Back to blog
ComparisonMay 29, 2026·7 min read

Self-Hosted vs Anthropic-Hosted Claude Agents: Where Should Tool Calls Run?

With Claude Managed Agents, Anthropic runs the agent loop and the model no matter what. The decision you actually make is where the tool callsexecute — the bash commands, file edits, and scripts the agent runs. That choice is the difference between code leaving your perimeter and code staying inside it.

What's the same either way

Both options are still “managed” agents. Anthropic hosts the model, runs the agent loop, manages skills, and decides which tools to call. Your prompts and the conversation flow through Anthropic's API in both cases — governed by your Anthropic data agreement (ZDR and HIPAA-BAA programs apply to that side regardless of where tools run).

Self-hosting does not change the agent's behavior, the model, or the developer experience of building the agent. It changes one thing: the machine the tool calls execute on.

The one difference: where the hands run

Self-hosted (OmniRun): tool calls run on your infrastructure

  • Each tool call executes in a dedicated Firecracker microVM on a box you control — its own Linux kernel, the same isolation model behind AWS Lambda
  • The repositories, files, and credentials the agent touches stay inside your network perimeter
  • Run it in the EU (Hetzner) or on your own hardware; pick the egress posture (air-gap, open, or an opt-in allow-list)

Anthropic-hosted: tool calls run on Anthropic's infrastructure

  • Zero infrastructure to run — nothing to operate
  • Code and files execute on managed infrastructure outside your network
  • Fastest path to a working agent when data locality and perimeter control are not requirements

Isolation and data residency

Self-hosting on OmniRun gives every tool call hardware-level isolation via KVM: a kernel exploit in one call cannot reach another, because there is no shared kernel to cross. Sandboxes are air-gapped by default — with internet: false there is no network route out at all. When an agent does need outbound, you can lock it to an allow-list of hosts with the opt-in SNI egress proxy instead of opening the whole internet.

Because the VMs run where you put them, you get genuine data residency — EU on Hetzner, or your own data center. That is the property regulated teams usually need and cannot get from off-box execution.

When to choose which

Choose Anthropic-hosted when you want the shortest path to a working agent and the code it runs is not sensitive — prototypes, public data, internal tooling without compliance constraints.

Choose self-hosted when the agent touches code, secrets, or customer data that must stay in your perimeter; when you need EU residency or air-gap; or when you want per-tool-call VM isolation and an egress allow-list you control. OmniRun is the execution backend for that case.

How to switch

Self-hosting is a configuration choice, not a rewrite. Create a self_hostedenvironment in the Anthropic Console, run the worker on your box (we ship a systemd unit), and point a session at that environment. The agent is identical — its tool calls just land in your microVMs. The self-hosted worker guide and the setup reference walk through it end to end.

Keep the hands at home.

Run Claude's tool calls in isolated microVMs on your own infrastructure. Free tier, no credit card.

Get Free API Key

Further Reading