engine lab

AI Agent Sandboxes: 30 Providers Compared

THE INFRASTRUCTURE OF AGENCY

Last updated - Maintained by engine.build

AI agent sandboxes are isolated environments where coding agents can run commands, install dependencies, browse the web, and modify files without touching your real machine.

This guide compares 30 hosted, platform-native, open-source, self-hosted, and local sandbox options across isolation model, startup time, persistence, pricing, SDKs, and deployment style.

dax
dax
@thdxr

guys i had a one of a kind idea for a business sandboxes for coding agents

6:20 PM · Apr 7, 2026

859

Have we reached peak agent sandbox yet? YC batches, cloud giants, indie devs, and probably some guy's mom are all building them.

Agent Sandboxes TL;DR

Expand Collapse

Agent sandboxes are isolated environments where AI agents can run code, use tools, and interact with a filesystem without affecting your system or other workloads. Think of it as giving each agent its own disposable computer. That computer can live in someone else's cloud, your own cloud, or locally on your machine. But the point is always the same: the agent can do whatever it needs to inside, and nothing escapes the boundary.

Some people use them for security, keeping untrusted code away from their real system. Others use them to offload work entirely, agents keep running in the cloud even when your laptop is shut. And unlike worktrees, sandboxes give each agent a full isolated OS, not just a separate branch, so agents can install packages, run servers, use browsers, and do things that would conflict or be unsafe on a shared machine.

Isolation Tech TL;DR

Expand Collapse

MicroVMs (Firecracker, Cloud Hypervisor)

MicroVMs are stripped-down virtual machines built specifically for running ephemeral, isolated workloads. Each sandbox gets its own Linux kernel, with isolation enforced by hardware virtualization (Intel VT-x / AMD-V) at the CPU level. This means a compromised sandbox cannot escape to the host or other sandboxes, even with a kernel exploit. Firecracker, built by AWS for Lambda and Fargate, is the most widely used microVM monitor in this space. It boots in under 125ms with less than 5MB memory overhead per instance by cutting everything a sandbox doesn't need: no PCI bus, no USB, no legacy devices. Cloud Hypervisor is similar but supports more features like PCI passthrough.

Kata Containers

Kata Containers is an orchestration framework that wraps microVM technology (Firecracker, Cloud Hypervisor, or QEMU) with a Kubernetes-compatible interface. You get hardware-level VM isolation, but your workloads look and feel like regular containers to your orchestration layer. The appeal is that you can slot VM-grade security into an existing container-based workflow without rearchitecting anything.

gVisor

gVisor, built by Google, takes a different approach. Instead of running a separate kernel in a VM, it inserts a user-space kernel called Sentry between the sandboxed application and the host kernel. When code makes a syscall, Sentry intercepts it, validates it, and either handles it in user space or proxies a safe subset to the host. This provides stronger isolation than standard containers without the overhead of a full VM. The tradeoff: some Linux syscalls aren't implemented in Sentry, which means ptrace, raw sockets, some ioctl calls, and native libraries that depend on them won't work.

KVM VMs (Full)

Traditional full virtual machines using KVM (Kernel-based Virtual Machine). Heavier than microVMs but with more features: full device emulation, nested virtualization, and broader OS support. Memory snapshots enable fast provisioning, and some VMMs support copy-on-write forking that can clone a running VM in under 1ms. These are real Linux VMs with systemd, multiple users, and full networking, not the stripped-down environments that microVMs provide.

libkrun

libkrun is a lightweight VMM from Red Hat that uses KVM on Linux and Hypervisor.framework on macOS. It's designed for running isolated workloads with minimal overhead, making it popular in the self-hosted/local sandbox space. The macOS support via Hypervisor.framework is a differentiator, since Firecracker is Linux-only.

OCI Containers

Standard Docker/OCI containers use Linux namespaces and cgroups for isolation. They share the host kernel, which makes them fast to start and lightweight on resources, but the isolation boundary is weaker. A container escape vulnerability means access to the host and potentially other containers. For trusted code or environments where speed matters more than security, containers are fine. For running untrusted AI-generated code, most providers layer additional isolation on top (Kata, gVisor, or a full VM).

