Sandbox isolation

Each AISafe AI agent runs inside an isolated sandbox: a constrained execution environment with no access to other customers' data, no persistent storage, and controlled network egress. Even if an agent misbehaves, it cannot cause harm outside its assigned task.

How sandboxes work

AISafe spins up one or more sandboxes for the AI agents at the start of each assessment. Each sandbox:

  • Runs in an isolated environment: the agent's execution environment shares no filesystem or memory with other sandboxes or the host.
  • Has controlled network access: the sandbox reaches the targets you specify, and no others. For code audits, the sandbox has no outbound network access except to the AI model provider. For pentests, the sandbox reaches the target URLs you provide plus any additional allowed domains you configure.
  • Is ephemeral: the platform destroys the sandbox when the assessment completes (or times out). No state persists between assessments.

No data egress

AISafe's sandbox network policy prevents data exfiltration:

  • Code audits: the sandbox processes your source code. It does not upload your code to any external service except the AI model provider for reasoning.
  • Pentests: the sandbox reaches the target URLs you provide, and no others. The platform blocks any host not in your allowlist. You can add additional allowed domains if your application makes cross-origin requests.
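The allowlist rule above (for pentests, the target URLs plus any additional allowed domains; for code audits, nothing but the AI model provider) can be written as a small default-deny egress evaluator. The Python below is an added example for this page, not AISafe's own code: the model-provider hostname, the rule that an added domain also covers its subdomains, and the sample connections are all assumptions. It also shows why the check must run on the parsed hostname rather than on the raw URL string.

```python
"""Egress allowlist evaluator: an added illustration of the per-assessment
network policy described above, not AISafe's own code."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed host for the AI model provider; the page does not name the endpoint.
MODEL_PROVIDER_HOST = "api.model-provider.example"


def hostname_of(url_or_host: str) -> str:
    """Normalize a URL or bare host to a lowercase hostname with no port,
    userinfo or trailing dot: 'https://u@App.Example:8443/x' -> 'app.example'."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text  # let urlsplit treat a bare host[:port] as the netloc
    return (urlsplit(text).hostname or "").rstrip(".")


@dataclass
class EgressPolicy:
    mode: str                                           # "code_audit" or "pentest"
    targets: list = field(default_factory=list)         # pentest target URLs
    extra_domains: list = field(default_factory=list)   # additional allowed domains

    def allows(self, url: str) -> bool:
        """Default deny: a connection is allowed only if it matches the policy."""
        host = hostname_of(url)
        if not host:
            return False
        # Both modes may reach the model provider (assumed: the agent needs it to reason).
        if host == MODEL_PROVIDER_HOST:
            return True
        if self.mode == "code_audit":
            return False  # code audits: no other outbound access at all
        if self.mode != "pentest":
            raise ValueError(f"unknown assessment mode {self.mode!r}")
        # Pentests: exact match on the target hosts ...
        if host in {hostname_of(t) for t in self.targets}:
            return True
        # ... and, by assumption here, an added domain also covers its subdomains.
        for domain in (hostname_of(d) for d in self.extra_domains):
            if domain and (host == domain or host.endswith("." + domain)):
                return True
        return False


def evaluate(policy: EgressPolicy, urls) -> dict:
    """Map each attempted connection to 'allow' or 'block'."""
    return {u: ("allow" if policy.allows(u) else "block") for u in urls}


# Constructed sample: a pentest scoped to one target plus one CDN domain, and
# the connections an agent might attempt during the run.
SAMPLE_POLICY = EgressPolicy(
    mode="pentest",
    targets=["https://app.example.test"],
    extra_domains=["cdn.example.test"],
)
SAMPLE_ATTEMPTS = [
    "https://app.example.test/login",              # the target itself
    "https://APP.example.test:443/admin",          # same host, different case and port
    "https://assets.cdn.example.test/bundle.js",   # subdomain of an added domain
    "http://intranet.internal/status",             # unintended internal service
    "https://app.example.test@other.example/",     # userinfo does not fool the parser
]

if __name__ == "__main__":
    for url, decision in evaluate(SAMPLE_POLICY, SAMPLE_ATTEMPTS).items():
        print(f"{decision:5}  {url}")
```

The last sample connection is the reason the evaluator normalizes first: a naive substring check for the target name would pass a URL whose real host is `other.example`. A code-audit policy built with `EgressPolicy(mode="code_audit")` blocks every destination except the model provider.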

Token isolation

AISafe uses short-lived installation access tokens to access your source code via a GitHub or GitLab integration:

  • Short-lived: tokens expire within a fixed window and do not touch disk.
  • Single-repository scope: each token covers one repository, minimizing blast radius.
  • In-memory only: the scan holds tokens in memory for its duration, then discards them.

Even if a sandbox were compromised, the attacker would access a single repository for a limited time, with no ability to escalate to other repos or persist access.
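The three token properties above (short-lived, single-repository scope, in-memory only) together bound what a leaked token can do. The Python below is an added example for this page, not AISafe's own implementation: the 600-second lifetime, the repository names and the session object are constructed assumptions. It walks through the scenario in the paragraph above: a copy of the token that survives outside the scan can open only its own repository, and only until it expires.

```python
"""Scoped, expiring, in-memory repository token: an added illustration of
the token properties described above, not AISafe's own implementation."""
import secrets
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 600  # assumed lifetime; the page says only "a fixed window"


@dataclass
class RepoToken:
    repo: str                        # single-repository scope, e.g. "owner/name"
    expires_at: float                # absolute time in seconds
    secret: str = field(repr=False)  # excluded from repr so it cannot leak into logs


def issue_token(repo: str, now: float) -> RepoToken:
    """Mint a token bound to exactly one repository with a fixed expiry."""
    return RepoToken(repo=repo, expires_at=now + TOKEN_TTL_SECONDS,
                     secret=secrets.token_urlsafe(32))


def authorize(token, repo: str, now: float):
    """Check a token at time `now` against the repository being requested.
    Returns (allowed, reason); a discarded (None) token counts as revoked."""
    if token is None:
        return False, "token discarded"
    if now >= token.expires_at:
        return False, "expired"
    if repo != token.repo:
        return False, "out-of-scope repository"
    return True, "ok"


class ScanSession:
    """Holds the token in memory only while the scan runs, and drops it on exit."""

    def __init__(self, repo: str, now: float):
        self.token = issue_token(repo, now)

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.token = None  # discard; nothing was ever written to disk


def blast_radius(token, now: float, repos) -> list:
    """Which of `repos` a leaked copy of `token` could still open at time `now`."""
    return [r for r in repos if authorize(token, r, now)[0]]


def walkthrough() -> dict:
    """Constructed scenario: one scan of acme/web, then a copy of its token
    tried against several repositories before and after the TTL elapses."""
    repos = ["acme/web", "acme/api", "acme/infra"]
    with ScanSession("acme/web", now=0.0) as scan:
        leaked = scan.token  # a copy that outlives the session
        during = blast_radius(leaked, now=10.0, repos=repos)
    after_ttl = blast_radius(leaked, now=TOKEN_TTL_SECONDS + 1, repos=repos)
    return {
        "reachable_during_scan": during,                       # ['acme/web']
        "reachable_after_expiry": after_ttl,                   # []
        "session_token_after_scan": scan.token,                # None
        "repr_leaks_secret": leaked.secret in repr(leaked),    # False
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value!r}")
```

The single-repository scope is what limits lateral movement: a token that could enumerate or open other repositories would turn a sandbox compromise into an organization-wide exposure, whereas here `authorize` refuses every repository except the one the token was minted for, and refuses everything once the window closes.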

What this means for you

You can use AISafe to audit sensitive codebases and test production-adjacent applications, knowing that:

  • Your source code stays in an isolated environment, away from the internet
  • AI agents cannot reach unintended internal services during pentests
  • Access tokens expire within a short window and cover a narrow scope
  • No data persists after the assessment completes