What counts as a sub-second sandbox startup?

Sub-second sandbox startup means a sandbox reaches a usable state in under one second from the moment it's requested. That can mean cold creation from a template, where a fresh microVM boots from scratch. It can also mean resume from standby, where a paused sandbox restores from a snapshot. The two operations are different, and similar numbers can describe completely different work depending on what the vendor is timing.

Is resume from standby the same as a fast cold start?

No. Cold creation boots a new sandbox from scratch, fetching the image, booting a kernel, and initializing user-space processes. Resume from standby restores an existing sandbox state from a snapshot, including memory pages, filesystem contents, and running processes. Resume bypasses kernel boot entirely and typically completes in milliseconds, while a cold start runs through the full boot sequence even when optimized.

What is a realistic cold creation time in production?

For Firecracker-based systems, minimal-kernel configurations can hit 125 milliseconds to /sbin/init. Production templates with language runtimes, dependencies, and project files typically run from a few hundred milliseconds up to a second. Application initialization often dominates the measurement once the hypervisor finishes booting. Teams that need consistent sub-second cold creation rely on slim images, precompiled dependencies, or snapshot-based optimizations that skip the cold path entirely.

Why does standby duration matter?

Standby duration determines whether fast resume actually helps your usage pattern. When a platform deletes sandbox state after a limited window, returning users pay the full cold creation cost again. That includes dependency installs and file restoration. Coding assistants and PR review agents see users return sporadically, so short standby windows push more sessions to the cold path. Indefinite standby preserves the fast-resume benefit across every return.

When should teams care most about startup latency?

Startup latency matters most for interactive, user-facing agents where startup sits directly on the perceptible response path. Coding assistants rendering live previews, PR review agents responding to webhooks, and any agent serving sub-second user expectations fall into this category. Background and batch workloads usually care more about throughput and parallelism than per-invocation startup time. Boot disappears into a longer-running task and doesn't affect user-perceived response.

Sub-second sandbox startup: what is actually possible in 2026

Cold creation vs. resume from standby, what platforms actually deliver, and how to benchmark sandbox startup performance for your agent workload.

Nicolas Lecomte

Published June 18, 2026

13 min

Production AI agents that execute code and need persistent state accumulate context over time. They build up crawled datasets, fine-tuned parameters, and conversation history. Warm caches persist across sessions. Every time a sandbox expires or gets garbage-collected, that accumulated state disappears. Teams then spend engineering hours and compute budget rebuilding context the agent already produced.

A sandbox environment is an isolated execution environment where an AI agent runs generated code. The agent interacts with external services and manages files without affecting the host system or other tenants. The gap between "sandbox that runs code" and "sandbox that remembers what it did last week" stalls many production deployments. Standby caps, idle billing, and ephemeral filesystems push teams into workarounds that add latency, cost, and fragility.

This guide compares five platforms for running long-lived, stateful sandbox workloads in production. It covers isolation, persistence, resume speed, and cost tradeoffs so you can match the right platform to your workload.

What makes a sandbox environment suitable for long-running AI workloads?

Sandbox environments for AI agents provide isolated compute where generated code executes without access to host systems or neighboring tenants. For agents that run for days or weeks, isolation alone is not enough. The platform needs to preserve what the agent built between sessions.

Five dimensions separate platforms built for ephemeral script execution from those built for production agent workloads:

State persistence: Whether filesystem, memory, and running processes survive between sessions. Agents that accumulate context, including conversation history, crawled datasets, and installed packages, lose their advantage when state resets. Full-context memory approaches consume roughly 26,000 tokens per conversation on standard benchmarks. Rebuilding that context on every invocation burns tokens and adds latency.
Resume latency: Time from standby to executing code. Jakob Nielsen's research established 100 milliseconds as the ceiling for users to feel a system reacts instantaneously. Sub-second resume matters for interactive agents. Delays compound across tool call chains where a single request triggers multiple sandbox invocations.
Standby duration: How long the platform keeps a sandbox alive without compute charges. Short caps force teams into external state management or data loss.
Isolation model: microVMs run a separate kernel per sandbox. Containers share the host kernel, creating a larger blast radius for workloads executing untrusted code in multi-tenant environments. The CVE-2024-21626 ("Leaky Vessels") container escape vulnerability demonstrated this risk concretely.
Cost model during idle periods: Whether teams pay for standby or only for active compute. Tool-augmented AI agents exhibit GPU idle periods accounting for as much as 54.5% of total execution time. Long-running agents spend most of their time waiting.

