Sandboxes + MCP Tunnels Land at Code with Claude London

Anthropic today launched self-hosted agent sandboxes (public beta) and MCP tunnels (research preview) at Code with Claude London — Anthropic's first dedicated developer event outside the United States. The announcement introduces a new architectural layer for Claude Managed Agents: the agent orchestration loop stays on Anthropic's infrastructure, while tool execution moves inside the customer's own cloud environment.

The timing is deliberate. Code with Claude London opened on the same morning as Google I/O 2026 at Shoreline Amphitheatre. Where Google spent its keynote on consumer-AI products — AI Mode for 1B users, the Spark personal agent, Universal Cart shopping — Anthropic spent its London stage on enterprise developer primitives. Both answers to "what does an AI agent need to do real work" reflect genuinely different bets on where enterprise trust gets earned.

This guide covers what shipped today, how the architecture split works, a provider-by-provider breakdown of the four sandbox partners (Cloudflare, Daytona, Modal, Vercel), how MCP tunnels expose private servers without inbound firewall rules, and the honest gaps still present at launch. Internal links to companion guides on AI transformation, enterprise agent reference architecture, and MCP server security best practices are woven throughout.

Anthropic announced two additions to Claude Managed Agents at Code with Claude London on May 19, 2026. Both ship under the umbrella of "perimeter-first" agent infrastructure — the idea that compliance, security, and data-residency requirements should be solved at the architecture level rather than negotiated case-by-case in enterprise contracts.

Self-hosted sandboxes (public beta)let teams configure Claude Managed Agents to execute tools inside their own cloud environment — Cloudflare, Daytona, Modal, Vercel, or a custom sandbox client the team already operates. The agent loop that handles context management, error recovery, and orchestration continues to run on Anthropic's infrastructure. What moves is tool execution: bash commands, file writes, API calls, code interpretation — any action the agent takes against the outside world now happens inside the customer perimeter.

MCP tunnels (research preview) solve a different problem. Private MCP servers — internal databases, knowledge bases, ticketing systems, proprietary APIs — have historically required either VPN exposure for cross-cloud agents (operationally painful) or a public endpoint with firewall rules (security surface). MCP tunnels replace both options with a single outbound encrypted connection initiated from inside the customer network. No inbound firewall modifications. No public endpoints. Tunnel administration runs through workspace settings in the Claude Console and applies to both Managed Agents and the Messages API.

The central architectural claim from the keynote is precise and worth unpacking carefully. According to Anthropic's product framing as reported by 9to5Mac: “The agent loop that handles orchestration, context management, and error recovery stays on Anthropic's infrastructure, while tool execution moves to your own configured environment.”

This is not "self-host Claude." The model weights, the agent loop, the context window management, and the error-recovery logic all remain on Anthropic's infrastructure. What changes is where the agent's outputs get executed. When Claude decides to run a bash command, write a file, call an API, or invoke a tool — that execution now happens inside the customer's sandbox, governed by the customer's security controls, DLP policies, IAM rules, and audit-log pipeline.

The practical implication for compliance teams is substantial. Before today, enterprise pilot delays of six to twelve weeks were routine at banks, insurers, healthcare providers, and regulated industrials because data-governance and infrastructure teams could not accept tool execution happening inside Anthropic's cloud. The split architecture addresses that objection at the platform level rather than through contractual carve-outs.

For a deeper architectural context — including how this pattern compares to other enterprise agent deployment models — see our enterprise agent platform reference architecture.

Anthropic launched with four named sandbox partners and a BYO (bring-your-own) sandbox path for teams that have already built sandboxing infrastructure in-house. Each partner uses a different isolation primitive, which is the decision input enterprise architects actually need — not just a list of logos.

The four day-one customer references map cleanly to the four launch providers: Amplitude (Design Agent) on Cloudflare, Clay (Sculptor GTM agent) on Daytona, DoorDash (internal productivity agent) on Modal, Rogo (financial-analyst agent) on Vercel, per reporting by Business News Today. These are not lab tests — Amplitude, DoorDash, and Rogo operate in compliance-sensitive environments where exactly this kind of perimeter control was the blockers.

