Sandbox Environments for AI Agent Workflows
Overview
Sandbox Environments for AI Agent Workflows
Security model: The sandbox (Docker/E2B) provides the security boundary. Inside the sandbox, Claude runs with full permissions because the container itself is isolated.
Security philosophy:
"It's not if it gets popped, it's when it gets popped. And what is the blast radius?"
Run on dedicated VMs or local Docker sandboxes. Restrict network connectivity, provide only necessary credentials, and ensure no access to private data beyond what the task requires.
Options
Sprites (Fly.io)
- Persistent Linux environments that survive between executions indefinitely
- Firecracker VM isolation with up to 8 vCPUs and 8GB RAM
- Fast checkpoint/restore (~300ms create, <1s restore)
- Auto-sleep after 30 seconds of inactivity
- Unique HTTPS URL per Sprite for webhooks, APIs, public access
- Layer 3 network policies for egress control (whitelist domains or use default LLM-friendly list)
- CLI, REST API, JavaScript SDK, Go SDK (Python and Elixir coming soon)
- Pre-installed tools: Claude Code, Codex CLI, Gemini CLI, Python 3.13, Node.js 22.20
- $30 free credits to start (~500 Sprites worth)
Philosophy: Fly.io argues that "ephemeral sandboxes are obsolete" and that AI agents need persistent computers, not disposable containers. Sprites treat sandboxes as "actual computers" where data, packages, and services persist across executions on ext4 NVMe storage—no need to rebuild environments repeatedly. As they put it: "Claude doesn't want a stateless container."
Unique Features:
- Stateful persistence: Files, packages, databases survive between runs indefinitely
- Transactional snapshots: Copy-on-write checkpoints capture entire disk state; stores last 5 checkpoints
- Idle cost optimization: Auto-sleep when inactive (30s timeout), resume on request (<1s wake)
- Cold start: Creation in 1-2 seconds, restore under 1 second
- Claude integration: Pre-installed skills teach Claude how to use Sprites (port forwarding, etc.)
- Storage billing: Pay only for blocks written, not allocated space; TRIM-friendly
- No time limits: Unlike ephemeral sandboxes (typically 15-minute limits), Sprites support long-running workloads
Pricing:
| Resource | Cost | Minimum |
|---|---|---|
| CPU | $0.07/CPU-hour | 6.25% utilization/s |
| Memory | $0.04375/GB-hour | 250MB per second |
| Storage | $0.00068/GB-hour | Actual blocks only |
- Free trial: $30 in credits (~500 Sprites)
- Plan: $20/month includes monthly credits; overages at published rates
- Example costs: 4-hour coding session ~$0.46, web app with 30 active hours ~$4/month
Specs:
| Spec | Value |
|---|---|
| Isolation | Firecracker microVM (hardware-isolated) |
| Resources | Up to 8 vCPUs, 8GB RAM per execution (fixed, not configurable) |
| Storage | 100GB initial ext4 partition on NVMe, auto-scaling capacity |
| Cold Start | <1 second restore, 1-2 seconds creation |
| Timeout | None (persistent); auto-sleeps after 30 seconds inactivity |
| Active Limit | 10 simultaneous active Sprites on base plan; unlimited cold |
| Network | Port 8080 proxied for HTTP services; isolated networks |
Limitations:
- Resource caps (8 vCPU, 8GB RAM, 100GB storage) not configurable yet
- 30-second idle timeout not configurable
- Region selection not available (auto-assigned based on geographic location)
- Maximum 10 active sprites on base plan (unlimited cold/inactive sprites allowed)
- Best for personal/organizational tools; not designed for million-user scale apps
Links:
- Official: https://sprites.dev/
- Documentation: https://docs.sprites.dev/
- Fly.io Blog: https://fly.io/blog/code-and-let-live/
- JavaScript SDK: https://github.com/superfly/sprites-js
- Go SDK: https://github.com/superfly/sprites-go
- Elixir SDK: https://github.com/superfly/sprites-ex
- Community: https://community.fly.io/c/sprites/
E2B
- Purpose-built for AI agents and LLM workflows
- Pre-built template
anthropic-claude-codeships with Claude Code CLI ready - Single-line SDK calls in Python or JavaScript (v1.5.1+)
- Full filesystem + git for progress.txt, prd.json, and repo operations
- 24-hour session limits on Pro plan (1 hour on Hobby)
- Native access to 200+ MCP tools via Docker partnership (GitHub, Notion, Stripe, etc.)
