AI agents sound exciting until you remember they may need to run code, touch private systems, browse the web, send emails, and make decisions inside a company’s infrastructure. That is where things can get messy fast. Cloudflare and Anthropic are now trying to make that a little less terrifying.
Cloudflare has announced a collaboration with Anthropic to launch Cloudflare Environments for Claude Managed Agents. The idea is to let organizations run agent loops on Claude while relying on Cloudflare’s network and developer platform for code execution, browser automation, private connectivity, observability, and custom tools.
In plain English, Claude can handle the thinking, while Cloudflare provides the locked-down workspace where the agent actually does things.
The announcement is tied to a new Cloudflare blog post that goes into much more detail about what the companies are building together. According to Cloudflare, developers can now run Claude Managed Agents while using Cloudflare Sandboxes, Browser Run, Dynamic Workers, Agents SDK, and Cloudflare Containers as the execution layer.
Anthropic apparently describes the arrangement as “decoupling the brain from the hands.” Claude remains the “brain” running on Anthropic infrastructure, while the “hands” – the code execution, sandboxing, networking, and tooling – can run on Cloudflare.
That matters because the next wave of AI is not just about chatbots answering questions. Businesses want agents that can interact with systems, pull data, write code, automate workflows, browse websites, and take actions independently. But letting an AI agent roam around company systems without tight controls is asking for trouble.
Cloudflare says its Workers-based control plane can spin up secure sandboxed environments for each agent session. Developers can choose between traditional Linux microVMs or lightweight V8 isolate-based sandboxes that boot in milliseconds and cost less to run.
The company seems especially focused on scale. Cloudflare argues that if businesses eventually deploy tens of thousands, or even millions, of concurrent agents, spinning up a full virtual machine for each one becomes wasteful. Using V8 isolates instead could make large-scale agent deployments far more practical.
Cloudflare is also leaning hard into the security angle, which feels necessary if AI agents are going to be trusted with sensitive workloads. The platform includes customizable outbound proxies, Zero Trust controls, Workers VPC, Cloudflare Mesh, post-quantum encrypted networking, policy-based egress filtering, and secret injection so agents can access services without directly handling credentials.
The company says businesses can define policies per tenant, per agent, or based on custom metadata. In theory, that gives organizations tighter control over what agents can touch and where they can connect.
One thing Cloudflare seems to understand is that companies are not going to trust autonomous agents unless they can watch everything those agents do. That is why the platform leans so heavily into logs, sandbox visibility, browser recordings, audit trails, and even SSH access into running environments. If an AI agent starts behaving strangely, businesses are going to want receipts, not excuses.
One of the more interesting additions is Browser Run. Cloudflare says Claude agents can use browser-related tools such as browser_search, browser_execute, screenshot, browse, and fetch_to_markdown to interact with modern websites like a human would. That includes rendering JavaScript-heavy sites, filling out forms, taking screenshots, and browsing the web through Cloudflare-hosted browsers.
The integration also includes email support. Agents can reportedly send, read, and manage emails using Cloudflare’s Email Service, effectively giving each AI agent its own inbox and email identity.
There is even support for custom tools. Cloudflare encourages developers to fork the integration repo and add capabilities like hosting generated files on R2 object storage, running edge inference with Workers AI, or spinning up applications dynamically.
Matthew Prince, Cloudflare’s co-founder and CEO, said, “The true potential of AI agents will only be realized when they can safely interact with the real world at massive scale. By partnering with Anthropic, we are giving developers the ability to execute code and access private data securely, backed by the speed and scale of our global network.”
That is the sales pitch, anyway. The real test will be whether companies trust these environments enough to use them for meaningful work instead of tiny demos. A sandbox is useful, but AI agents still need strict limits, strong logging, careful permissions, and humans who understand what is being automated.
Still, this is the kind of infrastructure work the AI industry badly needs. The hype around autonomous agents has often moved much faster than the security model surrounding them. If businesses are going to deploy Claude-powered agents at scale, the boring stuff matters: isolation, auditability, networking, permissions, observability, and cost.
Cloudflare Environments for Claude Managed Agents may not be as flashy as a new chatbot demo, but it could end up being more important. AI agents will only become useful in the real world if companies can trust where they run, what they can access, and how they behave once unleashed.