These five dimensions shape the comparison that follows.

AI agent sandbox platforms at a glance

The table below summarizes how each platform handles the dimensions that matter for persistent, long-running agent workloads. Detailed breakdowns follow in the platform-specific sections.

Dimension	Blaxel	E2B	Modal	Daytona	Fly.io
Isolation model	microVMs (Firecracker-based)	microVMs (Firecracker-based)	Container (gVisor syscall interception)	Container (Docker)	microVMs (Firecracker)
State persistence	Full filesystem + memory in standby; not guaranteed perpetual durability (volumes recommended for long-term storage)	Filesystem and memory; paused sandboxes kept indefinitely	Filesystem snapshots + memory snapshots (alpha)	Filesystem; archived after a configurable stopped interval; restores from archive take longer	Filesystem via volumes; automatic daily snapshots with configurable retention (not recommended as primary backup)
Resume from standby	Sub-25ms	Fast resume and creation are part of the platform positioning	Not publicly documented in this article	Not publicly documented in this article (fast for pre-built templates only)	Machines can boot quickly, but performance varies by startup mode and conditions
Maximum standby duration	Unlimited (perpetual)	Indefinite (paused sandboxes kept indefinitely)	Alpha feature with limited retention	Auto-stop after inactivity; archived after a stopped interval by default	No auto-deletion (manual management required)
Concurrency	50,000+ concurrent sandboxes	Not publicly documented in this article	Not publicly documented in this article	Not publicly documented in this article	Machines API (user-managed scaling)
Deployment model	Managed platform	Managed platform	Managed platform	Managed platform / self-hosted	DIY on Fly.io infrastructure
Pricing model	Usage-based, billed per second by sandbox size; no memory charge during standby (snapshot/volume storage charges still apply)	Usage-based with sandbox time billing	Usage-based billing	Usage-based billing with a default idle window	Per-second billing for running Machines
Ideal workload	Production AI agents needing persistent state + instant resume	Short-lived code execution, developer prototyping	GPU inference, batch Python workloads	Development workspaces, collaborative coding	Teams comfortable managing their own agent infra

Each platform section below unpacks these tradeoffs with specific feature details, pros, cons, and workload fit.

1. Blaxel

Blaxel is a perpetual sandbox platform built for AI agents that need stateful, long-running execution environments. The core problem is that agents accumulate context over days and weeks. They need infrastructure that preserves that context without idle charges or standby deadlines.

The platform spans Sandboxes, Agents Hosting, MCP Servers Hosting, Batch Jobs, and a Model Gateway. Co-locating these components on the same infrastructure eliminates network roundtrip latency between the agent and its sandbox. Teams building coding agents, PR review agents, or data analysis workflows get one platform for the full agent stack.

Key features

Sub-25ms resume from standby for Sandboxes, Agents Hosting, and MCP Servers Hosting.
Perpetual standby with zero compute cost is available on higher quota tiers. Starter quotas can enforce TTL-based deletion policies, while higher tiers allow sandboxes to wait on standby indefinitely when not in use.
microVM isolation. Each sandbox runs in an individual microVM with its own kernel. Blaxel uses the same microVM approach as AWS Lambda for hardware-enforced tenant isolation.
Persistent filesystem and memory state across sessions while the sandbox remains in standby. Running processes are preserved in snapshots. For guaranteed long-term persistence, use Volumes.
Co-located agent hosting eliminates network roundtrip latency between agent and sandbox.
High concurrent sandbox capacity in production.
Automatic standby occurs when there are no active connection requests. After network inactivity, the sandbox transitions from active to standby. Scale-to-zero economics.
Networking features include custom domains, dedicated egress gateways (in private preview), and secrets injection via proxy routing.
SOC 2 Type II, ISO 27001:2022, and HIPAA compliance, with Business Associate Agreement (BAA) support.
The OpenAI Agents SDK focuses on orchestration, tool execution, handoffs, guardrails, tracing, and sandbox execution.
Hosting supports Python and TypeScript. SDKs are available for Python, TypeScript, and Go.

