All skills
Skillintermediate

Sandbox Environments for AI Agent Workflows

Claude Code Knowledge Pack7/10/2026

Overview

Sandbox Environments for AI Agent Workflows

Security model: The sandbox (Docker/E2B) provides the security boundary. Inside the sandbox, Claude runs with full permissions because the container itself is isolated.

Security philosophy:

"It's not if it gets popped, it's when it gets popped. And what is the blast radius?"

Run on dedicated VMs or local Docker sandboxes. Restrict network connectivity, provide only necessary credentials, and ensure no access to private data beyond what the task requires.


Options

Sprites (Fly.io)

  • Persistent Linux environments that survive between executions indefinitely
  • Firecracker VM isolation with up to 8 vCPUs and 8GB RAM
  • Fast checkpoint/restore (~300ms create, <1s restore)
  • Auto-sleep after 30 seconds of inactivity
  • Unique HTTPS URL per Sprite for webhooks, APIs, public access
  • Layer 3 network policies for egress control (whitelist domains or use default LLM-friendly list)
  • CLI, REST API, JavaScript SDK, Go SDK (Python and Elixir coming soon)
  • Pre-installed tools: Claude Code, Codex CLI, Gemini CLI, Python 3.13, Node.js 22.20
  • $30 free credits to start (~500 Sprites worth)

Philosophy: Fly.io argues that "ephemeral sandboxes are obsolete" and that AI agents need persistent computers, not disposable containers. Sprites treat sandboxes as "actual computers" where data, packages, and services persist across executions on ext4 NVMe storage—no need to rebuild environments repeatedly. As they put it: "Claude doesn't want a stateless container."

Unique Features:

  • Stateful persistence: Files, packages, databases survive between runs indefinitely
  • Transactional snapshots: Copy-on-write checkpoints capture entire disk state; stores last 5 checkpoints
  • Idle cost optimization: Auto-sleep when inactive (30s timeout), resume on request (<1s wake)
  • Cold start: Creation in 1-2 seconds, restore under 1 second
  • Claude integration: Pre-installed skills teach Claude how to use Sprites (port forwarding, etc.)
  • Storage billing: Pay only for blocks written, not allocated space; TRIM-friendly
  • No time limits: Unlike ephemeral sandboxes (typically 15-minute limits), Sprites support long-running workloads

Pricing:

ResourceCostMinimum
CPU$0.07/CPU-hour6.25% utilization/s
Memory$0.04375/GB-hour250MB per second
Storage$0.00068/GB-hourActual blocks only
  • Free trial: $30 in credits (~500 Sprites)
  • Plan: $20/month includes monthly credits; overages at published rates
  • Example costs: 4-hour coding session ~$0.46, web app with 30 active hours ~$4/month

Specs:

SpecValue
IsolationFirecracker microVM (hardware-isolated)
ResourcesUp to 8 vCPUs, 8GB RAM per execution (fixed, not configurable)
Storage100GB initial ext4 partition on NVMe, auto-scaling capacity
Cold Start<1 second restore, 1-2 seconds creation
TimeoutNone (persistent); auto-sleeps after 30 seconds inactivity
Active Limit10 simultaneous active Sprites on base plan; unlimited cold
NetworkPort 8080 proxied for HTTP services; isolated networks

Limitations:

  • Resource caps (8 vCPU, 8GB RAM, 100GB storage) not configurable yet
  • 30-second idle timeout not configurable
  • Region selection not available (auto-assigned based on geographic location)
  • Maximum 10 active sprites on base plan (unlimited cold/inactive sprites allowed)
  • Best for personal/organizational tools; not designed for million-user scale apps

Links:


E2B

  • Purpose-built for AI agents and LLM workflows
  • Pre-built template anthropic-claude-code ships with Claude Code CLI ready
  • Single-line SDK calls in Python or JavaScript (v1.5.1+)
  • Full filesystem + git for progress.txt, prd.json, and repo operations
  • 24-hour session limits on Pro plan (1 hour on Hobby)
  • Native access to 200+ MCP tools via Docker partnership (GitHub, Notion, Stripe, etc.)
  • Configurable compute: 1-8 vCPU, 512MB-8GB RAM

Philosophy: E2B believes AI agents need transient, immutable workloads with hardware-level kernel isolation. Each sandbox runs in its own Firecracker microVM, providing the same isolation as AWS Lambda. The focus is on developer experience—one SDK call to create a sandbox.

