---
title: "Sandbox Environments for AI Agent Workflows"
description: "<!-- cSpell:disable -->"
type: skill
canonical_url: https://claudary.paisolsolutions.com/skills/sandbox-environments
source: "Claudary"
difficulty: intermediate
author: "Claude Code Knowledge Pack"
date: 2026-07-10T11:46:21.480Z
license: CC-BY-4.0
attribution: "Sandbox Environments for AI Agent Workflows — Claudary (https://claudary.paisolsolutions.com/skills/sandbox-environments)"
---

# Sandbox Environments for AI Agent Workflows
<!-- cSpell:disable -->

## Overview

<!-- cSpell:disable -->

# Sandbox Environments for AI Agent Workflows

_Security model:_ The sandbox (Docker/E2B) provides the security boundary. Inside the sandbox, Claude runs with full permissions because the container itself is isolated.

_Security philosophy:_

> "It's not if it gets popped, it's when it gets popped. And what is the blast radius?"

Run on dedicated VMs or local Docker sandboxes. Restrict network connectivity, provide only necessary credentials, and ensure no access to private data beyond what the task requires.

---

## Options

### Sprites (Fly.io)

- Persistent Linux environments that survive between executions indefinitely
- Firecracker VM isolation with up to 8 vCPUs and 8GB RAM
- Fast checkpoint/restore (~300ms create, <1s restore)
- Auto-sleep after 30 seconds of inactivity
- Unique HTTPS URL per Sprite for webhooks, APIs, public access
- Layer 3 network policies for egress control (whitelist domains or use default LLM-friendly list)
- CLI, REST API, JavaScript SDK, Go SDK (Python and Elixir coming soon)
- Pre-installed tools: Claude Code, Codex CLI, Gemini CLI, Python 3.13, Node.js 22.20
- $30 free credits to start (~500 Sprites worth)

_Philosophy:_ Fly.io argues that "ephemeral sandboxes are obsolete" and that AI agents need persistent computers, not disposable containers. Sprites treat sandboxes as "actual computers" where data, packages, and services persist across executions on ext4 NVMe storage—no need to rebuild environments repeatedly. As they put it: "Claude doesn't want a stateless container."

_Unique Features:_

- _Stateful persistence_: Files, packages, databases survive between runs indefinitely
- _Transactional snapshots_: Copy-on-write checkpoints capture entire disk state; stores last 5 checkpoints
- _Idle cost optimization_: Auto-sleep when inactive (30s timeout), resume on request (<1s wake)
- _Cold start_: Creation in 1-2 seconds, restore under 1 second
- _Claude integration_: Pre-installed skills teach Claude how to use Sprites (port forwarding, etc.)
- _Storage billing_: Pay only for blocks written, not allocated space; TRIM-friendly
- _No time limits_: Unlike ephemeral sandboxes (typically 15-minute limits), Sprites support long-running workloads

_Pricing:_

| Resource | Cost             | Minimum             |
| -------- | ---------------- | ------------------- |
| CPU      | $0.07/CPU-hour   | 6.25% utilization/s |
| Memory   | $0.04375/GB-hour | 250MB per second    |
| Storage  | $0.00068/GB-hour | Actual blocks only  |

- Free trial: $30 in credits (~500 Sprites)
- Plan: $20/month includes monthly credits; overages at published rates
- Example costs: 4-hour coding session ~$0.46, web app with 30 active hours ~$4/month

_Specs:_

| Spec         | Value                                                          |
| ------------ | -------------------------------------------------------------- |
| Isolation    | Firecracker microVM (hardware-isolated)                        |
| Resources    | Up to 8 vCPUs, 8GB RAM per execution (fixed, not configurable) |
| Storage      | 100GB initial ext4 partition on NVMe, auto-scaling capacity    |
| Cold Start   | <1 second restore, 1-2 seconds creation                        |
| Timeout      | None (persistent); auto-sleeps after 30 seconds inactivity     |
| Active Limit | 10 simultaneous active Sprites on base plan; unlimited cold    |
| Network      | Port 8080 proxied for HTTP services; isolated networks         |

