Claude vs Google Antigravity vs OpenAI Frontier: CISO Showdown

The CISO's 8-dimension comparison: Claude Managed Agents (May 19 self-hosted sandboxes) vs Google Antigravity Managed Agents vs OpenAI Frontier.

At Code w/ Claude London on May 19, 2026, Anthropic shipped two updates to Claude Managed Agents that change the enterprise-AI conversation: self-hosted sandboxes (public beta) and MCP tunnels (research preview). Tool execution can now run inside your VPC. Internal MCP servers can be reached without opening inbound firewall ports. The agent loop still runs on Anthropic’s infrastructure — but everything sensitive moves inside your perimeter.

That changes the comparison with Google Antigravity Managed Agents (announced at Google I/O 2026) and OpenAI Frontier (launched in February). This is the 8-dimension CISO comparison you can take into your Q3 procurement meeting.

What Anthropic actually shipped on May 19

Two features, both architecturally significant.

Self-hosted sandboxes (public beta). The agent loop, context management, error recovery, and session state stay on Anthropic. Tool execution — the part where the agent actually reads a file, runs a script, or makes an API call — moves to your infrastructure or to a managed provider you choose. Per Anthropic’s announcement, the four supported managed providers at launch are Cloudflare, Daytona, Modal, and Vercel. Or you can run on your own Kubernetes cluster in your VPC.

MCP tunnels (research preview). Your agent can now call private MCP servers — internal databases, ticketing systems, the messy stack of internal APIs every enterprise actually runs on — without exposing any of them to the public internet. A lightweight gateway in your network opens a single outbound TLS connection to Anthropic via Cloudflare. No inbound firewall openings. Three layers of protection: outer mTLS between Anthropic and Cloudflare, inner TLS between Anthropic and your gateway proxy (Cloudflare never sees the payload), and OAuth on each MCP server. Per VentureBeat’s coverage, credential control moves to the network boundary instead of living in the agent.

Image: Anthropic’s May 19, 2026 announcement of self-hosted sandboxes (public beta) and MCP tunnels (research preview) for Claude Managed Agents. Source: Anthropic Blog — New in Claude Managed Agents: self-hosted sandboxes and MCP tunnels.

The X reaction from enterprise architects was the loudest signal. @kiyo_ai_allin posted on May 22 (translated from Japanese): “MCP Tunnels: just one outbound connection, end-to-end encrypted. The biggest wall to letting Claude touch internal data has come down.” Anthropic’s @PriyankaPhatak shared the launch post the same day; it reached 2,109 views. The Hacker News thread had low traction (only ~5 points), which itself is signal: this isn’t viral-builder news, it’s quiet-enterprise news. The CISO mailing list gets it; the indie hacker timeline doesn’t.

The honest caveat Anthropic itself documents: Managed Agents is not yet eligible for Zero Data Retention (ZDR) or HIPAA BAA, because the session orchestration on Anthropic’s side retains conversation history and event logs. Self-hosted sandboxes keep tool execution local, but the agent loop’s state still lives in Anthropic’s US workspace. For ultra-regulated workloads, that’s a real constraint to weigh.

The 8 dimensions every CISO is actually weighing

This is the comparison table I’d put on screen in a Q3 procurement meeting. Each row scored on what’s publicly documented today.

  1. Execution isolation
     • Claude Managed Agents: Self-hosted sandbox in your VPC (Kubernetes), or managed (Cloudflare/Daytona/Modal/Vercel). Anthropic-hosted container is also an option.
     • Google Antigravity: Google-hosted ephemeral Linux sandboxes by default; “Local Only” mode for sensitive workloads uses local models (Gemma/Llama).
     • OpenAI Frontier: Cloud + local runtime support; isolation mechanics not fully public. Same security foundation as other OpenAI enterprise offerings.
  2. Network perimeter / private-tool access
     • Claude Managed Agents: MCP tunnels = outbound-only, no inbound firewall rules. Three-layer encryption. Best in class.
     • Google Antigravity: Default mode requires no external network/credential access unless explicitly configured. No MCP-tunnel equivalent published.
     • OpenAI Frontier: Agents connect to external apps with admin-defined permission scopes; no published private-network MCP pattern yet.
  3. Identity & access management
     • Claude Managed Agents: API keys + workspace permissions. MCP servers use OAuth/bearer per tool.
     • Google Antigravity: Google Cloud IAM for the Gemini Enterprise Agent Platform.
     • OpenAI Frontier: Each agent gets an “employee ID” that integrates with enterprise IAM. Strongest at human-style governance.
  4. Data residency
     • Claude Managed Agents: US workspace geo today. inference_geo available on the Messages API but not Managed Agents yet. Self-hosted sandbox keeps tool execution local.
     • Google Antigravity: Anchored to the GCP region you select; enterprise residency controls apply.
     • OpenAI Frontier: Built on the OpenAI enterprise stack; regional deployments supported; per-agent pinning not detailed publicly.
  5. Data retention
     • Claude Managed Agents: Managed Agents not ZDR-eligible today (session history retained); explicit caveat. Self-hosted sandbox files can stay local.
     • Google Antigravity: Zero-retention agreement for enterprise users; code sent for inference not stored or used for training (per third-party security analysis).
     • OpenAI Frontier: Enterprise-grade separation between enterprise data and training corpora. No explicit Frontier-specific ZDR toggle published.
  6. Audit logging
     • Claude Managed Agents: Session event logs + traces in Claude Console — every tool call, message, status update.
     • Google Antigravity: Mission Control audit logs track developer, files accessed, code generated (per third-party reviews).
     • OpenAI Frontier: “Agent actions are visible and auditable” — HR-style oversight, performance tracking, action records per agent.
  7. Compliance certifications
     • Claude Managed Agents: Anthropic enterprise posture documented separately; Managed Agents specifically excludes ZDR + HIPAA BAA today.
     • Google Antigravity: Inherits GCP compliance (SOC, ISO, HIPAA, etc. depending on region/configuration).
     • OpenAI Frontier: SOC 2 Type II, ISO 27001/27017/27018/27701, CSA STAR — most explicit current compliance footprint.
  8. Customer-controlled execution + private tools
     • Claude Managed Agents: Best in class — self-hosted sandboxes + MCP tunnels are first-class, productized features.
     • Google Antigravity: Local Only mode exists per third-party analysis; not yet documented as a first-class product page.
     • OpenAI Frontier: Agents can integrate with internal systems through admin-defined scopes; no published equivalent of “tool execution in your VPC”.

Image: VentureBeat’s coverage — Claude agents can finally connect to enterprise APIs without leaking credentials, framing MCP tunnels as the credential-control solution. Source: VentureBeat — Securing AI agent credentials with MCP tunnels.

The honest one-sentence takeaway: Anthropic is currently the only vendor with a productized story for “agents that execute tools inside our perimeter and call our private APIs without exposing them publicly.” Google has Local Only mode for the most sensitive end of the spectrum (where models run on your hardware too, with no data leaving), but it’s documented mostly by third-party reviewers, not in Google’s official product page yet. OpenAI Frontier has the strongest compliance certifications and the most mature identity-mapping model (“each agent has an employee ID”) but doesn’t yet have a private-tool MCP equivalent.

The 4 managed sandbox providers — which one to pick

If you don’t want to run sandboxes on your own Kubernetes cluster, Anthropic’s four launch partners give you turnkey options. Picking between them depends mostly on what your team already runs.

Cloudflare Sandboxes (cloudflare.com/sandbox). Container-based isolation, runs close to the edge via Workers. TypeScript/JavaScript primary. Pricing usage-based: billed via Cloudflare Containers (CPU on active usage, memory/disk on provisioned capacity), plus Workers/Durable Objects/logs. Base plans around $5/month. Pick this if your team is already on Cloudflare, your sandboxes are short-lived, you care about MicroVM-grade isolation and egress controls, and you’re already in the Cloudflare audit-log world.

Modal Sandboxes (modal.com). High-scale Python workloads with CPU + GPU support. Programmatic sandbox lifecycle. Starter tier $0 + compute charges (~$0.000039 per core-second); team plans start in the low hundreds per month. Pick this if your agents do real ML work, your sandboxes need GPU acceleration, or your team is Python-heavy and already uses Modal for batch jobs.

Vercel Sandbox (vercel.com/docs/sandbox). Ephemeral sandbox execution tightly integrated with Next.js and the Vercel platform. Fast startup. Free Hobby tier; Pro from $20/month + usage; Enterprise custom. Runtime caps: 45 minutes on Hobby, 5 hours on Pro/Enterprise; no GPU. Pick this if your agents are calling your existing Next.js APIs, your team lives in Vercel already, and your sandbox jobs fit inside the 5-hour cap.

Daytona (daytona.io). VM or container isolation for persistent dev and agent sandboxes. Python and TypeScript supported. Open-source core; hosted is usage-based with generous startup credits ($30K+ for early-stage teams). Pick this if you want long-lived persistent agent environments, want the option of self-hosting the same software you’d otherwise pay for, or your team is a YC/early-stage startup eligible for the credit program.

The honest order of operations for most enterprises: start with Cloudflare if you already use Workers, Modal if your agents need Python/GPU compute, Vercel if your stack is Next.js-anchored, Daytona for the maximum vendor-portability story.

What MCP tunnels actually look like in practice

Anthropic’s MCP tunnel docs describe the topology in detail. Three components in your network:

  1. cloudflared — the tunnel agent. Initiates outbound-only connections to Anthropic’s tunnel edge on Cloudflare. Outbound 7844/TCP+UDP only.
  2. Proxy — Anthropic’s routing component you deploy inside your perimeter. Terminates the inner TLS layer using a certificate whose private key you hold. Validates that incoming requests come from Anthropic’s IP ranges before forwarding.
  3. MCP servers — your private internal MCP servers, on whatever ports you configure. The proxy routes to them by subdomain (e.g., docs.your-tunnel-domain routes to your docs MCP server, tickets.your-tunnel-domain routes to your ticketing MCP server).

Traffic flow on every request:

  • Anthropic’s backend establishes a connection over the Cloudflare-managed tunnel using outer mTLS (validated by Anthropic IP + Cloudflare’s transport security).
  • Inside that connection, Anthropic and your proxy negotiate a second TLS session — inner TLS — with a certificate you control. Cloudflare cannot see the payload, only timing/byte-volume metadata.
  • Your proxy forwards the request to the appropriate MCP server, where application-layer OAuth or bearer-token auth enforces per-tool permissions.

The three-layer setup is what makes this materially different from “just put your MCP server on a public URL and require an OAuth token.” Public exposure is one layer of risk; MCP tunnels eliminate that layer entirely.
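To make the per-request checks above concrete, here is an added Python model (not Anthropic’s proxy or tunnel code) of the decisions the in-perimeter proxy and an MCP server make on each request: source-range validation, routing by subdomain, and per-server bearer auth. The IP ranges, tunnel domain, backend addresses and tokens are constructed placeholders.

```python
# Added example, not Anthropic's proxy or tunnel code: a model of the per-request
# checks described above. All ranges, hosts, addresses and tokens are constructed.
import hmac
import ipaddress
from typing import Optional, Tuple

# Placeholder for Anthropic's published source ranges; substitute the real list.
ALLOWED_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                         ipaddress.ip_network("2001:db8:1::/48")]
TUNNEL_DOMAIN = "your-tunnel-domain.example"  # constructed tunnel domain
# Subdomain -> internal MCP server address (constructed).
ROUTES = {"docs": "10.0.5.10:8080", "tickets": "10.0.5.11:8080"}
# Per-server bearer tokens, enforced by each MCP server, not the proxy (constructed).
SERVER_TOKENS = {"docs": "docs-secret-token", "tickets": "tickets-secret-token"}


def source_allowed(ip: str) -> bool:
    """Proxy check 1: only Anthropic's ranges may reach the inner TLS listener."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCE_RANGES)


def route_for(host: str) -> Optional[str]:
    """Proxy check 2: route by subdomain of the tunnel domain; unknown hosts get no route."""
    suffix = "." + TUNNEL_DOMAIN
    if not host.endswith(suffix):
        return None
    sub = host[: -len(suffix)]
    return sub if sub in ROUTES else None


def server_accepts(sub: str, bearer: Optional[str]) -> bool:
    """MCP server check 3: application-layer bearer auth, compared in constant time."""
    return bearer is not None and hmac.compare_digest(bearer, SERVER_TOKENS[sub])


def handle(source_ip: str, host: str, bearer: Optional[str]) -> Tuple[int, str]:
    """Run the checks in order; return (status, reason or selected backend)."""
    if not source_allowed(source_ip):
        return 403, "source not in allowed ranges"
    sub = route_for(host)
    if sub is None:
        return 404, "no route for host"
    if not server_accepts(sub, bearer):
        return 401, "bearer rejected by MCP server"
    return 200, ROUTES[sub]
```

The inner TLS termination itself is omitted; the point is that a request must clear the network-boundary checks before any MCP server ever sees its bearer token.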

Where the comparison breaks for your specific buyer profile

Three real-world profiles, three different right answers.

Profile 1 — Financial services (banks, asset managers, RIA platforms). Data residency is hard-locked, audit trails must be schema-validated, and AI workloads can’t carry session state outside your security perimeter under most regulatory readings. Anthropic Managed Agents falls short here today because session orchestration retains state in the US workspace — that’s an honest dealbreaker for some regulators. The right pick depends on whether your regulator accepts ephemeral session-state retention (most do) or requires it stay inside your VPC end-to-end (some do, especially EU/Switzerland). Google Antigravity with regional residency pinning, or OpenAI Frontier with its certification stack, may fit better here in 2026.

Profile 2 — Healthcare (hospital IT, clinical-trial platforms, payer organizations). HIPAA BAA is the gating question. Right now, Anthropic Managed Agents is not BAA-eligible (per its own docs). Google Cloud’s HIPAA-eligible services include Gemini deployments in certain configurations. OpenAI has BAAs available for some enterprise deployments. If HIPAA is on the table, Anthropic is on the bench until BAA eligibility ships.

Profile 3 — Federal / classified workloads. None of the three vendors is FedRAMP-High yet for its Managed Agent product specifically. Google Cloud has the deepest FedRAMP footprint overall (some Gemini services FedRAMP-High); OpenAI has FedRAMP-Moderate authorization for some services; Anthropic’s authorization position is moving, but Managed Agents specifically isn’t there yet. If you need IL5 or higher, this isn’t a decision you’re making in 2026 — it’s a 2027 conversation.

For everything that isn’t one of those three profiles — most SaaS companies, most enterprise IT shops, most platform teams — the answer is closer to “all three work; pick the one that matches your model preference.”

What this can’t fix

It can’t replace your own threat modeling. “Tool execution inside our VPC” is a real architectural improvement, but your agent is still calling code that someone wrote. If your tool definitions allow shell access, network access, or filesystem writes that an attacker could abuse, an attacker can still abuse them. Sandboxing the execution doesn’t sandbox the tool design.

It can’t make ZDR or BAA appear by wishing. Anthropic’s documentation is explicit that Managed Agents specifically isn’t ZDR-eligible today. That changes when Anthropic ships ZDR support for the session layer — when, not if, but the “when” is on Anthropic’s roadmap, not yours.

It can’t replace the audit conversation with your security team. Self-hosted sandboxes mean your security team can see the logs. They still need to actually look at the logs. Audit logging is a tool, not a substitute for SOC processes.

It doesn’t make the AI vendor-lock-in question go away. Even with self-hosted execution, you’re depending on Anthropic’s orchestration layer staying available, maintaining its API contracts, and not changing its pricing in a way that makes the deal uneconomic mid-contract. The Claude Code billing change announced May 13 (effective June 15) is a fresh reminder that vendor terms can shift. Build your architecture so swapping orchestration providers is possible, even if you don’t expect to do it.

The bottom line

Anthropic, Google, and OpenAI are all competitive on managed-agent infrastructure today. The differentiator at the CISO desk in May 2026 is whether you need agents that execute tools inside your perimeter and call your private APIs without exposing them publicly — and on that specific question, Anthropic is the only one with a productized answer this week.

For most enterprises evaluating in Q3, that specificity matters more than the broader certification footprint. Picking a vendor that hasn’t shipped the perimeter story yet because its compliance stack is bigger means you’ll keep waiting for the perimeter story to ship. Picking Anthropic now means you get the perimeter story today and watch for the ZDR/BAA story to ship next.

If you want to go deeper on the MCP architecture itself — how to design custom MCP servers, when to use MCP tunnels vs putting MCP servers on the public internet, how to audit MCP server quality — our MCP Tools course covers the protocol end-to-end. For the broader AI architecture decisions this raises (single-vendor dependency, swap-cost minimization, the rolling impact of each vendor’s roadmap), AI Fundamentals is the structural primer.

The bigger question to put on your security team’s calendar: which of your internal systems should be reachable by agents, under what audit controls, with what kill-switch latency? That conversation is the one that decides whether the May 19 announcement matters for your stack. The technology is here; the policy is still on you.
