Back to blog
GuideMay 29, 2026·8 min read

Claude Managed Agents on Your Own Infrastructure: The Self-Hosted Worker

Anthropic's Claude Managed Agents let Claude run the agent loop for you. With self-hosted sandboxes, you keep the part that matters for security on your own box: every tool call executes inside an isolated OmniRun Firecracker microVM that you control. Here is how it works and how to set it up.

The Brain and the Hands

A Claude Managed Agent is split into two halves. The brain is the model and the agent loop -- the part that reasons, plans, and decides which tool to call next. Anthropic hosts that. You do not run inference, manage context windows, or orchestrate the loop.

The handsare the tools: bash, read, write, edit, glob, grep. Those touch real files and run real commands. With self-hosted sandboxes, the hands run on your infrastructure instead of Anthropic's. A worker process you operate polls Anthropic's work queue, picks up each tool call, and executes it inside an OmniRun Firecracker microVM on your own box.

Why VM Isolation in Your Perimeter Matters

When an agent runs a tool call, it is executing code that the model generated. For trusted, first-party repositories that may be fine. But the moment an agent operates on sensitive code, customer data, or anything you would not hand to a third party, two questions matter: where does the execution happen, and how well is it isolated.

Self-hosted with OmniRun

  • Each tool call runs in its own Firecracker microVM with a dedicated kernel, the same isolation model behind AWS Lambda and Fargate
  • Hardware-level isolation via KVM -- a kernel exploit in one call cannot reach another
  • The files and repos stay inside your perimeter
  • With internet: false the sandbox has no route out at all -- or lock egress to an allow-list of hosts with the opt-in SNI proxy

Tool calls running off-box

  • Code and files leave your network to execute somewhere you do not control
  • You inherit whatever isolation the provider offers, often shared-kernel containers
  • Harder to satisfy data-residency and on-premise requirements

Self-hosting the hands gives you VM-grade isolation and keeps the data physically inside your boundary. You get both at once.

How to Get Started

There are three moving parts: a self-hosted environment, a worker, and a Claude session pointed at that environment.

1. Create a self-hosted environment

In your Anthropic account, create an environment of type self_hosted. This tells Anthropic to dispatch tool calls to a queue your worker will drain, rather than running them on Anthropic-managed sandboxes. You connect that environment to your OmniRun credentials so the worker knows where to launch microVMs.

2. Run the worker

The worker is Anthropic's antCLI driving OmniRun's per-session spawn script. It polls the queue and hands each claimed session to omnirun-spawn.sh, which launches a fresh OmniRun microVM. Install the CLI and start polling:

# Install Anthropic's worker CLI (ant)
curl -fsSL https://github.com/anthropics/anthropic-cli/releases/download/v1.10.0/ant_1.10.0_linux_amd64.tar.gz | tar -xz -C /usr/local/bin ant

# Point it at your self_hosted environment (key generated once in the Console)
export ANTHROPIC_ENVIRONMENT_KEY=sk-ant-oat01-...
export ANTHROPIC_ENVIRONMENT_ID=env_...

# Poll the queue. Each claimed session runs in a fresh OmniRun microVM (via spawn.sh)
ant beta:worker poll --on-work ./omnirun-spawn.sh

The agenttemplate ships the tools Claude expects. It is an 8 GB image, so agent sandboxes restore from snapshot in a few seconds (sub-5s) rather than the sub-second times you see with the tiny playground templates. Run the worker on the box where you want the execution to land -- your own hardware, or OmniRun's EU-hosted (Hetzner) infrastructure.

3. Point a session at it

Start a Claude Managed Agent session and select your self_hosted environment. From there it behaves like any other Claude agent session: Claude reasons and calls tools, and each call quietly runs in one of your microVMs. The experience is identical -- the difference is purely where the hands operate.

Compliance Posture

Because tool execution stays inside your boundary, this architecture fits regulated workloads well. OmniRun sandboxes are EU-hosted on Hetzner data centers, or you can run the worker on your own hardware entirely.

On the model side, the setup is eligible for Anthropic's Zero Data Retention (ZDR) and HIPAA-BAA programs. The architecture supports them; eligibility itself is configured on the Anthropic side of the relationship.

Honest Limitations

A few things are worth being clear about before you build on this:

  • Persistent Memory is not yet available with self-hosted sandboxes. Each tool call starts from a clean snapshot, so anything written to disk does not carry across the boundary unless you persist it yourself.
  • The model still runs at Anthropic. Self-hosting moves tool execution, not inference. Your prompts and the conversation flow through Anthropic's API. If your concern is the model seeing prompts, that is governed by your Anthropic data agreement, not by where the sandboxes run.

The Bottom Line

Claude Managed Agents with self-hosted sandboxes give you the convenience of Anthropic running the agent loop without giving up control of where code executes. The brain stays at Anthropic; the hands run in Firecracker microVMs inside your own perimeter, each tool call isolated at the hardware level. For teams with data-residency or untrusted-code concerns, that split is the whole point.

Run Claude's hands on your box

Free tier includes 25 sandbox-hours per month, no credit card required. Get a key and start the worker in minutes.

Explore Claude Managed Agents

Further Reading