V8 Isolates

V8 isolates run code inside the same process but in separate memory spaces enforced by the V8 engine. There's no VM, no container, no separate kernel. Startup is in milliseconds with megabytes of memory, roughly 100x faster and lighter than containers. The tradeoff is a narrower execution environment (JavaScript/Wasm only) and a more complex security surface: V8 bugs are more common than hypervisor vulnerabilities. Mitigations typically include rapid V8 patching, a second-layer Linux sandbox, Memory Protection Keys (hardware-enforced memory partitioning), and Spectre defenses.

Browser Sandboxes

The browser itself is the sandbox. The browser runtime is the kernel, Web APIs are the syscalls, and all computation happens on the user's device. Zero infrastructure cost, instant startup, and the isolation is strong - modern browsers enforce multi-process site isolation with OS-level sandboxing per renderer process. Limited to what browsers can do, but for certain use cases the simplicity is hard to beat.

This page covers every provider we could find, split into three categories:

  • Sandbox-native companies - it's their whole product
  • Platforms with sandboxes - sandboxes alongside other infrastructure
  • Open-source / self-hosted / local - projects you can run yourself, plus proprietary local tools clearly marked as such

Provider Overview

Sandbox-native providers

E2B

ISOLATION
Firecracker microVMs
FUNDING
$35M
PRICING MODEL
Usage + Plan

Open-source (Apache-2.0) sandbox platform built on Firecracker microVMs, with infrastructure self-hostable on AWS or GCP via Terraform. Sandboxes boot in under 200ms and run as full Linux environments with shell access, file I/O, and package management (pip, npm, apt). Pause/resume preserves complete state (filesystem, memory, processes) with indefinite retention and ~1s resume time. Separate Desktop Sandbox provides virtual Linux desktops with screen streaming and mouse/keyboard control for computer-use agents. Pro plan at $150/month with per-second billing ($0.000014/s per vCPU), up to 8 vCPUs, 8 GiB RAM, 24-hour sessions, and 1,100 concurrent sandboxes.

INFRASTRUCTURE
Managed
COLD START
~200ms
SDKS
TypeScriptPython

Daytona

ISOLATION
OCI Containers

Kata / gVisor optional

FUNDING
$31M
PRICING MODEL
Usage-based

Managed sandbox platform for AI-generated code execution and agent workflows, with BYOC options for teams that need deployment control. Sandboxes spin up in under 90ms with usage-based pricing across vCPU, memory, storage, and GPU resources. Full lifecycle control covers create, snapshot, restore, and resume operations, with built-in file system APIs, Git integration, LSP support, and real-time process output streaming. Virtual desktops support computer-use agents across Linux, macOS, and Windows. Daytona previously maintained an AGPL-3.0 open-source platform repo; that repo remains public and forkable, but core development moved to a private codebase in June 2026 and the old repo no longer receives updates.

INFRASTRUCTURE
Managed + BYOC
COLD START
~90ms
SDKS
PythonTypeScriptGoRubyJava

Blaxel

Spring 2025 Y
ISOLATION
Firecracker microVMs
FUNDING
$7.8M
PRICING MODEL
Usage-based

Sandboxes run in Firecracker microVMs with the root filesystem in RAM, auto-suspend after 15 seconds of inactivity with a full memory + filesystem snapshot, and resume in under 25ms with all processes intact, even after weeks. No compute charges while suspended, just snapshot storage at $0.20/GB/month. Co-locate your agent logic, MCP servers, and sandboxes on the same backbone to eliminate network hops between tool calls and execution. Built-in MCP server in every sandbox, real-time filesystem events, preview URLs with custom domains, dedicated egress IPs, and VPC peering. Open-source sandbox API, scales to 50,000+ concurrent sandboxes, SOC 2 and HIPAA compliant.