Pros and cons

Pros:

Blaxel's documentation says higher quota tiers allow unlimited persistence and that standby preserves the full sandbox state via snapshot and resume.
Among the evaluated platforms with publicly stated resume-from-standby figures, Blaxel's stated time appears to be the fastest. This is especially relevant for interactive agent workloads.
Hardware-enforced isolation via microVMs, not containers.
Integrated agent stack, including agent hosting, sandbox, MCP servers, and batch jobs, removes multi-vendor complexity.
Enterprise compliance certifications: SOC 2 Type II, ISO 27001, and HIPAA.
Scale-to-zero economics. Zero compute cost during standby periods that dominate agent lifecycle time.

Cons:

CPU-focused infrastructure without GPU support for inference or training.
Language support limited to Python, TypeScript, and Go. No Ruby, Java, or Rust.
No support for air-gapped deployment. For on-premise solutions, the supported models are limited to private endpoint connectivity and bring-your-own-metal options.

Best for

Coding agents and codegen workflows are the primary fit. Blaxel sandboxes can power AI coding workflows with real-time previews of AI-generated code. Each user gets a dedicated sandbox that sits in standby until the next session, resuming with full state intact. The platform also serves autonomous research agents, PR review agents, and multi-step workflow agents.

2. E2B

E2B is an AI sandbox platform providing secure code execution environments with fast boot times. It targets developer-focused use cases and smaller-scale projects. The open-source runtime gives teams visibility into the execution layer. E2B fits teams building prototypes or short-lived code execution workflows, and paused sandboxes are kept indefinitely with no automatic deletion or time-to-live limit.

Key features

Firecracker microVM-based isolation with separate Linux guest instances per session.
Fast cold creation time.
Open-source sandbox runtime (Apache-2.0).
SDK support for Python and TypeScript.
Sandbox persistence depends on the tier and state: running sandboxes have time limits, while paused sandboxes are kept indefinitely.
Custom templates for pre-configured environments.
Supports Python, JavaScript and TypeScript, R, Java, and Bash execution.

Pros and cons

Pros:

Open-source model gives visibility into the runtime.
Reported creation times are fast.
Active developer community and documentation.
Good fit for short-lived code execution tasks.

Cons:

Production networking features are more limited in this article than Blaxel's managed setup.
Custom domains and dedicated IPs are supported through documented proxy-based setups, including running your own infrastructure such as a GCP VM.
No secrets injection via proxy routing documented in public SDK.
No co-located agent hosting. Agent and sandbox communicate over the network, adding latency to every tool call.

Best for

Developer teams and prototyping projects building code execution features where sandboxes are short-lived during active use and production networking requirements are minimal.

Practitioners from Vita AI have confirmed production E2B use with mounted volumes for personal skills and organization workspaces. Less suited for enterprise workloads needing publicly documented compliance certifications, though E2B does support long-term state persistence via sandbox pause/resume.

3. Modal

Modal is a serverless compute platform focused on GPU workloads and Python functions. Sandbox functionality is a secondary product rather than the core focus. Modal fits teams whose primary need is GPU inference or batch processing and who want sandbox capabilities as an add-on.

Modal uses gVisor for isolation. gVisor intercepts system calls at the user-space level and runs a separate userspace kernel per sandbox. That creates a materially different security model from Firecracker microVMs. It is one of the seven sandbox providers recognized in the OpenAI Agents SDK.

