Last updated - Maintained by engine.build
AI agent sandboxes are isolated environments where coding agents can run commands, install dependencies, browse the web, and modify files without touching your real machine.
This guide compares 30 hosted, platform-native, open-source, self-hosted, and local sandbox options across isolation model, startup time, persistence, pricing, SDKs, and deployment style.
Have we reached peak agent sandbox yet? YC batches, cloud giants, indie devs, and probably some guy's mom are all building them.
Agent sandboxes are isolated environments where AI agents can run code, use tools, and interact with a filesystem without affecting your system or other workloads. Think of it as giving each agent its own disposable computer. That computer can live in someone else's cloud, your own cloud, or locally on your machine. But the point is always the same: the agent can do whatever it needs to inside, and nothing escapes the boundary.
Some people use them for security, keeping untrusted code away from their real system. Others use them to offload work entirely, agents keep running in the cloud even when your laptop is shut. And unlike worktrees, sandboxes give each agent a full isolated OS, not just a separate branch, so agents can install packages, run servers, use browsers, and do things that would conflict or be unsafe on a shared machine.
MicroVMs are stripped-down virtual machines built specifically for running ephemeral, isolated workloads. Each sandbox gets its own Linux kernel, with isolation enforced by hardware virtualization (Intel VT-x / AMD-V) at the CPU level. This means a compromised sandbox cannot escape to the host or other sandboxes, even with a kernel exploit. Firecracker, built by AWS for Lambda and Fargate, is the most widely used microVM monitor in this space. It boots in under 125ms with less than 5MB memory overhead per instance by cutting everything a sandbox doesn't need: no PCI bus, no USB, no legacy devices. Cloud Hypervisor is similar but supports more features like PCI passthrough.
Kata Containers is an orchestration framework that wraps microVM technology (Firecracker, Cloud Hypervisor, or QEMU) with a Kubernetes-compatible interface. You get hardware-level VM isolation, but your workloads look and feel like regular containers to your orchestration layer. The appeal is that you can slot VM-grade security into an existing container-based workflow without rearchitecting anything.
gVisor, built by Google, takes a different approach. Instead of running a separate kernel in a VM, it inserts a user-space kernel called Sentry between the sandboxed application and the host kernel. When code makes a syscall, Sentry intercepts it, validates it, and either handles it in user space or proxies a safe subset to the host. This provides stronger isolation than standard containers without the overhead of a full VM. The tradeoff: some Linux syscalls aren't implemented in Sentry, which means ptrace, raw sockets, some ioctl calls, and native libraries that depend on them won't work.
Traditional full virtual machines using KVM (Kernel-based Virtual Machine). Heavier than microVMs but with more features: full device emulation, nested virtualization, and broader OS support. Memory snapshots enable fast provisioning, and some VMMs support copy-on-write forking that can clone a running VM in under 1ms. These are real Linux VMs with systemd, multiple users, and full networking, not the stripped-down environments that microVMs provide.
libkrun is a lightweight VMM from Red Hat that uses KVM on Linux and Hypervisor.framework on macOS. It's designed for running isolated workloads with minimal overhead, making it popular in the self-hosted/local sandbox space. The macOS support via Hypervisor.framework is a differentiator, since Firecracker is Linux-only.
Standard Docker/OCI containers use Linux namespaces and cgroups for isolation. They share the host kernel, which makes them fast to start and lightweight on resources, but the isolation boundary is weaker. A container escape vulnerability means access to the host and potentially other containers. For trusted code or environments where speed matters more than security, containers are fine. For running untrusted AI-generated code, most providers layer additional isolation on top (Kata, gVisor, or a full VM).
V8 isolates run code inside the same process but in separate memory spaces enforced by the V8 engine. There's no VM, no container, no separate kernel. Startup is in milliseconds with megabytes of memory, roughly 100x faster and lighter than containers. The tradeoff is a narrower execution environment (JavaScript/Wasm only) and a more complex security surface: V8 bugs are more common than hypervisor vulnerabilities. Mitigations typically include rapid V8 patching, a second-layer Linux sandbox, Memory Protection Keys (hardware-enforced memory partitioning), and Spectre defenses.
