Somebody recently asked me whether they should use Anthropic's hosted agent sandbox or use their own infrastructure instead. The question is good, especially given all the recent emphasis on AI safety.
It's likely that a lot of people who talk about AI safety have never had to manage infra or security for production software.
A Simple Analogy
For an audience that's heard of containers and VMs — even if they couldn't define them precisely — the analogy is very simple to understand:
Hosted sandbox is like a container. Self-hosted sandbox is like a VM.
A container is lightweight, isolated, and easy to spin up — but it's confined; it lives inside a host OS with its own set of rules. A VM is a full computer in your own environment — more capable, but the setup, the infrastructure, the patching, the hardening, and the running of it are all on you.
The hosted vs self-hosted choice works the same way. Both are isolated execution environments. The difference is who owns the infrastructure and who's accountable for its management.
Hosted sandbox
With a hosted agent sandbox — the default in Claude Managed Agents — Anthropic runs the execution layer. The agent's code, filesystem, and network all sit in Anthropic's private cloud. Their team handles infra, security, image hardening, multi-tenant isolation, capacity planning, and everything else that comes with running secure compute.
You get defaults that protect you but you don't get full sovereignty.
One nuance worth flagging: hosted ≠ isolated from your stuff. Anthropic shipped MCP tunnels alongside the self-hosted option (in research preview) — a controlled channel through which a hosted sandbox can reach into your private services. You can still let the agent call your internal APIs and read from your private databases without ever leaving Anthropic's cloud.
Self-hosted sandbox and the Cloud analogy
Self-hosted sandboxes move the execution layer into your infrastructure. The orchestration — the agent loop Claude runs — still stays on Anthropic's side. But the sandbox itself, the agent's working environment, the filesystem it reads and writes, the network egress it makes — all of that stays in your environment.
If you've worked with AWS, you already know this pattern. It's literally the same shape as the AWS Shared Responsibility Model: AWS is responsible for security of the cloud; you're responsible for security in the cloud. Anthropic applied the same model at the AI agent layer:
- Anthropic owns security of the orchestration — control plane, session integrity, multi-tenant isolation, agent-context minimization.
- You own security in the sandbox — image hardening, network egress, service key rotation.
They didn't invent a new model; they adopted the most-taught one in cloud security and pointed it at agent sandboxes.
The Anthropic security docs make your three responsibilities explicit:
- Sandbox image hardening. Drop unnecessary Linux capabilities, run as non-root, use a read-only root filesystem. Anthropic does not inspect your image.
- Network egress controls. Without VPC and firewall restrictions, in Anthropic's own words: “a compromised tool execution can reach arbitrary external hosts.”
- Service key storage and rotation. The environment service key authorizes polling the work queue and submitting results. Rotation is on you.
Notice what self-hosted gives you and what it asks of you. It gives you sovereignty — the agent's code and execution never leave your environment. It asks you to staff for three things that any mature AWS team should already be doing — but if you aren't doing them, you're now signing up for them.
Making the decision
Knowing this makes the decision less complex than it usually is. Run a short operational check:
- Can someone on your team harden a container image? Easier said than done.
- Can they configure VPC egress controls? Most workloads don't have this.
- Can they manage and rotate a service key on a sane schedule? Most teams don't have this.
If the answer to all three is yes, self-hosted is a real option. If any answer is no, you don't have a sandbox problem yet — you have a skills gap and hosted is the right call until you've solved it.
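The three responsibilities listed under the Anthropic docs (image hardening, egress controls, key rotation) and the three questions in the operational check above are the same three items, so here is one way to turn them into an automated readiness check. This is an added example, not code from Anthropic or from this post. It audits a constructed Kubernetes-style pod spec (the `securityContext` field names are the real Kubernetes ones) together with two hypothetical records, an egress policy and a service-key entry, whose shapes are assumptions for illustration. It goes one step beyond the post by also flagging an image that is not pinned by digest, which is a common part of image hardening.

```python
"""Readiness check for the three self-hosted sandbox responsibilities.

Added example, not Anthropic's or the post author's code. It audits a
constructed Kubernetes-style pod spec (real PodSpec/securityContext field
names) plus two hypothetical records, an egress policy and a service-key
entry, whose shapes are assumptions for illustration only.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: a sandbox deployed without any hardening.
WEAK_SPEC = {
    "containers": [{
        "name": "sandbox",
        "image": "registry.example.invalid/agent-sandbox:latest",
        "securityContext": {
            "runAsUser": 0,
            "readOnlyRootFilesystem": False,
            "capabilities": {"add": ["NET_ADMIN"]},
        },
    }],
}

# Constructed sample: the same sandbox with the post's hardening points applied.
HARDENED_SPEC = {
    "containers": [{
        "name": "sandbox",
        "image": "registry.example.invalid/agent-sandbox@sha256:DIGEST_PLACEHOLDER",
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 65532,
            "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

# Hypothetical egress policy records (assumed format, not a real API).
OPEN_EGRESS = {"default": "allow", "allow": []}
RESTRICTED_EGRESS = {
    "default": "deny",
    "allow": [{"host": "work-queue.example.invalid", "port": 443}],  # placeholder host
}

# Hypothetical service-key records (assumed format); fixed clock for reproducibility.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
STALE_KEY = {"id": "env-key-1", "created_at": NOW - timedelta(days=200), "max_age_days": 30}
FRESH_KEY = {"id": "env-key-2", "created_at": NOW - timedelta(days=5), "max_age_days": 30}


def check_image_hardening(spec):
    """Findings for: capabilities not dropped, root user, writable rootfs, unpinned image."""
    findings = []
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        if caps.get("add"):
            findings.append(f"{name}: adds capabilities {sorted(caps['add'])}")
        if not sc.get("runAsNonRoot") or sc.get("runAsUser") == 0:
            findings.append(f"{name}: may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image not pinned by digest")
    return findings


def check_egress(policy):
    """Findings unless egress is default-deny with an explicit, non-wildcard allowlist."""
    findings = []
    if policy.get("default") != "deny":
        findings.append("egress: default is not deny")
    for rule in policy.get("allow", []):
        if rule.get("host") in ("*", "0.0.0.0/0", "::/0"):
            findings.append(f"egress: wildcard allow rule {rule}")
    return findings


def check_key_rotation(key, now):
    """Findings if the service key is older than its rotation window."""
    age_days = (now - key["created_at"]).days
    if age_days > key["max_age_days"]:
        return [f"{key['id']}: {age_days} days old, limit {key['max_age_days']}"]
    return []


def self_hosted_ready(spec, egress, key, now):
    """Aggregate the three checks; ready only when every one is clean."""
    findings = (check_image_hardening(spec)
                + check_egress(egress)
                + check_key_rotation(key, now))
    return not findings, findings


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_SPEC, OPEN_EGRESS, STALE_KEY)),
                        ("hardened", (HARDENED_SPEC, RESTRICTED_EGRESS, FRESH_KEY))):
        ok, findings = self_hosted_ready(*args, NOW)
        print(f"{label}: ready={ok}")
        for f in findings:
            print("  -", f)
```

Run against the weak sample the script reports six image findings, an open egress default and a 200-day-old key; the hardened sample comes back clean. The point is not the specific checks but that each of the three responsibilities can be expressed as a test your team either passes or does not, which is exactly the question the operational check above asks.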
The shared-responsibility model is a feature. It tells you exactly what you're taking on.
It's not just Anthropic
This isn't an Anthropic-specific pattern; it's the pattern all major providers are using. AWS offers Bedrock AgentCore Runtime as a secure, serverless hosting environment for agents, with separate Code Interpreter and Browser Tool features. Google launched Agent Engine and Agentspace at Cloud Next 2026. Vercel ships an official Sandbox integration for Claude Managed Agents — each session runs in a fresh microVM with credential brokering.
Different providers, same pattern: a hosted runtime that's secure by default, and a self-hosted option for teams who can hold up the shared-responsibility side of the deal.
Summary
VMs and containers both have their place. So do hosted and self-hosted agent sandboxes. The right answer is whichever side of the shared-responsibility line your team is actually ready for, and what the agent is actually supposed to do, not whichever option was demoed in the last tech keynote.