Apache-2.0 · self-hosted · one daemon
Sandboxes for AI agents, on your own hardware
Run thousands of secure, persistent sandboxes on a Mac, a VM, or bare metal. Provider keys never enter the sandbox, every agent has a hard spend cap, and default-deny egress means a rogue prompt has nowhere to phone home.
Apache-2.0 · no lock-in · runs on the laptop you already own
Terminal transcript: hc run --egress --spend-cap 5 "claude 'fix the failing tests'". Sandbox 9f3ab2 created — warm boot in 7ms. Egress token minted, cap $5.00, models claude-*. Default-deny egress on, registries allowlisted. Agent running, LLM cost $0.42, keys leaked: 0.
Runs your agents — Claude Code · Codex · OpenCode · Mastra
Isolation tiers: Docker · Firecracker · Apple VZ
failure modes
You want to run untrusted agent code at scale. Two things bite immediately.
Credentials
Put your real API key in the sandbox and a prompt injection, a leaked log, or a malicious dependency can read it and walk off with full account access.
Blast radius
An agent that goes wrong can spend unboundedly, or phone your data out to anywhere on the internet.
Prompt-only defenses fail. Containment is enforced at the infrastructure layer or it isn't enforced at all.
containment model
Every byte out of a sandbox flows through one chokepoint.
Code can't touch the host
Per-sandbox isolation with three drivers behind one interface: Docker containers, plus Apple VZ and Firecracker microVMs — warm pools adopt a pre-booted VM in ~7ms, and full-VM snapshots pause and resume running processes.
Keys can't be stolen
Provider keys live on the daemon, never inside a sandbox. Each sandbox gets a revocable token the gateway swaps for the real key on the way out — a leaked token is worthless.
Money can't hemorrhage
Hard USD spend caps, model and provider allowlists, sliding-window rate limits, and token TTLs — plus a per-sandbox ceiling and real cost metering, LLM cost included.
Data can't leave
Default-deny egress on Linux: a sandbox reaches only the gateway and a pinned DNS resolver, every denial logged. MicroVM guests have no network device at all — the gateway, over vsock, is the only way out.
hc egress 9f3ab2 --spend-cap 5 --models 'claude-*' --rate-calls 60 --rate-window 1m --ttl 24hspec sheet
Everything else a sandbox needs.
- persistent workspaces
- /workspace volumes survive stop, start, and daemon restarts.
- streamed exec + sessions
- SSE-streamed commands with persistent shell sessions.
- preview URLs
- An L4 proxy routes a URL to any port inside the sandbox.
- code interpreter
- Stateful Python and JS execution that holds state between calls.
- backups + restore
- Snapshot a sandbox, roll it back later.
- pause + resume
- Idle sandboxes hibernate; any operation resumes them. MicroVM snapshots resume in ~80ms.
- resource caps + admission
- Hard memory/CPU/PID caps; refuses to over-subscribe the host.
- metrics, cost, traces
- Per-sandbox CPU/mem/net, a configurable $ meter, OpenTelemetry.
procurement
Build, buy, or own.
Managed sandboxes bill per second forever. Building your own is 6–12 months of infra work. hotcell is the third option: own it without building it.
