- What counts as an AI agent sandbox?
- When does self-hosting make sense?
- Open-source sandbox options to evaluate
- Isolation boundary: containers, microVMs, and full VMs
- State, files, and workspace lifecycle
- Network, packages, and egress policy
- Secrets, logs, and audit trails
- Reset, snapshots, and multi-tenant risk
- Developer access and debugging paths
- Where Novita Agent Sandbox fits
- Self-hosting checklist
- FAQ
Teams evaluating open-source AI agent sandboxes should first check the real isolation boundary, workspace persistence model, egress and package controls, secret handling, auditability, and the operational effort required to run them safely. The right choice is less about finding a universal winner and more about matching a sandbox model to your threat model, agent workload, compliance needs, and engineering capacity.
What counts as an AI agent sandbox?
An AI agent sandbox is an execution environment where an agent can run code, inspect files, automate a browser, call tools, or complete a task without receiving broad access to the host machine or production network. It is the boundary between model reasoning and real-world side effects.
That boundary matters because modern agents do more than write text. A coding agent may clone a repository, install dependencies, run tests, open preview ports, and write a pull request. A browser or data agent may execute scripts, keep state, download files, and capture screenshots. Those actions need a runtime, and the runtime needs controls.
For an evaluation, separate four layers:
| Layer | What it decides | Why it matters |
|---|---|---|
| Agent framework | How the model plans, calls tools, and reacts to results | A good framework does not automatically create a safe runtime |
| Sandbox runtime | Where commands, files, browser sessions, and processes run | This is the main isolation and lifecycle boundary |
| Policy plane | What the sandbox may read, fetch, install, expose, or retain | This determines whether the sandbox matches your risk model |
| Review plane | What logs, diffs, artifacts, and approvals are available after the run | This determines whether a human can verify what happened |
Self-hosted and open-source options can give teams more control over those layers. They also move more responsibility onto the team operating them.
When does self-hosting make sense?
Self-hosting can be reasonable when your team needs direct control over deployment location, network paths, base images, retention rules, logging systems, or internal security review.
It is less attractive when the real requirement is simply “let an agent run code safely.” In that case, a managed sandbox may be easier to operate because the provider handles provisioning, scaling, runtime updates, uptime, and parts of the developer experience.
Use self-hosting when at least one of these is true:
- Your policy requires execution inside a specific cloud account, VPC, region, or private network.
- Your agents need custom base images, internal package mirrors, private source systems, or internal browser targets.
- Your security team wants to inspect the isolation stack, egress path, retention model, and logs.
- You have the engineering capacity to patch runtime components, watch abuse signals, rotate secrets, and debug failures.
Avoid self-hosting by default when you cannot staff the operational work. Sandboxes look simple during demos because a single container or VM can run a command. Production is different: you need concurrency limits, resource quotas, image cleanup, package-cache strategy, network policy, secret scoping, telemetry, incident response, and a clear upgrade path.
Open-source sandbox options to evaluate
The open-source landscape is moving quickly, so treat this as a dated orientation rather than a permanent feature matrix. As of June 24, 2026, these projects and tools are useful examples to inspect when you compare self-hosted or open-source agent sandbox paths.
| Option | What to inspect first | Self-hosting question |
|---|---|---|
| E2B | Open-source sandbox/runtime components, SDKs, templates, and Firecracker-based sandbox positioning | Which pieces are open source, which deployment modes are supported today, and what operational work remains for your team? |
| Daytona | Workspace and sandbox infrastructure for development and AI agent use cases, with open-source repositories and self-hosted documentation paths | Does its workspace model, API surface, and deployment architecture match your agent workload and security policy? |
| OpenHands | Agent platform with a documented runtime architecture using sandboxed environments for executing agent actions | Are you adopting the full agent platform, or only borrowing the runtime pattern? |
| SWE-ReX | Open-source runtime interface used in software-engineering agent research and evaluation workflows | Does its abstraction fit your production needs, or is it mainly useful for controlled evaluation harnesses? |
| Modal Sandbox | Managed sandbox API rather than an open-source self-hosted runtime | Useful as a comparison point for API ergonomics, process execution, filesystem, and timeout behavior, not as a self-hosted option |
Do not pick from a table alone. For each project, read the current docs, inspect the latest release notes, and run a small proof of concept with your own workload. The evaluation should answer: what can run, what is isolated, what persists, what can reach the network, what can see secrets, and what evidence remains after the task.
