Hardened agent runtime
Hosts AI agents within secure, isolated execution sandboxes instead of unmonitored chatbot interfaces, ensuring all code execution and tool interactions are strictly confined.
isolated agent sandbox · execution-risk containment
Host AI agents securely inside a persistent, isolated sandbox.
agent-vm is a framework-agnostic sandbox system designed specifically for AI agents, allowing them to work securely inside a persistent, isolated environment that mitigates execution risks and prevents credential or network leakage.
Operator
Control plane
Isolation substrate
Governance overlay
agent containment
secure agent sandboxing
A hardened virtual environment designed specifically to contain AI agents, allowing them to execute code and operate tools safely.
risk mitigation
default-deny boundaries
Prevents unverified network egress, credential leakage, and unauthorized host access during agent execution.
agnostic substrate
framework independent
Standardized hosting layers that isolate any digital worker or autonomous process, regardless of its underlying framework.
what it is
Enterprise containment for autonomous digital workers.
Instead of exposing internal networks to unverified third-party libraries and unchecked agent scripts, this substrate runs digital workers inside an isolated, highly-auditable virtual sandbox. This ensures all file system operations and execution tasks remain safely contained within VM boundaries.
The architecture is completely agent-agnostic. Any autonomous process is assigned a risk tier and runs in a hardened, default-deny hosting container. This allows the agent to safely compile software, run tests, and process raw assets without risking host-level intrusion or data exfiltration.
sandbox capabilities
Eliminating execution risk at the infrastructure layer.
Durable state isolation
Maintains persistent context and files on a secure, dedicated storage layer that is isolated from the host operating system, preventing cross-tenant leakage or unauthorized data access.
Secure tool execution
Allows agents to process external data, invoke APIs, and ingest transcripts locally on the VM substrate, satisfying strict data governance and regulatory compliance.
Containment policy enforcement
Enforces default-deny network egress, deterministic runtime timeouts, and credential-by-reference access gates to completely eliminate exfiltration and host takeover risks.
three layers + governance
Each layer assumes the one above can fail.
Promotion control plane
Immutable exact-commit releases, dry-run-by-default mutation, drift detection, state as truth, and recorded rollback targets.
- exact commit promotion
- dry-run before apply
- drift-aware status
Isolation substrate
Nested-virt golden VM with Tier-1 cosign-signed, digest-pinned services and Tier-2 ephemeral Kata microVM jobs.
- reconcile → align
- default-deny egress
- verified teardown
agent-gateway@<profile>
Per-profile runtime layout with one declared runtime source, OS-level profile isolation, and independently restartable hardened systemd units.
- one service per profile
- Linux user isolation
- restart blast-radius control
Governance overlay
Risk tiers L0–L5, SLO/canary, fail-closed MCP tool allowlists, secrets-by-reference, signed supply chain, audit trails, and proven rollback.
- risk-tier gates
- canary before promotion
- audit evidence
what is actually validated
Honest proof, not production theater.
The evidence proves the substrate walking skeleton and selected control-plane flows. It does not claim a turnkey managed platform or a production migration.
- 🖥️ Golden VM provisioned from code.
- 🔑 Tier-1 service signed, digest-pinned, and aligned.
- 🔄 Promotion and rollback path exercised.
- 🌐 Tier-2 microVM boots with default-deny egress.
- 🧹 Timeout and teardown are verified.
grounded in primary research
Aligned with frontier safety standards.
Dual-Isolation Thesis
"Without network isolation, a compromised agent could exfiltrate sensitive files; without filesystem isolation, it could escape the sandbox."
Our architecture implements exactly this dual-isolation model, combining filesystem containment with default-deny network egress.
Anthropic Engineering (2025) →Host Defense Architecture
"By intercepting all sandboxed application system calls to the kernel, it protects the host from the application."
Our substrate intercepts tool actions and enforces strict host boundaries, protecting your infrastructure from untrusted code.
Google gVisor Platform →Minimal Attack Surface
"A minimal device model that excludes all non-essential functionality and reduces the attack surface."
Our Tier-2 microVMs run on stripped-down, isolated virtual devices with hardware-enforced boundaries and fast teardown.
AWS Firecracker microVM →reference workloads
Two worker shapes, one hosting contract.
Persistent digital worker
Long-running background agents promoted by immutable git commits, executing complex workflows within a dedicated, isolated environment.
Ephemeral task container
Short-lived sandboxed containers that spin up on demand to execute unsafe scripts or process raw input, tearing down completely upon task completion.
read the evidence trail
