How to Secure Claude Managed Agents on Cloudflare Infrastructure


A conceptual photograph illustrating the Claude Managed Agents architecture on Cloudflare. A server rack labeled 'BRAIN' is secured in a vault, connected by armored 'ANTHROPIC API' cables to a control device labeled 'HANDS.' The control device is executing code inside 'LINUX MICROVM' and 'V8 ISOLATE' sandboxes. Floating schematics show 'CREDENTIAL INJECTION' and 'BROWSER RUNNING (VIDEO AUDIT).' A plaque below reads 'CLAUDE MANAGED AGENTS' and 'SEPARATING THE BRAIN FROM THE HANDS: A SECURE EXECUTION LAYER.'

When you let an AI agent write and run code on your actual infrastructure, everything changes. It isn't a playground sandbox anymore. You are handing an unpredictable model a live shell, and one runaway loop or bad regex can wipe out a production database.

Most teams react by locking the agent down in a local Docker container. But orchestrating those containers for hundreds of users is a nightmare, cold starts are slow, and working out what the agent actually did inside the box means writing a large amount of custom logging.

That is why Cloudflare threw their hat in the ring with Anthropic to launch Claude Managed Agents (CMA).

The division of labor is simple: Anthropic keeps the LLM brain on its servers to handle the reasoning. The moment Claude needs to touch a file, install a package, or execute a script, it talks to a control plane running in your own Cloudflare account. Cloudflare handles the execution layer and the heavy infrastructure work that goes with it.

Choosing the Right Execution Layer: Dynamic Workers vs. Sandboxes

The runtime options are where you have to make choices. Standard Dynamic Workers (V8 isolates) boot in milliseconds and are cheap, which makes them a good fit for light text parsing or quick JavaScript execution.

But the minute your agent needs to pip install a Python library or work with a filesystem, isolates are not enough. For that you switch to full Sandboxes, which are stateful Linux microVMs. They give you a real bash environment, but they consume more resources and require an R2 bucket (BACKUP_BUCKET) to snapshot the environment state.


Mitigating Security Risks: Zero-Trust Proxying & Credential Injection

Security is the biggest headache with autonomous setups. If an agent needs to call an API like Stripe, giving it the raw token is risky: anything in the sandbox's environment or filesystem is one prompt injection away from being printed back to whoever asked.

Cloudflare uses Outbound Workers as a zero-trust proxy to stop this. The agent says "send this payload to Stripe," and the network layer injects the secret Authorization header on the way out. The model never touches the raw string, so there is nothing for an attacker to extract. Note what this does and does not buy you: the secret stays out of the model's reach, but an injected prompt can still make the agent issue requests that the proxy will happily authorize. Pair the proxy with scoped keys and a strict allowlist of which hosts and paths it will sign for.

Network Boundary Control

It isn't foolproof, though. If you use Cloudflare Mesh and Workers VPC to let the agent query your private internal databases, you still have to build tight egress allowlists. The proxy should deny by default and only forward to hosts you have explicitly listed; if you leave the boundary open, a clever prompt can turn the agent into a port scanner for your internal network. For a deeper breakdown of managing these cloud environments, you can read more technical analysis over at ATXSoft Network Security and check out their Infrastructure Optimization Guide.
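The credential-injecting Outbound Worker from the previous section and the deny-by-default egress boundary from this one, as a single added example. This is not Cloudflare's or Anthropic's code and it does not touch the CMA control plane; it is a plain Worker-style fetch handler built on the standard Request/Response API. The allowlist contents, the STRIPE_SECRET binding name, and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not Cloudflare's or Anthropic's code): an Outbound Worker
// that acts as the credential-injecting, deny-by-default egress proxy for an
// agent sandbox. Hostnames and the STRIPE_SECRET binding name are assumed.

// Hosts the agent may reach, each mapped to the secret binding that supplies
// its Authorization header. Anything not listed here is refused outright,
// which is what stops an injected prompt from turning the agent into a
// scanner for 10.x/192.168.x addresses reachable through Workers VPC.
const EGRESS_ALLOWLIST = {
  "api.stripe.com": { bindingName: "STRIPE_SECRET", scheme: "Bearer" },
};

// Headers the sandbox is never allowed to set itself. Dropping them means a
// model that was tricked into echoing a guessed or leaked token cannot use
// it, and cannot smuggle an attacker-chosen credential upstream.
const STRIPPED_HEADERS = ["authorization", "cookie", "x-api-key"];

// Defence in depth for the allowlist: refuse literal loopback, link-local and
// RFC 1918 addresses even if someone adds one to the allowlist by mistake.
function isPrivateAddress(hostname) {
  if (hostname === "localhost" || hostname === "[::1]") return true;
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(hostname);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return (
    a === 10 ||
    a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Decide what leaves the sandbox. Returns the Request to forward upstream
// (with the real credential attached) or a Response refusing the call.
function buildOutboundRequest(request, env) {
  const url = new URL(request.url);
  const rule = EGRESS_ALLOWLIST[url.hostname];
  if (!rule || url.protocol !== "https:" || isPrivateAddress(url.hostname)) {
    return new Response(`egress to ${url.hostname} is not allowlisted`, {
      status: 403,
    });
  }
  const secret = env[rule.bindingName];
  if (!secret) {
    return new Response("upstream credential not configured", { status: 500 });
  }
  // Copy the agent's request, strip anything credential-shaped it tried to
  // set, then attach the secret from the Worker's own bindings. The model
  // only ever saw the unauthenticated request.
  const upstream = new Request(request);
  for (const name of STRIPPED_HEADERS) upstream.headers.delete(name);
  upstream.headers.set("Authorization", `${rule.scheme} ${secret}`);
  return upstream;
}

// In a real deployment this object is the module's default export and is
// wired up as the `outbound` of the dynamic dispatch namespace.
const worker = {
  async fetch(request, env) {
    const out = buildOutboundRequest(request, env);
    if (out instanceof Response) return out;
    return fetch(out);
  },
};
```

The important property is that the secret lives only in the Outbound Worker's bindings (`env.STRIPE_SECRET`), never in the sandbox the model runs in, and that the decision is made on the destination host rather than on anything the model wrote into the request.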

Debugging and Auditing Agent Behavior with Browser Run

The best feature for anyone who has to maintain these systems is the logging. The agent's web browsing is routed through Browser Run (a headless Chrome instance), which records video playbacks of the DOM interactions.

When a customer complains that the agent went into an infinite loop and scrambled their settings page, you don't have to guess by parsing raw stack traces. You just hit play and watch exactly where the agent clicked.

It is a big upgrade over building your own secure container grid on AWS or GCP from scratch. It won't magically make an AI model write perfect code, but it means that when the agent inevitably breaks something, it breaks it inside an isolated yard instead of tearing down your whole house.


Frequently Asked Questions

What is the difference between Claude Managed Agents on Anthropic vs. Cloudflare Sandboxes?

Anthropic’s default Managed Agents run on infrastructure managed entirely by Anthropic. The Cloudflare integration decouples the system, leaving the LLM orchestrator ("the brain") with Anthropic while migrating the code execution runtime ("the hands") to secure sandboxes inside your own Cloudflare account.

How do Outbound Workers protect against prompt injection?

If an attacker tricks the agent into exposing its environment variables, standard API keys stored in the container would leak. By routing requests through an Outbound Worker proxy, the keys are injected into headers after the request leaves the agent's sandbox. The model itself never possesses or views the raw credential string.

Do Cloudflare Sandboxes persist state across multiple sessions?

Dynamic Workers (isolates) rely on lightweight Durable Object storage and are meant for fast, transient tasks. For deep state persistence with full Linux microVM sandboxes, the system writes snapshots to a dedicated Cloudflare R2 bucket (BACKUP_BUCKET_NAME), allowing the agent to resume its exact environment state across session restarts.
