Instant remote computers — persistent, forkable Linux VMs with their own kernel, a public IPv4, and an automatic HTTPS domain, reachable over SSH. Each machine is a real KVM virtual machine running Ubuntu 24.04 with 2 vCPU, 8 GiB RAM, and 100 GB persistent disk.

How do I get started with boxd?

Run `ssh boxd.sh new --name=my-app`. A machine boots in around 50ms, gets a public IP, DNS record, and TLS cert, and you SSH straight in. First connection links your SSH key to a GitHub OAuth account — no install, no SDK, no dashboard.

Do I need to install an SDK?

No. SSH is the API. Every command works over `ssh boxd.sh ` or the optional `boxd` CLI, with `--json` output for scripts. If your language has an SSH client, it can drive boxd.

What runs on a boxd machine?

A full, unminimized Ubuntu 24.04 with systemd, passwordless sudo, and the docker group. Preinstalled: Claude Code, Codex, Docker, Python 3 (pip/uv/pipx), Go, git, headless Chrome, ffmpeg, ImageMagick, mitmproxy, ripgrep, sqlite3, nginx. Node.js is not preinstalled — use apt or nvm.

Where are boxd machines hosted?

In the EU by default, on European hardware, with no US cloud dependency. Data stays in Europe. You can also self-host the binary in your own datacenter, your own cloud, or your own country.

Is boxd free for individuals?

Yes. €0 forever, no credit card. You get 10 machines, each 2 vCPU / 8 GiB / 100 GB, unlimited runtime, SSH, fork, and public URLs.

How does team pool pricing work?

Teams buy a shared resource pool starting at 2 vCPU / 8 GiB for €25/month/user, scaling to 16 vCPU / 64 GiB for €200/month/user. Members allocate machines from the pool; higher tiers add team management, SSO, priority support, and volume pricing.

Do I pay while my machine is paused?

No. Idle cost is €0. Machines suspend to disk when dormant and resume in sub-millisecond when traffic arrives — you pay only for active compute.

What is included in the Enterprise plan?

Self-hosted boxd as a single Rust binary you run in your own VPC, datacenter, or country. No Kubernetes, no external Postgres, no Redis. EU data residency, SSO + audit logs, annual license, dedicated support. Fits DORA / NIS2 reviews and EU sovereignty requirements.

Can I switch between team pool sizes later?

Yes. Get in touch and we'll adjust your pool — no plan migration required.

How is a boxd machine isolated?

Every machine is a KVM virtual machine with its own Linux kernel — not container namespaces, not gVisor, not a shared host kernel. A CVE on one VM's kernel doesn't breach the host or its neighbours.

Can I run untrusted agent-generated code on boxd?

Yes — that's the design. KVM gives kernel-level isolation, agents get root inside their own VM, and a compromised guest can't reach the host or other tenants. This is what makes boxd safe for arbitrary, agent-generated code.

Is data encrypted at rest and in transit?

Traffic to your machine goes over SSH or HTTPS (TLS terminated at the boxd proxy, with automatic HTTP→HTTPS redirect and HSTS). All inter-node control traffic runs over a private OVH vRack — workers have no public IP.

Does boxd offer EU data residency?

Yes. Managed boxd runs on EU hardware with no US cloud dependency, GDPR / DSGVO by default, and no exposure to US subpoenas. Self-host to pin data to your own region.

Does boxd support SSO and audit logs?

Identity is your SSH public-key fingerprint, linked to your account via GitHub OAuth on first connect. Every command lands over SSH, which gives a built-in audit trail. SAML SSO is available on Enterprise — talk to us.

Can I self-host boxd?

Yes. boxd ships as a single Rust binary you drop on any KVM-capable Linux host. No Kubernetes, no external Postgres, no Redis, no queue, no scheduler — your security review's "what external services does this touch?" answer is "none."

What does the self-host architecture look like?

Nine Rust crates compiled into one binary: control plane, worker, proxy, DNS, Raft, CLI, per-VM VMM, in-VM agent, and a single-node combined binary. Raft consensus is the only coordination layer; RocksDB holds the log, embedded SQLite holds materialized state. One process per VM, supervised by the worker.

What hardware do I need to self-host boxd?

Any KVM-capable Linux host. Each VM is fixed at 2 vCPU and 8 GiB RAM with a 100 GB copy-on-write disk, enforced per-VM via cgroups. Talk to us for cluster sizing for production deployments.