Isolation boundary: containers, microVMs, and full VMs
The first question is not “is it secure?” The useful question is “what is the isolation boundary?”
Containers are attractive because they are fast, familiar, and easy to build around Docker images. They can fit trusted internal jobs, CI-like tasks, short-lived analysis, and development workflows where the threat model is moderate. But containers share the host kernel, so teams handling untrusted code or multi-tenant workloads need to evaluate kernel exposure, seccomp/AppArmor profiles, user namespaces, mounted volumes, privileged mode, and escape response.
MicroVMs, such as Firecracker-style isolation, add a stronger VM boundary while keeping startup and density closer to container workflows than traditional VMs. They are common in agent sandbox discussions because they can give each session a separate kernel and tighter resource boundary. That does not remove the need for network policy, secret controls, patching, or host hardening; it only clarifies the runtime isolation layer.
Full VMs may fit stricter enterprise environments, desktop automation, or workflows that need a broader OS surface. The tradeoff is heavier startup, image management, and capacity planning.
Ask these questions before self-hosting:
| Check | What to verify |
|---|---|
| Kernel boundary | Does the sandbox share a kernel with other workloads, or does each session get a separate kernel? |
| Tenant boundary | Can two customer sessions ever share host-level resources, volumes, caches, browser profiles, or network namespaces? |
| Privilege model | Does the sandbox run privileged containers, root users, mounted Docker sockets, or host paths? |
| Escape posture | How are kernel, runtime, container, and hypervisor vulnerabilities patched and rolled out? |
| Resource controls | Are CPU, memory, disk, process count, open files, and runtime duration enforced per session? |
| Side channels | Does your risk model require mitigation for shared CPU, cache, disk, or noisy-neighbor behavior? |
If a project describes itself as “isolated,” keep reading until you know the mechanism.
State, files, and workspace lifecycle
Agent work is stateful even when the sandbox is short-lived. The agent may create files, install packages, keep a browser profile, run background processes, or pause while a human reviews an artifact. Your sandbox needs a clear workspace model.
Start with the lifecycle:
- Create a sandbox from a base image or template.
- Mount or clone the allowed workspace.
- Run setup commands under policy.
- Let the agent execute commands, browser actions, and file operations.
- Extract outputs: diffs, logs, screenshots, reports, or downloaded files.
- Stop, pause, snapshot, archive, or destroy the sandbox.
The critical point is that persistence should be intentional. Persistent workspaces are useful for long-running agents, multi-step coding tasks, and human-in-the-loop review. They are also where stale credentials, cached dependencies, browser cookies, generated data, and partial work can leak across sessions if cleanup is weak.
Before self-hosting, define:
- Whether each agent task gets a fresh filesystem.
- Whether package caches are shared, scoped, or rebuilt.
- Whether browser profiles persist between runs.
- Whether user uploads are copied, mounted, or streamed.
- Whether snapshots include secrets, tokens, cookies, or internal logs.
- How long logs and artifacts are retained.
- Who can reopen a paused session.
A good sandbox makes the default lifecycle boring. You should be able to explain what exists before the task starts, what changes during the task, and what remains after cleanup.
Network, packages, and egress policy
Network access is where many sandbox designs become vague. Agents often need the internet, but “internet access” is not one permission.
A coding agent may need package registries, public docs, Git remotes, and a preview URL. A browser agent may need a test application, a staging API, and screenshot storage. A data agent may need object storage, a database replica, or a restricted SaaS API. Those are different permissions with different risks.
