← Back to research
·11 min read·company

Microsandbox

Microsandbox is an open-source, self-hosted sandbox platform from Super Rad Company (formerly Zerocore AI) using libkrun microVMs for hardware-isolated AI agent code execution, with a cloud offering in closed beta.

https://microsandbox.dev
sandboxesopen-sourcerustmicrovmcoding-agentsself-hostedsecuritymcppythonlocal-first

Key takeaways

  • Local-first microVM sandboxes with hardware isolation — secrets never leave the host, and snapshot/fork/restore now ships in core
  • libkrun-based architecture boots in ~320ms on bare-metal Linux — faster than Docker (463ms) and 2.5x faster than Firecracker per official benchmarks
  • Company rebranded from Zerocore AI to Super Rad Company; 6.5K+ GitHub stars, Go SDK added, cloud offering in closed beta with waitlist as of June 2026

FAQ

What is Microsandbox?

Microsandbox is an open-source tool for running untrusted code in hardware-isolated microVMs on your own machine, designed for AI agents that need secure code execution without cloud dependencies.

How does Microsandbox differ from E2B?

Microsandbox is self-hosted and local-first using libkrun microVMs, while E2B is a cloud-hosted platform using Firecracker. Microsandbox keeps secrets on-host; E2B offers managed infrastructure at scale.

What languages does Microsandbox support?

Microsandbox provides SDKs for Python, JavaScript/TypeScript, Rust, and Go (added in v0.5.0), with OCI-compatible images supporting any language runtime.

Is Microsandbox production-ready?

Microsandbox is maturing but still pre-1.0. It works on macOS (HVF), Linux (KVM), and Windows via WSL2. Expect breaking changes as the project evolves.

Does Microsandbox have a cloud offering?

As of June 2026 the cloud platform is in closed beta with a waitlist. The local runtime is free forever under Apache 2.0; cloud pricing arrives with the beta.

Executive Summary

Microsandbox is an open-source, self-hosted sandbox platform that uses libkrun microVMs to provide hardware-isolated execution environments for AI agents. Built in Rust by Super Rad Company (formerly Zerocore AI, YC X26), it boots a full VM in ~320ms — faster than Docker — with true VM-level isolation, combining the security of traditional VMs with the speed of containers. Since March 2026 the project has rebranded its company, shipped snapshot/fork/restore, added a Go SDK, and opened a waitlist for its closed-beta cloud platform.

AttributeValue
CompanySuper Rad Company (formerly Zerocore AI)
Founded2024
FundingY Combinator (X26 batch); no other rounds publicly disclosed
FounderStephen Akinyemi
HeadquartersUnknown

Product Overview

Microsandbox takes a fundamentally different approach from cloud-hosted sandbox platforms like E2B. Instead of sending code to remote infrastructure, Microsandbox runs lightweight microVMs locally on your own machine. Secrets never leave the host, networking is programmable from the outside, and each sandbox gets its own dedicated kernel.

The project was created by Stephen Akinyemi, who previously built infrastructure at Zerocore AI. He has articulated the thesis that containers are insufficient for running truly untrusted AI-generated code — shared kernels mean sophisticated attacks can escape. MicroVMs solve this with hardware-level isolation while maintaining the speed developers expect.

Key Capabilities

CapabilityDescription
MicroVM IsolationEach sandbox runs in its own VM with a dedicated kernel via libkrun
~320ms StartupBoots a full VM faster than Docker (463ms) and 2.5x faster than Firecracker (808ms)
Secret InjectionCredentials injected at the network layer — the guest never sees real values
Snapshot / Fork / RestoreSave full VM state, fork hundreds of identical sandboxes from one baseline, sub-millisecond restore
Programmable NetworkingInspect DNS, analyze HTTP traffic, block exfiltration at the IP level; configurable ingress policy
Peer SandboxesCode inside a sandbox can spawn isolated sibling sandboxes with their own network, filesystem, and secrets
OCI CompatibleWorks with standard container images (Docker Hub, GHCR)
MCP ServerBuilt-in Model Context Protocol server for AI agent integration

Product Surfaces / Editions

SurfaceDescriptionAvailability
CLImsb command for server, sandbox, and project managementBeta
Python SDKpip install microsandboxBeta
JavaScript/TypeScript SDKnpm install microsandboxBeta
Rust SDKcargo add microsandboxBeta
Go SDKFull API parity, added in v0.5.0 (May 2026)Beta
MCP ServerNative MCP integration for AI agentsBeta
Project SandboxesSandboxfile-based project config (like package.json for sandboxes)Beta
Cloud PlatformManaged sandboxes with encrypted state and cloud syncClosed beta (waitlist)

Technical Architecture

Microsandbox uses libkrun, a lightweight virtualization library from the containers project that leverages KVM (Linux) or Hypervisor.framework (macOS) for hardware isolation. Unlike Firecracker (used by E2B and AWS Lambda), libkrun includes its own Virtual Machine Monitor and uses Transparent Socket Impersonation (TSI) for networking — avoiding the overhead of virtual network interfaces.