The browser itself is the sandbox. The browser runtime is the kernel, Web APIs are the syscalls, and all computation happens on the user's device. Zero infrastructure cost, instant startup, and the isolation is strong - modern browsers enforce multi-process site isolation with OS-level sandboxing per renderer process. Limited to what browsers can do, but for certain use cases the simplicity is hard to beat.
This page covers every provider we could find, split into three categories:
Open-source (Apache-2.0) sandbox platform built on Firecracker microVMs, with infrastructure self-hostable on AWS or GCP via Terraform. Sandboxes boot in under 200ms and run as full Linux environments with shell access, file I/O, and package management (pip, npm, apt). Pause/resume preserves complete state (filesystem, memory, processes) with indefinite retention and ~1s resume time. Separate Desktop Sandbox provides virtual Linux desktops with screen streaming and mouse/keyboard control for computer-use agents. Pro plan at $150/month with per-second billing ($0.000014/s per vCPU), up to 8 vCPUs, 8 GiB RAM, 24-hour sessions, and 1,100 concurrent sandboxes.
Kata / gVisor optional
Managed sandbox platform for AI-generated code execution and agent workflows, with BYOC options for teams that need deployment control. Sandboxes spin up in under 90ms with usage-based pricing across vCPU, memory, storage, and GPU resources. Full lifecycle control covers create, snapshot, restore, and resume operations, with built-in file system APIs, Git integration, LSP support, and real-time process output streaming. Virtual desktops support computer-use agents across Linux, macOS, and Windows. Daytona previously maintained an AGPL-3.0 open-source platform repo; that repo remains public and forkable, but core development moved to a private codebase in June 2026 and the old repo no longer receives updates.
Sandboxes run in Firecracker microVMs with the root filesystem in RAM, auto-suspend after 15 seconds of inactivity with a full memory + filesystem snapshot, and resume in under 25ms with all processes intact, even after weeks. No compute charges while suspended, just snapshot storage at $0.20/GB/month. Co-locate your agent logic, MCP servers, and sandboxes on the same backbone to eliminate network hops between tool calls and execution. Built-in MCP server in every sandbox, real-time filesystem events, preview URLs with custom domains, dedicated egress IPs, and VPC peering. Open-source sandbox API, scales to 50,000+ concurrent sandboxes, SOC 2 and HIPAA compliant.
Custom bare-metal hypervisor with double isolation (VM + container) and 10GB image startup in under 2 seconds. Devboxes are stateful cloud workstations with snapshot, suspend, and resume via API, so agents can checkpoint disk state and fan out into parallel exploration branches. Built-in benchmarking pipeline runs SWE-Bench, R2E-Gym, and custom evals orchestrated end-to-end, with scoring, regression detection, and a path to supervised and reinforcement fine-tuning. Networking locked down via egress policies and credential isolation through Agent Gateways so secrets never enter the sandbox. Free tier with $50 credits, Pro at $250/month plus usage ($0.108/CPU/hr, $0.0252/GB/hr), Enterprise adds VPC deployment and fine-tuning. SOC 2, HIPAA, GDPR compliant.
Jonathan Wallby Digger
Managed long-running Linux VMs for coding agents, built around persistent state rather than disposable command execution. Each OpenComputer is a full KVM VM with its own kernel, filesystem, network stack, root access, and preview URLs. Golden snapshots give fast startup, while checkpoints let agents restore or fork workspaces for parallel exploration. The agent loop can run inside the VM alongside the code and services, reducing round trips between orchestration and execution.
Full Linux KVM virtual machines on Freestyle's own bare metal hardware, not containers or microVMs. ~300ms median cold start via memory snapshots; pause/resume in under 100ms with billing dropping to storage-only. The standout feature is live copy-on-write VM forking in ~320ms median, completely decoupled from machine size, so a 64GB VM forks as fast as a 1GB one. Real root access, nested virtualization, systemd, eBPF, and a complete networking stack in every VM. Beyond sandboxes, the platform bundles multi-tenant API-first Git hosting with GitHub sync, serverless TypeScript execution with sub-10ms cold starts, and deploy-from-git. YC-backed (S24) with additional undisclosed funding. Free tier available; paid plans start at $50/month plus usage ($0.04/vCPU-hour, $0.013/GiB-memory-hour).