Can boxd run inside my own cloud account (BYOC)?

Yes — self-host the binary in your VPC, datacenter, or region. The open-source microVM engine underneath (Ignition) lives at github.com/lttle-cloud/ignition.

How are updates delivered to a self-hosted install?

Signed binary releases on a regular cadence. You choose when to apply each release — boxd never auto-updates a self-hosted install.

Why are persistent VMs better for AI agents?

Agents need to run for hours, not seconds, and need a stable place to come back to. Ephemeral sandboxes lose context between calls and force a setup-teardown tax on every iteration. boxd persists files, packages, processes, and agent context across sessions — the agent stops at 2am and picks up at 9am.

How does forking help an agent?

Fork is a copy-on-write clone of the entire running machine — kernel, filesystem, processes, disk — in under 100ms. Agents fork to explore multiple approaches in parallel, each with a real running stack, and keep the winner.

Can an agent control boxd without an SDK?

Yes. Every VM ships with an in-VM `boxd` CLI that auto-authenticates by source IP — no tokens to inject. Agents already speak shell, so `shell.exec` plus SSH is all they need to create, fork, exec on siblings, or open a proxy.

What happens when an agent disconnects mid-task?

The machine keeps running. Long builds, background jobs, and agent tasks continue after the SSH session drops. SSH back in (or have the agent reconnect) and the same processes are still there.

How do I sandbox an agent's tool calls?

Run the agent inside a boxd VM. KVM gives kernel-level isolation, the agent gets root inside its own machine, and you can fork a clean copy per task. The blast radius stays inside one VM.

How does boxd differ from E2B?

E2B is ephemeral Firecracker sandboxes with an SDK; boxd is persistent KVM VMs with SSH as the interface. E2B is retrofitting persistence onto a primitive built for short-lived runs; boxd was built persistent-first.

When should I pick E2B over boxd?

If you need a stateless code-execution sandbox called from a Python or JS SDK with no persistence requirements, and you're already standardized on E2B's API surface.

When should I pick boxd over E2B?

When your agent needs to run for hours, keep state between calls, fork running stacks in parallel, host an MCP server with a real URL, or run on EU-sovereign / self-hosted infrastructure. Cold boot is sub-30ms vs ~150ms; resume is sub-millisecond.

How does boxd differ from Daytona?

Daytona is container-based dev environments running on a Postgres/Redis/Harbor stack; boxd is KVM VMs shipping as a single Rust binary. Daytona has pivoted toward agent sandboxes — boxd was built for that primitive from day one with real kernel-level isolation.

When should I pick Daytona over boxd?

If you specifically want container-based dev environments and are comfortable operating Postgres, Redis, and a registry to self-host.

When should I pick boxd over Daytona?

When you want kernel-level isolation, persistent forkable state, sub-30ms boot, and a self-host install that's one binary with zero external services. Or when your agents need to run untrusted code safely.

How does boxd differ from GitHub Codespaces?

Codespaces are GitHub-hosted devcontainers that bill while idle and live inside the GitHub product surface. boxd is persistent KVM VMs with sub-30ms cold boot, idle cost €0, automatic public HTTPS URLs per machine, and no GitHub lock-in.

When should I pick Codespaces over boxd?

If your team is fully inside GitHub, your workflow lives in the browser-based VS Code Codespaces UX, and pay-while-idle pricing is acceptable.

When should I pick boxd over Codespaces?

When you want one template forked per engineer or per PR, real preview URLs (services, DB, background jobs — not just the frontend), zero idle cost, and the option to self-host in your own cloud. Or when you need KVM isolation rather than container-based devcontainers.

How does boxd differ from Modal?

Modal is a serverless Python function runtime backed by gVisor; boxd is a persistent SSH-accessible Linux machine backed by KVM. Modal runs your function and exits; boxd runs your machine and keeps it.

When should I pick Modal over boxd?

When the workload is genuinely a stateless Python function — fan out, run, return — and you want a Python SDK plus autoscaling rather than a Linux box to log into.

When should I pick boxd over Modal?

When you need a real machine: long-running agents, MCP servers with stable URLs, persistent state, fork primitives, or anything beyond a single Python function. Or when you want SSH and stronger KVM isolation instead of an SDK and gVisor.

FAQ

Frequently asked.

Frequently asked questions about boxd — pricing, security, agents, self-host, and how it compares.

