Deno Sandbox: Secure MicroVMs with Secret Shielding and Egress Control

Deno Sandbox is a secure microVM environment to run untrusted or LLM-generated code with secret protection and network egress control. It materializes secrets only for approved outbound requests and blocks all other destinations, and can directly deploy to Deno Deploy with a single call. Persistence via volumes and snapshots, rapid boot times, clear specs, and usage-based pricing make it suitable for AI agents, plugins, and ephemeral CI.

Key Points

Runs untrusted or LLM-generated code safely in fast-booting microVMs with SDK-driven control and rich connectivity (SSH/HTTP/VS Code).
Secrets are protected via placeholders and an outbound proxy that only materializes credentials for approved hosts, preventing exfiltration.
Strict network egress control through host allowlists, complementing Deno runtime permissions for layered security.
One-step promotion from sandbox to production using sandbox.deploy(), avoiding separate CI rebuilds and re-authentication.
Persistent tooling via volumes and snapshots, plus clear specs (2 vCPUs, up to 4 GB RAM, <1s boot) and usage-based pricing included in Deno Deploy plans.

Sentiment

The community is cautiously positive about the technical approach, particularly the secret shielding mechanism which drew substantive security analysis from respected commenters. However, enthusiasm is tempered by pricing concerns, the lack of self-hosting options, and a notable tangent criticizing the blog post as AI-generated. The prevailing view is that the secret proxy pattern is sound and well-established (with prior art from Fly's Tokenizer, PCI-DSS tokenization services, and academic research), but Deno's specific implementation raises questions about completeness. The crowded sandbox market and premium pricing make differentiation a challenge.

In Agreement

The secret placeholder approach is a clever and practical solution for preventing credential exfiltration from sandboxed code
Network egress control with host allowlists provides meaningful defense-in-depth for AI agent sandboxing
Having both JavaScript and Python SDKs plus SSH/HTTP access makes the product accessible regardless of language preference
Sub-second boot times and the sandbox-to-deploy pipeline remove meaningful friction for developers
The lethal trifecta of untrusted input, private data, and network access is a real problem that products like this help address

Opposed

The security model has gaps: controlling which request fields receive secret substitution is the big bug class to watch out for, and echo-back attacks on approved hosts remain a threat
Pricing is dramatically higher than equivalent VM capacity from traditional cloud providers or budget hosters
The product is SaaS-only with no self-hosted option, creating vendor lock-in where open-source alternatives like E2B exist
The sandbox market is oversaturated with 30+ similar products launched in the past year, raising questions about differentiation
The blog post's apparent AI-generated writing style undermines credibility and is off-putting to the HN audience
Technical limitations around TCP connections, complex auth schemes, and the 30-minute lifetime restrict real-world utility