Unique Features:

  • Fastest cold start: ~150-200ms via Firecracker microVMs
  • Pre-built Claude template: Zero-setup Claude Code integration
  • Docker MCP Partnership: Native access to 200+ MCP tools from Docker's catalog
  • Pause/Resume (Beta): Save full VM state including memory (~4s per 1GB to pause, ~1s to resume, state persists up to 30 days)
  • Network controls: allowInternetAccess toggle, network.allowOut/network.denyOut for granular CIDR/domain filtering
  • Domain filtering: Works for HTTP (port 80) and TLS (port 443) via SNI inspection

Pricing:

PlanMonthly FeeSession LimitNotes
Hobby$01 hour+ $100 one-time credit
Pro$15024 hours+ usage costs
EnterpriseCustomCustomSSO, SLA, dedicated support

Usage Rates (per second):

ResourceRate
2 vCPU$0.000028/s
Memory$0.0000045/GiB

Specs:

SpecValue
IsolationFirecracker microVM
Cold Start~150-200ms
Timeout1 hour (Hobby), 24 hours (Pro)
Compute1-8 vCPU, 512MB-8GB RAM (configurable)
FilesystemFull Linux with git support
Pre-installedNode.js, curl, ripgrep, Claude Code

Limitations:

  • No native sandbox clone/fork functionality
  • No bulk file reading API
  • Domain filtering limited to HTTP/HTTPS ports (UDP/QUIC not supported)
  • Self-hosted version lacks built-in network policies
  • Occasional 502 timeout errors on long operations
  • Sandbox "not found" errors near timeout boundaries

Links:


exe.dev

Persistent VM platform created by David Crawshaw (former Tailscale CTO) and Josh Bleecher Snyder (former Braintree Director of Engineering). Launched December 2025 in developer preview.

Key Features:

  • ~2 second VM creation
  • Persistent disk storage (not ephemeral)
  • SSH-native interface (ssh exe.dev)
  • Automatic TLS and custom domains
  • Built-in authentication ("Login with exe")
  • Shelley AI agent included (web-based, mobile-friendly)
  • No SDK required - pure SSH-based interaction

Philosophy: exe.dev takes an explicitly anti-serverless, persistent disk approach. Their core thesis: "Persistent, private, fast-starting VMs with no marginal cost per-VM." Unlike ephemeral sandboxes, exe.dev treats VMs as actual computers with persistent state, similar to Fly.io's Sprites but with an SSH-first design philosophy.

Unique Features:

  • SSH-native: No SDK needed, just ssh exe.dev to access
  • Persistent disk: Data survives indefinitely, not ephemeral
  • Shelley AI agent: Built-in web-based AI assistant that reads CLAUDE.md and AGENTS.md
  • Mobile-friendly: Shelley works on mobile devices
  • Custom domains: Automatic TLS with custom domain support
  • Zero marginal cost: No per-VM overhead once running

Pricing:

PlanMonthlyVMsCPURAMDiskBandwidth
Individual$20252 (shared)8GB shared25 GB100 GB

Specs:

SpecValue
IsolationFull VMs (Cloud Hypervisor, KVM-based)
Cold Start~2 seconds
TimeoutNone (persistent)
vCPU2 shared
RAM8 GB shared
Disk25 GB persistent
InterfaceSSH (ssh exe.dev)
AI AgentShelley (built-in)

Limitations:

  • Developer preview (launched December 2025) - ecosystem still maturing
  • Shared resources on Individual plan (2 vCPU, 8GB RAM shared across VMs)
  • Smaller VM allocation compared to E2B/Sprites (25 VMs vs unlimited)
  • Less documentation and community resources than established platforms
  • No official SDK - relies on SSH interface

Links:


Modal

Modal Sandboxes are the Modal primitive for safely running untrusted code from LLMs, users, or third-party sources. Built on Modal's serverless container fabric with gVisor isolation.

