Claude Managed Agents + Cloudflare: the perimeter becomes a product

Key Takeaways

  • Model: decides, reasons, plans and requests tools.
  • Harness: maintains the session, manages errors and coordinates steps.
  • Sandbox: runs code, manipulates files and executes processes.
  • Connectivity: accesses private APIs, databases and MCP servers.

Decision

Separate reliable automation from fragile demos before granting autonomy.

Room

Operations review, architecture, security or platform.

Risk

Adding speed with no observability, rollback, ownership or stop criterion.

Agent prompt: identify guardrails, control points, likely failures and autonomy criteria

Problem

The big blocker for enterprise agents is not weak reasoning. It is that executing actions near private data, repositories, internal APIs and business systems is dangerous if everything lives in an opaque box.

The new features of Claude Managed Agents in May 2026 attack exactly that point: self-hosted sandboxes, MCP tunnels and partners like Cloudflare to run tools within a controlled perimeter.

The architecture starts to separate into pieces: the model reasons, the harness orchestrates, the sandbox executes and the network governs.

Thesis

The agent perimeter is becoming a product category.

During 2024 and 2025, many companies were asking which model to choose. In 2026, the mature question is a different one: where the agent runs, what it can touch, how it accesses internal systems and what gets recorded.

Claude Managed Agents with external sandboxes expresses a more serious architecture: the “brain” can be managed by Anthropic, but the agent’s hands can run on client infrastructure or specialized providers.

Framework

A mature agentic architecture separates five responsibilities:

  • Model: decides, reasons, plans and requests tools.
  • Harness: maintains the session, manages errors and coordinates steps.
  • Sandbox: runs code, manipulates files and executes processes.
  • Connectivity: accesses private APIs, databases and MCP servers.
  • Observability: records actions, arguments, results and exceptions.

Mini-case: a company wants an agent to review incidents, read a private repo and run tests. With a self-hosted sandbox, the files and dependencies can stay within the perimeter. With MCP tunnels, the agent reaches internal tools without exposing them publicly. The improvement is not only technical; it is political. Security can accept a design with visible limits.

Measurable signal: percentage of agent actions executed in environments with network policy, logs and secret control.

Position: agents do not become enterprise-ready by having a better model. They become enterprise-ready when their execution has architecture.

Why it matters now

Anthropic announced that Claude Managed Agents can operate in sandboxes controlled by the client or by providers like Cloudflare, Daytona, Modal and Vercel. It also introduced MCP tunnels to connect agents to private MCP servers without exposing them to the public internet.

Cloudflare, for its part, positions its sandboxes as the secure and scalable execution layer for those agents.

This anticipates a less visible war than the model war: who controls the runtime, the permissions, the network and the observability of the agentic work.

Anti-example

“If the provider manages the agent, we are already safe.”

Not necessarily. Managing the loop does not equal controlling all effects. Real security lives at the boundary between reasoning, tool, data, secret and action. If that boundary is not designed, the company depends on implicit trust.

Protocol (3 steps)

  1. Draw the execution path. From prompt to tool, file, network and output.
  2. Isolate by type of work. Do not use the same sandbox for exploration, build, sensitive data and production.
  3. Make the secret visible. Not the secret value, but who injects it, where it lives and what action it enables.

| Component | Critical question | Common mistake |
|---|---|---|
| Harness | who recovers from failures | homemade loop without logs |
| Sandbox | where code runs | shared environment |
| MCP tunnel | which internal tool it touches | public endpoint |
| Secrets | who injects them | cleartext variables |
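
The measurable signal and the table's common mistakes can be checked mechanically over an action log. The sketch below is an added example, not code from the article or from any vendor: the record fields, sandbox names and the rule that a "vault" source counts as secret control are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records, one per agent action. Field names are assumptions.
ACTIONS = [
    {"id": "a1", "tool": "run_tests", "sandbox": "sbx-build", "work": "build",
     "network_policy": True, "logged": True, "secret_source": "vault",
     "mcp_endpoint": None},
    {"id": "a2", "tool": "read_repo", "sandbox": "sbx-build", "work": "build",
     "network_policy": True, "logged": True, "secret_source": "vault",
     "mcp_endpoint": "tunnel"},
    {"id": "a3", "tool": "query_incidents", "sandbox": "sbx-shared",
     "work": "sensitive-data", "network_policy": True, "logged": False,
     "secret_source": "env-cleartext", "mcp_endpoint": "public"},
    {"id": "a4", "tool": "scratch_script", "sandbox": "sbx-shared",
     "work": "exploration", "network_policy": False, "logged": True,
     "secret_source": None, "mcp_endpoint": None},
]

MANAGED_SECRET_SOURCES = {"vault"}  # assumption: what counts as controlled injection

def is_governed(a):
    """True when the action ran with network policy, logs and secret control."""
    src = a["secret_source"]
    return a["network_policy"] and a["logged"] and (src is None or src in MANAGED_SECRET_SOURCES)

def governed_percentage(actions):
    """The article's measurable signal: share of actions in governed environments."""
    return 100.0 * sum(is_governed(a) for a in actions) / len(actions) if actions else 0.0

def findings(actions):
    """Map each common mistake from the table to the actions or sandboxes showing it."""
    out, work_by_sandbox = defaultdict(list), defaultdict(set)
    for a in actions:
        work_by_sandbox[a["sandbox"]].add(a["work"])
        if not a["logged"]:
            out["no logs"].append(a["id"])
        if a["mcp_endpoint"] == "public":
            out["public endpoint"].append(a["id"])
        if a["secret_source"] not in MANAGED_SECRET_SOURCES | {None}:
            out["cleartext variables"].append(a["id"])
    for sbx, kinds in sorted(work_by_sandbox.items()):
        if len(kinds) > 1:  # step 2: one sandbox serving several types of work
            out["shared environment"].append(sbx)
    return dict(out)

if __name__ == "__main__":
    print(f"governed actions: {governed_percentage(ACTIONS):.0f}%")
    for mistake, where in findings(ACTIONS).items():
        print(f"{mistake}: {where}")
```

Note that the records carry only the secret's source, never its value, which matches step 3 of the protocol.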

Next step

If you are evaluating managed agents, don’t ask for a demo first. Ask for the execution diagram: model, harness, sandbox, secrets, network, logs and rollback.


Translated from the Spanish original with AI assistance and reviewed for accuracy. Read the original in Spanish.

Cite this article

Berthelius, V. (2026). “Claude Managed Agents + Cloudflare: the perimeter becomes a product”. BRTHLS Magazine. https://www.brthls.com/magazine/claude-managed-agents-perimeter-product-en
