Insights

Blog

Engineering updates, security deep-dives, and building in the open.

2026-07-04Security

What Actually Contains a Rogue AI Agent (Come Try to Break It)

Most agent security is a claim on a slide. So we built Arena — a place to attack a real AI agent in our runtime and see, hands-on, what actually holds: the microVM it's isolated in, the guardrails that inspect its traffic, and the deterministic walls it can't route around.

Read more
2026-06-23Guide

How to Give an AI Agent Code Execution Without Handing Over Your Credentials

Agents need API keys to be useful — but the moment a key lives inside the sandbox, one prompt injection can exfiltrate it. Here's how to give an agent a credential it can use but never read.

Read more
2026-06-10Guide

How to Lock Down an AI Agent's Network Egress

By default an agent can call anywhere on the internet — which is exactly how a prompt-injected agent exfiltrates data or phones home. Here's how to put it on an allowlist and record every attempt.

Read more
2026-05-28Guide

How to Sandbox an MCP Server

An MCP server runs on your machine with your tokens and pulls in hundreds of dependencies you've never read. Here's how to wrap any MCP server in an isolated microVM with one line of config.

Read more
2026-05-17Security

Dirty Frag: Why Hardware Isolation Matters

A new kernel zero-day gives unprivileged users deterministic root on most Linux distributions since 2017. We tested it against our microVM isolation boundary. Here's what happened.

Read more
2026-03-28Security

Why Sandboxes Alone Won't Secure Your AI Agents

Sandboxes isolate execution. But isolation doesn't stop your agent from leaking a customer's SSN to a third-party API. Here's the gap nobody talks about.

Read more
2026-03-24Engineering

Anatomy of an Agent Data Leak

We walked through a real scenario where a coding agent leaked a database password to a third-party API. Here's exactly how it happened and what would have stopped it.

Read more
2026-03-14Security

Prompt Injection Is Not Solved. Stop Pretending It Is.

Everyone knows prompt injection is a problem. Most teams think they've handled it with a system prompt. They haven't.

Read more
2026-03-10Engineering

Why We Chose Firecracker Over Docker for Agent Sandboxing

Containers are fast and convenient. They're also a terrible isolation boundary for untrusted AI agents. Here's the tradeoff we made and why.

Read more