecture is the foundation that makes meaningful logging possible.
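Question 6 turns on the MCP server side emitting logs from which a session can be reconstructed. The following is an added illustration, not code from Anthropic or any MCP SDK: a wrapper around a hypothetical tool handler (`lookup_customer` against an assumed internal host `crm.internal`) that records each invocation as one JSON line with secrets redacted, plus a function that rebuilds the trail of tools, target systems and outcomes for one agent session.

```python
"""Audit trail for MCP tool calls (added example; not Anthropic's code).

Assumption: the MCP server exposes tool handlers as plain callables and
passes a session identifier with every call. The wrapper below writes one
JSON record per invocation so a session can be reconstructed afterwards.
"""
import json
import time
from typing import Any, Callable

AUDIT_LOG: list[str] = []  # stand-in for a real sink (file, syslog, SIEM)
SECRET_KEYS = {"password", "token", "api_key", "authorization"}


def _redact(params: dict[str, Any]) -> dict[str, Any]:
    """Keep parameter names for reconstruction; never store secret values."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_KEYS else v)
            for k, v in params.items()}


def audited(tool_name: str, target_system: str) -> Callable:
    """Decorator: emit an audit record for every call to a tool handler."""
    def wrap(fn: Callable) -> Callable:
        def inner(session_id: str, **params: Any) -> Any:
            record = {"ts": time.time(), "session": session_id,
                      "tool": tool_name, "target": target_system,
                      "params": _redact(params), "status": "started"}
            try:
                result = fn(**params)
                record["status"] = "ok"
                # size, not content: enough to see what data was touched
                record["result_bytes"] = len(json.dumps(result, default=str))
                return result
            except Exception as exc:
                record["status"] = f"error:{type(exc).__name__}"
                raise
            finally:
                AUDIT_LOG.append(json.dumps(record))
        return inner
    return wrap


@audited("lookup_customer", target_system="crm.internal")  # hypothetical tool
def lookup_customer(customer_id: str, api_key: str) -> dict:
    return {"id": customer_id, "tier": "gold"}  # constructed stub response


def reconstruct(session_id: str) -> list[dict]:
    """Return every recorded action of one session, in call order."""
    return [rec for rec in map(json.loads, AUDIT_LOG)
            if rec["session"] == session_id]
```

In production the record would also carry the agent identity and go to a sink the agent cannot modify; the redaction set should be driven by your data classification rather than a fixed list.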

These questions apply to any enterprise agent deployment, not just Anthropic's. But the Self-Hosted Sandboxes and MCP Tunnels features are the first time the answers to questions 1 through 4 have been genuinely satisfying for Claude agents in regulated environments.

The agentic AI governance analysis for revenue operations covers related concerns about agent oversight at the business-unit level, which pairs well with this infrastructure-layer checklist.

What's Still in Preview and What That Means

Self-Hosted Sandboxes are in public beta, which means the feature is generally available for testing but may not carry production SLA commitments. MCP Tunnels are in research preview, meaning access requires an application and the API surface is likely to change. CTOs should treat the tunnel feature as something to design for now but not ship to production on a tight timeline.

The managed provider ecosystem (Cloudflare, Daytona, Modal, Vercel) gives organizations that can't operate bare-metal sandboxes a realistic path to a compliant compute environment without waiting for full general availability of Anthropic's own managed infrastructure.

For organizations already using Rework to coordinate the operational workflows that agents will eventually plug into, the sandbox architecture question is worth raising now: which workflows are candidates for agent execution, and do those candidates meet the perimeter requirements your security team will apply?

Frequently Asked Questions

What is a self-hosted AI agent sandbox?

A self-hosted AI agent sandbox is an isolated execution environment, controlled by the customer, where an AI agent runs its tool calls and computations. Instead of executing inside the AI vendor's cloud infrastructure, the agent runs inside a compute environment the customer owns or has contracted with an approved provider. This keeps agent execution, tool calls, and intermediate outputs inside the customer's security boundary.

What is an MCP tunnel?

An MCP tunnel is a private network access mechanism for Model Context Protocol (MCP) servers. Rather than exposing internal MCP servers to the public internet through inbound firewall rules, the customer deploys a lightweight gateway inside their network. That gateway makes one outbound connection to the AI agent infrastructure. The agent reaches internal services through that tunnel without requiring any inbound exposure. Traffic is encrypted end-to-end.

Does this mean Anthropic never sees my internal data?

Not exactly. The underlying model (Claude) still processes inputs and produces outputs; those requests do reach Anthropic's infrastructure. What Self-Hosted Sandboxes and MCP Tunnels change is that tool execution, internal service calls, and retrieved documents can stay within the enterprise network rather than transiting to the vendor's cloud. The boundary of what Anthropic sees shifts, but the model interaction itself is still cloud-based. Organizations with strict data-handling requirements should review Anthropic's data processing agreements alongside the sandbox architecture.

What CTOs Should Do This Week

Three moves that cost little and set up the architecture conversation:

  • Request access to MCP Tunnels. The feature is in research preview, meaning access is gated. Getting into the preview now means your team evaluates the architecture while it is still taking shape. The feedback loop with Anthropic during preview periods is faster than post-GA.

  • Run the Agent Perimeter Checklist against your highest-priority agent use case. You probably have a pilot that stalled or died in security review. Apply the six questions above to that specific use case. Where did it fail the checklist? Does this architecture address those gaps? That exercise takes an afternoon and gives you a concrete conversation to have with your CISO.

  • Map your sandbox provider options to your data residency requirements. If your organization has geographic or regulatory constraints on where compute can run, check Cloudflare, Daytona, Modal, and Vercel's data residency commitments now. Don't wait until you're mid-procurement to discover a mismatch.

The agent pilot that died in security review six months ago may now have a viable path. That's worth half a day to find out.
