- What “secure” means for a code execution sandbox
- Isolation layers compared
- What can still escape each boundary
- Egress and network controls
- Secrets handling
- Resource limits and denial-of-service risk
- Audit visibility
- Questions to ask any sandbox provider or project
- Where Novita Agent Sandbox fits
- Limitations and what no sandbox eliminates
- FAQ
An AI sandbox for executing code is as secure as its isolation boundary — and the isolation boundary is only part of the answer. The better question is: what does the sandbox actually isolate, and what can still escape? Most sandboxes stop some things well (process-level code execution, arbitrary filesystem writes to the host) and leave other things open by default (outbound network, package installs, secrets in environment variables). Understanding those gaps is how you evaluate whether a sandbox fits your risk model.
What “secure” means for a code execution sandbox
Security in a code execution sandbox is not a binary property. It is a set of controls, each of which addresses a specific category of risk. When someone asks “is this sandbox secure?” they are usually asking several distinct questions at once:
- Host isolation: Can code running inside the sandbox escape to the host system?
- Tenant isolation: Can one user’s code affect another user’s session?
- Egress control: Can code inside the sandbox reach the internet, internal services, or metadata endpoints?
- Secret scoping: Are credentials accessible to more of the sandbox than they need to be?
- Supply chain risk: Can package installs introduce unexpected or malicious code?
- Auditability: Can you reconstruct what the agent actually did after the fact?
A sandbox can be strong on host isolation and weak on egress. Strong on egress and weak on secrets. Evaluating “how secure” requires checking each dimension separately, not accepting a single label like “containerized” or “microVM-based” as the whole answer.
Isolation layers compared
There are three main isolation models used in AI code execution sandboxes. Each provides a different boundary.
Process isolation
Process isolation uses OS-level primitives — Linux namespaces, cgroups, seccomp filters, and AppArmor or SELinux profiles — to restrict what a process can access. The sandbox runs as a process on the host OS, sharing the host kernel.
What it prevents: Access to the broader filesystem, other processes outside the sandbox, and syscalls explicitly blocked by the seccomp policy.
What it doesn’t prevent: Kernel exploits that escalate privilege through a shared vulnerability. A seccomp bypass or a kernel vulnerability can bridge the host boundary.
When it’s appropriate: Short-lived, low-risk, trusted-ish code where startup speed and portability matter more than a hard VM boundary. Not recommended for running arbitrary agent-generated code from external users.
Container isolation (Docker/namespaces)
Container isolation extends process isolation with a more structured image model, network namespacing, and volume mounts. Most Docker-based sandbox implementations run code inside a container with a minimal image and a restricted seccomp profile.
What it prevents: Direct filesystem access to the host, most network access to adjacent containers (when configured correctly), easy access to host processes.
What it doesn’t prevent: Kernel-level exploits still apply — containers share the host kernel. Misconfigured volume mounts, overly broad seccomp profiles, --privileged mode, and exposed Docker sockets can all negate the intended boundary.
When it’s appropriate: Many production deployments use containers effectively for AI code execution when the seccomp profile is tight, the image is minimal, egress is restricted, and no privileged access is granted. The risk model is different from microVMs but manageable with careful configuration.
MicroVM isolation (Firecracker/gVisor)
MicroVM isolation runs each sandbox in a lightweight virtual machine with its own guest kernel, isolated from the host by a KVM hypervisor boundary. Firecracker is the most common implementation; gVisor (with its user-space kernel) offers a different tradeoff.
What it prevents: Guest-kernel exploits do not propagate to the host kernel or other guests. The host attack surface is reduced to the VMM (virtual machine monitor), which is designed to be minimal.
What it doesn’t prevent: Vulnerabilities in the VMM itself (rare but not impossible). Network, package, and secrets controls still live outside the VM boundary — microVM isolation does not handle those.