Use categories:
| Egress type | Typical need | Policy question |
|---|---|---|
| Package registries | npm, pip, apt, cargo, model/tool dependencies | Are registries allowlisted, cached, scanned, and logged? |
| Public web | Documentation lookup, browser tasks, public data collection | Is arbitrary browsing allowed, proxied, rate-limited, and auditable? |
| Git access | Clone repos, push branches, fetch submodules | Are tokens read-only where possible and scoped to the task? |
| Internal APIs | Staging services, test apps, private package mirrors | Is access limited by environment, service, route, and credential? |
| Preview ingress | Human review of local web apps or generated reports | Which port is exposed, to whom, for how long, and with what auth? |
| Webhooks | Agent callbacks, CI events, external tool integration | Can the sandbox send outbound callbacks to arbitrary hosts? |
Package policy deserves special attention. Many agent tasks fail without dependency installs, but package installs bring post-install scripts, native binaries, registry compromise, typosquatting risk, and long cache lifetimes. Prefer lockfile-based installs, approved registries, short-lived tokens, and install logs.
For self-hosted systems, also decide who owns DNS logs, proxy configuration, certificate trust stores, and network incident response.
Secrets, logs, and audit trails
An agent sandbox should not become a place where raw credentials are easy for the model to print, copy, or exfiltrate.
The safest pattern is task-scoped access. Give the sandbox the minimum credential needed for the job, and remove it when the job ends. A coding task may need a read-only repository token and a pull request token. A browser task may need a test account, not a production user. A data task may need a temporary signed URL, not a standing cloud credential.
Avoid secrets in files the agent can casually read. Environment variables are convenient, but many debugging commands print environment state. If the platform supports brokered actions, use them: let the sandbox perform a narrow operation without exposing the raw credential to the model loop.
Logging should be strong enough for review and incident response:
- Commands requested, approved, denied, and executed.
- Working directory, exit code, stdout, stderr, timeout, and resource usage.
- File artifacts produced by the task.
- Network destinations at the granularity your policy supports.
- Package names, versions, registries, and install output.
- Secrets redaction decisions and redaction failures.
- Human approvals for risky actions.
The goal is not to drown reviewers in logs. The goal is to reconstruct what happened when an agent produces a surprising output, a dependency changes, or a token is suspected of exposure.
Reset, snapshots, and multi-tenant risk
Reset behavior is a production feature, not a cleanup script at the end of a demo.
Ephemeral sandboxes are simpler to reason about: create, run, extract artifacts, destroy. They work well for short code execution, one-shot browser actions, and evaluation jobs. Persistent sandboxes help with longer workflows, but they need ownership, expiry, and review controls.
Snapshots and templates sit between those models. They can speed up startup by preserving a prepared environment, but they also preserve whatever is inside the snapshot. Verify whether they include:
- Installed packages and caches.
- Shell history or process state.
- Browser cookies, local storage, and downloads.
- Temporary files and generated outputs.
- Credentials or configuration files.
- Logs from previous tasks.
For multi-tenant systems, ask how the scheduler places workloads, whether caches are shared, how disks are wiped, and how host-level resources are monitored. Also ask what happens during failures. A sandbox that crashes, times out, or loses its controller still needs cleanup and artifact handling.
Developer access and debugging paths
Self-hosted sandboxes need a practical debugging story. When an agent fails, developers need to know whether the problem is the model, the tool call, the runtime, the image, the package mirror, the network path, or the target application.
Useful debugging paths include:
- A way to replay commands from the same base image.
- Structured logs for command execution and tool calls.
- Downloadable artifacts and screenshots.
- Explicit timeout and resource-limit errors.
- A controlled way for a developer to attach to a live session when policy allows.
- Versioned templates or images so failures can be tied to an environment version.
- Clear separation between user-visible output and internal runtime logs.
