Sandcastles
demo
11:41 PM
Files
~/workspacedouble-click to open
Terminal
System Monitor
runningtest
CPU

5%

4 vCPUs

Memory

219 / 3943 MB

6% used

Disk

1.3G / 3.9G

34% used

Uptime

0s

since boot

Processes

84

running

PID

1077122

agent process

Container
Agent
MCP
CPU: 4cMEM: 4096MB
Vero Sandcastle · Live demo

Your agents need a sandbox.

Not your production server.

Secure microVMs. ~125 ms boot. Per-agent isolation. MCP server + REST API built into every sandbox.

drag windows, resize, double-click title to maximize
01 · What is Sandcastle

Secure microVMs
for agent workloads.

When your agents run untrusted code — web scraping, file manipulation, arbitrary tool calls — they shouldn’t share your infrastructure. Sandcastle gives every agent its own isolated, disposable VM. Boots in ~125 ms. Dies when the agent is done. Nothing persists. Nothing leaks.

Built on a hardware-accelerated KVM hypervisor. Kernel-level isolation, not container-level. Each VM gets its own Linux kernel, memory space, and network stack.

~125 ms
cold boot time
Full microVM up with kernel, rootfs, MCP server, REST API.
12 tools
MCP server in every sandbox
Files, browser, code execution, screenshots — zero configuration.
0
shared state between VMs
Each VM kernel-isolated. A rogue agent cannot reach another VM.
02 · Image hierarchy

Three images.
Pick your level.

Every Sandcastle image extends the one below it. You never pay for capabilities you don’t use. Pick the smallest image that runs your agent — boot times scale down with the stack.

base

Minimal LinuxL1

Filesystem tools. Network access. For simple computation and data processing.

  • Package managers (apt, npm, pip)
  • Network stack (curl, wget)
  • MCP Server (12 tools)
  • REST API

browserbase

extends baseL2

Everything in base, plus a full headless browser. For web agents.

  • Headless Chromium
  • Screenshot capture
  • Accessibility tree extraction
  • JavaScript execution
  • DOM navigation and interaction

dev-machine

extends browserbaseL3

Everything in browserbase, plus a full dev environment. For complex autonomous agents.

  • Full build toolchain (gcc, make, cmake)
  • Language runtimes (Node 20, Python 3.11, Go, Rust)
  • LiveKit audio capture and streaming
  • Extended filesystem (4GB)
  • Higher resource limits (4 vCPU, 4GB RAM)
03 · MCP — the interface to the sandbox

Every sandbox
speaks MCP.

Model Context Protocol is the standard interface between AI agents and tools. Every Sandcastle VM ships with a full MCP server — 12 tools, zero configuration. Connect any agent, any framework, any platform.

03a · The MCP server

12 tools. One endpoint.
Ready at boot.

When a Sandcastle VM boots, an MCP server starts on :3000 automatically. It exposes 12 tools that cover everything an agent typically needs inside a sandbox. No installation. No setup. No tool registration. Your agent connects and starts calling tools in seconds.

web_search

Search the web and return structured results

screenshot

Capture a screenshot of any URL or the current page

extract_text

Extract readable text from a web page

file_read

Read a file from the VM filesystem

file_write

Write or create a file on the VM filesystem

file_list

List directory contents

code_exec

Execute code (Node, Python, bash) in the sandbox

browser_navigate

Navigate the headless browser to a URL

browser_click

Click an element on the current page

browser_type

Type text into a form field

accessibility_tree

Get the full accessibility tree of the current page

js_execute

Execute arbitrary JavaScript in the browser context

Try it — MCP tools/list
# request
curl -X POST http://localhost:3000/mcp \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "tools/list",
    "id": 1
  }'

MCP is a real, standard protocol — not a proprietary API. Anything that speaks JSON-RPC 2.0 over HTTP or SSE can call it.

03b · Connect from anywhere

Works with your stack.
Not instead of it.

MCP is an open protocol. Sandcastle doesn’t care what’s on the other end — a Vero agent, a CrewAI crew, a LangGraph workflow, Claude Desktop, Cursor, or a bash script. If it speaks MCP, it gets tools.

// claude_desktop_config.json or .claude/settings.json
{
  "mcpServers": {
    "sandcastle": {
      "url": "http://sandcastle-vm:3000/mcp",
      "transport": "sse"
    }
  }
}

# Or via CLI
claude --mcp-server http://sandcastle-vm:3000/mcp

Same VM. Same tools. Same isolation. The only thing that changes is what’s connecting to it.

03c · MCP + Vero Agents

Zero-config
when you use the runtime.