Key features

gVisor-based isolation (syscall interception, not hardware virtualization).
GPU support for inference and training workloads.
Python-first SDK and developer experience.
State can be preserved with snapshots, including memory snapshots in alpha.
Filesystem and memory snapshot retention is presented as limited in alpha sandbox persistence.
Usage-based billing.

Pros and cons

Pros:

Strong GPU infrastructure for teams combining inference with code execution.
Polished Python developer experience.
Good fit for batch processing and data pipelines.

Cons:

Sandbox lifetimes are constrained compared with platforms designed around perpetual standby.
Sandboxes are a secondary product. This is more relevant when sandbox execution is a primary cost driver.
gVisor shares the host kernel, intercepting syscalls at the user-space level rather than providing hardware-enforced boundaries. For untrusted code execution in multi-tenant environments, this is a weaker isolation model than microVMs.
No co-located agent hosting or MCP server hosting.

Best for

Teams whose primary workload is GPU inference or batch Python processing and who want sandbox functionality as a supplement. Not the strongest fit for persistent, long-running sandbox environments for AI agents executing untrusted code.

4. Daytona

Daytona is a development workspace provider that pivoted from developer environments to AI agent infrastructure in early 2025. It uses container-based isolation via Sysbox, with docs also referring to container and/or microVM technology. The archive limit for expired workspaces fits teams building developer tooling more than production agent infrastructure.

Daytona is open-source under AGPL-3.0 and is one of the sandbox providers supported in the OpenAI Agents SDK.

Key features

Daytona's architecture describes isolated sandboxes built on OCI/Docker compatibility, and its open-source deployment uses Docker Compose.
Self-hosted or managed deployment options.
Pre-built templates for fast workspace creation.
Default idle timeout before auto-shutdown, which can be disabled.
Workspaces can be configured to auto-archive after being stopped for a specified interval.
Usage-based billing.
Open-source (AGPL-3.0).

Pros and cons

Pros:

Self-hosted deployment option for teams with on-premise requirements.
Fast creation times for pre-built templates.
Collaborative development workspace features.
GPU support has been reported in independent sources.

Cons:

Container isolation shares the host kernel. For untrusted code execution in multi-tenant environments, that creates more shared-kernel exposure than a microVM model. Some discussions describe Daytona as using Sysbox to provide a more VM-like container environment, though the specific attribution and wording could not be verified.
The default idle window adds compute cost after every session. This is longer than Blaxel's transition to standby under its per-second billing model.
Archived workspaces require slow restoration.
No native custom domains or dedicated/static IPs.

Best for

Development teams needing collaborative workspace environments with a self-hosted deployment option. Less suited for production AI agent workloads requiring perpetual state, instant resume, or hardware-enforced isolation for untrusted code.

5. Fly.io

Fly.io is a global cloud platform running Firecracker microVMs with a Machines API that developers use as ad-hoc sandboxes, which fits teams comfortable building and maintaining their own sandbox infrastructure on top of raw compute primitives.

Fly.io uses Firecracker microVMs. This provides a hardware-enforced isolation model similar to E2B and Blaxel. Fly.io does not appear in the visible provider examples of the OpenAI Agents SDK docs, and its Machines API is documented through official HTTP interfaces.

Key features

Firecracker microVM isolation.
Programmatic VM management is available via the Machines REST API.
Global deployment across multiple regions.
Volumes for persistent storage.
No automatic sandbox deletion (user manages lifecycle).

Pros and cons

Pros:

microVM isolation provides hardware-enforced security boundaries. This gives stronger separation than shared-kernel containers for workloads executing untrusted code in multi-tenant environments.
No platform-imposed standby caps. VMs persist until the user deletes them.
Mature global infrastructure with broad regional coverage.
Full control over VM configuration and lifecycle.

Cons:

No managed sandbox features. Teams must build tunnels, snapshots, logging, and observability themselves.
No co-located agent hosting, MCP server hosting, or integrated agent stack.
Fly.io primarily exposes a REST API for Machines/VM management.
No built-in state persistence. Requires manual volume and snapshot management.
Boot and resume behavior are less optimized for managed sandbox workflows.
Not recognized as an OpenAI Agents SDK provider.