Not a generic sandbox, a deployment platform for long-running, stateful agents, closer to Vercel than E2B. You write three Python handlers (on_create, on_event, on_cancel), deploy with tu deploy, and get versioning, rollback, preview/production environments, and structured logs. The core primitive is the filesystem: persistent, decoupled from task lifetime, shareable across multiple agents, forkable for A/B testing, with presigned URLs for direct file upload/download. Built-in adapters for Claude Agent SDK and Codex SDK with Vercel AI SDK v6 message compatibility. Agent code runs in bubblewrap sandboxes with namespace isolation and manifest-based filesystem sync that only transfers changed files.
Managed agent platform built on top of their open-source SmolVM sandbox engine (listed separately in open-source below). The managed cloud adds what SmolVM alone doesn't: Agentor, an agent framework with MCP server support, agent-to-agent communication, and a Tool Search API that reduces context bloat by dynamically discovering relevant tools instead of stuffing all schemas into the LLM context. GateKeeper handles delegated OAuth so agents can securely access end-user resources (Gmail, Google Calendar, etc.) without touching raw credentials. SuperAuth provides OAuth-based authentication flows for agent tools and integrations. Includes deployment via celesto deploy, step-level audit trails, tracing, and monitoring for agents running minutes to days.
by ASCII
Managed Ubuntu VM sandboxes for agents with SSH/SCP, CLI, HTTP API, and TypeScript/Python SDKs. Boxes run on Hetzner CX33-class VMs with Docker, GitHub CLI, Claude Code, Codex, Chrome, and common language toolchains preinstalled. The product is optimized for long-running agent workflows: boxes can be stopped, resumed from filesystem snapshots, forked, exposed through HTTPS preview URLs, and used through a browser desktop stream. Pricing is simple VM-time billing with a monthly minimum.
Managed Firecracker microVM runtime for agents and untrusted code. Isorun creates isolated Linux VMs from OCI images, exposes command/file/port APIs, and adds agent-oriented lifecycle features like hibernate/resume, snapshot/restore, and forking. It also supports network policies, host-side credential injection, audit trails, and adapters for MCP, OpenAI Agents, and LangChain. The product is early, with a small public SDK and limited public company information.
General-purpose serverless AI platform with a dedicated sandbox product for executing untrusted and agent-generated code. Sandboxes scale to 20,000+ concurrent containers with sub-second cold starts, gVisor isolation, and auto-shutdown on idle. Three levels of snapshotting: filesystem (persistent, delta-based), directory (mountable into running sandboxes), and full memory snapshots that restore processes mid-execution. Secure-by-default networking with CIDR-based egress control, encrypted TCP tunnels, authenticated HTTP/WebSocket access via connect tokens, and custom domain support. Pure usage-based pricing (CPU at ~$0.14/core/hour, memory at ~$0.024/GiB/hour) on top of a free or paid plan. Beyond sandboxes, Modal supports GPU inference, model training, batch processing, cron jobs, and web endpoints.
by Fly.io
Standalone sandbox product by Fly.io with its own domain, CLI, and SDKs. Built on the thesis that ephemeral sandboxes are obsolete: Sprites are persistent Firecracker microVMs with 100GB NVMe-backed storage that survives between sessions, so agents install dependencies once, not every run. Creation takes 1-2 seconds, checkpoints complete in ~300ms via copy-on-write metadata operations, and VMs auto-sleep after 30 seconds of inactivity with billing frozen until wake. Granular cgroup-level billing charges for actual CPU cycles and resident memory, not allocated resources, so a 4-hour coding session costs ~$0.44. Native MCP support at sprites.dev/mcp. Beyond sandboxes, Fly.io is a global bare-metal app hosting platform with managed databases, GPU support, and edge networking across 30+ regions.