_Limitations:_

- Resource caps (8 vCPU, 8GB RAM, 100GB storage) not configurable yet
- 30-second idle timeout not configurable
- Region selection not available (auto-assigned based on geographic location)
- Maximum 10 active sprites on base plan (unlimited cold/inactive sprites allowed)
- Best for personal/organizational tools; not designed for million-user scale apps

_Links:_

- Official: https://sprites.dev/
- Documentation: https://docs.sprites.dev/
- Fly.io Blog: https://fly.io/blog/code-and-let-live/
- JavaScript SDK: https://github.com/superfly/sprites-js
- Go SDK: https://github.com/superfly/sprites-go
- Elixir SDK: https://github.com/superfly/sprites-ex
- Community: https://community.fly.io/c/sprites/

---

### E2B

- Purpose-built for AI agents and LLM workflows
- Pre-built template `anthropic-claude-code` ships with Claude Code CLI ready
- Single-line SDK calls in Python or JavaScript (v1.5.1+)
- Full filesystem + git for progress.txt, prd.json, and repo operations
- 24-hour session limits on Pro plan (1 hour on Hobby)
- Native access to 200+ MCP tools via Docker partnership (GitHub, Notion, Stripe, etc.)
- Configurable compute: 1-8 vCPU, 512MB-8GB RAM

_Philosophy:_ E2B believes AI agents need transient, immutable workloads with hardware-level kernel isolation. Each sandbox runs in its own Firecracker microVM, providing the same isolation as AWS Lambda. The focus is on developer experience—one SDK call to create a sandbox.

_Unique Features:_

- _Fastest cold start_: ~150-200ms via Firecracker microVMs
- _Pre-built Claude template_: Zero-setup Claude Code integration
- _Docker MCP Partnership_: Native access to 200+ MCP tools from Docker's catalog
- _Pause/Resume (Beta)_: Save full VM state including memory (~4s per 1GB to pause, ~1s to resume, state persists up to 30 days)
- _Network controls_: `allowInternetAccess` toggle, `network.allowOut`/`network.denyOut` for granular CIDR/domain filtering
- _Domain filtering_: Works for HTTP (port 80) and TLS (port 443) via SNI inspection

_Pricing:_

| Plan       | Monthly Fee | Session Limit | Notes                       |
| ---------- | ----------- | ------------- | --------------------------- |
| Hobby      | $0          | 1 hour        | + $100 one-time credit      |
| Pro        | $150        | 24 hours      | + usage costs               |
| Enterprise | Custom      | Custom        | SSO, SLA, dedicated support |

_Usage Rates (per second):_

| Resource | Rate           |
| -------- | -------------- |
| 2 vCPU   | $0.000028/s    |
| Memory   | $0.0000045/GiB |

_Specs:_

| Spec          | Value                                  |
| ------------- | -------------------------------------- |
| Isolation     | Firecracker microVM                    |
| Cold Start    | ~150-200ms                             |
| Timeout       | 1 hour (Hobby), 24 hours (Pro)         |
| Compute       | 1-8 vCPU, 512MB-8GB RAM (configurable) |
| Filesystem    | Full Linux with git support            |
| Pre-installed | Node.js, curl, ripgrep, Claude Code    |

_Limitations:_

- No native sandbox clone/fork functionality
- No bulk file reading API
- Domain filtering limited to HTTP/HTTPS ports (UDP/QUIC not supported)
- Self-hosted version lacks built-in network policies
- Occasional 502 timeout errors on long operations
- Sandbox "not found" errors near timeout boundaries

_Links:_

- Official: https://e2b.dev/
- Documentation: https://e2b.dev/docs
- Pricing: https://e2b.dev/pricing
- Python Guide: https://e2b.dev/blog/python-guide-run-claude-code-in-an-e2b-sandbox
- JavaScript Guide: https://e2b.dev/blog/javascript-guide-run-claude-code-in-an-e2b-sandbox
- Claude Code Template: https://e2b.dev/docs/code-interpreter/claude-code
- MCP Server: https://github.com/e2b-dev/mcp-server
- GitHub: https://github.com/e2b-dev/E2B

---

### exe.dev

Persistent VM platform created by David Crawshaw (former Tailscale CTO) and Josh Bleecher Snyder (former Braintree Director of Engineering). Launched December 2025 in developer preview.