Choosing between these five options is primarily a function of three variables: the isolation primitive your security team will approve (microVM vs container vs workspace VM), whether the agent workload requires GPU access or stateful resumption, and which cloud or vendor ecosystem your team already operates in. Teams on Vercel who already have SOC 2 Type II in place should default to the Vercel integration. Teams running GPU-bound pipelines should evaluate Modal. Teams with complex egress requirements should start with Cloudflare. Teams running multi-week autonomous agents should look at Daytona.

MCP tunnels solve a different problem from self-hosted sandboxes. While sandboxes control where tool execution happens, tunnels control how agents reach private resources — databases, internal APIs, knowledge bases, ticketing systems — without those resources needing to be exposed to the public internet.

The mechanism, as described in The New Stack's reporting: a lightweight gateway you deploy inside your network makes a single outbound encrypted connection to Anthropic's infrastructure. No inbound firewall rule modifications. No public endpoint creation. Traffic is encrypted end-to-end. Agents on Anthropic's side reach private MCP servers through that tunnel; the servers themselves never become reachable from the public internet.

The analogy to prior art is useful. Cloudflare Tunnel and Tailscale Funnel established the "outbound-only gateway" pattern for web traffic. MCP tunnels apply that pattern specifically to the MCP transport layer — using the MCP 2025-11-25 specification (stdio and Streamable HTTP transports) rather than arbitrary HTTP. Administration runs through the Claude Console workspace settings and the tunnels apply to both Managed Agents and the Messages API — meaning even non-agentic Messages API calls can reach private servers through a configured tunnel.

For engineering teams evaluating whether MCP tunnels reduce the security review surface compared with running a VPN-exposed MCP server, see our guide on MCP server security best practices. The tunnel pattern eliminates the inbound-exposure surface but introduces a dependency on Anthropic's gateway availability and encryption implementation — factors your security team should evaluate during the research preview period.

Code with Claude London opened on May 19, 2026 at a Riverside venue in London — Anthropic's first dedicated developer conference outside the United States and its first in Europe, per reporting by Fortune. The event was heavily oversubscribed, drawing enterprise customers, startup workers, and Claude enthusiasts. Format mirrored the San Francisco and New York City Code with Claude editions.

The Day 1 Claude Platform agenda covered multi-agent orchestration, outcomes, memory, dreaming, advisor strategy, Claude Managed Agents, self-hosted sandboxes, and MCP tunnels. Claude Code sessions covered routines, auto mode, work trees, memory, agents view, remote control, and improved desktop workflows.

The most-cited stage data point came from Spotify: more than 99% of Spotify engineers use AI coding tools every week, 94% report higher productivity, PR frequency is up 76%, and 2.5 million automated maintenance PRs have been merged via fleet management. These numbers serve as the empirical floor for the "agents work at production scale" thesis that frames the sandbox and tunnel announcements — cited via Fortune's reporting, not as Anthropic's own figures.

Two on-stage quotes from Fortune capture the cultural register Anthropic aimed for. Fiona Fung, Head of Engineering at Anthropic: “Pick your noisiest workflow and ask if it's still serving its purpose.” Boris Cherny, Head of Claude Code: “I buy my veggies at a farmer's market. There's always room for that.” Both land in the same frame — AI does the grunt work; humans retain judgment over what matters.

For context on what was previewed before the event, see our pre-event preview of Code with Claude London.

The most structurally interesting thing about May 19, 2026 is the name collision. Google announced its “Managed Agents API” at Google I/O. Anthropic announced its “Claude Managed Agents” self-hosted mode at Code with Claude London. Two of the three frontier labs released enterprise agent primitives with the same product name on the same day — with architecturally opposite implementations.

The architectural delta is the trust spectrum. Google says: trust the runtime — we've isolated it, our security posture is your security posture. Anthropic says: bring the runtime to you — your security controls apply by default, we handle orchestration only. Neither position is wrong. They reflect different primary customers. Google's model optimizes for teams that want zero infrastructure overhead and trust Google's cloud security team. Anthropic's model optimizes for regulated industries, multi-cloud enterprises, and teams where data-residency requirements make vendor-cloud tool execution a non-starter.

