Replying to @SaiyamPathak
Nice! Does it support nested virtualization for running microvms in k8s? I read that this would require at least m3 hardware?
9
cyre.casa #TruthPetitionPH 🟢 retweeted
I’ll note that these are mostly so-called MicroVMs, which charge by the millisecond. Unlike a VPS, they start → execute → shut down. We’re clearly moving toward agents that can freely switch between local and remote execution, with shared state across both. That’s actually exactly what I’m working on right now, lol.
1
7
856
Replying to @zeeg
we are building docker, but with microvms @microsandbox it is fast and easy microvms running locally on your machine. and we have a frictionless agent-ready SDK and CLI
6
161
This is a great video to understand the differences between containers, VMs, MicroVMs and what goes into building sandboxes for running AI agents securely. youtube.com/watch?v=wsFd22SL…

7
Jun 12
ANTHROPIC JUST SHIPPED THIS TODAY. A 16-YEAR-OLD ALREADY CLOSED $84,600 WITH IT
temu enterprise infra, fully autonomous, self-hosted, and all running on claude
ALL the infra is his too
no devops team, no platform engineers, no 14-month roadmap. one kid pointing claude managed agents at a sandbox he spun up himself for the price of a large pizza
the brain stays on anthropic, the hands run on his box. the agent loop is managed, every tool call executes inside his own perimeter
the stack: claude managed agents, a self-hosted sandbox, e2b microVMs for isolation, vaults for keys, a cron schedule so it all works overnight
the setup:
→ defined the environment once, ran hundreds of sessions against it
→ tool execution never leaves his VPC, credentials never touch the model
→ the vault holds the API keys, the sandbox only ever sees a placeholder
→ scheduled deployments so the agents file work while he sleeps
→ every session gets its own isolated container, full event log, resume or trace anything later
→ treated claude like a delivery team, not a chat box
he wired the agents straight into client codebases. find the bug, fix the bug, open the PR, no human in the loop until review
the whole operation runs at about $58 a month. anthropic literally says prototype to launch in days instead of months. he took that literally
meanwhile every funded startup in his batch is still 14 months deep in a "production agent infrastructure" roadmap, burning seed checks to build the exact sandbox layer anthropic just shipped today as one config line
he closed $84,600 in signed client contracts before a single one of them put anything in front of a customer
people are already benchmarking founders by how little infra they need to own to win
a teenager with a $30 box is out-executing companies with real cap tables and zero shipped product
the official guide dropped today. he didn't wait for it
2026 is wild (and it's going to get even wilder)
Claude Managed Agents can operate in a sandbox you control, on your own infrastructure or with any provider you choose. Today we added new guides for @blaxelAI, @e2b, @googlecloud, @namespacelabs, and @superserve_ai, so you can choose the best fit for your use case.
3
2
24
6,980
Replying to @kajogo777
"audit chain is local DSSE Merkle, not externally anchored (no Sigstore/Fulcio/Rekor despite earlier claim)" - we never claimed it was - sigstore is used for artifact attestation. For the rest, we are a poor fit, we are not providing hardware rooted isolation, we provide fine-grained capability based isolations, something not possible for all the others, who really are microvms wearing 'I am now an agent sandbox' t-shirts.
10
Replying to @tobiastornros
I have; there are many microvms but this one is mine! I wanted a particular shape and the ability to change it myself.
1
39
With @StackshiftCloud Buildpack, you get faster builds and a cleaner deploy path. On a Pro plan, your app runs with a VM-backed isolation using microVMs, so you get a stronger security boundary than a shared container runtime.
1
1
20
Replying to @CosmicEggEarth
Hmm... I've been launching hundreds of microVMs a day since 2023. Most run Docker inside, about a half - full-fledged Kubernetes clusters. No issues if you bake the guest right. And on the host side, each of these microVMs is wrapped with a Docker container, mainly for networking isolation and simpler garbage collection on shutdown. Again, no issues. But if I were to skip the Docker daemon, I'd need to synchronize container creation, which is not fun at all.
1
21
Replying to @iximiuz
JIC, I want to separate those statements:
- Docker works often "magically" and using more moving parts which are implicitly expected, but... good luck debugging if you've had an issue with broken state (I literally have checklists)
- the "newer" solutions remove the magic parts here and there; some remove the daemon, runc goes further etc.
- microvms... I like them irrationally, and what I meant - I've noticed that I have to justify liking them in conversations. So most certainly it's not as rational as it seems to me
1
1
38
Replying to @CosmicEggEarth
I agree that Docker has many moving parts, but most, if not all, "newer" solutions, especially microVMs, tend to have even more of them. For instance, when it comes to networking, it's usually the same bridge, but with tap devices instead of veth devices. And this is often wrapped with an extra network namespace, connected with the host via an extra veth pair. Hoops all the way down.
2
4
465
AgentCore is interesting because it gives coding agents the boring stuff: isolated microVMs, a persistent workspace, and a real shell.
18
Replying to @kellabyte
Yeah, sadly, firecracker is not a user solution. It's only reasonable for a compute provider. You can only be sold microVMs, you can't bring your own microVM solution. It's a sad, sad world, because I love virtualization and wish I could just use whatever virt technology I like
1
1
696