_Key Features:_

- ~2 second VM creation
- Persistent disk storage (not ephemeral)
- SSH-native interface (`ssh exe.dev`)
- Automatic TLS and custom domains
- Built-in authentication ("Login with exe")
- Shelley AI agent included (web-based, mobile-friendly)
- No SDK required - pure SSH-based interaction

_Philosophy:_ exe.dev takes an explicitly anti-serverless, persistent disk approach. Their core thesis: "Persistent, private, fast-starting VMs with no marginal cost per-VM." Unlike ephemeral sandboxes, exe.dev treats VMs as actual computers with persistent state, similar to Fly.io's Sprites but with an SSH-first design philosophy.

_Unique Features:_

- _SSH-native_: No SDK needed, just `ssh exe.dev` to access
- _Persistent disk_: Data survives indefinitely, not ephemeral
- _Shelley AI agent_: Built-in web-based AI assistant that reads CLAUDE.md and AGENTS.md
- _Mobile-friendly_: Shelley works on mobile devices
- _Custom domains_: Automatic TLS with custom domain support
- _Zero marginal cost_: No per-VM overhead once running

_Pricing:_

| Plan       | Monthly | VMs | CPU        | RAM        | Disk  | Bandwidth |
| ---------- | ------- | --- | ---------- | ---------- | ----- | --------- |
| Individual | $20     | 25  | 2 (shared) | 8GB shared | 25 GB | 100 GB    |

_Specs:_

| Spec       | Value                                  |
| ---------- | -------------------------------------- |
| Isolation  | Full VMs (Cloud Hypervisor, KVM-based) |
| Cold Start | ~2 seconds                             |
| Timeout    | None (persistent)                      |
| vCPU       | 2 shared                               |
| RAM        | 8 GB shared                            |
| Disk       | 25 GB persistent                       |
| Interface  | SSH (`ssh exe.dev`)                    |
| AI Agent   | Shelley (built-in)                     |

_Limitations:_

- Developer preview (launched December 2025) - ecosystem still maturing
- Shared resources on Individual plan (2 vCPU, 8GB RAM shared across VMs)
- Smaller VM allocation compared to E2B/Sprites (25 VMs vs unlimited)
- Less documentation and community resources than established platforms
- No official SDK - relies on SSH interface

_Links:_

- Official: https://exe.dev/
- Blog: https://blog.exe.dev/
- Documentation: https://exe.dev/docs
- Shelley AI Agent: https://github.com/boldsoftware/shelley

---

### Modal

Modal Sandboxes are the Modal primitive for safely running untrusted code from LLMs, users, or third-party sources. Built on Modal's serverless container fabric with gVisor isolation.

_Key Features:_

- Pure Python SDK for defining sandboxes with one line of code (also JS/Go SDKs)
- Execute arbitrary commands with `sandbox.exec()` and stream output
- Autoscale from zero to 10,000+ concurrent sandboxes
- Dynamic image definition at runtime from model output
- Built-in tunneling for HTTP/WebSocket connections to sandbox servers
- Granular egress policies via CIDR allowlists
- Named sandboxes for persistent reference and pooling
- Production-proven: Lovable and Quora run millions of code executions daily

_Philosophy:_ Modal treats sandboxes as secure, ephemeral compute units that inherit its serverless fabric. The focus is on Python-first AI/ML workloads with aggressive cost optimization through scale-to-zero, trading cold start latency for resource efficiency.

