Why must agent-generated code execute in an isolated sandbox, and what are e2b and Modal's isolation models?
Explain why agent-generated code must run in an isolated sandbox rather than directly on the host. Describe how e2b and Modal achieve isolation differently.
Agent code is untrusted, so it must run in a throwaway sandbox with no host access, no default network, and CPU, memory, and time limits, never a bare subprocess.
Imagine you hire a stranger to test recipes in your house. You would not hand them keys to every room, your wallet, and the front door. You would put them in a rented kitchen with a timer, basic ingredients, and a locked door, then throw the kitchen away when they leave. Agent-generated code is that stranger. The model might write something harmful by accident, or someone might trick it into writing something nasty. So you run the code in a disposable box that has no path to your real files, no money or passwords lying around, and a clock that shuts it off. If the code misbehaves, only the rented box is wrecked, and you delete it anyway. Your real machine never even saw the stranger.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Open with why agent code is untrusted (model mistakes plus prompt injection), state that a bare subprocess inherits the host so it is no boundary, lay out the defense in depth defaults (no network plus egress allowlist, ephemeral filesystem, CPU, memory, and time limits, seccomp), then contrast container, gVisor, and microVM isolation and place e2b and Modal on that spectrum with the latency tradeoff.
Real products, models, and research that use this idea.
- e2b runs each agent code execution in a Firecracker microVM, giving every run a separate guest kernel and an ephemeral filesystem that is torn down afterward.
- Modal executes serverless functions in ephemeral Docker-based containers with read-only base images and per-function CPU, memory, and timeout limits.
- OpenAI's Code Interpreter, now the ChatGPT data analysis tool, runs model-generated Python in a network-disabled sandbox with a disposable filesystem.
- Google uses gVisor to add a user-space kernel layer in front of containers running untrusted workloads, shrinking the host syscall attack surface.
- Anthropic's Claude Code and computer use deployments emphasize running agent-driven actions inside isolated environments rather than directly on a developer's host.
What an interviewer would ask next. Try answering before peeking at the approach.
QAn attacker injects code that must phone home to exfiltrate data, but you run a no-network sandbox with an egress allowlist. What are the remaining exfiltration paths and how do you close them?
QWhy is a Firecracker microVM considered a stronger boundary than a hardened container with seccomp, gVisor, and dropped capabilities?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating a sandbox as a feature for catching bugs rather than a security boundary. The real job is containing untrusted code, including code an attacker injected, not just stopping accidental crashes.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.