| Capability | hotcell | E2B self-host | Daytona | NVIDIA OpenShell | Tencent CubeSandbox |
|---|---|---|---|---|---|
| Install | One npm install | Terraform + Packer deploy (Nomad/Consul); bring your own Postgres + Cloudflare domain | Managed cloud; BYOC deploys via Helm charts on Kubernetes | CLI + gateway (alpha, single-player) | Install script on Linux/KVM; single node or CubeMaster cluster |
| Keys out of sandbox | Yes — keys stay on the daemon; sandboxes get revocable tokens | Partial — header-injection proxy (beta); no key vault | — | Yes — placeholder tokens, fail-closed proxy | Yes — credential vault; keys injected at CubeEgress proxy |
| Spend caps + cost metering | Per-token and per-sandbox USD caps; real cost metering, LLM included | — | Compute metering (vCPU/RAM/disk); no LLM spend controls | — | — |
| Default-deny egress | Kernel-enforced on Linux; allowlisted registries; every denial logged | No — internet on by default; opt-in filters cover ports 80/443 only | Restricted on lower tiers; registries and AI APIs always allowed | Yes — deny-by-default proxy, with a built-in inference.local bypass | Yes — L7 domain allowlists; eBPF prevents bypass; denials audited |
| True pause/resume | Yes — full-VM snapshots resume in ~80ms; idle auto-pause built in | Yes — orchestrator pause/resume | VM sandboxes only; containers lose memory on stop | — | Yes — AutoPause/Resume via full-VM snapshots |
| Fleet of sandboxes per host | One daemon runs the whole fleet, with admission control | Yes — orchestrator nodes run many sandboxes via cluster API | Daytona's control plane manages the fleet; BYOC = your runner nodes | Gateway API — alpha, one gateway per developer | Yes — Cubelet per node, CubeMaster cluster orchestration |
| Isolation tiers | Docker · Firecracker · Apple VZ microVMs | Firecracker microVMs (GCP; AWS beta) | Container class default; Linux/Windows VM classes (hypervisor unnamed) | Containers, libkrun microVMs, K8s pods | KVM microVMs (RustVMM) — Linux/KVM only |
| License | Apache-2.0 | Apache-2.0 | Private codebase since June 2026; AGPL-3.0 repo unmaintained | Apache-2.0 | Apache-2.0 (third-party component exceptions) |
Comparison reflects each project's own public docs as of July 2026 ("—" means the docs don't document it); corrections welcome via GitHub issue.
procedure
Sixty seconds to a contained agent.
- 1
npm install -g hotcell - 2
hc daemon & # REST :4750 · preview :4751 · egress gateway :4752 - 3
hc run --egress --spend-cap 5 "claude 'fix the failing tests'"
Open the dashboard at 127.0.0.1:4750 — live terminal, metrics, cost meter, preview links.
licensing
Open source and Cloud.
Open source — free forever
One daemon, one host, unlimited sandboxes. Every containment guarantee included. Apache-2.0.
hotcell Cloud early access
One control plane for your whole fleet: central key vault, org-wide egress policy, per-team spend quotas, SSO and audit. Your hardware, our coordination layer.
operator's manual
Questions, answered honestly.
How is this different from E2B?
E2B is a managed sandbox service billed per usage, with a self-host path that means standing up its full infra stack yourself. hotcell is one daemon you npm-install on hardware you already own — a Mac, a VM, or bare metal — with the containment layer (key vaulting, spend caps, default-deny egress) built in rather than left to you. If you want someone else to run the servers, use a managed service; if you want the sandboxes on your own metal, that's what hotcell is for.
Does default-deny egress work on macOS?
Kernel-enforced default-deny egress is Linux-only for the container driver. On macOS with Docker Desktop, enforcement is advisory — the gateway, policy, caps, and cost metering all still work, but packets aren't dropped at a host firewall. For hardware-enforced lockdown on a Mac, use the Apple VZ microVM driver: microVM guests have no network device at all, so egress is denied by construction and the gateway, over vsock, is their only route out.
How strong is the isolation, really?
The container driver shares the host kernel — that's the tradeoff for speed and density. If you need hardware isolation, use the microVM tier: Apple VZ on macOS or Firecracker on Linux + KVM, both with full daemon-level parity on an 11-check end-to-end suite. Both have warm pools (a create adopts a pre-booted VM in ~7ms) and true pause/resume — a full-VM snapshot restores RAM and running processes, resuming in ~80ms on Firecracker vs ~2.5s cold boot.
Can I use my own LLM gateway or a custom provider?
Yes. The egress gateway speaks to OpenAI, Anthropic, OpenRouter, Google, or any custom endpoint you configure. Keys stay on the daemon either way — sandboxes only ever see their revocable per-sandbox tokens.
Is it really free? What will you charge for?
The daemon is Apache-2.0 and free: one host, unlimited sandboxes, every containment guarantee included, no feature gates. The paid product is hotcell Cloud — a coordination layer for fleets (central key vault, org-wide egress policy, per-team spend quotas, SSO, audit). It runs against your hardware either way.
Is it multi-tenant?
No — single-tenant by design. Anyone who can reach the API controls the sandboxes, so treat API access as shell access: bind the daemon to loopback or set an API key.