Fast, scalable, fully isolated Linux environments — running on your cluster, in your region, under your control. Your AI agents write code, run analyses, and do real work without data ever leaving your perimeter.
Why sandboxes
MCP servers and function tools are perfect for actions you can name in advance. But the moment an agent needs to load an unfamiliar CSV, glue two APIs together, or debug its own output — it needs a place to think in code. That place is a sandbox.
Load a CSV the agent has never seen, write pandas on the fly, hand back a chart.
Execute whatever the LLM just generated — without risking the rest of your system.
Parse a PDF a customer just emailed. Reshape a JSON nobody documented. Coerce types until it works.
Statistics, optimization, simulations, training a quick model. Math that needs an interpreter — not a function call.
Let the agent write code, run it, read the error, fix itself. Loop closed.
Browser, terminal, package managers, file system. The same tools a human engineer would open — for the moments when nothing else fits.
Control sandboxes with the SDK
Three lines from your agent code to a running sandbox. The Python SDK handles the rest.
from prokube.sandbox import Sandboxwith Sandbox.from_pool("python-pool") as sbx:sbx.commands.run("pip install pandas matplotlib")sbx.run_code("""import pandas as pd, matplotlib.pyplot as pltdf = pd.read_csv('/workspace/sales.csv')df.groupby('region').sum().plot.bar()plt.savefig('/workspace/chart.png')""")chart = sbx.files.read('/workspace/chart.png')
Claim a sandbox from a warm pool, run arbitrary code, read back the results. The context manager tears it down when you are done.
The UI
The management UI, a web terminal for coding agents, and MCP-based sandbox access from your own tools.
Manage individual sandboxes or warm pools — in personal or shared team workspaces.

For the CISO
Sandboxes are designed for the worst-case assumption: the code about to run was written by a language model one second ago, and you have no idea what it does. Defense in depth is not optional.
Sandbox pods run with automountServiceAccountToken: false. The code inside has no token, no client, no way to talk to the cluster control plane — even if it tried.
Allow or block outbound traffic per sandbox. Lock untrusted code to internal services only.
A user-space kernel intercepts syscalls before they reach the host. Even a container escape buys the attacker nothing.
We can give your team access to a test cluster, so you can try Agent Sandboxes with your own workflows.
Source-available. Engineered in Germany. No vendor lock-in. Ever.