Key Features:

  • Pure Python SDK for defining sandboxes with one line of code (also JS/Go SDKs)
  • Execute arbitrary commands with sandbox.exec() and stream output
  • Autoscale from zero to 10,000+ concurrent sandboxes
  • Dynamic image definition at runtime from model output
  • Built-in tunneling for HTTP/WebSocket connections to sandbox servers
  • Granular egress policies via CIDR allowlists
  • Named sandboxes for persistent reference and pooling
  • Production-proven: Lovable and Quora run millions of code executions daily

Philosophy: Modal treats sandboxes as secure, ephemeral compute units that inherit its serverless fabric. The focus is on Python-first AI/ML workloads with aggressive cost optimization through scale-to-zero, trading cold start latency for resource efficiency.

Unique Features:

  • Sandbox Connect Tokens: Authenticated HTTP/WebSocket access with unspoofable X-Verified-User-Data headers for access control
  • Memory Snapshots: Capture container memory state to reduce cold starts to <3s even with large dependencies like PyTorch
  • Idle Timeout: Auto-terminate sandboxes after configurable inactivity period
  • Filesystem Snapshots: Preserve state across sandbox instances for 24+ hour workflows
  • No pre-provisioning: Sandboxes created on-demand without capacity planning

Pricing (as of late 2025, after 65% price reduction):

PlanMonthly FeeCredits IncludedSeatsContainer Limits
Starter$0$30/month3100 containers, 10 GPU
Team$250$100/month1,000 containers, 50 GPU
EnterpriseCustomVolume discountsCustom limits, HIPAA, SSO, etc.

Compute Rates (per second):

ResourceRateNotes
Sandbox/Notebook CPU$0.00003942/corePer physical core (= 2 vCPU)
Standard Function CPU$0.0000131/corePer physical core
Memory$0.00000222/GiBPay for actual usage
GPU (A10G)$0.000306/s~$1.10/hr
GPU (A100 40GB)$0.000583/s~$2.10/hr
GPU (H100)$0.001097/s~$3.95/hr

Special Credits: Startups up to $25k, Academics up to $10k free compute

Specs:

SpecValue
IsolationgVisor (Google's container runtime)
Cold Start~1s container boot, 2-5s typical with imports
With Snapshots<3s even with large dependencies
Default Timeout5 minutes
Max Timeout24 hours (use snapshots for longer)
Idle TimeoutConfigurable auto-termination
FilesystemEphemeral (use Volumes for persistence)
Network DefaultSecure-by-default, no incoming connections
Egress Controlblock_network=True or cidr_allowlist
Concurrent Scaling10,000+ sandboxes

Volumes (Persistent Storage):

  • High-performance distributed filesystem (up to 2.5 GB/s bandwidth)
  • Volumes v2 (beta): No file count limit, 1 TiB max file size, HIPAA-compliant deletion
  • Explicit commit() required to persist changes
  • Last-write-wins for concurrent modifications to same file
  • Best for model weights, checkpoints, and datasets

Limitations:

  • Cold start penalties when containers spin down (2-5s typical)
  • No on-premises deployment option
  • Sandboxes cannot access other Modal workspace resources by default
  • Single-language focus (Python-optimized, less suited for multi-language untrusted code)
  • Volumes require explicit reload to see changes from other containers
  • Less suited for persistent, long-lived environments vs microVM solutions

Modal vs E2B for AI Agents:

AspectModalE2B
IsolationgVisor containersFirecracker microVMs
Cold Start2-5s typical, <3s with snapshot~150ms
Session DurationUp to 24h (stateless)Up to 24h (Pro), persistent
Self-HostingNo (managed only)Experimental
Multi-LanguagePython-focusedPython, JS, Ruby, C++
Network ControlGranular egress policiesAllow/deny lists
Best Fo