Coding Agent Sandboxes — Comprehensive List

Compiled from awesome-lists (restyler/awesome-sandbox, webcoyote/awesome-AI-sandbox, bureado/awesome-agent-runtime-security) and a survey of vendor blogs / field guides published through 2026. Grouped by isolation primitive and then by deployment model.

1. OS-level primitives (no container, no VM)

These rely on kernel/userland features to constrain a normal host process. Lowest overhead, weakest boundary.

• macOS Seatbelt / sandbox-exec — Apple's TrustedBSD-based MAC framework. Used directly by Codex CLI, Gemini CLI, and underneath Anthropic's srt.
• Linux Landlock — Unprivileged filesystem/network LSM; default backend for Codex CLI on Linux.
• Linux seccomp-bpf — Syscall filtering, layered into most other Linux sandboxes.
• Linux namespaces + cgroups — Building blocks for almost every Linux sandbox.
• Windows AppContainer / Restricted Tokens — Codex CLI's Windows backend.
• bubblewrap — Unprivileged namespace sandbox; backs Flatpak and Anthropic's srt on Linux.
• Firejail — Mature SUID namespace+seccomp sandbox for Linux desktops.
• Minijail — Google/ChromeOS launcher built on namespaces + seccomp.
• nsjail — Google's namespace+seccomp jail; used by Windmill for Python/Go.
• Landlock Island — Landlock-powered CLI sandbox.
• syd — Userspace syscall-intercepting Linux sandbox (ptrace-style).
• cap-std — Capability-based stdlib for confining Rust programs.

2. Application kernels (userspace syscall interception)

• gVisor — Google's Go-based user-space kernel; powers Cloud Run, App Engine, Cloud Functions; optional runtime in Kata, Modal, etc.
• bVisor — Bash-focused gVisor-style sandbox.

3. MicroVM runtimes (hardware-virtualized, container-fast)

• Firecracker — AWS's KVM VMM; foundation of Lambda, Fargate, Fly.io, Vercel Sandbox, E2B, Sprites.
• Cloud Hypervisor — Intel-led Rust VMM, alternative to Firecracker (used by Kata).
• libkrun — Embeddable KVM library; powers microsandbox and Podman's VM mode.
• Kata Containers — OCI-compatible runtime that puts each container in its own microVM.
• Sysbox — Container runtime that runs systemd/Docker-in-Docker safely; used by Daytona for harder isolation.
• QEMU — General-purpose; used by Lima/Tart/UTM workflows below.
• Lima — Linux VMs on macOS; backbone of dev-sandbox wrappers.
• Tart — Apple-Silicon native macOS/Linux VM tool; used by Chamber, yoloAI.
• UTM — QEMU front-end for macOS/iOS.

4. Container runtimes commonly used as agent sandboxes

• Docker / OCI — De-facto base.
• Docker Sandboxes / sbx — Docker's purpose-built microVM-backed sandbox CLI for Claude Code, Codex, Gemini, Kiro.
• Podman — Daemonless, rootless OCI runtime.
• Incus / LXC / LXD — System containers; basis of vibebin.
• Dev Containers (devcontainer.json) — VS Code spec; used by trailofbits/claude-code-devcontainer.

5. Language-runtime / WASM sandboxes

• WebAssembly + WASI — Capability-based binary sandbox.
• Wasmtime / Wasmer — Server-side WASM runtimes.
• V8 Isolates — Per-script V8 heaps; powers Cloudflare Workers, Deno Deploy, Vercel Edge.
• Deno — Permission-flagged JS/TS runtime; used by Windmill.
• StackBlitz WebContainers — Browser-native Node.js on WASM.
• just-bash (Vercel) — A simulated shell in TypeScript with no real OS at all, used for some agent flows.

6. Hosted / SaaS sandbox platforms for coding agents

Platform	Underlying tech	Notes
E2B	Firecracker microVMs	The reference "AI agent sandbox"; SDKs in Python/JS; self-hostable.
Daytona	OCI containers (+ optional Kata/Sysbox)	Sub-90 ms cold start claim; AGPL core; persistent stateful workspaces.
Modal Sandboxes	gVisor on KVM	GPU-friendly; auto-shutdown when agent finishes.
Fly.io Sprites	Firecracker microVMs	Persistent 100 GB NVMe, ~300 ms checkpoint/restore, scale-to-zero.
Fly Machines	Firecracker	The general-purpose layer Sprites is built on; used as a backend by several agent products.
Vercel Sandbox	Firecracker microVMs	GA; filesystem snapshots; integrates with AI SDK / OpenAI Agents SDK.
Northflank Sandboxes	Kata Containers on K8s	BYOC, full-stack agent infra.
Blaxel	microVM	Claims ~25 ms cold start; agent-grade focus.
Runloop Devboxes	microVMs	Enterprise-targeted; OpenAI Agents SDK provider.
Freestyle VMs	Full Linux VMs (nested virt)	Sub-600 ms boot; bundles Git hosting + deploys.
Morph Sandbox SDK	microVMs	Codegen-focused; pairs with Fast Apply.
CodeSandbox SDK / Together Code Sandbox	microVMs (~500 ms snapshot start)	Persistent IDE-style sandboxes; up to 64 vCPU.
Replit	Containers/VMs	Long-running collaborative dev.
Beam	Containers w/ GPUs	Agent code execution + ML.
Cloudflare Workers / Sandboxes	V8 Isolates (+ container preview)	Edge-scale, ephemeral.
Bunnyshell	K8s	Ephemeral coding-agent envs.
Gitpod Flex / Coder	Containers/VMs	CDEs adopted as agent sandboxes; zero-trust runner model.
Perplexity Sandbox API	Hosted	Tool-callable from Perplexity Agent API.
OpenSandbox, Quilt, ComputeSDK, Zeroboot	Various	Tracked in Ry Walker's 14-platform comparison.

