Public beta · no card required

Sandboxes in milliseconds.

The fastest, safest, and cheapest runtime for AI agents. Spawn a real Linux VM from any Docker image in 10 ms.

Billed per second at $0.04/hour for 1 vCPU + 1 GiB. Typical agent execution costs < $0.001.

$50 free credit · No card required

per-second billing · no cold starts · any OCI image
The impossible triangle: cheap + fast + safe
$ npm install isorun

First-party adapters: Claude Managed Agents · OpenAI Agents · LangChain · LangGraph · MCP · coming soon: CrewAI

01/Runtime · six primitives

One runtime. Six primitives.

Everything an agent needs to run real code safely, at the speed of a function call.

KVM · 01

Hardware isolation

Every sandbox its own guest kernel. No neighbours.

OCI · 02

Any image

Pull from Docker Hub, ghcr, your registry.

boot in 10 ms
fork() · 03

Fork running VMs

Clone an in-flight sandbox. Branch live state in place.

~3 ms / clone
tty · 04

Persistent shells

Long-lived bash. Signals, scrollback, detach.

$ npm run build
✓ built in 2.1s
$ _
tls · 05

Public URLs

Expose a port. Get HTTPS. WS, SSE, H2, H3.

:3000 → https://…
unique · 06

Hibernate / resume

Pause to disk. Restore in 21 ms, where you left.

running · paused · resume 21 ms
02/Architecture · credential proxy · P2

Your secrets never enter the sandbox.

API keys are injected at the network boundary. A memory dump of the guest, a /proc/*/environ walk, and a full process listing all yield nothing. The blast radius of an isolation failure is bounded by the in-flight request, not the credentials you hold.

Guest VM (agent code): OPENAI_API_KEY = sk-placeholder · OPENAI_BASE_URL = 10.0.0.1:443 · /proc/*/environ: (empty)
  ↓ request
Host proxy (credential injection): match base_url · inject header sk-live_… · log · hmac chain (signed)
  ↓ tls egress
Upstream (api.openai.com): authenticated, 200 OK
latency overhead: 0.4 ms · allow-list: default-deny

Four layers of isolation: CPU virtualization (KVM), network policy (default-deny egress), credential proxy (secrets never in guest), audit chain (HMAC-linked log). Hostile code inside the guest cannot read the key, cannot reach an unlisted endpoint, and cannot rewrite the record of what it did.
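
The HMAC-linked audit chain named above, sketched as an added example. It is not isorun's implementation: the record format, the all-zero genesis value and the separately stored head tag are assumptions, and the sample records are constructed.

```python
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed anchor for the first link


def _tag(key, prev, entry):
    # Canonical JSON so an entry always serialises to the same bytes.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()


def append(log, key, entry):
    """Link entry to the previous tag; return the new head tag (hex)."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    log.append({"entry": entry, "tag": _tag(key, prev, entry).hex()})
    return log[-1]["tag"]


def broken_links(log, key, head):
    """Indices whose stored tag disagrees with the recomputed chain.

    head is the latest tag, kept apart from the log. Truncation leaves
    every remaining link valid, so it is reported as index len(log).
    """
    bad, prev = [], GENESIS
    for i, rec in enumerate(log):
        prev = _tag(key, prev, rec["entry"])  # chain on the recomputed tag
        if not hmac.compare_digest(prev.hex(), rec["tag"]):
            bad.append(i)
    tail = log[-1]["tag"] if log else GENESIS.hex()
    if not bad and not hmac.compare_digest(tail, head):
        bad.append(len(log))
    return bad


def sample_log(key):
    """Constructed egress records, not real isorun log output."""
    log, head = [], GENESIS.hex()
    for dst, verdict in [("api.openai.com", "allow"), ("pypi.org", "allow"),
                         ("example.com", "deny"), ("pypi.org", "allow")]:
        head = append(log, key, {"dst": dst, "verdict": verdict})
    return log, head


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: held by the host only
    log, head = sample_log(key)
    forged = copy.deepcopy(log)
    forged[1]["entry"]["dst"] = "unlisted.example"  # rewrite without the key
    print(broken_links(log, key, head), broken_links(forged, key, head))
```

A rewrite of record 1 invalidates records 1 through 3, while dropping records from the end is caught only because the head tag is stored outside the log.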
03/Network · egress profiles · allow · deny

Egress policy, before the packet leaves.

Pick a profile or author a rule set. Enforcement lives in the host kernel. Code inside the guest can't turn it off.

unrestricted · No filtering, sandbox can reach any host · allow-all
locked-down · Air-gapped, no external network at all · deny-all
claude-code · Anthropic API + PyPI + npm + GitHub + crates.io · allow-list
openai · OpenAI API + PyPI + npm + GitHub · allow-list
data-science · HuggingFace + PyPI + GitHub + S3 + GCS + conda · allow-list
web-dev · npm + jsDelivr + cdnjs + Google Fonts + GitHub · allow-list
allowlist.py
from isorun import Sandbox

with Sandbox(
    "python",
    deny=["0.0.0.0/0"],                      # block everything
    allow=["api.openai.com", "pypi.org"],    # …except these
) as sb:
    sb.exec("pip install openai")                   # works
    sb.exec("curl https://api.openai.com/v1/models")  # works
    out = sb.exec("curl -m 2 https://example.com")
    assert out.exit_code != 0                   # blocked
04/Workloads · any image · any port

Bring your image. Expose any port.

No base-image restrictions, no runtime lock-in. If it runs on Linux, it runs on isorun, and if it listens on a port, it’s one call away from a public URL.

Any OCI image

Pull any image. Pinned tags, digests, private registries.

Pass any OCI reference to Sandbox(). First use builds an optimized cache; every boot after is a standard cold-start. The tags latest, lts and stable are rejected at create: we won’t let a silent upstream republish invalidate your cache.

python:3.12 · node:22 · ubuntu:24.04 · ghcr.io/you/agent:1.0 · playwright/python:v1.48
Public URLs

Every port, one TLS hop from the internet.

Call sb.url(port) and get a signed HTTPS URL that proxies to whatever you’re listening on: vite, jupyter, gradio, anything. End-to-end WebSocket, streaming SSE, every HTTP method. ~120 ms warm, ~180 ms cold.

https://5173-run01ab….isorun.app/
05/MCP · model context protocol

Give Claude a real computer.

In under 20 ms, less time than a single model round‑trip.

spawn.py · isorun
# spawn a Linux VM, run code, destroy it
import asyncio
from isorun import Sandbox

async def main():
    sb = await Sandbox.create()
    r = await sb.run("python", "-c", "'2**32'")
    await sb.destroy()

asyncio.run(main())  # await is only valid inside a coroutine in a script

Under 20 ms cold start

Multi-tool agent rounds fit under a single 600 ms frame budget.

Parallel by default

Spin up 30 siblings from one prompt. Each isolated.

Hibernate, resume in 21 ms

Pause a session, come back with scrollback, FDs, and processes intact.

06/Thesis · whitepaper · v1.0

Three constraints. Seven properties.

Agent workloads are simultaneously price-sensitive, latency-sensitive, and security-sensitive. Adjacent workloads stress at most two. That’s the whole design brief.

Constraint A

Low marginal cost

Cheap enough that invoking a sandbox isn't a budget decision. Breaks above roughly five cents an hour.

threshold < $0.05/h · isorun $0.04/h
Constraint B

Low cold-start latency

Fast enough to vanish into a single tool-call. Boot has to sit an order of magnitude below inference latency.

threshold < 20 ms · isorun 10 ms p50
Constraint C

Isolation against hostile code

The boundary has to sit below the untrusted code, hardware-assisted, not namespace-based, not syscall-filtered.

boundary: hardware · layers: 4 deep
id · Property · Mechanism
P1 · Hardware-enforced isolation · Own guest kernel under KVM. No shared syscall surface.
P2 · Out-of-sandbox credentials · Secrets never enter the guest. Injected at the proxy, not the env.
P3 · Default-deny egress · Allow-list from host kernel. Zero-overhead on the data path.
P4 · Tamper-evident audit log · HMAC-chained entries. Rewrites break every subsequent signature.
P5 · < 10 ms create-to-execute · Median boot lands below a single frontier-model tool-call.
P6 · Snapshot / restore · Checkpoint and restore in milliseconds. Speculative execution becomes viable.
P7 · Ephemeral lifecycle · State reclaimed on terminate. No storage bill, no leftover credentials.

Six of seven is not 86% as good as seven. The dimension you omit determines the failure mode you eventually discover.
Emir Beganović · April 2026
07/Pricing · per-second billing

Per second. No minimums.

The advertised price is the price. Egress, storage, and platform fees are included.

$0.04 / hour
1 vCPU · 1 GB RAM · per-second billing
most agent sessions: $0.001 to $0.01 each
  • Per-second billing
  • Unmetered egress
  • Any OCI image
  • TLS, WS, HTTP/3
  • Public HTTPS URLs
  • Hibernate / resume
  • Hardware isolation
  • Default-deny egress
Get access

Spin up your first sandbox in 10 ms.

Public beta. No credit card. $50 of credit on sign-up, about 1,250 hours of a 1 vCPU sandbox.

SDKs: TypeScript · more coming soon  ·  Adapters: Claude Managed Agents · OpenAI Agents · LangChain · LangGraph · MCP  ·  CrewAI coming soon