Private beta · joining now

EU-native managed sandboxes for AI agents.

Spin up dedicated agent sandboxes from any MCP client, Claude Code, Cursor, or your own agent. Code execution, file I/O, snapshots. Each sandbox is its own hardware-isolated environment. Compute and data stay inside the EU - no US-Cloud-Act exposure on what your agent does.

Design partners get early access + a discount on the first three months.

agent.py
from orkestr import Sandbox

# One-shot Python execution inside a fresh sandbox.
with Sandbox.create(template="python-3.12") as sbx:
    sbx.files.write("/workspace/main.py", "print(sum(range(1_000_000)))")
    result = sbx.exec("python /workspace/main.py")
    print(result.stdout)        # 499999500000
    print(result.duration_ms)   # ~120

# Long-lived agent session: pause + resume across requests.
sbx = Sandbox.create(template="node-22", network="restricted")
snapshot_id = sbx.pause()
# ...minutes or hours later, from any worker:
sbx = Sandbox.resume(snapshot_id)

POST api.orkestr.eu/v1/sandboxes (beta)

What's actually different.

E2B, Daytona, Modal, Cloudflare Sandboxes already exist. Three things make this one worth your time.

EU compute, EU operator

Code runs on dedicated bare-metal hardware in Germany or Finland, operated by an EU company. No US parent in the data path. GDPR DPA on the same legal entity as the rest of orkestr.

Dedicated VM per sandbox

Hardware-virtualised isolation, every template, no exceptions. Each sandbox gets its own kernel and rootfs; a jailbreak inside one does not reach the host or another tenant. Cold start around 150 ms; under 30 ms from the warm pool.

Per-second pricing, no minimums

CPU-seconds and MB-seconds. No per-invocation tax, no monthly platform fee on PAYG. Snapshot storage rolls into the same line item. Pricing details are part of the beta invite.

How a sandbox call gets to EU hardware.

The shape of the call is identical to E2B and Modal, so swapping in the orkestr SDK is one import line.

sandbox
Boots in roughly 150 ms cold, under 30 ms from a warm pool. Hardware-virtualised isolation: each sandbox gets its own kernel and rootfs, dropped on terminate. No shared container runtime, no syscall surface across tenants.

Drop-in for the agent stack you already use.

Speaks the same primitives as the existing managed sandbox providers. If your agent can call a tool, it can call this.

- MCP servers: any client speaking Model Context Protocol
- Claude Code: drop-in tool for the CLI agent
- Cursor / Windsurf: custom tool definitions
- Claude Managed Agents: use as a Managed Agents sandbox provider
- OpenAI / Mistral agents: function-call shape supported
- LangChain / LlamaIndex: tool wrappers shipped in SDK

How this fits next to what already exists.

We are not trying to replace the US providers. We are the one to pick when "where the code physically runs" is on the table.

| What you'll ask about | orkestr Sandboxes | Cloudflare / Daytona / Modal / Vercel |
| --- | --- | --- |
| EU data residency, no US parent | EU bare-metal, EU operator | Cloudflare, Modal, Vercel: US-headquartered; Daytona: US/EU mixed |
| Sandbox isolation | Dedicated VM per sandbox | Container or v8 isolate, sometimes VM |
| Snapshot + resume | Native, included on all plans | Available on some, paid tier on others |
| GDPR DPA on request | Yes, same DPA as orkestr platform | Varies; cross-border transfer clauses common |
| Pricing model | Per-second CPU + RAM, no minimums | Per-second or per-invocation, varies |

Comparison reflects public docs at the time of writing and may change. We will keep this table honest as the others ship.

Join the private beta.

Tell us what you're building. We onboard a handful of teams each week and will reach out when there's a slot. Design partners get a discount on the first three months once we switch on paid usage.

No spam. We email when there's a slot, that's it. You can ask to be removed anytime.

Common questions

What is a sandbox here, exactly?
A dedicated, hardware-isolated VM with its own kernel and rootfs. You create one, run commands or upload files, optionally snapshot it, then terminate. Default lifetime is a few minutes; agents that need persistent state use the pause / resume primitive. Each sandbox is hardware-isolated, not just process- or namespace-isolated.
Why dedicated VMs instead of containers?
Containers share the host kernel. That is fine for trusted workloads, less fine when an LLM is generating shell commands you have not seen yet. We give each sandbox its own kernel via hardware virtualisation, so a kernel-level escape from one sandbox does not reach another tenant. The cold-start cost is roughly 100-200 ms instead of single-digit ms, which is acceptable when an agent step itself is seconds.
Where does the code run?
EU only. Falkenstein (Germany) and Helsinki (Finland), on bare-metal dedicated machines we operate. No edge POPs in non-EU regions. The orkestr legal entity is in the EU, so there is no US-Cloud-Act exposure on snapshots, env vars, or runtime data.
What about networking, egress, secrets?
Three modes per sandbox: off (no outbound, default), restricted (allowlist for package registries and common APIs), open (full egress, paid tier with verified billing). Secrets are passed at create time as env vars and live only in the VM memory. Snapshots include memory by design, so for hard secrets prefer fetching them at exec time from your own KMS.
How does this compare to E2B, Daytona, Modal, Cloudflare Sandboxes?
Same shape of API and same primitives. The differences: we are EU-operated end to end, with no US parent. We give every sandbox its own dedicated VM rather than picking between containers, isolates, and VMs per template. And we are priced for steady, small workloads (per-second metering, no per-invocation premium) rather than burst at scale.
When does this launch and what does the waitlist get me?
We are running a private beta now with a small group of design partners. Joining the waitlist gets you early access before general availability, a discount on the first three months of paid usage, and a direct line to the team for SDK feedback. We follow up by email when your slot opens.
Is this affiliated with Anthropic?
No. orkestr is an independent EU company. Claude, Claude Code, and Claude Managed Agents are trademarks of Anthropic, PBC. We mention them as compatible clients, not as a partnership.
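
The secrets answer above (snapshots include memory, so hard secrets should be fetched at exec time) can be enforced on the client before a sandbox is created. This is an added example, not orkestr SDK code: split_create_env, the name and value heuristics, and the sample environment are constructed for illustration.

```python
import math
import re
from collections import Counter

# Credential-looking variable names; segment-anchored so MAX_TOKENS is not flagged.
SECRET_NAME = re.compile(
    r"(?:^|_)(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY|CREDENTIALS?)(?:_|$)",
    re.I,
)
# Value shapes of common credentials: PEM private keys, AWS access key IDs, JWTs.
SECRET_VALUE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----|\bAKIA[0-9A-Z]{16}\b|\beyJ[\w-]+\.[\w-]+\.[\w-]+"
)

def shannon_entropy(value: str) -> float:
    """Bits per character; long random tokens score high."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def looks_secret(name: str, value: str) -> bool:
    if SECRET_NAME.search(name) or SECRET_VALUE.search(value):
        return True
    # Fallback heuristic: long, unbroken, high-entropy strings are probably tokens.
    return len(value) >= 32 and " " not in value and shannon_entropy(value) >= 4.0

def split_create_env(env: dict[str, str], will_pause: bool):
    """Return (env safe to pass at create time, names to fetch at exec time).

    Only sessions that will be paused are filtered, because the pause
    snapshot captures VM memory, including create-time env vars.
    """
    if not will_pause:
        return dict(env), []
    safe = {k: v for k, v in env.items() if not looks_secret(k, v)}
    return safe, sorted(k for k in env if k not in safe)

# Constructed sample environment (no real credentials).
SAMPLE_ENV = {
    "NODE_ENV": "production",
    "MAX_TOKENS": "4096",
    "REGISTRY_URL": "https://registry.npmjs.org",
    "GITHUB_TOKEN": "ghp_constructed_placeholder",
    "UPLOAD_ID": "AKIAIOSFODNN7EXAMPLE",  # AWS documentation example key ID
    "SESSION_BLOB": "Zx9Qw3Er7Ty1Ui5Op2As6Df0Gh4Jk8LzXcVbNmMn",
}

if __name__ == "__main__":
    print(split_create_env(SAMPLE_ENV, will_pause=True))
```

Pass only the first return value at create time; the deferred names are the ones to resolve from your own KMS at exec time.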

Ready to put your agent inside an EU sandbox?

Join the waitlist. We'll be in touch with onboarding details as slots open.