General

What is boxd?: Instant remote computers — persistent, forkable Linux VMs with their own kernel, a public IPv4, and an automatic HTTPS domain, reachable over SSH. Each machine is a real KVM virtual machine running Ubuntu 24.04 with 2 vCPU, 8 GiB RAM, and 100 GB persistent disk.
How do I get started with boxd?: Run `ssh boxd.sh new --name=my-app`. A machine boots in around 50ms, gets a public IP, DNS record, and TLS cert, and you SSH straight in. First connection links your SSH key to a GitHub OAuth account — no install, no SDK, no dashboard.
Do I need to install an SDK?: No. SSH is the API. Every command works over `ssh boxd.sh <command>` or the optional `boxd` CLI, with `--json` output for scripts. If your language has an SSH client, it can drive boxd.
What runs on a boxd machine?: A full, unminimized Ubuntu 24.04 with systemd, passwordless sudo, and the docker group. Preinstalled: Claude Code, Codex, Docker, Python 3 (pip/uv/pipx), Go, git, headless Chrome, ffmpeg, ImageMagick, mitmproxy, ripgrep, sqlite3, nginx. Node.js is not preinstalled — use apt or nvm.
Where are boxd machines hosted?: In the EU by default, on European hardware, with no US cloud dependency. Data stays in Europe. You can also self-host the binary in your own datacenter, your own cloud, or your own country.

Pricing

Is boxd free for individuals?: Yes. €0 forever, no credit card. You get 10 machines, each 2 vCPU / 8 GiB / 100 GB, unlimited runtime, SSH, fork, and public URLs.
How does team pool pricing work?: Teams buy a shared resource pool starting at 2 vCPU / 8 GiB for €25/month/user, scaling to 16 vCPU / 64 GiB for €200/month/user. Members allocate machines from the pool; higher tiers add team management, SSO, priority support, and volume pricing.
Do I pay while my machine is paused?: No. Idle cost is €0. Machines suspend to disk when dormant and resume in sub-millisecond when traffic arrives — you pay only for active compute.
What is included in the Enterprise plan?: Self-hosted boxd as a single Rust binary you run in your own VPC, datacenter, or country. No Kubernetes, no external Postgres, no Redis. EU data residency, SSO + audit logs, annual license, dedicated support. Fits DORA / NIS2 reviews and EU sovereignty requirements.
Can I switch between team pool sizes later?: Yes. Get in touch and we'll adjust your pool — no plan migration required.

Security & isolation

How is a boxd machine isolated?: Every machine is a KVM virtual machine with its own Linux kernel — not container namespaces, not gVisor, not a shared host kernel. A CVE on one VM's kernel doesn't breach the host or its neighbours.
Can I run untrusted agent-generated code on boxd?: Yes — that's the design. KVM gives kernel-level isolation, agents get root inside their own VM, and a compromised guest can't reach the host or other tenants. This is what makes boxd safe for arbitrary, agent-generated code.
Is data encrypted at rest and in transit?: Traffic to your machine goes over SSH or HTTPS (TLS terminated at the boxd proxy, with automatic HTTP→HTTPS redirect and HSTS). All inter-node control traffic runs over a private OVH vRack — workers have no public IP.
Does boxd offer EU data residency?: Yes. Managed boxd runs on EU hardware with no US cloud dependency, GDPR / DSGVO by default, and no exposure to US subpoenas. Self-host to pin data to your own region.
Does boxd support SSO and audit logs?: Identity is your SSH public-key fingerprint, linked to your account via GitHub OAuth on first connect. Every command lands over SSH, which gives a built-in audit trail. SAML SSO is available on Enterprise — talk to us.

Self-host

Can I self-host boxd?: Yes. boxd ships as a single Rust binary you drop on any KVM-capable Linux host. No Kubernetes, no external Postgres, no Redis, no queue, no scheduler — your security review's "what external services does this touch?" answer is "none."
What does the self-host architecture look like?: Nine Rust crates compiled into one binary: control plane, worker, proxy, DNS, Raft, CLI, per-VM VMM, in-VM agent, and a single-node combined binary. Raft consensus is the only coordination layer; RocksDB holds the log, embedded SQLite holds materialized state. One process per VM, supervised by the worker.
What hardware do I need to self-host boxd?: Any KVM-capable Linux host. Each VM is fixed at 2 vCPU and 8 GiB RAM with a 100 GB copy-on-write disk, enforced per-VM via cgroups. Talk to us for cluster sizing for production deployments.
Can boxd run inside my own cloud account (BYOC)?: Yes — self-host the binary in your VPC, datacenter, or region. The open-source microVM engine underneath (Ignition) lives at github.com/lttle-cloud/ignition.
How are updates delivered to a self-hosted install?: Signed binary releases on a regular cadence. You choose when to apply each release — boxd never auto-updates a self-hosted install.