┌──────────────────────────────────────┐
│          Host Machine                │
├──────────────────────────────────────┤
│  ┌──────────┐  ┌──────────┐          │
│  │ Sandbox  │  │ Sandbox  │   ...    │
│  │ (microVM)│  │ (microVM)│          │
│  │ own      │  │ own      │          │
│  │ kernel   │  │ kernel   │          │
│  └────┬─────┘  └────┬─────┘          │
│       │              │               │
│  ┌────┴──────────────┴─────┐         │
│  │   libkrun (KVM / HVF)   │         │
│  └─────────────────────────┘         │
│  ┌─────────────────────────┐         │
│  │   msb server (Rust)     │         │
│  │   + secret injection    │         │
│  │   + network policy      │         │
│  └─────────────────────────┘         │
└──────────────────────────────────────┘

Key Technical Details

AspectDetail
Isolationlibkrun microVMs (hardware-level, KVM/HVF)
Cold Start~320ms boot on bare-metal Linux/KVM (official 10-iteration median; vs Docker 463ms, Firecracker 808ms)
PersistenceFiles saved to ./menv directory on host; full-VM snapshots with sub-millisecond restore
LanguageRust (core), with Python/JS/Rust/Go SDKs
Open SourceYes (Apache 2.0, local runtime); cloud platform will be commercially licensed
Self-HostingFully supported; managed cloud in closed beta
PlatformsmacOS (HVF), Linux (KVM), Windows (WSL2)

Secret Management — The Killer Feature

Microsandbox's most innovative feature is network-layer secret injection. When you provide an API key with an allowed host:

  1. The sandbox sees only a random placeholder (e.g., msb_placeholder_a7f3...)
  2. When the sandbox makes a verified TLS connection to the allowed host, Microsandbox swaps the placeholder for the real credential at the network layer
  3. If the sandbox tries to send the placeholder to any other host, only the worthless placeholder is transmitted

This means even if malicious code reads environment variables and tries to exfiltrate them, the real credentials never leave the host. DNS rebinding protection, cloud metadata blocking, and DNS-to-IP binding activate automatically.

Strengths

  • True hardware isolation — Each sandbox has its own kernel; container escape attacks are irrelevant
  • Local-first — Secrets and data never leave your machine; no cloud dependency
  • Secret injection — Network-layer credential management prevents exfiltration by design
  • Fast startup — ~320ms boot for a full microVM beats Docker on bare-metal Linux per official benchmarks
  • Snapshot/fork/restore — Save full VM state and fork hundreds of identical sandboxes from one baseline with sub-millisecond restore
  • Programmable networking — DNS inspection, HTTP interception, DLP, and domain allowlisting built in
  • Apache 2.0 — Permissive license with no AGPL restrictions (unlike Daytona)
  • Rust codebase — Memory-safe foundation for security-critical infrastructure
  • OCI compatible — Use standard Docker/container images; no proprietary format

Cautions

  • Pre-1.0 — Still on v0.5.x (v0.5.6 released June 10, 2026); expect breaking changes
  • Cloud still gated — The managed cloud remains in closed beta behind a waitlist as of June 2026; teams wanting managed infrastructure today need to look elsewhere
  • Small team — A handful of core contributors; bus factor is a concern
  • No GPU support — CPU-only microVMs; ML inference workloads need alternatives
  • Windows via WSL2 only — Native macOS (HVF) and Linux (KVM); Windows requires WSL2
  • Limited ecosystem — 6.5K stars but a far smaller SDK install base than E2B; early adoption curve
  • No enterprise features — No SOC2, no RBAC, no audit certifications (yet); a composable plugin system covers audit logging
  • Rebrand churn — The Zerocore AI → Super Rad Company rename and GitHub org move (zerocore-ai → superradcompany) may confuse links and package trust signals

What Developers Say

From the Hacker News launch thread (May 2025):

"If we get enough of these sandboxes, maybe we will finally get one that's easy for me to run on my own machines." — simonw

"I think this is the one that looks the closest so far [to being usable]." — hobofan

"I'm still not sure why this warrants being its own project" given Firecracker and Kata Containers. — jauntywundrkind

"When you say 'bullet proof' security, there are exploits to break out of VMs that exist. Have you looked into those?" — spicybright

The tone is cautiously positive: developers want a local-first sandbox this easy, but skeptics question differentiation versus existing microVM tooling and push back on absolute security claims.