_Unique Features:_

- _Sandbox Connect Tokens_: Authenticated HTTP/WebSocket access with unspoofable `X-Verified-User-Data` headers for access control
- _Memory Snapshots_: Capture container memory state to reduce cold starts to <3s even with large dependencies like PyTorch
- _Idle Timeout_: Auto-terminate sandboxes after configurable inactivity period
- _Filesystem Snapshots_: Preserve state across sandbox instances for 24+ hour workflows
- _No pre-provisioning_: Sandboxes created on-demand without capacity planning

_Pricing (as of late 2025, after 65% price reduction):_

| Plan       | Monthly Fee | Credits Included | Seats | Container Limits                |
| ---------- | ----------- | ---------------- | ----- | ------------------------------- |
| Starter    | $0          | $30/month        | 3     | 100 containers, 10 GPU          |
| Team       | $250        | $100/month       | ∞     | 1,000 containers, 50 GPU        |
| Enterprise | Custom      | Volume discounts | ∞     | Custom limits, HIPAA, SSO, etc. |

_Compute Rates (per second):_

| Resource              | Rate             | Notes                        |
| --------------------- | ---------------- | ---------------------------- |
| Sandbox/Notebook CPU  | $0.00003942/core | Per physical core (= 2 vCPU) |
| Standard Function CPU | $0.0000131/core  | Per physical core            |
| Memory                | $0.00000222/GiB  | Pay for actual usage         |
| GPU (A10G)            | $0.000306/s      | ~$1.10/hr                    |
| GPU (A100 40GB)       | $0.000583/s      | ~$2.10/hr                    |
| GPU (H100)            | $0.001097/s      | ~$3.95/hr                    |

_Special Credits:_ Startups up to $25k, Academics up to $10k free compute

_Specs:_

| Spec               | Value                                         |
| ------------------ | --------------------------------------------- |
| Isolation          | gVisor (Google's container runtime)           |
| Cold Start         | ~1s container boot, 2-5s typical with imports |
| With Snapshots     | <3s even with large dependencies              |
| Default Timeout    | 5 minutes                                     |
| Max Timeout        | 24 hours (use snapshots for longer)           |
| Idle Timeout       | Configurable auto-termination                 |
| Filesystem         | Ephemeral (use Volumes for persistence)       |
| Network Default    | Secure-by-default, no incoming connections    |
| Egress Control     | `block_network=True` or `cidr_allowlist`      |
| Concurrent Scaling | 10,000+ sandboxes                             |

_Volumes (Persistent Storage):_

- High-performance distributed filesystem (up to 2.5 GB/s bandwidth)
- Volumes v2 (beta): No file count limit, 1 TiB max file size, HIPAA-compliant deletion
- Explicit `commit()` required to persist changes
- Last-write-wins for concurrent modifications to same file
- Best for model weights, checkpoints, and datasets

_Limitations:_

- Cold start penalties when containers spin down (2-5s typical)
- No on-premises deployment option
- Sandboxes cannot access other Modal workspace resources by default
- Single-language focus (Python-optimized, less suited for multi-language untrusted code)
- Volumes require explicit reload to see changes from other containers
- Less suited for persistent, long-lived environments vs microVM solutions

_Modal vs E2B for AI Agents:_

| Aspect           | Modal                           | E2B                            |
| ---------------- | ------------------------------- | ------------------------------ |
| Isolation        | gVisor containers               | Firecracker microVMs           |
| Cold Start       | 2-5s typical, <3s with snapshot | ~150ms                         |
| Session Duration | Up to 24h (stateless)           | Up to 24h (Pro), persistent    |
| Self-Hosting     | No (managed only)               | Experimental                   |
| Multi-Language   | Python-focused                  | Python, JS, Ruby, C++          |
| Network Control  | Granular egress policies        | Allow/deny lists               |
| Best Fo

---

Source: [Claudary](https://claudary.paisolsolutions.com/skills/sandbox-environments) · https://claudary.paisolsolutions.com