The name collision matters for procurement teams evaluating both platforms in the same quarter. Request vendors clarify what “managed agent” means in their specific proposal — whether tool execution runs inside the vendor's cloud or inside yours is the load-bearing architectural decision, not a footnote.

For the Google side of the collision — the Interactions API, the antigravity-preview-05-2026 default agent, and the AGENTS.md + SKILL.md configuration model — see our Google Managed Agents API deep dive. For a complete breakdown of what else Google announced at I/O 2026, see our complete Google I/O 2026 announcement guide.

On February 4, 2026, Anthropic published “Claude is a space to think” — the canonical essay articulating the company's stance on Claude's relationship to users. The essay's most-quoted line: “Claude will remain ad-free. Our users won't see ‘sponsored’ links adjacent to their conversations with Claude.” The essay is not new this week. It was not published today. The London keynote leaned on it — Anthropic reasserted the stance on stage — but the commitment to remaining ad-free is nearly four months old.

The restatement timing is not accidental. Google I/O's May 19 keynote featured ad-integrated AI products — Universal Cart shopping that connects AI Mode to Google's advertising business, consumer AI features that are structurally adjacent to ad revenue. By reasserting the February 4 essay from a London stage on the same morning, Anthropic positioned enterprise contracts and paid subscriptions as its complete business model — structurally opposite the consumer-ads architecture that Google's developer day was partly built around.

The same day, Anthropic announced that Andrej Karpathy had joined as a research scientist — a research-talent signal layered on top of the product announcements, without direct connection to the sandbox or tunnel launches. And KPMG announced a strategic alliance to integrate Claude across its 276,000-person workforce — the third proof point of the day that Anthropic's enterprise momentum extends well beyond developer tooling.

For enterprise teams weighing the compliance and governance implications of these moves, our SOC 2 controls mapping for agentic AI provides the audit framework for evaluating vendor commitments against your organization's control environment.

Anthropic was transparent about what isn't available yet. Three gaps are documented in the launch coverage and one structural limitation applies to how the sandbox client is scoped.

These gaps are predictable for a first-day public beta — the priority was enabling the trust architecture (tool execution in your perimeter) before optimizing for platform breadth (every cloud, every memory model). For teams currently on AWS who need self-hosted sandboxes, the practical options are to wait for AWS support, evaluate the BYO sandbox path with a proxy layer, or run a parallel Cloudflare or Modal pilot on a non-AWS workload to build operational experience before the AWS integration lands.

Three signals from the public beta maturity arc are worth watching.

AWS support closure.The AWS gap is the single largest blocker for enterprise teams whose infrastructure is AWS-native. Anthropic hasn't published a timeline, but the gap is explicitly documented in launch coverage as a near-term roadmap item rather than a "not planned" note. The Vercel Sandbox (Firecracker on Amazon Linux 2023) and the BYO path suggest the infrastructure patterns for AWS alignment already exist — the question is operational readiness and certification.

Memory in self-hosted sessions. Session memory is a core differentiator for autonomous agents running multi-step, multi-day workflows. Its absence in self-hosted mode means teams need workarounds — external vector stores, manual context injection, or session-stitching logic — that add operational complexity. Adding memory to self-hosted sessions is likely a pre-GA requirement.

MCP tunnels GA. The research preview label means protocol and auth-model iteration is still in flight. Teams evaluating MCP tunnels as a production pattern should track the MCP 2025-11-25 specification changelog — specifically the OAuth 2.1 + PKCE authorization model — because the tunnel auth handshake is likely built on that foundation and may shift before GA. Our guide on the Claude Agent SDK production patterns covers the auth-integration surface in detail.

The counter-programming interpretation for forward-looking product strategy: Anthropic is building the enterprise-perimeter primitives in 2026 that will define which platform regulated industries default to in 2027. The compliance-bottleneck problem ("six to twelve weeks of pilot delays") is a large enough TAM blocker that solving it structurally — rather than contractually — is the right product priority. AWS support, memory in self-hosted, and MCP tunnels GA are the three milestones that convert the launch thesis from a compelling pitch into a default enterprise choice.