Agents

Why are persistent VMs better for AI agents?: Agents need to run for hours, not seconds, and need a stable place to come back to. Ephemeral sandboxes lose context between calls and force a setup-teardown tax on every iteration. boxd persists files, packages, processes, and agent context across sessions — the agent stops at 2am and picks up at 9am.
How does forking help an agent?: Fork is a copy-on-write clone of the entire running machine — kernel, filesystem, processes, disk — in under 100ms. Agents fork to explore multiple approaches in parallel, each with a real running stack, and keep the winner.
Can an agent control boxd without an SDK?: Yes. Every VM ships with an in-VM `boxd` CLI that auto-authenticates by source IP — no tokens to inject. Agents already speak shell, so `shell.exec` plus SSH is all they need to create, fork, exec on siblings, or open a proxy.
What happens when an agent disconnects mid-task?: The machine keeps running. Long builds, background jobs, and agent tasks continue after the SSH session drops. SSH back in (or have the agent reconnect) and the same processes are still there.
How do I sandbox an agent's tool calls?: Run the agent inside a boxd VM. KVM gives kernel-level isolation, the agent gets root inside its own machine, and you can fork a clean copy per task. The blast radius stays inside one VM.

boxd vs E2B

How does boxd differ from E2B?: E2B is ephemeral Firecracker sandboxes with an SDK; boxd is persistent KVM VMs with SSH as the interface. E2B is retrofitting persistence onto a primitive built for short-lived runs; boxd was built persistent-first.
When should I pick E2B over boxd?: If you need a stateless code-execution sandbox called from a Python or JS SDK with no persistence requirements, and you're already standardized on E2B's API surface.
When should I pick boxd over E2B?: When your agent needs to run for hours, keep state between calls, fork running stacks in parallel, host an MCP server with a real URL, or run on EU-sovereign / self-hosted infrastructure. Cold boot is sub-30ms vs ~150ms; resume is sub-millisecond.

boxd vs Daytona

How does boxd differ from Daytona?: Daytona is container-based dev environments running on a Postgres/Redis/Harbor stack; boxd is KVM VMs shipping as a single Rust binary. Daytona has pivoted toward agent sandboxes — boxd was built for that primitive from day one with real kernel-level isolation.
When should I pick Daytona over boxd?: If you specifically want container-based dev environments and are comfortable operating Postgres, Redis, and a registry to self-host.
When should I pick boxd over Daytona?: When you want kernel-level isolation, persistent forkable state, sub-30ms boot, and a self-host install that's one binary with zero external services. Or when your agents need to run untrusted code safely.

boxd vs GitHub Codespaces

How does boxd differ from GitHub Codespaces?: Codespaces are GitHub-hosted devcontainers that bill while idle and live inside the GitHub product surface. boxd is persistent KVM VMs with sub-30ms cold boot, idle cost €0, automatic public HTTPS URLs per machine, and no GitHub lock-in.
When should I pick Codespaces over boxd?: If your team is fully inside GitHub, your workflow lives in the browser-based VS Code Codespaces UX, and pay-while-idle pricing is acceptable.
When should I pick boxd over Codespaces?: When you want one template forked per engineer or per PR, real preview URLs (services, DB, background jobs — not just the frontend), zero idle cost, and the option to self-host in your own cloud. Or when you need KVM isolation rather than container-based devcontainers.

How does boxd differ from Modal?: Modal is a serverless Python function runtime backed by gVisor; boxd is a persistent SSH-accessible Linux machine backed by KVM. Modal runs your function and exits; boxd runs your machine and keeps it.
When should I pick Modal over boxd?: When the workload is genuinely a stateless Python function — fan out, run, return — and you want a Python SDK plus autoscaling rather than a Linux box to log into.
When should I pick boxd over Modal?: When you need a real machine: long-running agents, MCP servers with stable URLs, persistent state, fork primitives, or anything beyond a single Python function. Or when you want SSH and stronger KVM isolation instead of an SDK and gVisor.