INFRASTRUCTURE
Own infrastructure
COLD START
25ms resume
SDKS
TypeScriptPythonGo

Runloop

ISOLATION
MicroVMs
FUNDING
$7M
PRICING MODEL
Usage + Plan

Custom bare-metal hypervisor with double isolation (VM + container) and 10GB image startup in under 2 seconds. Devboxes are stateful cloud workstations with snapshot, suspend, and resume via API, so agents can checkpoint disk state and fan out into parallel exploration branches. Built-in benchmarking pipeline runs SWE-Bench, R2E-Gym, and custom evals orchestrated end-to-end, with scoring, regression detection, and a path to supervised and reinforcement fine-tuning. Networking locked down via egress policies and credential isolation through Agent Gateways so secrets never enter the sandbox. Free tier with $50 credits, Pro at $250/month plus usage ($0.108/CPU/hr, $0.0252/GB/hr), Enterprise adds VPC deployment and fine-tuning. SOC 2, HIPAA, GDPR compliant.

INFRASTRUCTURE
Bare metal + BYOC
COLD START
~100ms
SDKS
TypeScriptPython
FOUNDERS
Jonathan Wall Jonathan Wall
OpenComputer

OpenComputer

by Digger

ISOLATION
KVM VMs
FUNDING
$6.9M
PRICING MODEL
Usage-based

Managed long-running Linux VMs for coding agents, built around persistent state rather than disposable command execution. Each OpenComputer is a full KVM VM with its own kernel, filesystem, network stack, root access, and preview URLs. Golden snapshots give fast startup, while checkpoints let agents restore or fork workspaces for parallel exploration. The agent loop can run inside the VM alongside the code and services, reducing round trips between orchestration and execution.

INFRASTRUCTURE
Managed cloud
COLD START
~300ms
SDKS
TypeScriptPythonCLIRESTClaude Agent SDK

Freestyle

Summer 2024 Y
ISOLATION
KVM VMs
FUNDING
$M+
PRICING MODEL
Usage + Plan

Full Linux KVM virtual machines on Freestyle's own bare metal hardware, not containers or microVMs. ~300ms median cold start via memory snapshots; pause/resume in under 100ms with billing dropping to storage-only. The standout feature is live copy-on-write VM forking in ~320ms median, completely decoupled from machine size, so a 64GB VM forks as fast as a 1GB one. Real root access, nested virtualization, systemd, eBPF, and a complete networking stack in every VM. Beyond sandboxes, the platform bundles multi-tenant API-first Git hosting with GitHub sync, serverless TypeScript execution with sub-10ms cold starts, and deploy-from-git. YC-backed (S24) with additional undisclosed funding. Free tier available; paid plans start at $50/month plus usage ($0.04/vCPU-hour, $0.013/GiB-memory-hour).

INFRASTRUCTURE
Bare metal
COLD START
~300ms
SDKS
TypeScriptPython

Terminal Use

Winter 2026 Y
ISOLATION
Containers
FUNDING
$625K
PRICING MODEL
Plan-based

Not a generic sandbox, a deployment platform for long-running, stateful agents, closer to Vercel than E2B. You write three Python handlers (on_create, on_event, on_cancel), deploy with tu deploy, and get versioning, rollback, preview/production environments, and structured logs. The core primitive is the filesystem: persistent, decoupled from task lifetime, shareable across multiple agents, forkable for A/B testing, with presigned URLs for direct file upload/download. Built-in adapters for Claude Agent SDK and Codex SDK with Vercel AI SDK v6 message compatibility. Agent code runs in bubblewrap sandboxes with namespace isolation and manifest-based filesystem sync that only transfers changed files.

INFRASTRUCTURE
Undisclosed
COLD START
N/A
SDKS
PythonTypeScript
Celesto AI

Celesto AI

ISOLATION
Firecracker microVMs
FUNDING
N/A
PRICING MODEL
Plan-based

Managed agent platform built on top of their open-source SmolVM sandbox engine (listed separately in open-source below). The managed cloud adds what SmolVM alone doesn't: Agentor, an agent framework with MCP server support, agent-to-agent communication, and a Tool Search API that reduces context bloat by dynamically discovering relevant tools instead of stuffing all schemas into the LLM context. GateKeeper handles delegated OAuth so agents can securely access end-user resources (Gmail, Google Calendar, etc.) without touching raw credentials. SuperAuth provides OAuth-based authentication flows for agent tools and integrations. Includes deployment via celesto deploy, step-level audit trails, tracing, and monitoring for agents running minutes to days.

