2 Sources
[1] Anthropic enhances Claude Managed Agents with two new privacy and security features - 9to5Mac
Anthropic is introducing two new features for Claude Managed Agents that give users more control over security and privacy. Anthropic unveiled Claude Managed Agents in April, greatly simplifying the work required to build and deploy cloud-hosted AI agents. Earlier this month, Managed Agents went even further with new dreaming, outcomes, and multiagent orchestration features. Now Anthropic is adding two additional new features for May: MCP tunnels and self-hosted sandboxes.

"Both the sandbox where an agent executes tools and the services it reaches run within the established boundaries of your enterprise, under your security and runtime controls," Anthropic says.

The new MCP tunnels feature allows Claude Managed Agents users to route services through a private network. With MCP tunnels, your agents reach MCP servers inside your private network without exposing them to the public internet. Internal databases, private APIs, knowledge bases, and ticketing systems become tools your agents can call. A lightweight gateway you deploy makes a single outbound connection, no inbound firewall rules, no public endpoints, and traffic encrypted end to end. MCP tunnels is a limited research preview, so requesting access is required before getting started for now.

Meanwhile, the new self-hosted sandbox feature lets you easily set boundaries for Claude Managed Agents. With self-hosted sandboxes, you keep sensitive files, packages, and services in your own infrastructure or with a managed sandbox provider. The agent loop that handles orchestration, context management, and error recovery stays on Anthropic's infrastructure, while tool execution moves to your own configured environment. Self-hosted sandbox supports bringing your own sandbox client or using one of Anthropic's partners: Cloudflare, Daytona, Modal, and Vercel. Self-hosted sandboxes arrive as a public beta feature. You can learn more about both updates to Claude Managed Agents here.

Recent Anthropic news: Separately, research scientist and OpenAI founding team member Andrej Karpathy has joined Anthropic after being independent for some time.
[2] Securing AI agent credentials with MCP tunnels
The reason enterprises have been slow to connect AI agents to internal APIs and databases isn't the models -- it's the credentials. In most production deployments, the agent carries authentication tokens with it as it executes tool calls, which means a compromised or misbehaving agent takes the keys with it. Anthropic is addressing that problem with two new capabilities for Claude Managed Agents: self-hosted sandboxes, which let teams run tool execution inside their own infrastructure perimeter, and MCP tunnels, which connect agents to private MCP servers without exposing credentials in the agent's context. Together they move credential control to the network boundary rather than leaving it inside the agent. Right now, self-hosted sandboxes are available to Claude Managed Agent users in public beta, while MCP tunnels are currently in research preview.

Anthropic isn't the only model provider making this bet. OpenAI added local execution to its Agents SDK in April in response to similar demand. The architectural distinction Anthropic draws is a split: the agent loop runs on Anthropic's infrastructure, while tool execution runs on the enterprise's own system -- a separation that existing sandbox approaches, including OpenAI's, don't make.

The architecture problem in sandboxes and agents

MCP moved to enterprise production faster than the security architecture around it matured. In most deployments, credentials travel through the agent itself as it executes tool calls against internal systems -- meaning a compromised or misbehaving agent has everything it needs to cause damage. Self-hosted sandboxes, such as those offered on Claude Managed Agents, help keep files and packages within an enterprise's infrastructure. The agentic loop -- orchestration, context management and error recovery -- moves to the platform, and ideally, enterprises control compute resources. This allows the agent to complete tool calls without holding the keys that unlock it.

Private network connectivity works similarly -- a lightweight outbound-only gateway inside the organization's network, with no credentials passing through the agent.

Orchestration teams get some control

For orchestration teams, the capabilities represent more than just a security update; they help agents run better. But the first thing they need to understand is how this split architecture can affect their deployment. Since sandboxes determine tool execution locations and the resources agents access, and MCP tunnels tell agents how to reach internal systems, these are separate concerns -- splitting them up enables enterprises to map agents' workflows more effectively. For teams already on Claude Managed Agents, the practical starting point is sandboxes -- move tool execution onto your own infrastructure and test the boundary before touching MCP tunnels, which are still in research preview. Teams evaluating the platform for the first time should treat the sandbox architecture as the primary technical differentiator: it's the piece that changes the threat model, not just the deployment model.
Anthropic introduces two privacy and security features for Claude Managed Agents that address a critical enterprise concern: credential exposure. MCP tunnels enable private network connectivity without exposing internal systems, while self-hosted sandboxes keep tool execution within enterprise infrastructure. These updates move credential control to the network boundary rather than leaving authentication tokens inside the agent.
Anthropic has introduced two privacy and security features for Claude Managed Agents designed to address a fundamental barrier slowing enterprise AI agent deployments: the risk of credential exposure [1][2]. The new capabilities, MCP tunnels and self-hosted sandboxes, shift how enterprises manage AI agent security by separating where agents orchestrate from where they execute tools. In most production deployments today, agents carry authentication tokens as they execute tool calls, meaning a compromised or misbehaving agent effectively takes the keys with it [2]. This architectural vulnerability has kept enterprises cautious about connecting AI agents to internal APIs and databases, even as the underlying models have grown more capable.
Source: VentureBeat
The MCP tunnels feature allows Claude Managed Agents users to route services through a private network without exposing internal systems to the public internet [1]. With MCP tunnels, agents can reach MCP servers inside private networks and access internal databases, private APIs, knowledge bases, and ticketing systems as tools they can call. The implementation relies on a lightweight gateway that enterprises deploy, which makes a single outbound connection with no inbound firewall rules and no public endpoints, while traffic remains encrypted end to end [1]. This approach moves credential control to the network boundary rather than embedding it within the agent's context [2]. MCP tunnels is currently available as a limited research preview, requiring access requests before teams can begin implementation.
Source: 9to5Mac
The self-hosted sandboxes feature lets enterprises set boundaries for Claude Managed Agents by keeping sensitive data, files, packages, and services within their own infrastructure or with a managed sandbox provider [1]. The architecture splits responsibilities: the agent loop that handles orchestration, context management, and error recovery stays on Anthropic's infrastructure, while tool execution moves to the enterprise's own configured execution environment [1]. This separation allows agents to complete tool calls without holding the authentication tokens that unlock access to sensitive systems [2]. Self-hosted sandboxes arrive as a public beta feature and support bringing your own sandbox client or using partners including Cloudflare, Daytona, Modal, and Vercel.
For orchestration teams managing enterprise AI agent deployments, these capabilities represent more than a security update—they fundamentally change the threat model by enabling better agent workflow mapping [2]. Since sandboxes determine tool execution locations and the resources agents access, while MCP tunnels define how agents reach internal systems, splitting these concerns enables enterprises to map agents' workflows more effectively. Anthropic positions this split architecture as a key differentiator from other approaches. OpenAI added local execution to its Agents SDK in April in response to similar demand, but Anthropic draws an architectural distinction: existing sandbox approaches, including OpenAI's, don't separate the agent loop from tool execution in the same way [2]. For teams already using Claude Managed Agents, the practical starting point is sandboxes—moving tool execution onto their own infrastructure and testing the boundary before exploring MCP tunnels, which remain in research preview. Teams evaluating the platform for the first time should treat the sandbox architecture as the primary technical differentiator, as it changes the threat model rather than just the deployment model.

Summarized by Navi