Security Infrastructure

When AI agents run untrusted code, access APIs with real credentials, and invoke tools autonomously, security cannot be an afterthought. Runloop provides defense-in-depth at the infrastructure layer: credential protection against prompt injection, tool-level access control, hardware-isolated compute, and full audit trails for every action your agents take.

Credential Gateway
Tool-Level Access Control
MicroVM Isolation
Network Controls
SOC 2 Type II
BYOC

<10ms Credential Gateway latency
<20ms MCP Hub routing
2 layers of isolation (MicroVM + container)
0 credentials exposed on Devbox

Your agents use credentials without ever holding them

Credential theft through prompt injection is already happening in production. Prompt-injected PR comments have caused GitHub Copilot to exfiltrate AWS keys from private repositories via encoded image requests. Link Trap attacks coerce models into packaging credentials into attacker-controlled URLs. In every case, the root cause is the same: real credentials exist in the agent's environment, and a single successful prompt injection extracts them.

Runloop Credential Gateway eliminates this attack surface entirely. Real credentials never exist on the Devbox. The gateway issues an opaque token that is bound to a specific Devbox, expires when that Devbox terminates, and only works through Runloop's proxy infrastructure. The agent uses the token exactly like a normal API key -- two fields change (base URL and key source) and every SDK call works as before. The gateway injects the real credential server-side and proxies to the upstream API with typically less than 10ms of added latency.

No other agent infrastructure provider offers an equivalent mechanism. E2B, Daytona, Modal, and CodeSandbox all inject real credentials into the execution environment, leaving them extractable through the same attack patterns documented above.
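A toy model of the token lifecycle described above, added here as an illustration and not Runloop's own code: the real provider key exists only inside the gateway object, the token handed to the agent is random and bound to one Devbox, and it stops working when that Devbox terminates. It assumes the gateway identifies the calling Devbox out of band (passed in as a parameter here); the provider key and Devbox ids are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class CredentialGateway:
    """Real provider keys live only inside the gateway process, never on a Devbox."""
    upstream_keys: dict                                # provider -> real API key (server-side only)
    tokens: dict = field(default_factory=dict)         # opaque token -> (devbox_id, provider)
    live_devboxes: set = field(default_factory=set)

    def issue_token(self, devbox_id: str, provider: str) -> str:
        # The token is random: nothing about the real key can be derived from it.
        token = "rl_tok_" + secrets.token_hex(16)
        self.tokens[token] = (devbox_id, provider)
        self.live_devboxes.add(devbox_id)
        return token

    def terminate_devbox(self, devbox_id: str) -> None:
        # Tokens expire together with the Devbox they were minted for.
        self.live_devboxes.discard(devbox_id)
        self.tokens = {t: b for t, b in self.tokens.items() if b[0] != devbox_id}

    def proxy(self, token: str, caller_devbox_id: str, path: str) -> dict:
        """Check the token's binding, then inject the real key into the upstream call."""
        binding = self.tokens.get(token)
        if binding is None:
            return {"status": 401, "reason": "unknown or expired token"}
        devbox_id, provider = binding
        if caller_devbox_id != devbox_id or devbox_id not in self.live_devboxes:
            return {"status": 403, "reason": "token is not valid from this environment"}
        upstream = {"path": path, "authorization": "Bearer " + self.upstream_keys[provider]}
        # Only the upstream result goes back; the Authorization header stays inside the gateway.
        return {"status": 200, "upstream_path": upstream["path"]}


def scenario() -> dict:
    """Walk through issue -> use -> replay from another Devbox -> expiry on termination."""
    gw = CredentialGateway(upstream_keys={"anthropic": "sk-ant-REAL-KEY-PLACEHOLDER"})
    token = gw.issue_token("dbx_A", "anthropic")           # constructed Devbox id
    ok = gw.proxy(token, "dbx_A", "/v1/messages")["status"]
    stolen = gw.proxy(token, "dbx_B", "/v1/messages")["status"]   # token copied elsewhere
    gw.terminate_devbox("dbx_A")
    expired = gw.proxy(token, "dbx_A", "/v1/messages")["status"]
    leaks_key = "REAL-KEY" in token                          # the token carries no key material
    return {"ok": ok, "stolen": stolen, "expired": expired, "leaks_key": leaks_key}


if __name__ == "__main__":
    print(scenario())
```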


View Credential Gateway docs

One endpoint for all agent tools, with per-tool permissions

Over-privileged MCP agents have already leaked secret tokens and credentials when prompted by attacker-controlled data inputs -- documented in incidents involving Supabase MCP and Obsidian RAG integrations. Unrestricted tool access is as dangerous as unrestricted code execution. Runloop MCP Hub aggregates all tool servers behind a single endpoint and gives you fine-grained control over which tools each agent can access.

Pattern-based permissions -- Grant github.search_code without granting github.delete_repo using wildcard patterns -- restricted tools are invisible to the agent
Token binding -- Each MCP Hub token is minted for a specific agent on a specific Devbox -- extracted tokens cannot be reused from another environment
Full audit trail -- Every tool invocation logged with user, tool name, timestamp, and outcome for compliance evidence
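A small model of the three controls listed above, added as an illustration and not Runloop's MCP Hub code: wildcard grants evaluated with `fnmatch`, tokens bound to one agent on one Devbox, restricted tools filtered out of the tool list, and an audit record for every invocation attempt. The tool names, agent and Devbox ids are constructed, and the token format is a placeholder (a real hub would issue a random value).

```python
import fnmatch
import time


class McpHub:
    """Single endpoint in front of many tool servers, with per-token tool permissions."""

    def __init__(self, tools):
        self.tools = sorted(tools)   # every tool name aggregated from the upstream servers
        self.grants = {}             # token -> (agent, devbox, allow patterns)
        self.audit = []              # one record per invocation attempt

    def mint_token(self, agent, devbox, patterns):
        # Constructed token format; a real hub would issue a random value.
        token = f"mcp_{agent}_{devbox}_{len(self.grants)}"
        self.grants[token] = (agent, devbox, list(patterns))
        return token

    def _binding(self, token, devbox):
        grant = self.grants.get(token)
        # A token presented from a Devbox other than the one it was minted for is rejected.
        if grant is None or grant[1] != devbox:
            return None
        return grant

    @staticmethod
    def _allowed(patterns, tool):
        return any(fnmatch.fnmatchcase(tool, p) for p in patterns)

    def list_tools(self, token, devbox):
        """Restricted tools are filtered out, so the agent never learns they exist."""
        grant = self._binding(token, devbox)
        if grant is None:
            return []
        return [t for t in self.tools if self._allowed(grant[2], t)]

    def invoke(self, token, devbox, tool):
        grant = self._binding(token, devbox)
        if grant is None:
            outcome = "rejected: token not bound to this environment"
        elif not self._allowed(grant[2], tool):
            outcome = "denied: tool not granted"
        else:
            outcome = "ok"   # here the hub would forward the call to the upstream server
        self.audit.append({"user": grant[0] if grant else None, "tool": tool,
                           "timestamp": time.time(), "outcome": outcome})
        return outcome
```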

Network & Egress Security

1. Build-time: access to package registries and dependency sources only.
2. Runtime: restricted to approved LLM providers (e.g., api.anthropic.com).
3. Snapshot: zero network access, fully locked down.
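An added example (not Runloop's code) of how a per-stage DNS allowlist like the one above can be evaluated: hostnames are normalised before matching, each stage has its own list, and every blocked lookup is logged. It also refuses IP literals, since a name that never went through DNS cannot be vouched for by a DNS-level allowlist. The allowlist contents and Devbox id are constructed for the example.

```python
import fnmatch
import ipaddress
import time

# Constructed example policy; the hostnames are illustrative, not Runloop's actual lists.
STAGE_ALLOWLISTS = {
    "build":    ["pypi.org", "*.pythonhosted.org", "registry.npmjs.org"],  # package registries only
    "runtime":  ["api.anthropic.com"],                                     # approved LLM providers
    "snapshot": [],                                                        # fully locked down
}


class EgressPolicy:
    """DNS-level allowlist evaluated per lifecycle stage; every block is logged."""

    def __init__(self, allowlists):
        self.allowlists = {s: [h.lower() for h in hs] for s, hs in allowlists.items()}
        self.blocked_log = []

    @staticmethod
    def _is_ip_literal(name):
        try:
            ipaddress.ip_address(name.strip("[]"))
            return True
        except ValueError:
            return False

    def check(self, stage, devbox_id, hostname):
        """Return True if the Devbox may resolve/connect to hostname in this stage."""
        name = hostname.strip().lower().rstrip(".")      # normalise case and trailing dot
        patterns = self.allowlists.get(stage, [])       # unknown stage -> deny everything
        # An IP literal never went through DNS, so a DNS-level allowlist cannot vouch for it.
        allowed = (not self._is_ip_literal(name)) and any(
            fnmatch.fnmatchcase(name, p) for p in patterns)
        if not allowed:
            self.blocked_log.append({"ts": time.time(), "devbox": devbox_id,
                                     "stage": stage, "host": name})
        return allowed
```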

| Feature        | Private Link / PSC      | VPC / VNet Peering      | VPN Tunnels            |
|----------------|-------------------------|-------------------------|------------------------|
| Security Layer | Layer 7 (Application)   | Layer 3 (Network)       | Layer 3/4 (Encrypted)  |
| Exposure       | Single Service Only     | Full Network-to-Network | Site-to-Site Encrypted |
| IP Management  | Handles Overlapping IPs | Requires Unique CIDRs   | Requires Unique CIDRs  |
developer quickstart

Defense in depth across four infrastructure layers

Each layer operates independently. A failure at one layer does not compromise the others.

1. Compute Isolation

Each Devbox runs inside a dedicated MicroVM on bare-metal infrastructure with two isolation layers: hypervisor boundary and container boundary. No shared kernel, no shared state, no cross-tenant access. Ephemeral by default.

2. Network Enforcement

DNS-level allowlists block all egress traffic to unlisted domains. Lifecycle-aware policies restrict access per stage: broad during build, locked during runtime. Every blocked connection is logged.

3. Credential Protection

The Credential Gateway replaces real API keys with opaque, devbox-bound tokens. Even if an agent is compromised through prompt injection, the extracted token is useless outside the originating environment.

4. Tool Access Control

MCP Hub enforces per-tool permissions using pattern matching. Agents only see the tools they are authorized to use -- restricted tools are invisible. Every invocation is logged for compliance.

purpose-built agent evaluation

Isolated environments instrumented for evaluation

Every test runs in its own isolated sandbox with production-identical toolchains. The Credential Gateway injects API keys as opaque tokens bound to each sandbox. Benchmark Jobs orchestrate evaluation at scale.

Python

from runloop import Runloop
client = Runloop(api_key="rl_live_...")
# Create an isolated sandbox
sandbox = client.sandboxes.create(
    image="python:3.12",
    resources={"cpu": 2, "memory": "4Gi"}
)
# Execute commands
result = sandbox.exec("python -c 'print(42)'")
print(result.stdout)  # 42
# Attach credentials securely
sandbox.credentials.attach("OPENAI_API_KEY")

TypeScript

import { Runloop } from "@runloop/sdk";
const client = new Runloop({ apiKey: "rl_live_..." });
// Spin up a sandbox environment
const sandbox = await client.sandboxes.create({
  image: "node:20",
  resources: { cpu: 2, memory: "4Gi" },
});
// Run code inside the sandbox
const result = await sandbox.exec("node -e 'console.log(42)'");
console.log(result.stdout); // 42
// Securely inject credentials
await sandbox.credentials.attach("OPENAI_API_KEY");

CLI

# Install the Runloop CLI
curl -fsSL https://runloop.dev/install | sh
# Authenticate
runloop auth login
# Create a sandbox
runloop sandbox create --image python:3.12 --cpu 2
# Execute a command
runloop sandbox exec --id sb_abc123 "python -c 'print(42)'"
# List active environments
runloop sandbox list --status running
# Attach credentials
runloop credentials attach OPENAI_API_KEY --sandbox sb_abc123
layer 7

Application Protection

Credential management and protocol-level controls that keep your agents secure at the application layer.

Credential Gateway

Agents never see raw credentials. Secrets are injected at runtime via a zero-trust gateway with automatic rotation and audit logging.

MCP Hub

Centralized Model Context Protocol management with policy enforcement, rate limiting, and real-time observability across all agent sessions.

import os
import anthropic

# Before: direct API access (insecure) -- the real key sits in the agent's environment
client = anthropic.Anthropic(
    api_key="sk-ant-real-key-here"
)

# After: via Credential Gateway (secure) -- only the opaque, Devbox-bound token is present
client = anthropic.Anthropic(
    base_url="https://gateway.runloop.ai",
    api_key=os.environ["RL_ANTHROPIC"]
)

# That's it. Two-line change for complete credential protection.

Enterprise Compliance for production AI deployments

Certifications, agreements, and deployment controls for regulated environments.

SOC 2 Type II

Independently audited infrastructure with secure network boundaries, isolated compute, and auditable deployments. Request our SOC 2 report.

HIPAA-Eligible

Data protection controls and Business Associate Agreement availability for healthcare and life sciences workloads. Contact sales for a BAA.

GDPR Compliant

Data residency controls, encryption at rest and in transit, and Data Processing Agreements for EU-regulated organizations. Request a DPA.

Enterprise Support

24/7 managed platform with a dedicated on-call team. Enterprise SLAs with guaranteed response times. Architecture documentation and security questionnaire support.

*Trial Usage & Capability Limits:

Up to 3 Running Devboxes

Up to 5 Blueprints

Up to 10 Snapshots

Up to 3 Objects

FAQs

Security and Compliance questions

Common questions about Runloop's security architecture, credential protection, and compliance posture for enterprise AI agent deployments.

What compliance certifications does Runloop hold?
How do Runloop Network Controls work for egress enforcement?
Can I deploy Runloop inside my own cloud account?
How is Runloop's isolation different from container-based sandboxes?
What is MCP Hub and how does it control agent tool access?
How does the Credential Gateway protect against prompt injection attacks?

Foundational Compute Isolation

Every agent runs inside its own hardware-isolated MicroVM on bare-metal infrastructure. No shared kernels. No hypervisor attack surface.

Shared-Kernel Containers

Traditional containers share the host kernel, enabling container escape attacks and cross-tenant data leakage.

Hardware-Isolated MicroVMs

Each Devbox runs inside its own MicroVM with a hypervisor boundary and a container boundary: no shared kernel, no shared state, and no cross-tenant access.