Problem
The big blocker for enterprise agents is not that they reason poorly. It is that executing actions next to private data, repositories, internal APIs and business systems is dangerous when all of it lives inside an opaque box.
The new features of Claude Managed Agents in May 2026 attack exactly that point: self-hosted sandboxes, MCP tunnels and partners like Cloudflare to run tools within a controlled perimeter.
The architecture starts to separate into pieces: the model reasons, the harness orchestrates, the sandbox executes and the network governs.
Thesis
The agent perimeter is becoming a product category.
During 2024 and 2025, many companies were asking which model to choose. In 2026 the mature question is different: where the agent runs, what it can touch, how it reaches internal systems and what gets recorded.
Claude Managed Agents with external sandboxes expresses a more serious architecture: the “brain” can be managed by Anthropic, while the agent’s “hands” run on the client’s own infrastructure or at specialized providers.
Framework
A mature agentic architecture separates five responsibilities:
- Model: decides, reasons, plans and requests tools.
- Harness: maintains the session, manages errors and coordinates steps.
- Sandbox: runs code, manipulates files and executes processes.
- Connectivity: accesses private APIs, databases and MCP servers.
- Observability: records actions, arguments, results and exceptions.
Mini-case: a company wants an agent to review incidents, read a private repo and run tests. With a self-hosted sandbox, the files and dependencies can stay within the perimeter. With MCP tunnels, the agent reaches internal tools without exposing them publicly. That only holds if the sandbox’s egress is restricted and the tunnel exposes just the intended MCP servers; a sandbox with open outbound access is a perimeter in name only. The improvement is not only technical; it is political. Security can accept a design with visible limits.
Measurable signal: percentage of agent actions executed in environments with network policy, logs and secret control.
Position: agents do not become enterprise by having a better model. They become enterprise when their execution has architecture.
Why it matters now
Anthropic announced that Claude Managed Agents can operate in sandboxes controlled by the client or by providers like Cloudflare, Daytona, Modal and Vercel. It also introduced MCP tunnels to connect agents to private MCP servers without exposing them to the public internet.
Cloudflare, for its part, positions its sandboxes as the secure and scalable execution layer for those agents.
This anticipates a less visible war than the model war: who controls the runtime, the permissions, the network and the observability of the agentic work.
Counterexample
“If the provider manages the agent, we are already safe.”
Not necessarily. Managing the loop is not the same as controlling every effect. Real security lives at the boundary between reasoning, tool, data, secret and action. If that boundary is not designed, the company is running on implicit trust.
Protocol (3 steps)
- Draw the execution path. From prompt to tool, file, network and output.
- Isolate by type of work. Do not use the same sandbox for exploration, build, sensitive data and production.
- Make the secret visible. Not the secret value, but who injects it, where it lives and what action it enables.
| Component | Critical question | Common mistake |
|---|---|---|
| Harness | who recovers from failures | homemade loop without logs |
| Sandbox | where code runs | shared environment |
| MCP tunnel | which internal tool it touches | public endpoint |
| Secrets | who injects them | cleartext variables |
Related
- Agent Reliability Score: how to know if an agent deserves autonomy
- Human Escalation Design: when an agent should ask for help and when it should go solo
- MCP in the enterprise: the standard that prevents agent chaos
Sources consulted
- New in Claude Managed Agents: self-hosted sandboxes and MCP tunnels
- Announcing Claude Managed Agents on Cloudflare
- Scaling Managed Agents: decoupling the brain from the hands
Next step
If you are evaluating managed agents, don’t ask for a demo first. Ask for the execution diagram: model, harness, sandbox, secrets, network, logs and rollback.
Translated from the Spanish original with AI assistance and reviewed for accuracy. Read the original in Spanish.