gVisor fallback
Full-stack cloud platform with sandboxing as a first-class capability. Choose your isolation technology per workload: Kata Containers (dedicated kernel via microVM) or gVisor (user-space syscall interception). Any OCI container image works without modification, sessions run indefinitely with no time caps, and BYOC deployment is self-serve across AWS, GCP, Azure, bare metal, and five other providers. CPU at $0.01667/vCPU-hr with per-second billing, GPUs available at $2.74/hr for H100s all-inclusive. Beyond sandboxes, Northflank runs your full stack: databases (Postgres, Redis, MongoDB, MySQL), APIs, GPU inference, CI/CD, scheduled jobs, with SSO, RBAC, and audit logging from a single control plane.
Persistent dev environments running on Namespace's own bare metal (AMD EPYC, AmpereOne, Apple M4 Pro) across US and EU data centers, with 25-100 Gbps inter-node networking and local NVMe. Devboxes serve both human developers and AI coding agents from the same Dockerfile-based environment definition, with one-click Claude Code enablement. Auto-pause when idle, resume in seconds, per-minute billing from $0.004/min (4 vCPU/8 GB). Same underlying platform that powers Buildkite Hosted Agents and Warp Background Agents. Beyond devboxes, Namespace provides CI runners (Buildkite integration), Docker image builders, and native macOS/Windows compute across Linux (amd64/arm64), macOS, and Windows.
by Anthropic
$0.08/session-hr + tokens
Claude-only managed agent runtime where you define what the agent should do and Anthropic runs everything: model, harness, sandbox, and orchestration. Define agents via natural language or YAML, connect to external services through MCP, and deploy with built-in sandboxed code execution, credential management via secure proxy, scoped permissions, and end-to-end session tracing. Sessions run autonomously for hours with state that persists through disconnections. Agents can spin up and direct other agents for parallel work (research preview). Pricing is standard Claude API token rates plus $0.08 per active session-hour (idle time excluded), with web search at $10 per 1,000 queries.
by Vercel
Backed by the same Firecracker infrastructure that runs 2.7M Vercel deployments daily, each sandbox gets a dedicated microVM with its own kernel, filesystem, and network. Billing is "Active CPU" only, so I/O wait time is excluded, which Vercel claims cuts costs up to 95% for agent workloads that spend most of their time waiting on LLM or API calls ($0.128/vCPU-hr active, $0.0212/GB-hr memory). Pro plans support 2,000 concurrent sandboxes with snapshotting for instant environment restore. Credential brokering keeps secrets outside the sandbox boundary entirely, injecting them at the proxy layer so untrusted code never touches raw API keys. Open-source CLI and TypeScript/Python SDKs; free tier includes 5 hrs active CPU/month. Beyond sandboxes, Vercel is the dominant frontend/fullstack deployment platform, known for Next.js hosting, edge functions, and the v0 AI code generation tool.
by Cloudflare
Two sandbox tiers on the same global network: Dynamic Workers (V8 isolates) start in single-digit milliseconds with a few MB of memory for JavaScript/TypeScript execution, while Sandbox SDK (containers) provides full Linux environments with shell access, custom Docker images, and preview URLs. Dynamic Workers have no concurrency limits and run on the same thread as the parent Worker; Sandbox SDK supports any language and scales to zero when idle. Both run across 300+ edge locations on the $5/month Workers Paid plan with usage-based billing, egress control, and credential injection built in. Beyond sandboxes, Cloudflare is a publicly traded infrastructure company best known for its CDN, DDoS protection, and DNS, with a developer platform spanning Workers, R2, D1, KV, Queues, Durable Objects, and Workers AI.
by AWS
AWS Lambda MicroVMs is a managed Firecracker-based compute primitive for running user-generated or AI-generated code in isolated, stateful environments. You build a MicroVM from a Dockerfile, snapshot the initialized environment, and restore dedicated instances on demand with explicit run, suspend, resume, and terminate lifecycle hooks. Suspended environments stop compute billing while retaining state through snapshots, with memory and disk state preserved for up to 8 hours. It is AWS-native infrastructure rather than a sandbox SaaS, with regional, lifetime, architecture, and resource-shape constraints.
