The fastest way to compromise your startup is to hand an AI agent your SSH keys and tell it to ship. That’s not paranoia. In 2025, 13% of organisations reported breaches involving AI models or applications, and 97% of those had no AI access controls in place. The pattern is always the same: give the agent enough rope to be useful, and it has enough rope to hang you.

The permission paradox

A comic making the rounds on LinkedIn says it plainly. You picked Mac for the security. Total peace of mind. Then someone asks how you run Claude with it, and the answer is: oh, you just disable all the permissions.

That’s not a punchline. That’s the actual workflow at most startups right now. AI coding agents — Claude Code, Codex, Amp — are most powerful when they can read your filesystem, run shell commands, push git commits, and manage your infrastructure. That’s also what makes unrestricted local access genuinely dangerous. Only 21% of executives have complete visibility into what their agents are actually accessing, and 80% of organisations have already reported risky agent behaviours including unauthorised system access. This is not a theoretical threat surface.

The problem is structural. Agents need broad access to be useful, and on a local machine broad access has no meaningful blast-radius limit: the agent runs as you, so it inherits every file your user can read and every credential sitting in your shell environment. Your .env files, your AWS credentials, your SSH keys are all one misbehaving prompt injection away from exposure, and the injection does not have to come from you. A malicious README, an issue comment or a tool’s output that the agent reads is enough.
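To make that blast radius concrete, here is an added example (not code from the original post or from any of the sandbox vendors it names) that does the two checks worth running before an agent is launched on a machine: list the credential files the agent’s user could read, and build the deny-by-default environment the agent process should inherit. The file paths and variable-name patterns are conventional assumptions, not an exhaustive list, and the sample tree it inspects is constructed from fake contents.

```python
"""Blast-radius check for an AI agent given local access.

Added example for this post; it is not code from the original article or
from any of the sandbox vendors it names. It answers two questions before
an agent is launched: which credential files on this machine it could read,
and what environment it should inherit. The file paths and variable-name
patterns are common conventions (assumptions), not an exhaustive list.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Conventional credential locations relative to $HOME.
HOME_SECRET_FILES = (
    ".aws/credentials",
    ".ssh/id_rsa",
    ".ssh/id_ed25519",
    ".netrc",
    ".npmrc",
    ".git-credentials",
    ".docker/config.json",
    ".kube/config",
)

# Environment variable names that usually carry a secret.
SECRET_ENV_RE = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)

# Dotenv templates that are meant to be committed and should not count as exposure.
TEMPLATE_SUFFIXES = (".example", ".sample", ".template")


def credential_exposure(home: Path, project: Path) -> list[Path]:
    """Files the agent's user can read that are likely to hold live credentials."""
    found = [home / rel for rel in HOME_SECRET_FILES if (home / rel).is_file()]
    # Every .env* under the project tree, except templates.
    found += [
        p for p in project.rglob(".env*")
        if p.is_file() and not p.name.endswith(TEMPLATE_SUFFIXES)
    ]
    return sorted(found)


def scrub_env(env: dict[str, str],
              keep: tuple[str, ...] = ("PATH", "HOME", "LANG", "TERM")) -> tuple[dict[str, str], list[str]]:
    """Deny-by-default environment for the agent process.

    Returns the allowlisted environment and, separately, the names of the
    secret-looking variables that were withheld, so the launch log shows
    what the agent did *not* receive.
    """
    clean = {k: v for k, v in env.items() if k in keep}
    dropped = sorted(k for k in env if k not in keep and SECRET_ENV_RE.search(k))
    return clean, dropped


def run_demo() -> tuple[list[str], dict[str, str], list[str]]:
    """Build a constructed home/project tree with fake contents and report what an agent would reach."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        home, project = root / "home", root / "project"
        fixture = {                                   # constructed sample files, all fake
            home / ".aws/credentials": "[default]\naws_secret_access_key = FAKE\n",
            home / ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n",
            project / "api/.env": "DATABASE_URL=postgres://app:FAKE@db/app\n",
            project / ".env.example": "DATABASE_URL=\n",   # template: not counted
        }
        for path, body in fixture.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        exposed = [p.relative_to(root).as_posix() for p in credential_exposure(home, project)]

    # Constructed shell environment, the kind a laptop session usually carries.
    session_env = {"PATH": "/usr/bin", "HOME": "/Users/dev", "TERM": "xterm",
                   "AWS_SECRET_ACCESS_KEY": "FAKE", "GITHUB_TOKEN": "FAKE", "EDITOR": "vim"}
    clean, dropped = scrub_env(session_env)
    return exposed, clean, dropped


if __name__ == "__main__":
    exposed, clean, dropped = run_demo()
    print("readable credential files:", *exposed, sep="\n  ")
    print("environment passed to agent:", clean)
    print("secret-looking variables withheld:", dropped)
```

Run it and the point is visible: nothing the agent does has to be malicious for those files to be in reach, they are readable the moment it starts. The scrubbed environment is the minimum fix when an agent must run locally; the sandboxes described further down remove the files from reach entirely.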

The market responded faster than the regulation

Here’s what’s interesting: the same velocity that created this problem built the solution. Between late 2024 and early 2026, a new category emerged — agent-native sandboxes — and it moved from experiment to production-ready faster than most security frameworks move through committee.

The underlying technology isn’t new. Firecracker microVMs, the same isolation that powers AWS Lambda, boot in under 200 milliseconds. What changed is the tooling built on top, designed explicitly for the agent use case: persistent environments, checkpoint and rollback, per-minute billing, and hardware-assisted virtualisation that keeps a compromised agent inside its own guest. Reaching the host from there means escaping the hypervisor, a far higher bar than escaping a container that shares the host kernel.

This is what the ecosystem looks like right now.

The new category of agent-native sandboxes

Sprites.dev, built by Fly.io, launched in January 2026 as persistent Firecracker microVMs with a full 100GB NVMe root filesystem. An agent gets a whole Linux machine, not a container. The environment survives between sessions, so an agent can pick up where it left off, and if it destroys the environment you checkpoint-rollback in 300ms. Hardware isolation means a kernel exploit inside the Sprite compromises only the Sprite’s own kernel; your host machine sits on the other side of the hypervisor boundary.

E2B takes the same Firecracker base and optimises for cold start: under 200ms. Open source, SDK-first in Python and TypeScript, with a Docker partnership that gives agents access to real tooling without sacrificing isolation. The right fit if your agent workflow is stateless and bursty.

Daytona pivoted from developer environments to AI code infrastructure in early 2025. It runs on Docker by default, where every sandbox shares the host kernel, with optional Kata Containers isolation that puts each sandbox in its own lightweight VM. It exposes a clean RESTful API and handles state persistence across parallel runs. It’s the pragmatic middle ground between full VM overhead and raw container risk.

Shellbox is the smallest surface area in the category. On-demand Linux VMs accessed purely over SSH — no custom client, no SDK required. Boxes auto-pause when you disconnect, resume on reconnect, and bill per minute at $0.02/hour. If you’re running Claude Code remotely and want true isolation without ceremony, Shellbox gets out of your way entirely.

Cloudflare Sandbox takes the opposite approach: maximum restriction by default. V8 isolates with no filesystem, no environment variable access, and outbound requests blocked unless explicitly permitted. It solves a narrower problem — AI-generated code that must not leak credentials — but solves it completely and at the edge.
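Whichever product enforces it, a default-deny egress rule comes down to a decision function, and the details of that function are where leaks happen. The following is an added example written for this post, not Cloudflare’s code or any other vendor’s: an allowlist of (scheme, host, port) entries with exact or single-label wildcard host matching, exercised against the URL tricks that defeat naive suffix matching (user:pass@ prefixes, look-alike subdomains, IP literals, non-default ports). The allowlist contents are constructed for illustration.

```python
"""Deny-by-default egress policy for sandboxed, AI-generated code.

Added example for this post; it is not Cloudflare's code or any vendor's.
A sandbox that blocks outbound requests unless explicitly permitted needs a
decision function like this one. The allowlist below is constructed for the
demo; the rule shape (scheme, host, port) is an assumption of this example.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed allowlist: exact host, or "*.label" matching exactly one extra label.
DEMO_ALLOW: list[tuple[str, str, int]] = [
    ("https", "api.github.com", 443),
    ("https", "*.internal.example", 443),
]


def _host_matches(host: str, rule_host: str) -> bool:
    """Exact match, or '*.example.com' matching one label in front of '.example.com'."""
    if rule_host.startswith("*."):
        suffix = rule_host[1:]                          # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == rule_host


def egress_allowed(url: str, allow: list[tuple[str, str, int]]) -> tuple[bool, str]:
    """Decide whether a request from the sandbox may leave. Returns (allowed, reason)."""
    try:
        u = urlsplit(url)
        port = u.port                                   # ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if u.scheme not in DEFAULT_PORTS:
        return False, f"scheme {u.scheme!r} not permitted"
    if u.username is not None or u.password is not None:
        # "https://api.github.com@evil.net/" has hostname evil.net; never let userinfo through.
        return False, "userinfo in url not permitted"
    host = u.hostname                                   # lower-cased, brackets stripped
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "ip literal not permitted; allowlist is name-based"
    except ValueError:
        pass                                            # not an IP literal, continue
    if port is None:
        port = DEFAULT_PORTS[u.scheme]
    for scheme, rule_host, rule_port in allow:
        if scheme == u.scheme and rule_port == port and _host_matches(host, rule_host):
            return True, f"matched {scheme}://{rule_host}:{rule_port}"
    return False, f"{u.scheme}://{host}:{port} not in allowlist"


if __name__ == "__main__":
    # Constructed requests an agent might emit, including the look-alike ones.
    for url in [
        "https://api.github.com/repos",
        "https://API.GITHUB.COM/repos",
        "https://api.github.com@evil.net/",
        "https://api.github.com.evil.net/",
        "https://api.github.com:8443/",
        "https://registry.internal.example/",
        "https://deep.registry.internal.example/",
        "https://127.0.0.1/",
        "ftp://api.github.com/",
    ]:
        ok, why = egress_allowed(url, DEMO_ALLOW)
        print("ALLOW" if ok else "DENY ", url, "->", why)
```

Two caveats a practitioner should keep in mind. Enforcement has to sit outside the sandboxed process (a proxy, the hypervisor, or the platform’s network layer), otherwise the code being sandboxed can simply bypass it. And a name-based allowlist says nothing about what the name resolves to; if the resolver can be influenced, an allowed host name pointing at an internal address is still a problem, so resolve and check the address at connection time as well.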

Rivet’s Sandbox Agent SDK sits above all of these. It wraps Claude Code, Codex, Amp, and OpenCode behind a single HTTP/SSE API, running inside whatever sandbox you choose. The problem it solves isn’t isolation — it’s fragmentation. Every coding agent speaks a different protocol. Rivet lets you swap the agent underneath without rewriting your integration.

This is what velocity looks like

Most security problems outlast the products that caused them by years. This one moved differently. The same engineering culture that shipped AI agents into production, fast, iterative, willing to break things, shipped the containment infrastructure within about a year. That’s not accidental. It’s the natural consequence of a community that takes its own tools seriously enough to fix them.

The question “is this what we’re doing now?” — disabling security controls to use AI — has a real answer. The box exists. The isolation is production-grade. The billing is per-minute. There is no longer a valid engineering reason to run a fully autonomous agent against your local machine.

Run agents in mayhem mode. Just not on your laptop.

If your team is running agents in anger and hasn’t thought through the sandbox layer, talk to us. This is exactly the architectural decision that looks minor until it isn’t.

Sources: IBM Security Report: AI Breaches and Access Controls, 2025 · Help Net Security: AI went from assistant to autonomous actor, 2026 · Help Net Security: Enterprises racing to secure agentic AI deployments, 2026 · Simon Willison: Sprites.dev developer and API sandboxes, 2026 · Sprites.dev — Stateful sandboxes by Fly.io · E2B — The Enterprise AI Agent Cloud · Daytona — Secure Infrastructure for AI-Generated Code · Shellbox — On-demand Linux VMs over SSH · Cloudflare Sandbox SDK · Rivet Sandbox Agent SDK · Northflank: E2B vs Sprites.dev comparison, 2026