Code, browsers, containers, and Claude self-hosted — where your agent actually does the work.

Agents need somewhere to run code. We give them four places.

Python and Node runtimes for short evals, Chromium-based headless browsers for screenshots and agentic web use, full Alpine/Debian containers for longer-lived tasks, and Claude Managed Agents self-hosted sandboxes for teams keeping Claude tool execution off Anthropic's cloud. All four are tenant-isolated, restartable from your control plane, and metered on actual CPU-seconds — not wall-clock idle.

Per-tenant isolation · uv / pip / npm manifests · Chromium + browser-use harness · Persistent volumes

sandboxes.stack: private Kathmandu network
Your agent runtime: Hosted Agents tenant or external SDK call
Sandbox dispatcher: code · browser · linux — fair-share scheduler
Inference + tenant store: shared private network · single round trip

Why this exists

Code execution belongs next to inference.

01. Local round-trip

Sandboxes share a Kathmandu network with our inference and hosted-agents runtimes. The agent loop stays inside one fast path.

02. Tenant isolation

Each sandbox call gets a fresh, locked-down environment. Per-tenant volumes are opt-in and encrypted at rest.

03. Dependency-aware

Upload uv.lock, requirements.txt, package.json, or an OCI image. We cache warm environments per manifest hash.

04. CPU-second billing

Pay for the time your code actually runs, not idle wall-clock. Hosted-agent tenants get an included quota.

Four runtimes

Pick what your agent actually needs.

Each type is tenant-isolated, restartable from your control plane, and bills on CPU-seconds — not wall-clock idle.

CODE

Code Runtime

Python and Node sandboxes for short evals, code generation, and tool use.

See Code Runtime →

WEB

Headless Browser

Chromium-based browser sessions for screenshots, scraping, and agentic web use.

See Headless Browser →

LINUX

Linux Container

Full Alpine or Debian environments — Docker-compatible, persistent, agent-accessible.

See Linux Container →

CLAUDE

Claude Self-Hosted

Be the sandbox provider for your Claude Managed Agents — agent loop on Anthropic, tool execution on our Kathmandu GPUs.

See Claude Self-Hosted →

Comparison

Default sizes, default egress, default prices.

Sandboxes scale up per-session if needed. The defaults below are what you get without any tenant overrides.

| Type | Runtimes | Memory | CPU | Egress | Pricing |
| --- | --- | --- | --- | --- | --- |
| Code Runtime | Python 3.12 · Python 3.11 | 512 MB | 1 vCPU burst, 0.25 vCPU sustained | 100 Mbps | EUR 0.05 / hour |
| Headless Browser | Chromium 130+ · Playwright | 2048 MB | 2 vCPU burst, 0.5 vCPU sustained | 250 Mbps | EUR 0.18 / hour |
| Linux Container | Alpine 3.20 · Debian 12 | 2048 MB | 2 vCPU burst, 0.5 vCPU sustained | 200 Mbps | EUR 0.12 / hour |
| Claude Self-Hosted | Anthropic ant CLI (always-on poll worker) · Anthropic SDK EnvironmentWorker (Python / TypeScript / Go) | 4096 MB | 4 vCPU burst, 1 vCPU sustained | 250 Mbps | EUR 0.12 / hour |

Hosted-agent tenants get sandbox-hours included.

If you are on a Hosted Agents tier, sandbox usage at fair-use levels comes out of your tenant quota — no separate sandbox subscription needed. Standalone sandbox customers (no Hosted Agents plan) are billed at the per-hour rates above, with a transparent monthly cap.

Sandbox safety

Code execution is risky. We treat it that way.

Defaults are conservative. Network is default-deny outbound. Tenant filesystems are isolated. Abuse cuts the call before it cuts the cohort.

Process-level isolation: Linux namespaces + seccomp profiles. No cross-tenant fs or process visibility.
Per-tenant network: Egress is per-sandbox; RFC1918 reachability is off by default.
Default-deny outbound: Allowlist external hosts when you need them; everything else returns refused.
Volume encryption at rest: Per-tenant persistent volumes are encrypted with rotated keys.
Abuse circuit breakers: CPU-second, egress, and request-count caps cut runaway tasks.
Audit log on admin actions: Provisioning, secret access, and tenant-level config changes are logged.

Practical questions

What to know before you reserve.

How does this compare to E2B / Modal / Daytona?

Different positioning. E2B and Modal are excellent global sandbox products; we are the obvious choice when your agent or inference is *also* running on ScaLabs Cloud — same network, lower per-call latency, single bill. We are deliberately not trying to be a global hyperscaler.

Are these sandboxes included with Hosted Agents?

Yes — hosted-agent tenants get a per-tier included quota of sandbox-hours across all three types. Standalone usage (no Hosted Agents subscription) is billed per CPU-second at the rates shown in the comparison table.

Can I run a long-lived service in a sandbox?

Code Runtime and Headless Browser sandboxes have per-session limits — they are not for daemons. Linux Container sandboxes can run long-lived processes; if they run 24/7 for months, consider converting to a VPS — usually cheaper at that point.

What about GPU sandboxes?

Not in the founding cohort. If you need GPU-backed code execution, use our Inference product (the model already runs on our GPUs) and call it from a CPU sandbox. We may add GPU sandboxes after the launch network is stable.

Do you support BYO container images?

Yes, on Linux Container sandboxes. Bring an OCI image; we run a basic security review before allowing it in the tenant. Reviewed images can be pushed by your CI and pulled on demand.

How is residential egress handled?

Off by default. Available on Headless Browser sandboxes via a separate add-on; capped per session, billed separately, and we monitor for abuse patterns. Talk to us before you build a workflow that depends on it.