Anthropic is making a sharper enterprise pitch: keep the orchestration managed, but pull code execution and private tool access back inside your own network boundary.
A lot of managed-agent announcements still sound like a capability list.
Better tools. More autonomy. More connectors. More workflow magic.
But the enterprise question usually lands somewhere less glamorous: where is the agent actually running, what can it reach, and whose boundary owns the risk when it starts touching real systems?
Anthropic's self-hosted sandboxes matter because they answer that question more directly than most managed-agent launches do.
The company is keeping orchestration on Anthropic's side while letting customers move tool execution into infrastructure they control. That sounds like plumbing, but it is exactly the kind of plumbing that decides whether a managed-agent product stays in pilot mode or becomes viable for serious internal work.
What changed
Anthropic's documentation now describes self-hosted sandboxes as an option for Managed Agents. Instead of running tools and code inside Anthropic-managed cloud containers, customers can run that work inside their own environment.
The practical implication is straightforward.
If a team wants Anthropic to coordinate the agent but does not want agent code execution, filesystem activity, or network egress happening inside vendor-managed infrastructure, Anthropic now has a clearer answer than "wait for roadmap updates" or "build the whole thing yourself."
That is a real product shift.
Why the MCP tunnel detail matters
Anthropic also makes a useful distinction that buyers should not blur.
Self-hosted sandboxes decide where execution happens.
MCP tunnels decide how Anthropic reaches private MCP servers inside your network.
Those are not the same control surface.
Anthropic says a hosted session can still reach private MCP servers through tunnels, and a self-hosted session can use tunneled or public MCP servers. In other words, teams now have separate levers for execution location and private-tool connectivity.
That is more mature than the usual all-or-nothing agent pitch.
It means buyers can reason about the architecture in pieces:
Where does the code run?
Which network policy governs egress?
Which tools stay private?
Which part of the system must meet internal audit requirements?
Those are better questions than simply asking whether a vendor "supports agents."
What Anthropic is really selling
The deeper story is not self-hosting by itself.
It is a middle path.
Fully vendor-hosted agents are easier to start with, but they often run into security or compliance constraints, or cannot reach internal services. Fully self-built orchestration gives teams maximum control, but it also means owning more operational complexity.
Anthropic is trying to occupy the space in between: managed orchestration on one side, customer-controlled execution on the other.
That makes the product more relevant to teams that already like managed-agent ergonomics but keep getting blocked by boundary concerns.
We have seen the same buying pressure show up in other places too, whether it is self-hosted coding agents, sandbox runtime density, or governance-heavy AI deployments. The common theme is simple: once agents stop being demos, control surfaces become more important than promises of raw autonomy.
Where teams should stay skeptical
This does not remove the hard parts.
Self-hosting tool execution still leaves teams responsible for worker lifecycle, runtime policy, auditing, secrets handling, and the practical messiness of connecting private systems cleanly.
It also does not mean every managed-agent workload belongs inside a private boundary. Some tasks are fine in vendor-managed environments. Others are not. The point is that the decision is becoming explicit.
Teams evaluating this should stay disciplined about at least four things.
First, worker operations. Anthropic describes always-on and webhook-triggered worker patterns. That is real infrastructure, not just a checkbox in a dashboard.
Second, scope creep. Once private access becomes possible, teams may over-connect internal systems too quickly.
Third, policy clarity. If your organization cannot explain which tools an agent may reach and why, self-hosting will not save you.
Fourth, false equivalence. MCP tunnels solve a connectivity problem. Self-hosted sandboxes solve an execution-boundary problem. Keep those conversations separate.
The bigger signal
Anthropic is helping define the next phase of managed agents.
The winning platforms may not be the ones with the loudest "autonomous" marketing. They may be the ones that let customers place execution, networking, and approvals on the side of the boundary that makes operational sense.
That is why this update matters.
It tells buyers that managed agents are becoming less about whether the vendor can demo complex behavior and more about whether the architecture can survive contact with enterprise reality.