Every serious AI product now has the same requirement: somewhere safe to run code a model just wrote. That demand created one of the fastest-moving categories in infrastructure — agent sandboxes and runtimes. Isolated machines that boot in milliseconds, run untrusted code, and disappear. E2B alone reports over 10,000 teams on its infrastructure, with products like Lovable and Quora running millions of AI-generated snippets through it (The Daily Agent).
The sandboxes are genuinely good now. That is exactly why the interesting question moved up a layer: once every vendor can hand you an isolated VM in under a second, the differentiator is everything that happens on it. Here is the field — and why teams that want agents shipping real work choose Nori Sessions.
The sandbox providers
E2B is the reference sandbox API: Firecracker microVMs with ~150ms starts and per-second billing (about $0.05 per vCPU-hour, with a $150/month Pro plan). It is a superb primitive — and deliberately just a primitive. Sessions cap out at 24 hours even on Pro, and everything above the VM is your code (E2B pricing, Northflank).
Daytona wins the stopwatch: sub-90ms sandbox creation, $0.0504 per vCPU-hour, $200 in starter credits. The speed comes with a trade — isolation is Docker containers by default, a weaker boundary than microVMs (Daytona pricing, Northflank).
Modal is the pick when the workload touches a GPU: gVisor-isolated sandboxes on a Python-first serverless platform, with H100s at $3.95/hour and CPU at $0.047 per vCPU-hour. It is compute infrastructure par excellence — you bring the agent, the glue, and the ops (Northflank).
Vercel Sandbox gives Vercel-platform teams Firecracker microVMs at $0.128 per active vCPU-hour — with sessions limited to 45 minutes on Hobby and 5 hours on Pro, in a single region (Northflank). Cloudflare’s Sandbox SDK composes Workers, Durable Objects, and Containers into a code-execution API at the edge, and its Project Think work shows Cloudflare racing to add the missing agent layers — persistent workspaces, durable tasks, sub-agents (Cloudflare docs, Cloudflare blog).
How they compare
| Platform | What you get | Isolation | Pricing model | Agent + triggers built in |
Chat-native control |
|---|---|---|---|---|---|
| E2B | Sandbox API | Firecracker microVM | Per-second metered | ✗ | ✗ |
| Daytona | Sandbox API | Docker (default) | Per-use metered | ✗ | ✗ |
| Modal | Serverless compute + sandboxes | gVisor | Per-second metered | ✗ | ✗ |
| Vercel Sandbox | Sandbox API | Firecracker microVM | Per-active-CPU metered | ✗ | ✗ |
| Cloudflare Sandbox SDK | Edge sandbox SDK | Containers + Durable Objects | Usage-based | ✗ | ✗ |
| Nori Sessions | Full agent runtime | Ephemeral cloud machines | Flat $50 / runtime / mo | ✓ | ✓ |
Publicly reported capabilities and pricing as of July 2026. See sources below.
How to choose an agent sandbox or runtime
Six questions separate the options faster than any feature grid:
- Isolation model. Firecracker microVMs (E2B, Vercel) and gVisor (Modal) are hardware-grade boundaries; Docker containers (Daytona’s default) trade isolation strength for speed. Match the boundary to how untrusted the code really is.
- Session lifetime. Agent work is bursty but long-tailed — a refactor can run hours. Caps like E2B’s 24 hours or Vercel’s 45 minutes to 5 hours become hard product constraints.
- Pricing predictability. Per-second metering is elegant until an agent loops overnight. Decide whether you want a meter or a budget line.
- What ships above the VM. The agent harness, integrations, and credential wiring are weeks of platform work if the answer is “nothing.”
- Unattended operation. If agents should work while you sleep, scheduling and notification need to exist — built in, or built by you.
- The human escape hatch. When a run goes sideways, someone needs a terminal and editor on the actual machine, not a log viewer.
Sandbox APIs answer the first three questions well and leave the last three to you. That split is the story of this category.
A sandbox is not a runtime
Look at what every row above actually sells: the bottom layer. An empty machine that boots in 90 milliseconds still boots empty. Before an agent does anything useful on it, someone has to install and configure the agent, load the repo and credentials, wire up Slack and GitHub and the rest of your stack, build the scheduler that launches runs unattended, and teach it your org’s conventions — again, on every fresh machine. The sandbox vendors are explicit that this is your job; it is why they ship SDKs. Cloudflare’s own roadmap calls these the “missing pieces.” That is months of platform engineering stacked on top of a metered bill.
