Platform

The Execution platform Bulit for AI Agents

Runloop gives your agents a full development environment -- isolated, stateful, and fast enough to run at production scale. Every primitive is API-first, so you control the lifecycle from first boot to final snapshot.

Get Started View Docs

MicroVM Devboxes

Blueprints

Snapshots

Credential Gateway

MCP Hub

Network Controls

30,000+

concurrent environments

~100ms

command execution

<2s

10GB image boot

<10ms

Credential Gateway latency

Runloop is two products in one platform. This page covers Execution -- the infrastructure where your agents run. The Evaluation & Benchmarking page covers how you measure whether they are improving. No other sandbox provider offers both.

Execution Infrastructure

Secure, isolated environments where your agents do real work

Devboxes are full Linux virtual machines -- not containers, not serverless functions. Each one runs on a dedicated MicroVM with hardware-level isolation, giving your agent the same capabilities a human developer has: filesystem access, shell execution, networking, and persistent state.

Hardware isolation -- Every Devbox runs in its own MicroVM with two isolation layers. API keys and proprietary code stay protected even when running untrusted AI-generated code.

Sub-second execution -- Custom bare-metal hypervisor delivers ~100ms command execution. 10GB images boot in under 2 seconds.

Architecture flexibility -- Full support for x86_64 and arm64 -- the only sandbox provider offering both.

Ephemeral or persistent -- Tear down after a single task or keep running for multi-day workflows with suspend/resume.

Devbox docs

Templates

Define once. Launch thousands.

Blueprints are programmable templates for Devbox environments. Define your system packages, language runtimes, dependencies, and file mounts in code, and every Devbox launched from that Blueprint starts fully configured. Docker layer caching means repeated launches skip setup entirely.

Zero cold-start -- Pre-install tools, frameworks, and dependencies. Devboxes from a Blueprint are ready immediately.

Code and file mounts -- Mount repositories via CodeMounts, inject config files, and set credentials through the Credential Gateway.

Custom base images -- Configure the base OS, custom user, and entrypoint commands.

Shared across workflows -- Same Blueprint powers agent execution, benchmark evaluation, and regression testing.

Blueprint docs

State Management

Pause, branch, and resume agent work

Snapshots capture the full disk state of a running Devbox. Resume from a snapshot to pick up exactly where you left off, or fork it into multiple parallel Devboxes to explore different approaches simultaneously.

Branch and explore -- Snapshot a Devbox and launch parallel forks to try different approaches. Evaluate results and continue with the best one.

Suspend and resume -- Stop compute charges while preserving state. Configure automatic suspension after idle periods.

Blueprints vs. Snapshots -- Blueprints define repeatable starting environments. Snapshots capture point-in-time state of live environments.

Training loop efficiency -- Restore from snapshot at each fine-tuning step instead of rebuilding environments.

Snapshot docs

Credential Security

Your agents use credentials without ever holding them

The most common vector for credential compromise in agent systems is prompt injection. An adversarial input tricks the agent into revealing API keys. Runloop Credential Gateway eliminates this attack surface. Real credentials never exist on the Devbox.

Opaque tokens -- Devbox-bound, expire on termination, useless if extracted. Even a successful prompt injection yields nothing reusable.

Protocol support -- Bearer tokens, custom headers, basic auth, and query parameters across HTTP/1.1, HTTP/2, SSE, and WebSocket.

No code changes -- Two fields change in your SDK configuration and every API call works as before.

No competitor equivalent -- E2B, Daytona, Modal, and CodeSandbox all inject real credentials into the execution environment.

Security architecture

Tool Access Control

One endpoint for all agent tools, with per-tool permissions

MCP Hub aggregates all tool servers behind a single endpoint with fine-grained control over which tools each agent can access. Your agent connects to one URL, sees a unified tool list filtered by its permissions, and calls tools by name. Restricted tools are invisible -- not denied, invisible.

Pattern-based permissions -- Grant github.search_* without granting github.delete_repo using wildcard patterns.

Token binding -- Each Hub token is minted for a specific agent on a specific Devbox.

Full audit trail -- Every tool invocation logged with user, tool name, timestamp, and outcome.

