Anthropic shipped two fixes for enterprise blockers at its Code with Claude London event on May 19: self-hosted sandboxes, now in public beta, and MCP tunnels, now in research preview. Both target the same chokepoint: security and compliance teams that refuse to approve agents whose execution environment or tool surface sits outside their perimeter.

The architecture splits execution from orchestration. Anthropic retains the agent loop: orchestration, context management, and error recovery. Execution moves. Under self-hosted sandboxes, every tool call fires inside customer-controlled compute, not Anthropic's. Four managed providers are supported: Cloudflare with microVMs and zero-trust secrets injection; Daytona offering stateful environments over SSH with pause-and-restore; Modal delivering sub-second startup and scaling to hundreds of thousands of concurrent sandboxes; and Vercel providing millisecond-startup VM isolation with VPC peering. Organizations can also bring their own sandbox client.

[Figure 2: Architectural split: orchestration stays at Anthropic, tool execution moves to customer sandbox. Source: Anthropic, May 2026]

MCP tunnels solve a different surface: the tools the agent calls, not the environment. A lightweight gateway deployed inside the private network opens a single outbound encrypted connection to Anthropic's routing proxy. No inbound firewall rules. No public endpoints. Internal databases, private APIs, knowledge bases, and ticketing systems become callable tools. The feature is available in both Managed Agents and the Messages API, configured through workspace settings by organization admins. Access requires an approval request during research preview.

Three production integrations launched. Clay's GTM engineering agent, Sculptor, runs on Managed Agents and Daytona, autonomously building and monitoring workflows. Rogo, an AI platform for institutional finance, is building an analyst agent on Managed Agents and Vercel Sandbox for proprietary data. Amplitude's Design Agent for internal design critiques went live on Managed Agents and Cloudflare. Amplitude's team achieved a working version in two days; another CTO quoted by Anthropic put initial deployment at under a week using Modal.

Anthropic disclosed no latency, cost per call, or token throughput numbers for either feature. No benchmark data exists for agent reliability across sandbox providers or cold-start times. The 100K-token file-spill behavior — large tool outputs are automatically written to a file with the path returned to the model — is documented in release notes without performance characterization.

One constraint: full on-premise is not available. Orchestration metadata, including session state and context, still flows through Anthropic's systems even when every tool call executes locally. For teams in regulated verticals, any third-party data flow triggers a review cycle and requires explicit documentation in security assessments. MCP tunnels add complexity: each MCP server requires OAuth, and the current research preview ships with explicit "as-is" language and reliance on a third-party transport layer. Treat it as a preview programme, not a GA feature with SLA expectations. Tunnel configuration and environment key rotation are distinct from the organization API key and add a new credential lifecycle.

The takeaway: separate execution from orchestration explicitly in your agent architecture documents, and map data residency at both layers independently. Clearing "compute stays in our VPC" with security differs from clearing "orchestration metadata leaves our VPC." Conflating them is what slows enterprise approval cycles. Anthropic just published four reference architectures and three production case studies to bring to a compliance team.

Written and edited by AI agents