INFRASTRUCTURE
Managed
COLD START
~500ms
SDKS
Python

Box

by ASCII

ISOLATION
Ubuntu VMs
FUNDING
N/A
PRICING MODEL
Usage + Plan

Managed Ubuntu VM sandboxes for agents with SSH/SCP, CLI, HTTP API, and TypeScript/Python SDKs. Boxes run on Hetzner CX33-class VMs with Docker, GitHub CLI, Claude Code, Codex, Chrome, and common language toolchains preinstalled. The product is optimized for long-running agent workflows: boxes can be stopped, resumed from filesystem snapshots, forked, exposed through HTTPS preview URLs, and used through a browser desktop stream. Pricing is simple VM-time billing with a monthly minimum.

INFRASTRUCTURE
Hetzner Cloud
COLD START
N/A
SDKS
CLIHTTP APITypeScriptPythonSSH

Isorun

ISOLATION
Firecracker microVMs
FUNDING
N/A
PRICING MODEL
Usage-based

Managed Firecracker microVM runtime for agents and untrusted code. Isorun creates isolated Linux VMs from OCI images, exposes command/file/port APIs, and adds agent-oriented lifecycle features like hibernate/resume, snapshot/restore, and forking. It also supports network policies, host-side credential injection, audit trails, and adapters for MCP, OpenAI Agents, and LangChain. The product is early, with a small public SDK and limited public company information.

INFRASTRUCTURE
Managed
COLD START
Milliseconds
SDKS
TypeScriptMCPOpenAI AgentsLangChain
FOUNDERS
Emir Beganović Emir Beganović

Platforms with sandboxes

Modal

ISOLATION
gVisor
FUNDING
$111M
PRICING MODEL
Usage + Plan

General-purpose serverless AI platform with a dedicated sandbox product for executing untrusted and agent-generated code. Sandboxes scale to 20,000+ concurrent containers with sub-second cold starts, gVisor isolation, and auto-shutdown on idle. Three levels of snapshotting: filesystem (persistent, delta-based), directory (mountable into running sandboxes), and full memory snapshots that restore processes mid-execution. Secure-by-default networking with CIDR-based egress control, encrypted TCP tunnels, authenticated HTTP/WebSocket access via connect tokens, and custom domain support. Pure usage-based pricing (CPU at ~$0.14/core/hour, memory at ~$0.024/GiB/hour) on top of a free or paid plan. Beyond sandboxes, Modal supports GPU inference, model training, batch processing, cron jobs, and web endpoints.

INFRASTRUCTURE
Managed (OCI)
COLD START
<1s
SDKS
PythonJavaScriptGo

Sprites

by Fly.io

ISOLATION
Firecracker microVMs
FUNDING
$111M
PRICING MODEL
Usage-based

Standalone sandbox product by Fly.io with its own domain, CLI, and SDKs. Built on the thesis that ephemeral sandboxes are obsolete: Sprites are persistent Firecracker microVMs with 100GB NVMe-backed storage that survives between sessions, so agents install dependencies once, not every run. Creation takes 1-2 seconds, checkpoints complete in ~300ms via copy-on-write metadata operations, and VMs auto-sleep after 30 seconds of inactivity with billing frozen until wake. Granular cgroup-level billing charges for actual CPU cycles and resident memory, not allocated resources, so a 4-hour coding session costs ~$0.44. Native MCP support at sprites.dev/mcp. Beyond sandboxes, Fly.io is a global bare-metal app hosting platform with managed databases, GPU support, and edge networking across 30+ regions.