When it’s appropriate: Running untrusted or agent-generated code from external users, multi-tenant environments where blast radius matters, and workloads that may execute arbitrary shell commands or package install scripts.
| Isolation model | Host kernel shared | Tenant separation | Startup overhead | Host escape risk |
|---|---|---|---|---|
| Process | Yes | Weak | Lowest | Highest |
| Container | Yes | Moderate | Low | Medium (config-dependent) |
| MicroVM | No | Strong | Moderate | Low |
What can still escape each boundary
The isolation model addresses runtime code execution. It does not automatically address what enters or leaves the sandbox through other paths.
Outbound network: All three isolation models leave outbound network access to policy configuration. Default-open egress means code inside the sandbox can reach the public internet, cloud metadata endpoints (169.254.169.254 on AWS and GCP), internal services on the same network, and arbitrary external APIs. That is a data exfiltration path, a secrets-retrieval path, and a command-and-control path regardless of the isolation model.
Package installs: An apt install, pip install, or npm install fetches and executes code from an external registry. If the sandbox allows package installs and has open egress, a package name collision, typosquatting attack, or dependency confusion attack can introduce malicious code that runs with all of the sandbox’s permissions. The isolation boundary contains the blast radius but does not prevent the install.
Shared state: In multi-tenant deployments, shared caches, shared package registries, shared template images, or shared filesystem mounts create channels between tenants that bypass the isolation boundary.
Secrets in environment variables: Environment variables visible to the agent process are readable by any code the agent runs. If a database credential or API key is in the environment, it is accessible to the sandbox and anything it executes or installs.
Egress and network controls
Egress is where most sandboxes have their largest gap. Open outbound internet access is common because it is convenient — agents need to install packages, call APIs, and fetch resources. But it also creates risks:
Cloud metadata endpoints: On hosted cloud infrastructure, 169.254.169.254 (and its IPv6 equivalent) serves instance metadata including IAM credentials. Code inside a sandbox with open egress can reach this endpoint and retrieve credentials for the underlying host.
DNS-based exfiltration: Even if HTTP is blocked, outbound DNS queries can be used to exfiltrate data by encoding it in domain lookups. DNS blocking requires filtering at the resolver level, not just blocking TCP/UDP 53 to external servers.
Internal services: If the sandbox runs on a private network segment, open egress may allow access to internal databases, admin panels, and APIs that are not intended to be reachable from agent code.
Controls to evaluate:
| Control | What it prevents | What to verify |
|---|---|---|
| Default-deny egress | Outbound connections to unlisted destinations | Does it block DNS as well as TCP/UDP? |
| Allowlist-based egress | Connections to non-approved domains | Is the allowlist customer-configurable? |
| Metadata endpoint blocking | Cloud credential retrieval via 169.254.169.254 | Is IPv6 metadata also blocked? |
| Egress proxy | Logging and inspection of all outbound traffic | Is the proxy log accessible? |
| DNS filtering | DNS-based exfiltration and internal name resolution | Which resolver is used inside the sandbox? |
There is no universally correct egress policy. Some agent workloads genuinely need broad internet access to be useful. The key is that the policy is deliberate and auditable, not open by default because it was never configured.
Secrets handling
Secrets in AI agent sandboxes follow the same principles as secrets in any software system, with one additional constraint: the agent may execute code that reads, logs, or transmits the environment without developer intent.
Scoping: Mount only the credentials the sandbox actually needs for the current task. A sandbox running a coding task does not need production database credentials. A sandbox evaluating model outputs does not need the API key for a billing service.
Lifetime: Short-lived credentials are significantly safer than long-lived ones. If a credential leaks inside a sandbox, a short TTL limits the window of exposure. Many cloud IAM systems support short-lived tokens that expire in minutes or hours.
Injection method: Environment variables are the most common injection method and the most accessible to any code in the process. Secrets that can be injected via filesystem mounts, mounted at a path the agent does not need to traverse, or fetched dynamically only when the specific tool that needs them runs, are more constrained than a blanket environment variable set.
Redaction: Secrets should be redacted from stdout, stderr, tool response payloads, model-visible context, and audit logs. An agent that echoes its environment, calls env, or passes a token to a failing API call may leak credentials into logs that are then stored or visible to operators.