- Configurable compute: 1-8 vCPU, 512MB-8GB RAM
Philosophy: E2B believes AI agents need transient, immutable workloads with hardware-level kernel isolation. Each sandbox runs in its own Firecracker microVM, providing the same isolation as AWS Lambda. The focus is on developer experience—one SDK call to create a sandbox.
Unique Features:
- Fastest cold start: ~150-200ms via Firecracker microVMs
- Pre-built Claude template: Zero-setup Claude Code integration
- Docker MCP Partnership: Native access to 200+ MCP tools from Docker's catalog
- Pause/Resume (Beta): Save full VM state including memory (~4s per 1GB to pause, ~1s to resume, state persists up to 30 days)
- Network controls:
allowInternetAccesstoggle,network.allowOut/network.denyOutfor granular CIDR/domain filtering - Domain filtering: Works for HTTP (port 80) and TLS (port 443) via SNI inspection
Pricing:
| Plan | Monthly Fee | Session Limit | Notes |
|---|---|---|---|
| Hobby | $0 | 1 hour | + $100 one-time credit |
| Pro | $150 | 24 hours | + usage costs |
| Enterprise | Custom | Custom | SSO, SLA, dedicated support |
Usage Rates (per second):
| Resource | Rate |
|---|---|
| 2 vCPU | $0.000028/s |
| Memory | $0.0000045/GiB |
Specs:
| Spec | Value |
|---|---|
| Isolation | Firecracker microVM |
| Cold Start | ~150-200ms |
| Timeout | 1 hour (Hobby), 24 hours (Pro) |
| Compute | 1-8 vCPU, 512MB-8GB RAM (configurable) |
| Filesystem | Full Linux with git support |
| Pre-installed | Node.js, curl, ripgrep, Claude Code |
Limitations:
- No native sandbox clone/fork functionality
- No bulk file reading API
- Domain filtering limited to HTTP/HTTPS ports (UDP/QUIC not supported)
- Self-hosted version lacks built-in network policies
- Occasional 502 timeout errors on long operations
- Sandbox "not found" errors near timeout boundaries
Links:
- Official: https://e2b.dev/
- Documentation: https://e2b.dev/docs
- Pricing: https://e2b.dev/pricing
- Python Guide: https://e2b.dev/blog/python-guide-run-claude-code-in-an-e2b-sandbox
- JavaScript Guide: https://e2b.dev/blog/javascript-guide-run-claude-code-in-an-e2b-sandbox
- Claude Code Template: https://e2b.dev/docs/code-interpreter/claude-code
- MCP Server: https://github.com/e2b-dev/mcp-server
- GitHub: https://github.com/e2b-dev/E2B
exe.dev
Persistent VM platform created by David Crawshaw (former Tailscale CTO) and Josh Bleecher Snyder (former Braintree Director of Engineering). Launched December 2025 in developer preview.
Key Features:
- ~2 second VM creation
- Persistent disk storage (not ephemeral)
- SSH-native interface (
ssh exe.dev) - Automatic TLS and custom domains
- Built-in authentication ("Login with exe")
- Shelley AI agent included (web-based, mobile-friendly)
- No SDK required - pure SSH-based interaction
Philosophy: exe.dev takes an explicitly anti-serverless, persistent disk approach. Their core thesis: "Persistent, private, fast-starting VMs with no marginal cost per-VM." Unlike ephemeral sandboxes, exe.dev treats VMs as actual computers with persistent state, similar to Fly.io's Sprites but with an SSH-first design philosophy.
Unique Features:
- SSH-native: No SDK needed, just
ssh exe.devto access - Persistent disk: Data survives indefinitely, not ephemeral
- Shelley AI agent: Built-in web-based AI assistant that reads CLAUDE.md and AGENTS.md
- Mobile-friendly: Shelley works on mobile devices
- Custom domains: Automatic TLS with custom domain support
- Zero marginal cost: No per-VM overhead once running
Pricing:
| Plan | Monthly | VMs | CPU | RAM | Disk | Bandwidth |
|---|---|---|---|---|---|---|
| Individual | $20 | 25 | 2 (shared) | 8GB shared | 25 GB | 100 GB |
Specs:
| Spec | Value |
|---|---|
| Isolation | Full VMs (Cloud Hypervisor, KVM-based) |
| Cold Start | ~2 seconds |
| Timeout | None (persistent) |
| vCPU | 2 shared |
| RAM | 8 GB shared |
| Disk | 25 GB persistent |
| Interface | SSH (ssh exe.dev) |
| AI Agent | Shelley (built-in) |
Limitations:
- Developer preview (launched December 2025) - ecosystem still maturing
- Shared resources on Individual plan (2 vCPU, 8GB RAM shared across VMs)
- Smaller VM allocation compared to E2B/Sprites (25 VMs vs unlimited)
- Less documentation and community resources than established platforms
- No official SDK - relies on SSH interface
Links:
- Official: https://exe.dev/
- Blog: https://blog.exe.dev/
- Documentation: https://exe.dev/docs
- Shelley AI Agent: https://github.com/boldsoftware/shelley
Modal
Modal Sandboxes are the Modal primitive for safely running untrusted code from LLMs, users, or third-party sources. Built on Modal's serverless container fabric with gVisor isolation.