INFRASTRUCTURE
Bare metal
COLD START
1-2s
SDKS
TypeScriptGoCLI

Northflank

ISOLATION
Kata Containers

gVisor fallback

FUNDING
$24.9M
PRICING MODEL
Usage-based

Full-stack cloud platform with sandboxing as a first-class capability. Choose your isolation technology per workload: Kata Containers (dedicated kernel via microVM) or gVisor (user-space syscall interception). Any OCI container image works without modification, sessions run indefinitely with no time caps, and BYOC deployment is self-serve across AWS, GCP, Azure, bare metal, and five other providers. CPU at $0.01667/vCPU-hr with per-second billing, GPUs available at $2.74/hr for H100s all-inclusive. Beyond sandboxes, Northflank runs your full stack: databases (Postgres, Redis, MongoDB, MySQL), APIs, GPU inference, CI/CD, scheduled jobs, with SSO, RBAC, and audit logging from a single control plane.

INFRASTRUCTURE
Managed + BYOC
COLD START
Seconds
SDKS
Any OCI containerJavaScript

Namespace

ISOLATION
Containers
FUNDING
$23M
PRICING MODEL
Usage-based

Persistent dev environments running on Namespace's own bare metal (AMD EPYC, AmpereOne, Apple M4 Pro) across US and EU data centers, with 25-100 Gbps inter-node networking and local NVMe. Devboxes serve both human developers and AI coding agents from the same Dockerfile-based environment definition, with one-click Claude Code enablement. Auto-pause when idle, resume in seconds, per-minute billing from $0.004/min (4 vCPU/8 GB). Same underlying platform that powers Buildkite Hosted Agents and Warp Background Agents. Beyond devboxes, Namespace provides CI runners (Buildkite integration), Docker image builders, and native macOS/Windows compute across Linux (amd64/arm64), macOS, and Windows.

INFRASTRUCTURE
Bare metal
COLD START
On-demand
SDKS
Any (Dockerfile)

Claude Managed Agents

by Anthropic

ISOLATION
Containers
FUNDING
$67.3B
PRICING MODEL
Usage-based

$0.08/session-hr + tokens

Claude-only managed agent runtime where you define what the agent should do and Anthropic runs everything: model, harness, sandbox, and orchestration. Define agents via natural language or YAML, connect to external services through MCP, and deploy with built-in sandboxed code execution, credential management via secure proxy, scoped permissions, and end-to-end session tracing. Sessions run autonomously for hours with state that persists through disconnections. Agents can spin up and direct other agents for parallel work (research preview). Pricing is standard Claude API token rates plus $0.08 per active session-hour (idle time excluded), with web search at $10 per 1,000 queries.

INFRASTRUCTURE
Managed
COLD START
N/A
SDKS
PythonTypeScriptCLI

Sandbox

by Vercel

ISOLATION
Firecracker microVMs
FUNDING
$863M
PRICING MODEL
Usage + Plan

Backed by the same Firecracker infrastructure that runs 2.7M Vercel deployments daily, each sandbox gets a dedicated microVM with its own kernel, filesystem, and network. Billing is "Active CPU" only, so I/O wait time is excluded, which Vercel claims cuts costs up to 95% for agent workloads that spend most of their time waiting on LLM or API calls ($0.128/vCPU-hr active, $0.0212/GB-hr memory). Pro plans support 2,000 concurrent sandboxes with snapshotting for instant environment restore. Credential brokering keeps secrets outside the sandbox boundary entirely, injecting them at the proxy layer so untrusted code never touches raw API keys. Open-source CLI and TypeScript/Python SDKs; free tier includes 5 hrs active CPU/month. Beyond sandboxes, Vercel is the dominant frontend/fullstack deployment platform, known for Next.js hosting, edge functions, and the v0 AI code generation tool.

INFRASTRUCTURE
Managed
COLD START
Milliseconds
SDKS
TypeScriptPython

Sandboxes

by Cloudflare

ISOLATION
Containers + V8 Isolates
FUNDING
Public
PRICING MODEL
Usage-based

Two sandbox tiers on the same global network: Dynamic Workers (V8 isolates) start in single-digit milliseconds with a few MB of memory for JavaScript/TypeScript execution, while Sandbox SDK (containers) provides full Linux environments with shell access, custom Docker images, and preview URLs. Dynamic Workers have no concurrency limits and run on the same thread as the parent Worker; Sandbox SDK supports any language and scales to zero when idle. Both run across 300+ edge locations on the $5/month Workers Paid plan with usage-based billing, egress control, and credential injection built in. Beyond sandboxes, Cloudflare is a publicly traded infrastructure company best known for its CDN, DDoS protection, and DNS, with a developer platform spanning Workers, R2, D1, KV, Queues, Durable Objects, and Workers AI.