Pricing and Licensing

AspectDetail
LicenseApache 2.0 (local runtime); cloud platform will carry its own commercial license
CostLocal and self-hosted use is "free, forever" per the company
Cloud ServiceClosed beta with waitlist as of June 2026; pricing "arrives with the closed beta"
Self-HostedFully supported — laptop, VPC, or air-gapped on-prem

The local runtime remains free and open source. The cloud platform — the presumed monetization path — has moved from "launching soon" to a closed beta with a waitlist, including encrypted state (keys held by the customer) and a forthcoming cloud-sync feature for resuming sandboxes across machines. No public pricing has been published yet.

Competitive Positioning

Direct Competitors

CompetitorDifferentiation
E2BE2B is cloud-hosted with Firecracker; Microsandbox is local-first with libkrun. E2B has enterprise scale; Microsandbox has stronger secret management
DaytonaDaytona is a full dev platform (Docker-based); Microsandbox is a focused execution primitive with hardware isolation
ModalModal offers serverless GPU compute; Microsandbox is local, CPU-only, security-focused
CodeSandboxCodeSandbox targets browser-based dev; Microsandbox targets agent-driven code execution

When to Choose Microsandbox Over Alternatives

  • Choose Microsandbox when: Running untrusted AI-generated code locally, secrets must stay on-host, or you need maximum isolation without cloud costs
  • Choose E2B when: You need managed infrastructure at enterprise scale with compliance certifications
  • Choose Daytona when: You need a complete development platform with team collaboration features
  • Choose Modal when: You need GPU access for ML workloads

Ideal Customer Profile

Best fit:

  • AI agent developers who need to execute untrusted code locally with maximum security
  • Teams handling sensitive API keys who cannot tolerate credential exposure to third parties
  • Self-hosting enthusiasts who want cloud-grade isolation on their own hardware
  • Developers building MCP-integrated tools that need sandboxed execution
  • Security-conscious startups building coding agents or data pipelines

Poor fit:

  • Enterprise teams needing managed cloud infrastructure with SLAs
  • Organizations requiring SOC2 compliance and audit trails
  • Teams needing GPU access for ML workloads
  • Windows-only development environments
  • Teams wanting a mature, battle-tested production platform today

Viability Assessment

FactorAssessment
Financial HealthEarly — YC X26 backing; no other funding publicly disclosed
Market PositionChallenger — Differentiated on local-first and secret management; now also offers tool.store, an MCP tool package manager
Innovation PaceRapid — Seven releases in May–June 2026 alone (v0.5.0–v0.5.6): Go SDK, ingress policy, live metrics, configurable IP pools
Community/EcosystemGrowing — 6,519 GitHub stars and 323 forks as of June 2026 (up from ~5K/238 in March)
Long-term OutlookPromising — Strong technical thesis, YC backing, cloud now in closed beta; needs to convert the waitlist and grow the team

Microsandbox occupies a unique position in the AI sandbox space: it is the only major player betting entirely on local-first, self-hosted microVM isolation. If the thesis is correct that AI agents will increasingly run on developer machines (not just in the cloud), Microsandbox could become the default execution layer. The secret injection feature alone is a meaningful innovation that competitors will likely copy.

Bottom Line

Microsandbox is the most security-focused AI sandbox available today. The combination of hardware-isolated microVMs, network-layer secret injection, and programmable networking makes it technically superior to container-based alternatives for running truly untrusted code.

The trade-off is maturity. This is pre-1.0 software from a small team whose cloud offering is still gated behind a closed-beta waitlist. You are betting on the project and the thesis, not on proven enterprise infrastructure.

Recommended for: Developers building AI agents locally who need maximum isolation and cannot tolerate secret exposure to third-party infrastructure.

Not recommended for: Enterprise teams needing managed, compliant, production-grade sandbox infrastructure today.

Outlook: Momentum is real — the rebrand to Super Rad Company, a Go SDK, snapshot/fork/restore, and seven releases in six weeks show a team shipping fast. The cloud platform has advanced from "launching soon" to closed beta with a waitlist; general availability and public pricing are the next milestones to watch, along with first enterprise customers.

Research by Ry Walker Research • methodology

Sources

Share on XShare on LinkedIn