Cloudflare has moved its Sandboxes and Containers offering from beta to general availability, providing AI agents with persistent Linux environments that include secure credential injection, PTY terminal support, snapshot-based recovery and active CPU pricing. The announcement details the security model, developer experience improvements and positioning against other agent infrastructure providers.
Cloudflare announced the general availability of Sandboxes and Cloudflare Containers as part of its Agents Week initiative. The service provides developers with on‑demand Linux environments that stay alive across agent interactions, sleep when idle and wake on request. First introduced in beta last June, the GA release adds a set of features aimed at security, usability and cost efficiency.

The core abstraction is a container that can be addressed by a stable identifier. When a request arrives for a named sandbox, Cloudflare provisions the environment if it is not already running; otherwise it resumes the existing instance. This model gives AI agents a stateful workspace that persists file changes, background processes and in‑memory variables between invocations.
On the security front, Cloudflare uses outbound Workers as a programmable egress proxy. The proxy intercepts any network call made from inside the sandbox and can inject credentials at the transport layer without ever exposing the token to the untrusted workload. Developers can define per‑host auth logic, apply identity‑aware policies and dynamically adjust network permissions as a task progresses. This approach implements a zero‑trust model where no secret is ever handed to the sandbox process.
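The egress-proxy pattern described above, as an added example that is not Cloudflare's code or SDK: a per-host policy function that strips credential headers set by the sandbox and attaches the real secret on the proxy side. All names (`SECRETS`, `POLICY`, `applyEgressPolicy`), the host list and the token values are hypothetical.

```javascript
// Added illustration of an egress policy with credential injection.
// Every name here is hypothetical; none of it is a Cloudflare API.

// Secrets exist only in the proxy's scope (constructed placeholder values).
const SECRETS = {
  GITHUB_TOKEN: "placeholder-github-token",
  NPM_TOKEN: "placeholder-npm-token",
};

// Per-host rules, matched on the exact hostname. A rule without `secret`
// allows the host but attaches no credential.
const POLICY = {
  "api.github.com": { secret: "GITHUB_TOKEN" },
  "registry.npmjs.org": { secret: "NPM_TOKEN" },
  "pypi.org": {},
};

// Credential-bearing headers the sandbox is never allowed to set itself.
const STRIPPED = new Set(["authorization", "proxy-authorization", "cookie", "x-api-key"]);

const deny = (reason) => ({ action: "deny", reason });

// req is { url, headers } as emitted by the untrusted workload.
function applyEgressPolicy(req, policy = POLICY, secrets = SECRETS) {
  let url;
  try {
    url = new URL(req.url);
  } catch {
    return deny("unparseable URL");
  }
  // Plaintext transport would leak the injected token on the wire.
  if (url.protocol !== "https:") return deny("https required");
  // user:pass@host URLs are another way to smuggle caller-chosen credentials.
  if (url.username || url.password) return deny("userinfo not allowed");
  // Own-property lookup so hostnames like "constructor" cannot hit the prototype.
  if (!Object.prototype.hasOwnProperty.call(policy, url.hostname)) {
    return deny(`host not allowlisted: ${url.hostname}`);
  }
  const rule = policy[url.hostname];

  // Copy headers with lower-cased names, dropping anything credential-bearing.
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    const key = name.toLowerCase();
    if (!STRIPPED.has(key)) headers[key] = value;
  }
  // Attach the real credential last, so the sandbox can neither read nor override it.
  if (rule.secret) headers.authorization = `Bearer ${secrets[rule.secret]}`;
  return { action: "forward", url: url.href, headers };
}
```

Because the match is on the exact parsed hostname, a look-alike such as `api.github.com.evil.example` is denied rather than receiving the GitHub token.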
Developer experience received several upgrades. PTY support replaces the earlier request‑response shell simulation with a real pseudo‑terminal session proxied over WebSocket, giving agents a familiar interactive terminal. Persistent code interpreters keep state across execution calls, much like a Jupyter notebook, so imports and variables survive between steps. Background processes can be started and exposed through live preview URLs, enabling agents to run development servers and share a working link. Filesystem watching, built on Linux inotify, emits change events in real time, allowing agents to react to file modifications instantly.
Snapshot‑based session recovery is slated for rollout in the coming weeks. A snapshot captures the full disk state of a container and can be restored in near‑instant time. Cloudflare illustrates the benefit with a concrete measurement: cloning a repository, running npm install and booting from scratch takes about thirty seconds, while restoring from a snapshot requires roughly two seconds. This enables patterns such as forking a sandbox to explore multiple approaches in parallel.
The SDK, currently at version 0.8.9, offers a TypeScript API for executing commands, cloning repositories, writing files and managing processes. Documentation is now publicly available and includes examples for common workflows.
Pricing has shifted to active CPU billing. Customers are charged only for the vCPU seconds actually consumed, at a rate of $0.00002 per vCPU‑second. The standard plan supports up to fifteen thousand concurrent lite instances, six thousand basic instances and over one thousand larger instances. This model aims to align cost with actual usage rather than provisioned capacity.
In the broader agent infrastructure space, Cloudflare differentiates itself through its global edge network and a two‑tier architecture. Lightweight V8 isolate‑based Dynamic Workers handle ephemeral code execution, while full container‑based Sandboxes provide a complete operating system with tools such as git, bash and multi‑language build chains. Competing solutions include E2B, which uses Firecracker microVMs with dedicated kernels per session; Daytona, which pivoted from development environments to AI agent infrastructure and claims sub‑90 ms sandbox creation using Docker containers; Modal, which targets GPU‑heavy Python workloads with serverless infrastructure; and Vercel, which recently launched its own Firecracker‑based Sandbox in beta.
Figma is already running production agent workloads on the new infrastructure. Alex Mullans, who leads AI and Developer Platforms at Figma, explained that the company needed a reliable, highly scalable sandbox for executing untrusted agent‑ and user‑authored code as part of its Figma Make product.

The general availability release marks a step toward making isolated, stateful environments a practical building block for AI agent systems. By combining edge distribution, granular security controls and usage‑based pricing, Cloudflare aims to provide a platform where agents can develop, test and operate with the same expectations developers have for traditional cloud services.