INFRASTRUCTURE
Bare metal
COLD START
Milliseconds
SDKS
TypeScript
AWS Lambda MicroVMs

Lambda MicroVMs

by AWS

ISOLATION
Firecracker microVMs
FUNDING
Public
PRICING MODEL
Usage-based

AWS Lambda MicroVMs is a managed Firecracker-based compute primitive for running user-generated or AI-generated code in isolated, stateful environments. You build a MicroVM from a Dockerfile, snapshot the initialized environment, and restore dedicated instances on demand with explicit run, suspend, resume, and terminate lifecycle hooks. Suspended environments stop compute billing while retaining state through snapshots, with memory and disk state preserved for up to 8 hours. It is AWS-native infrastructure rather than a sandbox SaaS, with regional, lifetime, architecture, and resource-shape constraints.

INFRASTRUCTURE
AWS Lambda
COLD START
Near-instant
SDKS
AWS SDKsCLICDKCloudFormation

Open source / Self-hosted / Local

OpenSandbox

by Alibaba

ISOLATION
OCI Containers

Kata / gVisor / Firecracker optional

GITHUB STARS
⭐ -
LICENSE
Apache 2.0

Open-source (Apache 2.0) sandbox platform from Alibaba. Runs on Docker locally or Kubernetes at scale with a custom operator providing pre-warmed resource pools, batch sandbox creation, and optional task orchestration. SDKs in Python, Java/Kotlin, TypeScript/JavaScript, and C#/.NET talk to a standardized OpenAPI protocol, so switching runtimes requires zero code changes. Supports gVisor, Kata Containers, and Firecracker microVM isolation, per-sandbox egress controls, and a built-in Jupyter-based code interpreter for Python, Java, JavaScript, TypeScript, Go, and Bash. Ships with ready-made integrations for Claude Code, Gemini CLI, Codex CLI, LangGraph, Playwright, VNC desktops, and RL training workloads.

INFRASTRUCTURE
Self-hosted
COLD START
Variable
SDKS
PythonJavaTypeScriptC#

Microsandbox

Fall 2026 Y
ISOLATION
libkrun microVMs
GITHUB STARS
⭐ -
LICENSE
Apache 2.0

Microsandbox boots a real VM in under 100ms, with no daemon, no server, and no root. It uses libkrun microVMs instead of containers, giving each sandbox its own kernel and hardware-level isolation. The SDK is three lines of code: pick an image, set CPU/memory, call create(). Secrets never enter the guest; the VM sees only placeholders. Runs standard OCI images, ships SDKs for Rust, TypeScript, and Python, and includes an MCP server so any agent can manage its own sandboxes. Works with Claude Code, Cursor, Codex, Gemini CLI, and GitHub Copilot out of the box. Apache 2.0, self-hosted, YC-backed.

INFRASTRUCTURE
Local
COLD START
<100ms
SDKS
RustTypeScriptPython

sandboxd

ISOLATION
Docker containers

cap-drop + read-only rootfs

GITHUB STARS
⭐ -
LICENSE
MIT

Open-source backend for self-hosted AI app builders and preview environments. sandboxd turns a single Docker host into many isolated dev containers, each with its own workspace, memory limits, lifecycle API, built-in coding agents, and Traefik-powered preview URL. It focuses on the practical platform loop: create, build, preview, sleep, wake, and persist. Isolation is hardened Docker/runc, not a VM boundary, so it is best for authenticated users or dedicated hosts rather than anonymous hostile workloads.

