Apache-2.0 · self-hosted · one daemon

Sandboxes for AI agents, on your own hardware

Run thousands of secure, persistent sandboxes on a Mac, a VM, or bare metal. Provider keys never enter the sandbox, every agent has a hard spend cap, and default-deny egress means a rogue prompt has nowhere to phone home.

Join the Cloud waitlist

Apache-2.0 · no lock-in · runs on the laptop you already own

viewing window · cell 9f3ab2

Terminal transcript: hc run --egress --spend-cap 5 "claude 'fix the failing tests'". Sandbox 9f3ab2 created — warm boot in 7ms. Egress token minted, cap $5.00, models claude-*. Default-deny egress on, registries allowlisted. Agent running, LLM cost $0.42, keys leaked: 0.

dosimeter — llm spend

Runs your agents — Claude Code · Codex · OpenCode · Mastra

Isolation tiers: Docker · Firecracker · Apple VZ

failure modes

You want to run untrusted agent code at scale. Two things bite immediately.

Credentials

Put your real API key in the sandbox and a prompt injection, a leaked log, or a malicious dependency can read it and walk off with full account access.

Blast radius

An agent that goes wrong can spend unboundedly, or phone your data out to anywhere on the internet.

Prompt-only defenses fail. Containment is enforced at the infrastructure layer or it isn't enforced at all.

containment model

Every byte out of a sandbox flows through one chokepoint.

Code can't touch the host

Per-sandbox isolation with three drivers behind one interface: Docker containers, plus Apple VZ and Firecracker microVMs — warm pools adopt a pre-booted VM in ~7ms, and full-VM snapshots pause and resume running processes.

Keys can't be stolen

Provider keys live on the daemon, never inside a sandbox. Each sandbox gets a revocable token the gateway swaps for the real key on the way out — a leaked token is worthless.

Money can't hemorrhage

Hard USD spend caps, model and provider allowlists, sliding-window rate limits, and token TTLs — plus a per-sandbox ceiling and real cost metering, LLM cost included.

Data can't leave

Default-deny egress on Linux: a sandbox reaches only the gateway and a pinned DNS resolver, every denial logged. MicroVM guests have no network device at all — the gateway, over vsock, is the only way out.

hc egress 9f3ab2 --spend-cap 5 --models 'claude-*' --rate-calls 60 --rate-window 1m --ttl 24h

spec sheet

Everything else a sandbox needs.

persistent workspaces
/workspace volumes survive stop, start, and daemon restarts.
streamed exec + sessions
SSE-streamed commands with persistent shell sessions.
preview URLs
An L4 proxy routes a URL to any port inside the sandbox.
code interpreter
Stateful Python and JS execution that holds state between calls.
backups + restore
Snapshot a sandbox, roll it back later.
pause + resume
Idle sandboxes hibernate; any operation resumes them. MicroVM snapshots resume in ~80ms.
resource caps + admission
Hard memory/CPU/PID caps; refuses to over-subscribe the host.
metrics, cost, traces
Per-sandbox CPU/mem/net, a configurable $ meter, OpenTelemetry.

procurement

Build, buy, or own.

Managed sandboxes bill per second forever. Building your own is 6–12 months of infra work. hotcell is the third option: own it without building it.

