Firecracker microVMs
Hardware-level isolation, not a shared kernel. Every sandbox is a real VM with its own kernel, so untrusted code stays contained.
Isolated Firecracker microVMs for AI agents and untrusted code — built, scheduled, and run on the Linux hosts you operate, behind an API and dashboard that stay on your network.
$ qbox spawn --template python-3.12
→ scheduling on host fc-02 [ok]
→ booting firecracker microvm [ok]
→ restoring template snapshot [ok]
→ guest agent ready [ok]
→ sandbox sb_7a3f running
$ qbox shell sb_7a3f
root@sb_7a3f:~# python -c "import torch; print(torch.__version__)"
2.4.1+cu121
root@sb_7a3f:~# echo "hello from inside a microVM"
hello from inside a microVM
root@sb_7a3f:~# _
Open an interactive shell into the microVM. Run one-off commands. Browse and download files. Tail structured logs as they arrive. All over a private channel between the control plane and the guest — no public SSH, no inbound exposure on the sandbox.
Point a template at any OCI image, or build one straight from a Git repo. qbox bakes it into a warm, reproducible snapshot — so sandboxes resume from a booted image, not a cold boot. Python, Node, Go, Rust, or your own.
A control plane plus a lightweight agent on each host. Runs on commodity Linux with KVM — no Kubernetes, no managed cloud. You run the whole platform.
Bare metal, on-prem hypervisors, or your own cloud VMs. No telemetry, no phone-home, no data leaving your perimeter.
from qbox import Sandbox
# spawn from a template, run code, read the result
sandbox = Sandbox.create(template="python-3.12")
result = sandbox.run_code("print(1 + 1)")
print(result.text)  # 2
Drive sandboxes straight from your app — spawn, exec, files, and code execution in a few lines. A REST + WebSocket API sits underneath for everything else, and a CLI ships for operators.
import qbox
# Spawn from a template; the sandbox is killed on block exit.
with qbox.Sandbox.create(template="python-3.12") as sb:
    result = sb.commands.run("python -V")
    print(result.stdout)  # Python 3.12.x
    # Run code in a stateful kernel and read the result.
    execution = sb.run_code("import torch; torch.cuda.is_available()")
    print(execution.text)
# Spawn a sandbox from a template
curl -X POST https://qbox.your-domain.tld/v1/sandboxes \
  -H "Authorization: Bearer $QBOX_TOKEN" \
  -d '{ "templateId": "tpl_python312" }'
# → { "id": "sb_7a3f", "status": "booting" }
# Run a command once it's running
curl -X POST https://qbox.your-domain.tld/v1/sandboxes/sb_7a3f/exec \
  -H "Authorization: Bearer $QBOX_TOKEN" \
  -d '{ "cmd": "python", "args": ["-c", "print(1 + 1)"] }'
# → { "stdout": "2", "exitCode": 0 }
# List files, stream logs, or open an interactive shell —
# all from the same authenticated API, or the operator dashboard.
Run Python or JavaScript in a persistent kernel and get rich results back — stdout, return values, tables, and plots. Reuse a context across calls, or spin up a fresh one.
Launch a headless Chromium in a sandbox and drive it over CDP — for agents that browse, fill forms, and use the web as a tool, isolated per session.
Attach object-storage-backed volumes to any sandbox at a mount path. Let agents share datasets and artifacts across sandboxes without breaking isolation.
Expose a guest port and get a preview URL that routes straight to the process in the microVM — for dev servers, apps, and tools the sandbox runs.
Templates are built into warm snapshots, so a sandbox resumes from a booted image in well under a second instead of cold-booting a VM per request.
Per-sandbox and per-host CPU, memory, disk, and network — live in the operator dashboard, so you can watch utilization across your fleet.
Spawn and inspect sandboxes, open a shell, browse files, watch live activity and metrics, and keep an eye on your hosts.
Coding agents, research agents, deep agents that need to run arbitrary code. qbox gives them true microVM isolation — and a shell, exec, and log stream so you can see what they did.
LLM products that expose a code-execution tool to end users. Stateful Python and JavaScript kernels in disposable microVMs, spawned from warm template snapshots, on hardware you control.
SWE-Bench-style evaluation harnesses. Plugin marketplaces. Anywhere you're running unreviewed code and "it's just in Docker" stopped being good enough.
Run user-supplied analysis, notebooks, and ad-hoc scripts against your data — each session in its own VM, so a runaway job or a hostile dependency can't touch the host or other tenants.
Agents that drive headless browsers, package managers, and arbitrary CLIs need a real machine to make a mess in. Give each one a disposable microVM with outbound network you can scope or cut off.
Hand every user or tenant a clean, reproducible environment booted from a warm template snapshot — isolated from each other, on your own fleet, with no shared kernel.
qbox is built for teams that can't or won't run AI workloads on someone else's cloud. Regulated industries. Data residency requirements. Air-gapped environments. Teams that want to own their compute. It runs on commodity Linux hosts you already have — no Kubernetes, no managed control plane, no data leaving your perimeter.
Self-host qbox on your own Linux hosts. Bring your own agents and workloads — nothing leaves your network.