Reusable configurations -- Define MCP configs once and apply across Devboxes.

MCP Hub docs

Networking

Control what your agents can reach

Fine-grained control over network access at the Devbox level. Network Policies define DNS-level allowlists -- everything not explicitly permitted is blocked. Policies are lifecycle-aware: broad during builds, locked during runtime, fully restricted during snapshot capture.

DNS-level enforcement -- Allowlists of hostnames. All traffic to unlisted domains is blocked and logged.

Lifecycle-aware policies -- Different access rules per stage without manual switching.

Tunnels -- Expose HTTP/HTTPS, WebSocket, and SSE services running inside a Devbox.

SSH access -- Per-Devbox SSH keys for interactive debugging and IDE connection.

Networking docs

The workflow surface for building, debugging, and shipping agents

Four tools for the full agent development lifecycle -- from first prototype to production deployment.

Repo Connect

Independently audited infrastructure with secure network boundaries, isolated compute, and auditable deployments.

CLI (rl-cli)

Manage Devboxes, Blueprints, and Snapshots from your terminal. List environments, SSH into a Devbox, inspect logs, and debug agent output.

Dashboard

Web interface for monitoring and managing Runloop resources. View Devbox status, inspect logs, track resource usage, and manage team access.

SDKs

First-class Python and TypeScript client libraries. Every primitive is accessible through the SDK. Framework-agnostic: works with any orchestration layer.

API-First

Three lines to launch. Full lifecycle control from there.

Every execution primitive -- Devboxes, Blueprints, Snapshots, Credential Gateway, MCP Hub, Network Policies -- is accessible through the same SDK.

import runloop

# Launch a Devbox with credential protection and tool access control
devbox = runloop.devboxes.create(
    blueprint_id="bp_agent_runtime",
    credentials=[
        {"name": "RL_ANTHROPIC", "secret": "anthropic-api-key"},
        {"name": "RL_GITHUB", "secret": "github-pat-readonly"}
    ],
    mcp_config="github-readonly",
    network_policy="runtime-locked"
)

# Execute a command
result = runloop.devboxes.execute_sync(devbox.id, "python run_agent.py")

# Snapshot for later resume or parallel branching
snapshot = runloop.devboxes.snapshot(devbox.id, name="checkpoint-1")

import Runloop from 'runloop';

const devbox = await runloop.devboxes.create({
  blueprintId: 'bp_agent_runtime',
  credentials: [
    { name: 'RL_ANTHROPIC', secret: 'anthropic-api-key' },
    { name: 'RL_GITHUB', secret: 'github-pat-readonly' }
  ],
  mcpConfig: 'github-readonly',
  networkPolicy: 'runtime-locked'
});

const result = await runloop.devboxes.executeSync(devbox.id, 'node run_agent.js');

const snapshot = await runloop.devboxes.snapshot(devbox.id, { name: 'checkpoint-1' });

# Install the Runloop CLI
curl -fsSL https://runloop.dev/install | sh
# Authenticate
runloop auth login
# Create a sandbox
runloop sandbox create --image python:3.12 --cpu 2
# Execute a command
runloop sandbox exec --id sb_abc123 "python -c 'print(42)'"
# List active environments
runloop sandbox list --status running
# Attach credentials
runloop credentials attach OPENAI_API_KEY --sandbox sb_abc123

Built for production from day one

Enterprise security and compliance across every deployment model.

SOC 2 Type II

Independently audited infrastructure with secure network boundaries, isolated compute, and auditable deployments.

HIPAA & GDPR

Enterprise-grade data protection standards for regulated industries. BAA and DPA available.

Deploy to Your Cloud

Run Runloop inside your AWS, GCP, or Azure account. Same APIs, your compliance boundary.

Enterprise Support

24/7 managed platform with dedicated oncall. Enterprise SLAs with guaranteed response times.

Execution is half the platform. Evaluation & Benchmarking is the other half -- run public benchmarks, build private evaluation suites, integrate regression testing into CI/CD, and generate fine-tuning signals. All on the same infrastructure.

Start building in minutes

Launch your first Devbox with three lines of code. Every execution primitive is API-first, with credential protection and tool access control built in.