CapabilityhotcellE2B self-hostDaytonaNVIDIA OpenShellTencent CubeSandbox
InstallOne npm installTerraform + Packer deploy (Nomad/Consul); bring your own Postgres + Cloudflare domainManaged cloud; BYOC deploys via Helm charts on KubernetesCLI + gateway (alpha, single-player)Install script on Linux/KVM; single node or CubeMaster cluster
Keys out of sandboxYes — keys stay on the daemon; sandboxes get revocable tokensPartial — header-injection proxy (beta); no key vaultYes — placeholder tokens, fail-closed proxyYes — credential vault; keys injected at CubeEgress proxy
Spend caps + cost meteringPer-token and per-sandbox USD caps; real cost metering, LLM includedCompute metering (vCPU/RAM/disk); no LLM spend controls
Default-deny egressKernel-enforced on Linux; allowlisted registries; every denial loggedNo — internet on by default; opt-in filters cover ports 80/443 onlyRestricted on lower tiers; registries and AI APIs always allowedYes — deny-by-default proxy, with a built-in inference.local bypassYes — L7 domain allowlists; eBPF prevents bypass; denials audited
True pause/resumeYes — full-VM snapshots resume in ~80ms; idle auto-pause built inYes — orchestrator pause/resumeVM sandboxes only; containers lose memory on stopYes — AutoPause/Resume via full-VM snapshots
Fleet of sandboxes per hostOne daemon runs the whole fleet, with admission controlYes — orchestrator nodes run many sandboxes via cluster APIDaytona's control plane manages the fleet; BYOC = your runner nodesGateway API — alpha, one gateway per developerYes — Cubelet per node, CubeMaster cluster orchestration
Isolation tiersDocker · Firecracker · Apple VZ microVMsFirecracker microVMs (GCP; AWS beta)Container class default; Linux/Windows VM classes (hypervisor unnamed)Containers, libkrun microVMs, K8s podsKVM microVMs (RustVMM) — Linux/KVM only
LicenseApache-2.0Apache-2.0Private codebase since June 2026; AGPL-3.0 repo unmaintainedApache-2.0Apache-2.0 (third-party component exceptions)

Comparison reflects each project's own public docs as of July 2026 ("—" means the docs don't document it); corrections welcome via GitHub issue.

procedure

Sixty seconds to a contained agent.

  1. 1
    npm install -g hotcell
  2. 2
    hc daemon &   # REST :4750 · preview :4751 · egress gateway :4752
  3. 3
    hc run --egress --spend-cap 5 "claude 'fix the failing tests'"

Open the dashboard at 127.0.0.1:4750 — live terminal, metrics, cost meter, preview links.

licensing

Open source and Cloud.

Open source — free forever

One daemon, one host, unlimited sandboxes. Every containment guarantee included. Apache-2.0.

hotcell Cloud early access

One control plane for your whole fleet: central key vault, org-wide egress policy, per-team spend quotas, SSO and audit. Your hardware, our coordination layer.

operator's manual

Questions, answered honestly.

How is this different from E2B?

E2B is a managed sandbox service billed per usage, with a self-host path that means standing up its full infra stack yourself. hotcell is one daemon you npm-install on hardware you already own — a Mac, a VM, or bare metal — with the containment layer (key vaulting, spend caps, default-deny egress) built in rather than left to you. If you want someone else to run the servers, use a managed service; if you want the sandboxes on your own metal, that's what hotcell is for.

Does default-deny egress work on macOS?

Kernel-enforced default-deny egress is Linux-only for the container driver. On macOS with Docker Desktop, enforcement is advisory — the gateway, policy, caps, and cost metering all still work, but packets aren't dropped at a host firewall. For hardware-enforced lockdown on a Mac, use the Apple VZ microVM driver: microVM guests have no network device at all, so egress is denied by construction and the gateway, over vsock, is their only route out.

How strong is the isolation, really?

The container driver shares the host kernel — that's the tradeoff for speed and density. If you need hardware isolation, use the microVM tier: Apple VZ on macOS or Firecracker on Linux + KVM, both with full daemon-level parity on an 11-check end-to-end suite. Both have warm pools (a create adopts a pre-booted VM in ~7ms) and true pause/resume — a full-VM snapshot restores RAM and running processes, resuming in ~80ms on Firecracker vs ~2.5s cold boot.

Can I use my own LLM gateway or a custom provider?

Yes. The egress gateway speaks to OpenAI, Anthropic, OpenRouter, Google, or any custom endpoint you configure. Keys stay on the daemon either way — sandboxes only ever see their revocable per-sandbox tokens.

Is it really free? What will you charge for?

The daemon is Apache-2.0 and free: one host, unlimited sandboxes, every containment guarantee included, no feature gates. The paid product is hotcell Cloud — a coordination layer for fleets (central key vault, org-wide egress policy, per-team spend quotas, SSO, audit). It runs against your hardware either way.

Is it multi-tenant?

No — single-tenant by design. Anyone who can reach the API controls the sandboxes, so treat API access as shell access: bind the daemon to loopback or set an API key.

Agents are radioactive. Handle them accordingly.

Join the Cloud waitlist