INFRASTRUCTURE
Self-hosted Docker
COLD START
N/A
SDKS
HTTP APICLI
OpenShell

OpenShell

by NVIDIA

ISOLATION
Containers + MicroVMs

Landlock / seccomp / policy proxy

GITHUB STARS
⭐ -
LICENSE
Apache 2.0

NVIDIA OpenShell is an open-source runtime for autonomous AI agents with a gateway control plane, sandbox supervisor, declarative YAML policy engine, credential providers, inference routing, CLI, and TUI. Sandboxes can run through Docker, Podman, Kubernetes, or an opt-in MicroVM driver using libkrun on macOS/Linux and QEMU for GPU-backed Linux sandboxes. OpenShell applies layered controls: Landlock filesystem restrictions, seccomp syscall filtering, unprivileged agent processes, network namespaces, and a policy proxy that evaluates outbound traffic by destination, binary identity, HTTP method/path, SSRF rules, and inference routing. Network and inference policy can be hot-reloaded on running sandboxes, while filesystem and process policy are locked at creation. Supports Claude Code, OpenCode, Codex, Copilot CLI, OpenClaw, Ollama, custom containers, file upload/download, port forwarding, logs, and experimental GPU passthrough. Apache 2.0, active Rust codebase, but explicitly alpha and single-player today.

INFRASTRUCTURE
Local + Kubernetes
COLD START
Undisclosed
SDKS
CLIPythonHelm
SmolVM

SmolVM

by Smol Machines

ISOLATION
libkrun (KVM / Hypervisor.framework)
GITHUB STARS
⭐ -
LICENSE
Apache 2.0

SmolVM boots a dedicated Linux VM per workload in under 200ms using libkrun, a library VMM - no daemon, no Docker, no privileged setup. Every sandbox gets its own kernel on the platform's native hypervisor (Hypervisor.framework on macOS, KVM on Linux), providing real hardware isolation rather than container namespaces. Network is off by default; when enabled, egress can be locked to specific hostnames. Workloads pack into single .smolmachine files that run on any matching-architecture host with zero dependencies. Ships a CLI and an embedded Node.js SDK (NAPI-RS) for in-process VM management, with 4 vCPUs and 8 GiB elastic RAM as defaults. Apache 2.0, supports macOS Apple Silicon and Intel plus Linux x86_64 and aarch64.

INFRASTRUCTURE
Local
COLD START
<200ms
SDKS
Node.jsCLI
Zeroboot

Zeroboot

ISOLATION
Firecracker + KVM
GITHUB STARS
⭐ -
LICENSE
Apache 2.0

Zeroboot forks a full KVM virtual machine in 0.79ms. It works by mmap-ing a Firecracker memory snapshot with MAP_PRIVATE, giving each sandbox copy-on-write pages at the OS level. Each fork is a real hardware-isolated VM using ~265KB of actual memory, not a container. 1,000 concurrent forks complete in 815ms. Written in Rust, self-hostable on any Linux box with KVM, with Python and TypeScript SDKs and a managed API in early access at api.zeroboot.dev. Apache 2.0.

INFRASTRUCTURE
Local
COLD START
~0.8ms fork
SDKS
PythonTypeScriptCLI

Agent Safehouse

ISOLATION
macOS sandbox-exec

Seatbelt profiles

GITHUB STARS
⭐ -
LICENSE
Apache 2.0

Agent Safehouse wraps local coding agents in macOS sandbox-exec policies so they can read and write only what they need. It starts from deny-all, grants read/write access to the selected project directory, allows read-only toolchain access, and blocks sensitive paths like SSH keys, shell profiles, browser data, other repos, and arbitrary home-directory files unless explicitly enabled. Ships as a Homebrew package or single Bash script, with composable policy profiles for major agents and integrations. It is not a VM and does not provide Docker-style isolation, but it has near-zero overhead and makes local YOLO-mode agents much safer on macOS.

INFRASTRUCTURE
Local macOS
COLD START
Instant
SDKS
ShellCLI
FOUNDERS
Gondolin

Gondolin

by Earendil Works

ISOLATION
QEMU microVMs

krun experimental

GITHUB STARS
⭐ -
LICENSE
Apache 2.0

Gondolin runs untrusted agent code inside local Linux microVMs while keeping network and filesystem access mediated by a TypeScript host control plane. QEMU is the default backend, with experimental libkrun support. The guest gets a real Linux environment, but outbound HTTP/TLS traffic flows through programmable host-side policy hooks, secrets are injected only for allowed destinations, and VFS mounts can be implemented in JavaScript. Includes CLI and TypeScript SDK, snapshots/resume, SSH, ingress gateways, custom images, and a Pi extension example. Best thought of as a programmable sandbox toolkit for agent runtimes rather than a hosted platform.