Resource limits and denial-of-service risk
A sandbox without resource limits is vulnerable to agent workloads that exhaust CPU, memory, disk, or network bandwidth — either through runaway code, an infinite loop, a memory leak in an installed package, or a deliberate attempt to disrupt adjacent workloads.
Resource controls to verify:
- CPU limits: Throttling or hard limits per session prevent one session from monopolizing host capacity.
- Memory limits: OOM kill policies should terminate the sandbox session, not the host process.
- Disk quotas: Per-session write limits prevent a session from filling shared storage.
- Execution timeout: Sessions that exceed a wall-clock limit should be terminated cleanly, not left running.
- Network rate limits: Outbound bandwidth limits can constrain exfiltration even when egress policy allows the destination.
- Concurrent process limits: Agents that fork aggressively or spawn background processes can exhaust process table slots.
Resource limit violations are also worth logging. A session that consistently hits CPU throttle or OOM kill during tasks that should be lightweight is a signal worth investigating.
Audit visibility
Isolation controls reduce the blast radius when something goes wrong. Audit logs are how you find out that something went wrong and reconstruct what happened.
For AI agent sandboxes specifically, useful audit coverage includes:
- Process execution: Every command that runs, with full argument list, UID, and parent process. Without argument lists,
curlandpythonin a log are not meaningful. - Filesystem access: Reads and writes to sensitive paths. Writes and deletes are higher priority than reads for most threat models.
- Outbound network: Destinations, protocols, DNS queries, and bytes transferred. DNS query logging is often missing but important.
- Package installs: Package manager, package name, version, source registry, and hash.
- Session lifecycle: Create, pause, resume, terminate, and cleanup events with reason codes.
- Resource limit events: OOM kills, CPU throttle, timeout termination.
The collection mechanism matters as much as the coverage. Logs generated inside the sandbox process can be suppressed or modified by a sufficiently privileged agent. Kernel-level collection (via auditd, eBPF, or hypervisor instrumentation) is generated below the application layer, where the agent has no write access.
Questions to ask any sandbox provider or project
Use this checklist when evaluating a managed sandbox service or an open-source sandbox framework:
Isolation
- Does each agent session get its own isolated environment, or are sessions grouped on shared execution environments?
- What isolation model is used: process, container, or microVM?
- Is the guest kernel shared with the host?
Network and egress
- Is egress default-open or default-deny?
- Can egress policy be configured per-tenant or per-session?
- Is the cloud metadata endpoint (
169.254.169.254) blocked? - How is DNS handled inside the sandbox?
Package installs
- Are package installs allowed by default?
- Can installs be limited to approved registries?
- Are install events logged with source and hash?
Secrets
- How are credentials injected into the sandbox?
- Can credentials be scoped to the specific tool or task that needs them?
- Are secrets redacted from logs and model-visible outputs?
Resource limits
- Are CPU, memory, disk, and timeout limits enforced?
- What happens when a limit is hit — throttle, kill, or alert?
Audit logs
- Are logs generated at the kernel/hypervisor level or inside the sandbox process?
- What event categories are logged by default?
- Can logs be exported to an external SIEM or log aggregation system?
- What is the log retention policy?
Tenancy
- Are workloads from different tenants isolated from each other?
- Are there shared caches, images, or mounts that create cross-tenant channels?
Where Novita Agent Sandbox fits
Novita Agent Sandbox is designed for agent workloads that need isolated execution environments for code, files, processes, and longer-running sessions. It targets teams building coding agents, evaluation pipelines, data analysis agents, and browser-based agent workflows.
The sandbox supports session lifecycle controls including pause, resume, and autopause for idle sessions. It provides resource metrics and session-level execution logs accessible through the API. For teams already using Novita model APIs, it can serve as the execution layer in an agent architecture where the model plans and calls tools, and the sandbox handles runtime execution in an isolated environment.
