Rather than keeping all agent activity inside Anthropic’s cloud, the company is splitting responsibilities between its orchestration layer and customer-controlled runtime environments. Anthropic continues handling the agent loop, context management, and error recovery, while actual tool execution happens inside infrastructure managed either directly by customers or through providers including Cloudflare, Daytona, Modal, and Vercel.
The shift reflects growing enterprise demand for AI systems that can operate on proprietary data without forcing organizations to hand over sensitive assets or internal tooling. Anthropic said files and repositories remain inside a customer’s existing perimeter, where companies can continue using their own network policies, audit systems, and security controls.
The company is also giving enterprises more authority over runtime configuration. Customers can define compute resources, runtime images, and environment sizing themselves, allowing agents to handle heavier workloads such as builds or image generation without relying entirely on Anthropic-managed infrastructure.
Each infrastructure partner approaches the problem differently. Cloudflare is positioning its microVM and isolate-based system around observability and network controls, including customizable proxies and zero-trust secrets injection. Daytona emphasizes long-running, stateful sandboxes that can remain active for hours, while Modal focuses on scaling AI workloads with shared infrastructure primitives and GPU access. Vercel, meanwhile, is pitching its sandbox architecture around security boundaries and credential isolation.
Anthropic paired the launch with customer examples meant to show how enterprises are already using the system internally. Clay said its “Sculptor” GTM engineering agent runs on Managed Agents with Daytona, while Rogo is building an analyst agent for institutional finance using Managed Agents alongside Vercel Sandbox. Amplitude said it built an internal design agent using Managed Agents and Cloudflare infrastructure.
The MCP tunnels feature addresses a separate but related problem: how AI agents securely interact with private enterprise systems. Anthropic’s approach relies on a lightweight gateway deployed by customers that creates a single outbound encrypted connection, avoiding inbound firewall changes or public endpoints.
That setup allows Claude agents to reach internal MCP servers tied to databases, ticketing systems, private APIs, and knowledge repositories while keeping those systems off the open internet. Anthropic said MCP tunnels work with both Managed Agents and the Messages API and are administered through workspace settings inside the Claude Console.
The release highlights how competition in enterprise AI is increasingly shifting away from raw model performance alone and toward deployment architecture, governance, and operational control. As companies push agents into more sensitive workflows, concerns around security boundaries, observability, and infrastructure ownership are becoming central to adoption decisions.
Anthropic framed the new capabilities as a way for enterprises to maintain tighter control while still using managed agent infrastructure. “Both the sandbox where an agent executes tools and the services it reaches run within the established boundaries of your enterprise, under your security and runtime controls,” the company said.
The company also signaled that it sees enterprise infrastructure flexibility as a key part of the next phase of agent adoption. Beyond the current rollout, Anthropic said it is providing documentation, setup guides, and deployment tooling for organizations looking to integrate Managed Agents into their own environments.
This analysis is based on reporting from Claude.
Image courtesy of Claude.
This article was generated with AI assistance and reviewed for accuracy and quality.