Key Features:
- Pure Python SDK for defining sandboxes with one line of code (also JS/Go SDKs)
- Execute arbitrary commands with
sandbox.exec()and stream output - Autoscale from zero to 10,000+ concurrent sandboxes
- Dynamic image definition at runtime from model output
- Built-in tunneling for HTTP/WebSocket connections to sandbox servers
- Granular egress policies via CIDR allowlists
- Named sandboxes for persistent reference and pooling
- Production-proven: Lovable and Quora run millions of code executions daily
Philosophy: Modal treats sandboxes as secure, ephemeral compute units that inherit its serverless fabric. The focus is on Python-first AI/ML workloads with aggressive cost optimization through scale-to-zero, trading cold start latency for resource efficiency.
Unique Features:
- Sandbox Connect Tokens: Authenticated HTTP/WebSocket access with unspoofable
X-Verified-User-Dataheaders for access control - Memory Snapshots: Capture container memory state to reduce cold starts to <3s even with large dependencies like PyTorch
- Idle Timeout: Auto-terminate sandboxes after configurable inactivity period
- Filesystem Snapshots: Preserve state across sandbox instances for 24+ hour workflows
- No pre-provisioning: Sandboxes created on-demand without capacity planning
Pricing (as of late 2025, after 65% price reduction):
| Plan | Monthly Fee | Credits Included | Seats | Container Limits |
|---|---|---|---|---|
| Starter | $0 | $30/month | 3 | 100 containers, 10 GPU |
| Team | $250 | $100/month | ∞ | 1,000 containers, 50 GPU |
| Enterprise | Custom | Volume discounts | ∞ | Custom limits, HIPAA, SSO, etc. |
Compute Rates (per second):
| Resource | Rate | Notes |
|---|---|---|
| Sandbox/Notebook CPU | $0.00003942/core | Per physical core (= 2 vCPU) |
| Standard Function CPU | $0.0000131/core | Per physical core |
| Memory | $0.00000222/GiB | Pay for actual usage |
| GPU (A10G) | $0.000306/s | ~$1.10/hr |
| GPU (A100 40GB) | $0.000583/s | ~$2.10/hr |
| GPU (H100) | $0.001097/s | ~$3.95/hr |
Special Credits: Startups up to $25k, Academics up to $10k free compute
Specs:
| Spec | Value |
|---|---|
| Isolation | gVisor (Google's container runtime) |
| Cold Start | ~1s container boot, 2-5s typical with imports |
| With Snapshots | <3s even with large dependencies |
| Default Timeout | 5 minutes |
| Max Timeout | 24 hours (use snapshots for longer) |
| Idle Timeout | Configurable auto-termination |
| Filesystem | Ephemeral (use Volumes for persistence) |
| Network Default | Secure-by-default, no incoming connections |
| Egress Control | block_network=True or cidr_allowlist |
| Concurrent Scaling | 10,000+ sandboxes |
Volumes (Persistent Storage):
- High-performance distributed filesystem (up to 2.5 GB/s bandwidth)
- Volumes v2 (beta): No file count limit, 1 TiB max file size, HIPAA-compliant deletion
- Explicit
commit()required to persist changes - Last-write-wins for concurrent modifications to same file
- Best for model weights, checkpoints, and datasets
Limitations:
- Cold start penalties when containers spin down (2-5s typical)
- No on-premises deployment option
- Sandboxes cannot access other Modal workspace resources by default
- Single-language focus (Python-optimized, less suited for multi-language untrusted code)
- Volumes require explicit reload to see changes from other containers
- Less suited for persistent, long-lived environments vs microVM solutions
Modal vs E2B for AI Agents:
| Aspect | Modal | E2B |
|---|---|---|
| Isolation | gVisor containers | Firecracker microVMs |
| Cold Start | 2-5s typical, <3s with snapshot | ~150ms |
| Session Duration | Up to 24h (stateless) | Up to 24h (Pro), persistent |
| Self-Hosting | No (managed only) | Experimental |
| Multi-Language | Python-focused | Python, JS, Ruby, C++ |
| Network Control | Granular egress policies | Allow/deny lists |
| Best Fo |