For most of 2025 and early 2026, the same pattern played out across every regulated enterprise that wanted to ship a Claude agent. Engineering loved it. Security flagged it. Legal escalated it. The pilot froze for six to twelve weeks while data-governance teams tried to reconcile a beautiful agent loop with a non-starter constraint: tool execution was happening inside Anthropic's cloud, touching files and services that were never supposed to leave the corporate perimeter.
On May 19, 2026, at Code with Claude London, Anthropic shipped the answer. Self-hosted sandboxes for Claude Managed Agents went into public beta, alongside MCP tunnels in research preview. The pitch is simple and the architecture is even simpler: keep the agent's brain on Anthropic's infrastructure, move the hands inside your perimeter. For MENA banks, healthcare providers, government contractors, and any team operating under data residency rules, this is the unlock that turned a 12-week pilot conversation into a 12-day one.
The brain-hands split
Until now, Claude Managed Agents ran the entire loop on Anthropic-managed cloud sandboxes. The agent reasoned about a task, called a tool, the tool executed inside Anthropic's environment, and the result fed back into the next reasoning step. Clean, fast, and a hard sell to any compliance officer who actually reads vendor contracts.
Self-hosted sandboxes split that loop in half. Anthropic still owns what they call the orchestration layer — context management, model inference, error recovery, the agent's actual decision-making. You own the execution layer — every bash, read, write, edit, glob, and grep call, the filesystem the agent touches, and the network egress from the sandbox. Sensitive files never leave your network. Internal services never get exposed. The agent reasons about your private data without your private data ever crossing into Anthropic's cloud.
Anthropic's own framing — "decoupling the brain from the hands" — is the right mental model. The brain is portable and stateless. The hands stay home.
Four managed providers, four shapes of sandbox
You can build the execution layer yourself on top of any container runtime, but Anthropic shipped first-party integrations with four managed sandbox providers. They are not interchangeable; each one optimizes for a different shape of workload.
Cloudflare brings microVM isolation, zero-trust secrets injection, and customizable egress proxies. The agent runs inside lightweight isolates on Cloudflare's network and can reach internal services through Cloudflare Tunnel without exposing them publicly. Good fit for teams already running their stack on Cloudflare and wanting the network controls that come with it.
Daytona offers long-running, stateful sandboxes accessible over SSH or authenticated preview URLs, with pause-and-restore that retains full state between sessions. Built for agents that need to keep a working environment alive across turns — IDE-like workflows, multi-day analyses, anything where rebuilding state every session would be wasteful.
Modal is the AI-workload specialist. Sub-second startup on any container image, hundreds of thousands of concurrent sandboxes, CPU and GPU on demand. If the agent triggers expensive builds, runs image generation, or trains small models as a tool call, Modal is the one that absorbs the spike without warning you about quota.
Vercel combines VM-level security with VPC peering and bring-your-own-cloud. The Vercel Sandbox firewall injects credentials at the network boundary, meaning the sandbox itself never sees the secret material it uses to authenticate outbound calls. Strong fit for teams already running Next.js or Vercel Functions and wanting agent execution to inherit the same VPC and IAM posture.
You are not locked in. The self_hosted environment is a work queue — any process that can poll the queue, run a tool call, and post a result back qualifies as a worker. The four providers exist because they did the integration work upfront.
How it actually works
Under the hood, the architecture is a queue. When you create a session targeting a self-hosted environment, Anthropic enqueues a work item. Your worker — running on your infrastructure — claims the item, downloads the agent's skills, executes tool calls locally, and posts results back. The agent loop on Anthropic's side waits for those results and continues reasoning.
There are two worker patterns. Always-on workers poll the queue continuously, ideal for steady-state load. Webhook-triggered workers wake on a session.status_run_started event and start polling, ideal for bursty or low-volume workloads where keeping a poller alive is wasteful.
Creating an environment is a single API call:
import Anthropic from "@anthropic-ai/sdk";

// Uses the organization's API key from the process environment.
const client = new Anthropic();
const environment = await client.beta.environments.create({
  name: "self-hosted",
  config: { type: "self_hosted" }
});
console.log(environment.id);

Running an always-on worker with the TypeScript SDK is equally compact:
import Anthropic from "@anthropic-ai/sdk";
import { EnvironmentWorker } from "@anthropic-ai/sdk/helpers/beta/environments";

// The worker host carries only the environment-scoped key, never the API key.
const environmentKey = process.env.ANTHROPIC_ENVIRONMENT_KEY!;
const environmentId = process.env.ANTHROPIC_ENVIRONMENT_ID!;
const client = new Anthropic({ authToken: environmentKey });

await new EnvironmentWorker({
  client,
  environmentId,
  environmentKey,
  workdir: "/workspace"
}).run();

The worker authenticates with an environment key scoped to a single environment, not your full Anthropic API key. This matters: the API key on a worker host would expose an organization-wide credential to whatever the agent decides to do with bash. The environment key cannot create environments, cannot start sessions, and cannot read other workspaces. It is the minimum credential the worker needs to do its job.
For stronger isolation, run each session in its own container. The ant CLI supports an --on-work hook that calls a spawn script per claimed item, letting you launch a fresh Docker container — or a Cloudflare microVM, or a Modal sandbox — for each session. Filesystem and resource limits are reset between runs, which matters when the agent is touching arbitrary code or untrusted input.
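A per-session spawn script for the --on-work hook, as an added example (not Anthropic's or any provider's code), that also enforces the credential rule above: the worker host may hold only the environment-scoped key. Assumptions not on the page: the hook passes the work item id as the first argument, the worker image tag, and a pre-created Docker network named sandbox-egress whose only route out is an egress proxy.

```shell
#!/bin/sh
# Added example, not Anthropic's code: spawn script for the ant CLI --on-work hook.
# Launches one throwaway, hardened Docker container per claimed work item, so
# filesystem and resource limits are reset for every session.
# Assumptions (not from the page): the hook passes the work item id as $1, the
# worker image is built separately, and SANDBOX_NETWORK is a pre-created Docker
# network whose only route out is an egress proxy.
set -eu

IMAGE="${WORKER_IMAGE:-agent-worker:latest}"          # assumed image tag
SANDBOX_NETWORK="${SANDBOX_NETWORK:-sandbox-egress}"  # assumed network name

# The container must only ever receive the environment-scoped key. Refuse to
# spawn if the org-wide API key is present on the worker host at all.
check_credentials() {
  if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
    echo "refusing to spawn: ANTHROPIC_API_KEY is set on the worker host" >&2
    return 1
  fi
  [ -n "${ANTHROPIC_ENVIRONMENT_KEY:-}" ] && [ -n "${ANTHROPIC_ENVIRONMENT_ID:-}" ]
}

# Print the docker run arguments for one work item, one per line. The id is
# validated first because it ends up in a container name and on a command line.
sandbox_args() {
  item_id="$1"
  case "$item_id" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid work item id: $item_id" >&2; return 1 ;;
  esac
  printf '%s\n' \
    --rm --name "agent-session-$item_id" \
    --read-only \
    --tmpfs /workspace:rw,size=512m --tmpfs /tmp:rw,size=64m \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --pids-limit 256 --memory 2g --cpus 2 \
    --network "$SANDBOX_NETWORK" \
    --user 1000:1000 \
    -e ANTHROPIC_ENVIRONMENT_KEY -e ANTHROPIC_ENVIRONMENT_ID \
    "$IMAGE"
}

# Entry point used by the hook; skipped when sourced or called without an id.
if [ "$#" -gt 0 ]; then
  check_credentials
  args="$(sandbox_args "$1")"
  # shellcheck disable=SC2086  (args are whitespace-free, one per line)
  exec docker run $args
fi
```

The container entrypoint is expected to run the always-on worker shown above for a single session; everything it can see is reset when the container exits.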
When to combine with MCP tunnels
Self-hosted sandboxes control where the agent's code runs. MCP tunnels control how the agent reaches MCP servers in your network. They are orthogonal — a cloud-sandbox session can still call private MCP servers through a tunnel, and a self-hosted session can call public MCP servers if it wants to. Use both when you need execution and tool access to stay inside your boundary.
The tunnel itself is a lightweight gateway that makes a single outbound connection to Anthropic with end-to-end encryption. No inbound firewall rules. No public endpoints. The MCP server sits on a private subnet and the agent reaches it without anything in your DMZ changing. For teams who have spent years arguing about whether to expose an internal API to a SaaS vendor, this is a quietly enormous improvement.
Real enterprise patterns
Anthropic surfaced three customer examples at launch, and each one maps to a different pattern worth borrowing.
Amplitude built a Design Agent that generates on-brand UI and marketing assets. Self-hosting gave them tighter observability over what the agent was producing and full audit trails of every tool call — both required when the output ships to customers under their brand.
Clay built Sculptor, a GTM engineering agent that autonomously builds and tests outbound workflows. The proprietary signal data Clay's customers care about never crosses out of Clay's infrastructure, even when Claude is the one orchestrating the workflow.
Rogo built an analyst agent for institutional finance. The data is non-negotiably internal — client portfolios, transaction histories, regulatory filings. Self-hosting was not a feature, it was the only architecture that would have cleared their compliance review.
The shared pattern: anywhere the data sensitivity is high enough that "trust the vendor's perimeter" was never going to fly, self-hosting flips the question from "can we use AI agents?" to "where do we want to run the workers?"
What's still missing
The honest version: this is public beta, and a few things are not there yet. Memory — the long-term session memory that lets agents recall context across runs — is not supported in self-hosted mode. MCP tunnels are in research preview behind a request form. The Python and TypeScript SDKs have full worker helpers; C#, Java, PHP, and Ruby need to fall back to the ant CLI for the always-on pattern.
Realistic expectation: most of these will land over the next quarter. The architecture is sound and the documentation is shipped. Memory in self-hosted mode is the one to watch — it requires a different storage model and is not a trivial extension.
What this means for MENA enterprises
For teams in Tunisia, Saudi Arabia, the UAE, and the wider region, the practical impact is large. Data residency requirements that used to make Claude Managed Agents a non-starter — banking regulators that require customer data to stay in-country, healthcare laws that prohibit PHI from leaving the national perimeter, government contracts with explicit cloud-locality clauses — now have a clean path forward. You run the worker on a local VM, in a regional Cloudflare or Vercel zone, or on your own bare-metal kit. The agent still gets the full Claude Opus 4.7 reasoning loop. The data never leaves.
The bigger shift is cultural. The conversation with the CIO stops being "are we comfortable with our customer data going to an AI vendor" and becomes "where are we deploying the workers and who owns the keys." That is a conversation enterprises already know how to have. It is the same conversation they had about Kubernetes, about Terraform, about Postgres. Self-hosted sandboxes pull AI agents into a category enterprises already understand: managed control plane, customer-owned execution.
Where to start
If you are already using Claude Managed Agents on Anthropic's cloud sandboxes, the migration is small. Create a self-hosted environment, generate an environment key, run a worker on any machine that can reach api.anthropic.com, and point a new session at the environment. Your existing agent, prompts, and skills work unchanged.
If you have not deployed agents yet because compliance kept stalling the pilot, this is your moment. Pick the provider that matches your stack — Cloudflare for network-native teams, Vercel for Next.js shops, Modal for compute-heavy workloads, Daytona for stateful long-running sessions — and prototype an agent against non-production data. The platform-level objection is gone. The remaining work is the one you would have done anyway: deciding which workflows are worth automating, which tools the agent gets to call, and who owns the audit log when it does.
For most MENA enterprises, the bottleneck for the last year has not been the model. It has been the perimeter. As of May 2026, that bottleneck is solved.