7. Self-hosted sandbox runtimes & SDKs

• microsandbox — libkrun microVMs, sub-200 ms boot, MCP server, persistent or msx ephemeral mode.
• AIO Sandbox — Docker image bundling shell, browser, files, Jupyter, VS Code, MCP.
• Cleanroom — Buildkite's microVM sandbox with deny-by-default egress and credential proxy.
• K7 — Self-hosted lightweight VM sandbox infra with API/SDK.
• BoxLite — Embeddable VM sandbox with snapshots.
• boxed — Multi-backend (Docker / Firecracker / WASM) execution engine.
• smolVM — Local microVM manager.
• coderunner — Hosted-style runner for untrusted AI code.
• Kilntainers — MCP-oriented runtime over Docker/Podman/microVM/Wasm.
• forgemax — MCP gateway with sandboxed code execution.

8. Local sandboxes built specifically for coding-agent CLIs

Multi-backend / multi-platform

• Anthropic Sandbox Runtime (srt) — Official Anthropic OS-level sandbox: Seatbelt on macOS, bubblewrap on Linux, plus a network-filtering proxy. No container.
• container-use (Dagger) — Per-agent containerized worktrees via MCP; parallel agents with Git branch review.
• Sculptor (Imbue) — Desktop UI for running agents in isolated containers.
• Conductor (Melty Labs) — Mac app orchestrating parallel Claude Code + Codex agents in isolated git worktrees.
• cco — Thin launcher that picks a local sandbox backend.
• yoloAI — Multi-backend runner over Seatbelt/Tart/Docker.
• [boxed / BoxLite / Kilntainers] — see §7.

macOS-focused

• Agent Safehouse — Deny-first Seatbelt profile system.
• sandbox-shell — Seatbelt shell wrapper.
• SandVault — Separate macOS user account + sandbox-exec hardening.
• vibebox, yolobox — Fast local Seatbelt sandboxes.
• Chamber — Tart-based ephemeral macOS VM for Claude/Codex.
• ClodPod — VM workflow that maps host projects into a guest.
• lima-devbox — Lima dev sandbox for Mac.

Linux-focused

• Fence — Native command sandbox without containers.
• Matchlock — AI-agent Linux sandbox.
• Microbox — Lightweight ephemeral Linux sandboxes.
• Nono — Capability-oriented kernel-backed sandbox.
• sandbox-run — Per-project bubblewrap wrapper.
• shai — Sandboxing shell for AI coding agents.
• sucoder — Unix-permissions-based containment.
• treebeard — Ephemeral Git-worktree sandbox with CoW + network gating.
• agentsafe / nervos — Per-task Firecracker microVMs.
• bunkervm — Tiny Linux VM "safe machine" for agents.
• Greywall — Local sandbox with live network controls.
• vibebin — Persistent Incus/LXC platform.

Container-wrapper CLIs around specific agents

• ClaudeBox — Docker Claude Code env with allowlists.
• sandclaude — Opinionated Docker wrapper for Claude Code.
• claude-code-devcontainer — Hardened devcontainer template.
• codex-lockbox — Docker sandbox with firewall rules for Codex CLI.
• codex-container-sandbox — Podman wrapper exposing only the repo + bind mounts.
• packnplay — Docker-backed command sandbox with worktrees.
• agentbox — Containerized agent sandbox with privilege drop and firewalling.
• EdgeBox — Local GUI sandbox with desktop exposed to the agent.

9. Built-in sandboxes shipped with major agents

• OpenAI Codex CLI — Default-on. Seatbelt on macOS, Landlock + seccomp on Linux, restricted tokens on Windows. Modes: read-only, workspace-write, danger-full-access.
• Anthropic Claude Code — Sandboxed bash tool backed by @anthropic-ai/sandbox-runtime (Seatbelt / bubblewrap + network proxy). Cloud sessions ("Claude Code for web") run in full microVMs.
• Google Gemini CLI — Seatbelt on macOS or Docker/Podman containers via .gemini/sandbox.Dockerfile.
• GitHub Copilot Coding Agent / Workspace — Runs each task in an ephemeral cloud sandbox VM.
• Cursor / Devin / Cognition — Each ships its own hosted sandbox/VM per task (Devin uses dedicated cloud VMs).
• Replit Agent — Runs inside a Replit VM/container.

10. Policy / approval / audit layers (often paired with the above)

• Cupcake — OPA/Rego hook enforcement for coding agents.
• nah — Deterministic allow/ask/block guard for Claude Code.
• predicate-secure — Policy-based authz + post-run verification.
• claude-rule-enforcer — Behavior rules for Claude Code.
• shannot — Human-in-the-loop approval flow.
• punkgo-jack — Merkle-logged audit/receipt layer for hook events.
• deepclause-sdk — DML-style runtime authorization SDK.

Further reading

• restyler/awesome-sandbox — Deep taxonomy + decision framework.
• webcoyote/awesome-AI-sandbox — Curated open-source list.
• bureado/awesome-agent-runtime-security — Runtime-security angle.
• Luis Cardoso, "A field guide to sandboxes for AI" — containers vs gVisor vs microVMs vs WASM.
• michaellivs.com, "A thousand ways to sandbox an agent" — spectrum overview.
• Northflank, "Best sandboxes for coding agents in 2026" — vendor matrix.
• Ry Walker, "AI Agent Sandboxes Compared" — 14-platform comparison.
• Penligent, "Sandboxes for Coding Agents" — threat-model framing.