Why Nori Sessions wins
Nori Sessions starts where the sandboxes stop. Every session is an ephemeral cloud machine that arrives with the entire runtime stack already standing:
- The agent is already there. A session boots with a coding agent installed, your repos connected, and your credentials wired. No SDK, no harness to build, no platform team required.
- Unattended by design. Cron and webhook triggers launch sessions with no human attached. This very article was researched, written, and opened as a pull request by a scheduled Nori Session.
- Chat-native control. Drive sessions from Slack or Discord and get results back in the thread — your team’s existing tools are the interface, not another dashboard.
- Durable org context. Skillsets load every fresh machine with your org’s instructions, memory, and tools, so agents show up already knowing how you work.
- A real workspace on demand. A full terminal and editor are one click away whenever a human wants to inspect or take over.
And instead of per-second meter math — vCPU-hours here, GiB-hours there, session caps everywhere — Nori Sessions is a flat $50 per runtime per month, with a Premium tier that adds hands-on org setup and dedicated support. Predictable enough to put in a budget. Simple enough to explain in one sentence.
The bottom line
If you are building a product that executes untrusted AI-generated code, the sandbox APIs are excellent raw material — E2B for microVM rigor, Daytona for raw speed, Modal for GPUs. But if what you actually want is agents doing work for your team — on a schedule, from chat, with your context loaded — you don’t want raw material. You want the finished runtime. That is Nori Sessions, and it is the layer the whole category is scrambling to build. We already ship it.
Spin up your first Nori Session and put your agents to work.
Frequently asked questions
What is an AI agent sandbox?
An isolated, disposable compute environment — typically a Firecracker microVM, a gVisor sandbox, or a container — where an AI agent can execute untrusted, model-generated code without putting the host system or your infrastructure at risk. Providers like E2B, Daytona, Modal, Vercel, and Cloudflare expose these environments through APIs and SDKs.
What is the difference between an agent sandbox and an agent runtime?
A sandbox is the bottom layer: isolated compute that boots fast and runs untrusted code. A runtime is everything an agent needs to actually do a job: the sandbox plus the agent harness, repo and credential wiring, integrations, cron and webhook triggers, chat-native control, and durable org context. Sandbox APIs leave those layers for you to build; Nori Sessions ships them built in.
Which AI agent sandbox starts the fastest?
Daytona reports the fastest creation times in the category at under 90 milliseconds. E2B’s Firecracker microVMs start in roughly 150 milliseconds. At these speeds, boot time stops being the differentiator — what runs on the machine matters more.
How much do AI agent sandboxes cost?
Most sandbox providers meter usage: E2B charges about $0.05 per vCPU-hour with a $150/month Pro plan, Daytona charges $0.0504 per vCPU-hour, Vercel Sandbox charges $0.128 per active vCPU-hour, and Modal’s H100 GPUs run $3.95/hour. Nori Sessions is a flat $50 per runtime per month.
Can I run coding agents unattended on these platforms?
On sandbox APIs, unattended operation is your job: you build the scheduler, the agent harness, and the notification path yourself. Nori Sessions has cron and webhook triggers built in, so sessions launch, do the work, and report back to Slack or Discord with no human attached.
Sources
- E2B pricing — E2B
- Top 5 Code Sandboxes for AI Agents in 2026 — The Daily Agent (DEV)
- What’s the best code execution sandbox for AI agents? — Northflank
- Daytona pricing — Daytona
- Best Code Execution Sandboxes for AI Agents — Modal
- Sandbox SDK overview — Cloudflare docs
- Project Think: the next generation of AI agents — Cloudflare blog
- Vercel Sandbox vs E2B — Vercel Knowledge Base
Related guides
- Top Cloud-Based IDEs in 2026 — the editor layer of the same story: the category that pivoted from browser editors to agents.
- Agentics: AI enablement requires managed agent runtimes — the essay version of the argument this guide makes with pricing tables.
- All guides — every comparison guide in one place.