Firecracker microVMs
Hardware-level isolation, not a shared kernel. Every sandbox is a real VM with its own kernel, so untrusted code stays contained. Not a container. Not a chroot.
A self-hostable sandbox orchestrator for AI agents and untrusted code. Isolated Firecracker microVMs scheduled across the hosts you operate, behind a dashboard and API that stay on your network.
$ qbox spawn --template python-3.12
→ scheduling on host fc-02 [ok]
→ booting firecracker microvm [ok]
→ restoring template snapshot [ok]
→ guest agent ready [ok]
→ sandbox sb_7a3f running
$ qbox shell sb_7a3f
root@sb_7a3f:~# python -c "import torch; print(torch.__version__)"
2.4.1+cu121
root@sb_7a3f:~# echo "hello from inside a microVM"
hello from inside a microVM
root@sb_7a3f:~# _
Open an interactive shell into the microVM. Run one-off commands. Browse and download files. Tail structured logs as they arrive. All over a private channel between the control plane and the guest — no public SSH, no inbound exposure on the sandbox.
Point a template at any OCI image and qbox builds it into a warm, reproducible snapshot — so sandboxes start from a booted image, not a cold boot. Python, Node, Go, Rust, or your own.
A control plane plus a lightweight agent on each host. Runs on commodity Linux with KVM — no Kubernetes, no managed cloud. You run the whole platform.
Bare metal, on-prem hypervisors, or your own cloud VMs. No telemetry, no phone-home, no data leaving your perimeter. An operator dashboard ships in the box.
from qbox import Sandbox
# spawn from a template, run code, read the result
sandbox = Sandbox.create(template="python-3.12")
result = sandbox.run_code("print(1 + 1)")
print(result.text)  # 2

Drive sandboxes straight from your app — spawn, exec, files, and code execution in a few lines. A REST and WebSocket API sits underneath for anything else, and a CLI ships for operators.
Spawn and inspect sandboxes, stream logs, open a shell, browse files, and watch your hosts — a real operator surface, not a black box.
Sandbox platforms typically hand you a black box: workload in, result out. qbox is different — a real operator surface ships with the product. Shell into the guest. Exec one-off commands. Browse files. Stream lifecycle and log events. All over an authenticated data plane.
Open an interactive shell straight into the microVM (for templates with SSH enabled), or run one-off commands with streamed stdout/stderr and exit codes. It travels over a private channel between the control plane and the guest — no public SSH port, no inbound exposure on the sandbox.
Browse the guest filesystem, preview files, and download them — reads stream chunk-by-chunk straight from the sandbox. Tail the guest's structured logs live as the workload runs.
Spawn and terminate sandboxes and watch lifecycle events — booted, running, terminated — over a live stream. The fleet reports capacity continuously, so workloads land on a host with room.
Live logs from a sandbox in the operator dashboard.
import qbox

# Spawn from a template; the sandbox is killed on block exit.
with qbox.Sandbox.create(template="python-3.12") as sb:
    result = sb.commands.run("python -V")
    print(result.stdout)  # Python 3.12.x

    # Run code in a stateful kernel and read the result.
    execution = sb.run_code("import torch; torch.cuda.is_available()")
    print(execution.text)

# Spawn a sandbox from a template
curl -X POST https://qbox.your-domain.tld/v1/sandboxes \
-H "Authorization: Bearer $QBOX_TOKEN" \
-d '{ "templateId": "tpl_python312" }'
# → { "id": "sb_7a3f", "status": "booting" }
# Run a command once it's running
curl -X POST https://qbox.your-domain.tld/v1/sandboxes/sb_7a3f/exec \
-H "Authorization: Bearer $QBOX_TOKEN" \
-d '{ "cmd": "python", "args": ["-c", "print(1 + 1)"] }'
# → { "stdout": "2", "exitCode": 0 }
# List files, stream logs, or open an interactive shell —
# all from the same authenticated API, or the operator dashboard.

qbox is built for teams that can't or won't run AI workloads on someone else's cloud. Regulated industries. Data residency requirements. Air-gapped environments. Teams that want to own their compute. It runs on commodity Linux hosts you already have — no Kubernetes, no managed control plane, no data leaving your perimeter.
Coding agents, research agents, deep agents that need to run arbitrary code. qbox gives them true microVM isolation — and a shell, exec, and log stream so you can see what they did.
LLM products that expose a code-execution tool to end users. Stateful Python and JavaScript kernels in disposable microVMs, spawned from warm template snapshots, on hardware you control.
SWE-Bench-style evaluation harnesses. Plugin marketplaces. Anywhere you're running unreviewed code and "it's just in Docker" stopped being good enough.
Run user-supplied analysis, notebooks, and ad-hoc scripts against your data — each session in its own VM, so a runaway job or a hostile dependency can't touch the host or other tenants.
Agents that drive headless browsers, package managers, and arbitrary CLIs need a real machine to make a mess in. Give each one a disposable microVM with outbound network you can scope or cut off.
Hand every user or tenant a clean, reproducible environment booted from a warm template snapshot — isolated from each other, on your own fleet, with no shared kernel.
Self-host on your own Linux hosts. Bring your own agents and workloads.