Best for

Infrastructure-savvy teams willing to build and maintain custom sandbox tooling on top of microVM primitives. Strong fit for organizations that already run workloads on Fly.io and want to add sandbox capabilities without adopting a new vendor. Less suited for teams that want managed, production-ready agent infrastructure out of the box.

Why production AI agents that execute code need persistent, isolated execution

For long-running AI agents that execute code and need persistent state in production, sandbox environments are core infrastructure. They determine whether agents maintain context across sessions, execute untrusted code safely, and resume without rebuilding state.

An arXiv characterization study found that OS-level execution, including tool calls, container initialization, and sandbox operations, accounts for 56–74% of end-to-end agent task latency. LLM reasoning accounts for only 26–44%. Agents that lose state on every restart burn compute rebuilding context. They add latency rebuilding caches and risk failures when external data shifts between sessions.

Perpetual sandbox platforms like Blaxel address these production requirements by combining indefinite standby, zero compute cost while idle, instant resume, and microVM isolation. Agents pick up exactly where they stopped: filesystem, memory, and running processes intact while preserved in standby. For guaranteed long-term retention, use Volumes. For teams building coding agents, PR review agents, or data analysis workflows, those capabilities often separate demos from production deployments.

Ready to test persistent sandboxes for your agent workload? Talk to the Blaxel team or start building on the free tier.

Frequently asked questions about sandbox environments

What is a sandbox environment?

A sandbox environment is an isolated execution environment where code runs without affecting the host system or other workloads. AI agents use sandboxes to execute generated code, run tools, and interact with external services inside a controlled boundary.

What is the difference between an ephemeral sandbox and a persistent sandbox?

Ephemeral sandboxes destroy state when they shut down. Persistent sandboxes preserve filesystem, memory, and running processes across sessions. For AI agents that accumulate context over time, persistent sandboxes eliminate the cost and latency of rebuilding state on every invocation.

Why do AI agents need microVM isolation instead of containers?

For AI agents executing untrusted or generated code in multi-tenant environments, microVMs provide a separate kernel per sandbox. Containers share the host kernel, which means a vulnerability in one container can expose other workloads. The CVE-2024-21626 runc escape demonstrated this concretely: unprivileged container workloads achieved host filesystem access. microVM architectures are structurally separated from the host in ways that reduce exposure to this attack vector.

How does standby duration affect AI agent infrastructure costs?

Platforms that cap standby force teams to either keep sandboxes running, paying for idle compute, or accept state loss and rebuild. Platforms with unlimited standby and zero idle-compute charges eliminate this tradeoff. The FinOps Foundation says serverless architectures let teams pay only for the compute resources they consume and are especially effective for sporadic or unpredictable workloads.

What resume latency is acceptable for production AI agents?

Interactive agents, including coding assistants and real-time tools, need sub-second resume. Nielsen's research places the threshold for perceived instant response at 100 milliseconds. Delays compound across tool call chains. For batch or async workflows, resume latency is less critical than throughput and concurrency.

COMPUTE

STORAGE

NETWORKING

Get started for free

Get started for free

COMPUTE

STORAGE

NETWORKING

Sub-second sandbox startup: what is actually possible in 2026

What makes a sandbox environment suitable for long-running AI workloads?

AI agent sandbox platforms at a glance

1. Blaxel

Key features

Pros and cons

Best for

2. E2B

Key features

Pros and cons

Best for

3. Modal

Key features

Pros and cons

Best for

4. Daytona

Key features

Pros and cons

Best for

5. Fly.io

Key features

Pros and cons

Best for

Why production AI agents that execute code need persistent, isolated execution

Frequently asked questions about sandbox environments

Related Articles

Sandbox provider security assessment: a checklist for enterprise buyers

Defining the perpetual sandbox

5 Top AI Agent Runtime Tools for Production Workloads