by Alibaba
Kata / gVisor / Firecracker optional
Open-source (Apache 2.0) sandbox platform from Alibaba. Runs on Docker locally or Kubernetes at scale with a custom operator providing pre-warmed resource pools, batch sandbox creation, and optional task orchestration. SDKs in Python, Java/Kotlin, TypeScript/JavaScript, and C#/.NET talk to a standardized OpenAPI protocol, so switching runtimes requires zero code changes. Supports gVisor, Kata Containers, and Firecracker microVM isolation, per-sandbox egress controls, and a built-in Jupyter-based code interpreter for Python, Java, JavaScript, TypeScript, Go, and Bash. Ships with ready-made integrations for Claude Code, Gemini CLI, Codex CLI, LangGraph, Playwright, VNC desktops, and RL training workloads.
Microsandbox boots a real VM in under 100ms, with no daemon, no server, and no root. It uses libkrun microVMs instead of containers, giving each sandbox its own kernel and hardware-level isolation. The SDK is three lines of code: pick an image, set CPU/memory, call create(). Secrets never enter the guest; the VM sees only placeholders. Runs standard OCI images, ships SDKs for Rust, TypeScript, and Python, and includes an MCP server so any agent can manage its own sandboxes. Works with Claude Code, Cursor, Codex, Gemini CLI, and GitHub Copilot out of the box. Apache 2.0, self-hosted, YC-backed.
cap-drop + read-only rootfs
Open-source backend for self-hosted AI app builders and preview environments. sandboxd turns a single Docker host into many isolated dev containers, each with its own workspace, memory limits, lifecycle API, built-in coding agents, and Traefik-powered preview URL. It focuses on the practical platform loop: create, build, preview, sleep, wake, and persist. Isolation is hardened Docker/runc, not a VM boundary, so it is best for authenticated users or dedicated hosts rather than anonymous hostile workloads.
by NVIDIA
Landlock / seccomp / policy proxy
NVIDIA OpenShell is an open-source runtime for autonomous AI agents with a gateway control plane, sandbox supervisor, declarative YAML policy engine, credential providers, inference routing, CLI, and TUI. Sandboxes can run through Docker, Podman, Kubernetes, or an opt-in MicroVM driver using libkrun on macOS/Linux and QEMU for GPU-backed Linux sandboxes. OpenShell applies layered controls: Landlock filesystem restrictions, seccomp syscall filtering, unprivileged agent processes, network namespaces, and a policy proxy that evaluates outbound traffic by destination, binary identity, HTTP method/path, SSRF rules, and inference routing. Network and inference policy can be hot-reloaded on running sandboxes, while filesystem and process policy are locked at creation. Supports Claude Code, OpenCode, Codex, Copilot CLI, OpenClaw, Ollama, custom containers, file upload/download, port forwarding, logs, and experimental GPU passthrough. Apache 2.0, active Rust codebase, but explicitly alpha and single-player today.
by Smol Machines
SmolVM boots a dedicated Linux VM per workload in under 200ms using libkrun, a library VMM - no daemon, no Docker, no privileged setup. Every sandbox gets its own kernel on the platform's native hypervisor (Hypervisor.framework on macOS, KVM on Linux), providing real hardware isolation rather than container namespaces. Network is off by default; when enabled, egress can be locked to specific hostnames. Workloads pack into single .smolmachine files that run on any matching-architecture host with zero dependencies. Ships a CLI and an embedded Node.js SDK (NAPI-RS) for in-process VM management, with 4 vCPUs and 8 GiB elastic RAM as defaults. Apache 2.0, supports macOS Apple Silicon and Intel plus Linux x86_64 and aarch64.
Zeroboot forks a full KVM virtual machine in 0.79ms. It works by mmap-ing a Firecracker memory snapshot with MAP_PRIVATE, giving each sandbox copy-on-write pages at the OS level. Each fork is a real hardware-isolated VM using ~265KB of actual memory, not a container. 1,000 concurrent forks complete in 815ms. Written in Rust, self-hostable on any Linux box with KVM, with Python and TypeScript SDKs and a managed API in early access at api.zeroboot.dev. Apache 2.0.