Be careful with emergency access. Broad shell access into live sandboxes can violate the same isolation assumptions the sandbox was built to enforce. Define who can attach, what they can see, whether secrets are redacted, and how access is logged.
Where Novita Agent Sandbox fits
Novita Agent Sandbox is a managed agent runtime for code execution, browser automation, computer-use style workflows, data analysis, evaluations, and long-running agent workflows. The Novita Agent Sandbox documentation describes a stateful sandbox environment with SDK and CLI paths for lifecycle, commands, files, browser sessions, and related workflow primitives.
That makes Novita a fit to evaluate when your team wants agent execution infrastructure without taking on the full self-hosted operations burden from day one.
Keep the boundary clear:
- Use open-source or self-hosted runtimes when deployment control, source-level customization, or internal infrastructure ownership is the priority.
- Use a managed sandbox when faster adoption, provider-managed runtime operations, and an API-first workflow are more important than owning every layer.
- In either case, evaluate isolation, egress, package installs, secrets, logs, persistence, and review gates against your own policy.
Do not treat any provider name as a security guarantee. Treat it as a runtime choice that still needs architecture review.
Self-hosting checklist
Use this checklist before moving an open-source AI agent sandbox into production.
| Area | Minimum question before production |
|---|---|
| Isolation | Is the boundary container, microVM, full VM, or something else, and is that enough for the workload? |
| Workspace | Does each task start from a known filesystem state, and can it be reset? |
| Persistence | Are pause, resume, snapshots, and retention explicit rather than accidental? |
| Network | Are package fetches, browsing, API calls, Git, webhooks, and preview ingress separately controlled? |
| Packages | Are lockfiles, registries, post-install scripts, native binaries, and caches governed? |
| Secrets | Are credentials task-scoped, redacted, rotated, and unavailable to unrelated commands? |
| Logs | Can a reviewer reconstruct commands, outputs, file changes, network paths, and approvals? |
| Multi-tenancy | Are host sharing, cache sharing, disk cleanup, quotas, and noisy-neighbor behavior understood? |
| Debugging | Can engineers reproduce failures without bypassing the security model? |
| Operations | Who patches images, runtimes, kernels, dependencies, and sandbox controllers? |
| Abuse controls | Are timeouts, resource limits, rate limits, and kill paths enforced? |
| Exit path | Can artifacts be exported and reviewed even if the sandbox crashes or times out? |
If several answers are unclear, keep the project in a prototype lane. A sandbox that cannot explain its boundaries is not ready to run untrusted agent work at scale.
FAQ
What is the best open-source AI agent sandbox?
There is no single best open-source AI agent sandbox for every team. The right choice depends on your isolation requirement, deployment model, agent workload, egress policy, persistence needs, and operations capacity. Compare options by running your own task inside each candidate runtime.
Is Docker enough for an AI agent sandbox?
Docker can be enough for trusted internal automation, local development, and CI-like jobs, but it may not be enough for untrusted code or strict multi-tenant workloads. Check kernel sharing, privileges, mounted volumes, network access, secrets, and escape response before relying on containers alone.
Are microVMs safer than containers for agent workloads?
MicroVMs can provide a stronger isolation boundary because each sandbox can run with a separate kernel. That does not automatically solve egress, packages, secrets, logging, patching, or multi-tenant operations. Treat microVMs as one part of the architecture, not the whole security model.
What should I test before self-hosting an agent sandbox?
Test a real workload that clones or mounts files, installs dependencies, runs commands, handles secrets, reaches approved network targets, produces artifacts, times out, and resets. Also test failure paths: package install failure, browser crash, network deny, resource limit, and sandbox cleanup after a controller error.
When should I use a managed sandbox instead of self-hosting?
Use a managed sandbox when your team wants the agent execution API and review artifacts without owning runtime patching, scaling, capacity planning, and infrastructure operations. Self-host when deployment control or source-level customization is important enough to justify that work.
