back

Give your agents
a computer.

Fast, scalable, fully isolated Linux environments — running on your cluster, in your region, under your control. Your AI agents write code, run analyses, and do real work without data ever leaving your perimeter.

Why sandboxes

Tools are verbs you defined.
A sandbox is where the agent writes its own.

MCP servers and function tools are perfect for actions you can name in advance. But the moment an agent needs to load an unfamiliar CSV, glue two APIs together, or debug its own output — it needs a place to think in code. That place is a sandbox.

Analyze data

Load a CSV the agent has never seen, write pandas on the fly, hand back a chart.

Run untrusted code

Execute whatever the LLM just generated — without risking the rest of your system.

Wrangle messy data

Parse a PDF a customer just emailed. Reshape a JSON nobody documented. Coerce types until it works.

Run real computation

Statistics, optimization, simulations, training a quick model. Math that needs an interpreter — not a function call.

Test and self-correct

Let the agent write code, run it, read the error, fix itself. Loop closed.

Use a real computer

Browser, terminal, package managers, file system. The same tools a human engineer would open — for the moments when nothing else fits.

Control sandboxes with the SDK

Claim a sandbox. Run code. Get results.

Three lines from your agent code to a running sandbox. The Python SDK handles the rest.

from prokube.sandbox import Sandbox
with Sandbox.from_pool("python-pool") as sbx:
sbx.commands.run("pip install pandas matplotlib")
sbx.run_code("""
import pandas as pd, matplotlib.pyplot as plt
df = pd.read_csv('/workspace/sales.csv')
df.groupby('region').sum().plot.bar()
plt.savefig('/workspace/chart.png')
""")
chart = sbx.files.read('/workspace/chart.png')

Run code in a sandbox

Claim a sandbox from a warm pool, run arbitrary code, read back the results. The context manager tears it down when you are done.

The UI

Manage, connect, use.

The management UI, a web terminal for coding agents, and MCP-based sandbox access from your own tools.

Manage individual sandboxes or warm pools — in personal or shared team workspaces.

Sandbox overview

For the CISO

Three layers of isolation.
Not one.

Sandboxes are designed for the worst-case assumption: the code about to run was written by a language model one second ago, and you have no idea what it does. Defense in depth is not optional.

No Kubernetes API access

Sandbox pods run with automountServiceAccountToken: false. The code inside has no token, no client, no way to talk to the cluster control plane — even if it tried.

NetworkPolicies on egress

Allow or block outbound traffic per sandbox. Lock untrusted code to internal services only.

gVisor syscall filtering

A user-space kernel intercepts syscalls before they reach the host. Even a container escape buys the attacker nothing.

Give your agents a place to do things.

We can give your team access to a test cluster, so you can try Agent Sandboxes with your own workflows.

Source-available. Engineered in Germany. No vendor lock-in. Ever.