Seatbelt profiles
Agent Safehouse wraps local coding agents in macOS sandbox-exec policies so they can read and write only what they need. It starts from deny-all, grants read/write access to the selected project directory, allows read-only toolchain access, and blocks sensitive paths like SSH keys, shell profiles, browser data, other repos, and arbitrary home-directory files unless explicitly enabled. Ships as a Homebrew package or single Bash script, with composable policy profiles for major agents and integrations. It is not a VM and does not provide Docker-style isolation, but it has near-zero overhead and makes local YOLO-mode agents much safer on macOS.
by Earendil Works
krun experimental
Gondolin runs untrusted agent code inside local Linux microVMs while keeping network and filesystem access mediated by a TypeScript host control plane. QEMU is the default backend, with experimental libkrun support. The guest gets a real Linux environment, but outbound HTTP/TLS traffic flows through programmable host-side policy hooks, secrets are injected only for allowed destinations, and VFS mounts can be implemented in JavaScript. Includes CLI and TypeScript SDK, snapshots/resume, SSH, ingress gateways, custom images, and a Pi extension example. Best thought of as a programmable sandbox toolkit for agent runtimes rather than a hosted platform.
The full infrastructure powering E2B Cloud, open-sourced under Apache-2.0. Self-hostable via Terraform on GCP (stable) or AWS (beta). Includes the API server, sandbox orchestrator, environment daemon (envd), authentication, dashboard API, database layer, reverse proxy, and observability via OpenTelemetry. Built on Firecracker microVMs orchestrated through Nomad and Consul. Requires Terraform, Packer, Docker, a Cloudflare account, and a PostgreSQL database (Supabase supported). Heavier to deploy than Docker Compose alternatives but gives you the exact same production infrastructure that runs e2b.dev. The separate SDK repo (e2b-dev/E2B, 11.6k stars) provides Python and TypeScript clients.
by Celesto
SmolVM is a self-hosted sandbox engine that runs each AI agent session in its own Firecracker microVM - hardware-level isolation, not containers. VMs boot in ~572ms, execute commands in ~43ms, and full lifecycle is ~3.5s. Includes built-in browser sessions with CDP access and live-view, domain-level network egress controls via nftables, VM snapshots, and OpenClaw GUI support. Ships as a pip package with a CLI and Python SDK, with ready-made tool wrappers for OpenAI Agents, LangChain, and PydanticAI. Apache 2.0, no account required, runs on your own infrastructure.
Lifo runs a full Unix environment inside a browser tab with zero boot time - no VM, no container, no cloud round-trip. It maps POSIX interfaces directly onto Web APIs: IndexedDB becomes the filesystem, Fetch becomes the network stack, and the JS runtime becomes the process model. The @lifo-sh/core npm package exposes a Sandbox.create() API that boots a shell with 58+ commands (grep, awk, curl, tar, node, etc.), a virtual filesystem with IndexedDB persistence, and a Node.js compatibility layer shimming 15 stdlib modules. Git operations work in-browser via isomorphic-git, and the same sandbox runs in Node.js with optional host filesystem mounts. MIT licensed, entirely client-side, zero infrastructure cost.
by Docker
Closed-source release repo
Docker Sandboxes gives coding agents a disposable local microVM with its own filesystem, network, and private Docker daemon, so agents can install packages, modify configs, build images, run Compose, and start containers without touching the host Docker daemon or broader machine. Workspaces are mounted into the sandbox, changes are visible immediately, and sandbox state persists across stop/start until removed. The public GitHub repo is for releases and issues only: Docker Sandboxes itself is proprietary, not open source. The sbx CLI supports Claude Code, Codex, Gemini CLI, OpenCode, Copilot, Cursor, Kiro, Droid, Docker Agent, and shell sessions, plus branch/worktree mode for parallel agents. Network traffic routes through a host proxy for policy enforcement and credential injection.