When evaluating Novita Agent Sandbox for security-sensitive use cases, verify current isolation model, egress policy defaults, log coverage, and secrets handling in the product documentation before making architecture decisions. Security requirements vary significantly by workload — what is appropriate for an internal evaluation pipeline may not be sufficient for a multi-tenant product handling user-supplied code.
As with any sandbox, the security posture depends on both the platform’s defaults and your application-level controls: how credentials are scoped, what the agent is allowed to request, which tool calls require human approval, and how audit logs are monitored.
Limitations and what no sandbox eliminates
No sandbox eliminates all risk. Understanding what remains outside the boundary is as important as understanding what the boundary provides.
Application-layer trust decisions: The sandbox controls runtime execution. It does not decide what the agent is allowed to ask for. If your application permits an agent to request a credential, execute arbitrary shell commands, or call any API, the sandbox reduces blast radius but does not prevent those actions.
Prompt injection: An agent that processes untrusted content — web pages, user-uploaded files, external API responses — can be manipulated through that content into taking actions it should not. This is an application design problem, not a sandbox problem. The sandbox can limit where those actions land, but the decision logic lives in your application.
Zero-day vulnerabilities: All isolation models have known and unknown vulnerabilities. MicroVM isolation provides the strongest boundary in current production use, but VMM vulnerabilities exist. Defense-in-depth — combining multiple controls rather than trusting one boundary — is a more robust posture than any single isolation model.
Social engineering through model output: An agent may produce output that persuades a human operator to take an unsafe action. Sandboxes do not audit human decisions.
Compliance and regulatory risk: Isolation controls address technical risk. Regulatory requirements (GDPR, HIPAA, SOC 2, ISO 27001) address data handling, retention, documentation, and audit requirements that extend beyond what a sandbox provides at the infrastructure level.
Security in a code execution sandbox is best framed as a set of controls to evaluate and configure, not a property you acquire by choosing a product. The evaluation questions above apply to every sandbox decision — including your own infrastructure if you are building rather than buying.
FAQ
How secure is a sandboxed AI code execution environment compared to running code on a server?
A well-configured sandbox significantly reduces the blast radius of executing untrusted code compared to running it directly on a server. It constrains filesystem access, process scope, and network access. However, the difference depends on configuration. An open-egress container with broad environment variable injection may be less safe than a hardened server with network controls. The isolation model is a starting point, not a guarantee.
Does microVM isolation mean a sandbox is fully secure?
No. MicroVM isolation (Firecracker, KVM-based) provides a strong host boundary that shared-kernel containers do not. But it does not control egress, secrets, package installs, or audit coverage. A microVM with open egress and no log collection is not “fully secure” even though the isolation layer is strong.
Can AI-generated code escape a sandbox?
It depends on the isolation model and configuration. Container escapes require exploiting the kernel or a misconfiguration; microVM escapes require exploiting the VMM. Both are possible but uncommon. The more practical risks are data exfiltration through allowed network paths, reading secrets from the environment, or installing malicious packages through unrestricted package managers.
What is the biggest security risk in most AI code sandboxes?
Open outbound egress is the most commonly under-addressed risk. Many sandboxes allow unrestricted outbound internet access by default because it is convenient for agents that need to install packages and call APIs. This creates paths for data exfiltration, credential theft via cloud metadata endpoints, and command-and-control communication that exist regardless of how strong the isolation boundary is.
Should I use a managed sandbox or build my own?
Managed sandboxes handle the operational complexity of microVM or container lifecycle, host capacity, and image management. Building your own gives you more control over the full policy stack. Either way, the same evaluation questions apply: egress policy, secrets handling, log coverage, resource limits, and audit export. The build vs. buy decision is separate from the security evaluation.
What makes agent sandbox security different from traditional code execution security?
Traditional code execution security assumes you roughly know what code will run. AI agents change this: a single prompt can cause a session to install packages, write files, run shell commands, call external APIs, and spawn subprocesses without explicit developer approval for each step. This makes audit coverage more important (you cannot anticipate every action), egress controls more important (the agent may reach destinations you did not expect), and secret scoping more important (the agent has access to everything in its environment).