If you’re running agents on the Vero runtime, you don’t configure MCP at all. When an agent’s workspace specifies execution: sandcastle, the runtime handles the full sandbox lifecycle behind the scenes.

agent workspace config — that’s it
name: researcher
model: claude-sonnet-4-20250514
execution: sandcastle
image: dev-machine
tools:
  - web_search
  - screenshot
  - extract_text
  - file_ops
  - code_exec
Lifecycle
  1. 1
    Agent run triggers
  2. 2
    Runtime boots VM
  3. 3
    MCP server starts
  4. 4
    Tool calls route through sandbox
  5. 5
    Results return to agent
  6. 6
    VM terminates

The agent’s code doesn’t change. It calls web_search or screenshot the same way it always does.

03d · REST API alongside MCP

MCP for agents.
REST for everything else.

The MCP server handles tool calls from agents. But sometimes you need to interact with the sandbox from outside an agent loop — a CI pipeline, a monitoring script, a dashboard. That’s what the REST API on :8080 is for.

sandcastle-vm:8080
# Health check
curl http://sandcastle-vm:8080/health
# → {"status":"ok","uptime":"4m 32s","agent":"research-agent-01"}

# List running processes
curl http://sandcastle-vm:8080/processes
# → {"count":84,"top":[{"pid":12,"cmd":"mcp-server"},{"pid":18,"cmd":"api-server"},...]}

# Trigger a tool call via REST (alternative to MCP)
curl -X POST http://sandcastle-vm:8080/tools/web_search \
  -d '{"query":"latest AI research papers"}'

# Get agent status
curl http://sandcastle-vm:8080/agent/status
# → {"agent_id":"research-agent-01","status":"running","tools_called":7,"uptime":"4m"}

# Stream events (SSE)
curl -N http://sandcastle-vm:8080/events
# → data: {"type":"tool_call","tool":"web_search","timestamp":"..."}
# → data: {"type":"tool_result","tool":"web_search","status":"ok","timestamp":"..."}
MCP is the primary interface for agent-to-sandbox communication. REST is for orchestration, monitoring, and non-agent integrations. Both run in every sandbox by default.
04 · What else ships with every sandbox

Not just MCP.

Beyond the MCP server and REST API, every Sandcastle VM ships with capabilities that cover the common agent workloads.

MMDS Secret Injection

API keys, tokens, credentials — injected at boot via the hypervisor metadata service. Never written to disk. Never in environment variables. Vanishes when the VM dies.

all images

Headless Chromium

Full browser automation without installing anything. Navigate, click, type, screenshot, extract text, run JavaScript, read the accessibility tree. Drives the MCP browser tools under the hood.

browserbase · dev-machine

LiveKit Audio Streaming

Capture and stream audio from within the VM. Built for voice agent workloads — real-time STT processing, call recording, audio analysis. Integrates with any LiveKit-compatible client.

dev-machine
05 · Security model

Kernel-level isolation.
Not container-level.

Containers share a kernel. If one breaks out, it can reach others. Sandcastle VMs don’t share a kernel. Each VM gets its own. A compromised agent can’t reach another agent’s memory, filesystem, or network. It can’t even see it exists.

Hardware-isolated microVM

KVM-accelerated hypervisor. Minimal attack surface. Hardware virtualization per VM.

Own kernel per VM

No shared kernel. No container escape risk.

No shared filesystem

Each VM has its own disk. Nothing mounts from the host.

MMDS secrets

Injected at boot via metadata service. Not in env vars. Not on disk. Gone when the VM dies.

Network egress controls

Per-VM network policy. Restrict what domains the agent can reach.

Auto-terminate

VMs die on idle timeout or max lifetime. No zombie processes. No leaked resources.

06 · Deployment

Run it our way.
Or yours.

Vero-hosted

default

We manage the microVM fleet. You call the API. VMs spin up on our infrastructure. Zero ops.

Self-hosted

Deploy on your own bare-metal or Proxmox infrastructure. Same Sandcastle software. Your data never leaves your network.

Hybrid

Vero-hosted for burst capacity. Self-hosted for sensitive workloads. Same API, same images, same tools.

07 · Pricing

Per-second billing.
No minimums.

Pay for what you use. VM-seconds, measured from boot to termination. No idle charges (VMs auto-terminate). No per-seat pricing. No “contact us” for the self-serve tier.

Free

$0/ month
  • 1,000 VM-seconds / month
  • base + browserbase images
  • Community support
Start free
Most popular

Pro

$X/ 1,000 VM-seconds
  • All images (base, browserbase, dev-machine)
  • Priority support
  • Custom images (coming)
Request access

Enterprise

Customvolume pricing
  • Self-hosted option
  • SLA
  • Dedicated support
  • Security review
Talk to us

* Exact Pro pricing TBD. Early access members get first look.

08 · Early access

Get a sandbox.

Sandcastle is in early access. Request access and get a free allocation of VM-seconds to try it with your agents.