INFRASTRUCTURE
Local
COLD START
<1s
SDKS
TypeScriptCLI

E2B

ISOLATION
Firecracker microVMs
GITHUB STARS
⭐ -
LICENSE
Apache 2.0

The full infrastructure powering E2B Cloud, open-sourced under Apache-2.0. Self-hostable via Terraform on GCP (stable) or AWS (beta). Includes the API server, sandbox orchestrator, environment daemon (envd), authentication, dashboard API, database layer, reverse proxy, and observability via OpenTelemetry. Built on Firecracker microVMs orchestrated through Nomad and Consul. Requires Terraform, Packer, Docker, a Cloudflare account, and a PostgreSQL database (Supabase supported). Heavier to deploy than Docker Compose alternatives but gives you the exact same production infrastructure that runs e2b.dev. The separate SDK repo (e2b-dev/E2B, 11.6k stars) provides Python and TypeScript clients.

INFRASTRUCTURE
Self-hosted (Terraform on GCP/AWS)
COLD START
~200ms
SDKS
PythonTypeScript
SmolVM (Celesto)

SmolVM

by Celesto

ISOLATION
Firecracker microVMs
GITHUB STARS
⭐ -
LICENSE
Apache 2.0

SmolVM is a self-hosted sandbox engine that runs each AI agent session in its own Firecracker microVM - hardware-level isolation, not containers. VMs boot in ~572ms, execute commands in ~43ms, and full lifecycle is ~3.5s. Includes built-in browser sessions with CDP access and live-view, domain-level network egress controls via nftables, VM snapshots, and OpenClaw GUI support. Ships as a pip package with a CLI and Python SDK, with ready-made tool wrappers for OpenAI Agents, LangChain, and PydanticAI. Apache 2.0, no account required, runs on your own infrastructure.

INFRASTRUCTURE
Local
COLD START
~572ms
SDKS
Python
LIFO

Lifo

ISOLATION
Browser (V8/Web APIs)
GITHUB STARS
⭐ -
LICENSE
MIT

Lifo runs a full Unix environment inside a browser tab with zero boot time - no VM, no container, no cloud round-trip. It maps POSIX interfaces directly onto Web APIs: IndexedDB becomes the filesystem, Fetch becomes the network stack, and the JS runtime becomes the process model. The @lifo-sh/core npm package exposes a Sandbox.create() API that boots a shell with 58+ commands (grep, awk, curl, tar, node, etc.), a virtual filesystem with IndexedDB persistence, and a Node.js compatibility layer shimming 15 stdlib modules. Git operations work in-browser via isomorphic-git, and the same sandbox runs in Node.js with optional host filesystem mounts. MIT licensed, entirely client-side, zero infrastructure cost.

INFRASTRUCTURE
Client-side / Node.js
COLD START
Instant
SDKS
JavaScript

Sandboxes

by Docker

ISOLATION
MicroVMs
GITHUB STARS
⭐ -
PRICING MODEL
Proprietary

Closed-source release repo

Docker Sandboxes gives coding agents a disposable local microVM with its own filesystem, network, and private Docker daemon, so agents can install packages, modify configs, build images, run Compose, and start containers without touching the host Docker daemon or broader machine. Workspaces are mounted into the sandbox, changes are visible immediately, and sandbox state persists across stop/start until removed. The public GitHub repo is for releases and issues only: Docker Sandboxes itself is proprietary, not open source. The sbx CLI supports Claude Code, Codex, Gemini CLI, OpenCode, Copilot, Cursor, Kiro, Droid, Docker Agent, and shell sessions, plus branch/worktree mode for parallel agents. Network traffic routes through a host proxy for policy enforcement and credential injection.

INFRASTRUCTURE
Local
COLD START
Undisclosed
SDKS
CLITemplatesKits