Tallie AI
Architecture
7 min read

CubeSandbox Lands — the Other Half of Customer-Controlled AI

Two weeks ago, the open-source agent stack was missing a credible in-your-environment sandbox. With Tencent's CubeSandbox release, the gap is closed — and customer-controlled finance AI just became a much shorter procurement conversation.

Archie Norman

Tencent Cloud open-sourced CubeSandbox — a KVM-backed MicroVM sandbox built specifically for AI agents to execute code in. It is Apache 2.0, sub-60ms cold start, under 5MB of overhead per sandbox, and — the part that matters most for procurement — a drop-in replacement for the E2B SDK that until now has been the dominant closed-source option for this layer.

If you read yesterday's note on Kimi K2.6, this is the other shoe dropping. K2.6 made it credible to run a frontier-class model inside your own environment. CubeSandbox makes it credible to run the agent's code execution sandbox inside your own environment too. Same month, same architectural direction, both Apache-licensed. The customer-controlled finance-AI story just stopped having a hole in the middle.

What a sandbox does, and why it has been the awkward layer

When an AI agent does anything more interesting than answering a question — runs a Python script over a CSV, executes a query against a warehouse extract, opens a browser to scrape a CRM, automates a spreadsheet — it has to do it somewhere. That somewhere needs three properties:

  1. Isolation strong enough that the worst the agent can do is destroy its own sandbox, not the host, not other tenants, not your network.
  2. Fast enough that you can spin one up per task without the latency dominating the agent's run.
  3. Cheap enough that you can run thousands in parallel when an agent fans out into sub-tasks.

Until very recently, the three properties were a pick-two. Docker containers gave you 1 cheaply but isolation was the polite-fiction version (shared host kernel, well-documented escape patterns). Traditional VMs gave you real isolation but the boot time and memory overhead made per-task sandboxes uneconomic. E2B and a few other commercial offerings solved the trilemma — for a price, in their cloud, with your data crossing their perimeter.

For most consumer AI products that trade-off has been fine. For finance — where the agent is reading the trial balance, the bank file, or the customer contract — sending all of that through a third-party sandbox provider has been the same procurement blocker as sending prompts to a closed model API. CISOs do not love it, and increasingly will not approve it.

CubeSandbox is the first credible open-source answer to that trilemma. KVM hardware-isolation per sandbox, sub-60ms cold start, sub-5MB overhead, eBPF-based network policy. And it runs wherever you can run a KVM-enabled Linux host — your VPC, your on-prem GPU box, your sovereign-cloud tenancy.

Why E2B-compatibility is the actual headline

Buried in the README is the line that matters most for procurement: drop-in E2B SDK compatibility. Swap one URL environment variable, the same agent code keeps working.

That changes the migration economics in a way that is easy to under-rate. In normal infrastructure terms, replacing a sandbox vendor is a re-platforming project — different SDK, different lifecycle hooks, different file-system model, different network semantics. Three months minimum, often six. With drop-in compatibility, it becomes a config change you can run in shadow for a week and cut over on a Tuesday.

It is the sandbox-layer analogue of what per-task model routing did for the model layer. If your agent platform was wired directly to E2B, this matters to you in the same way that K2.6 matters if your agent platform was wired directly to OpenAI.

What this completes, alongside K2.6

Stack the two releases together and the customer-controlled finance AI argument becomes concretely buildable end-to-end:

  • The model runs in your environment (open-weights frontier model — K2.6 or one of its peers).
  • The execution sandbox runs in your environment (open-source MicroVM sandbox — CubeSandbox).
  • The control plane runs in your environment (your orchestrator, your audit log, your skills definitions).
  • The data never leaves your environment in the first place (warehouse, ledger, ops systems read in place).

A month ago, that bullet list required at least one closed-source vendor in the data path. Today it does not. That is a material change in what "customer-controlled AI" means as a procurement statement, not just as a pitch deck slide.

Which is exactly the architecture we built Tallie around — the precise reason a finance estate should not be locked to a single model, a single sandbox, or a single deployment posture. The market keeps producing events that vindicate that bet. K2.6 was one. CubeSandbox is the next. There will be more.

The honest caveats

This is news commentary, not a sales pitch. The caveats matter.

  • KVM-only, x86_64-only. CubeSandbox needs a KVM-enabled x86_64 Linux host. No ARM (yet), no macOS dev environments without WSL, no shared-tenancy environments where you cannot get to the hypervisor. For a lot of enterprise infrastructure that is fine. For some it is a real constraint.
  • "Drop-in E2B compatibility" is rarely 100%. It is usually 95%, with the last 5% being whatever your agent depends on at the edges. Plan a real shadow-test window before any cutover. Drop-in is a starting point, not a finish line.
  • Operational maturity. A KVM/MicroVM/eBPF stack is more moving parts than a Docker container. The team operating this needs to be comfortable with kernel-level Linux, virtualisation, and network namespaces. "Set and forget" it is not.
  • Vendor-trust questions. Tencent Cloud is a Chinese cloud provider, and a procurement team in some sectors will have the same conversation about CubeSandbox they had about Kimi K2.6. Apache 2.0 source code is materially easier to evaluate than open weights — it is auditable line-by-line — but the conversation still happens. Have an answer ready.
  • Production-at-scale claims. Tencent says CubeSandbox is "validated at scale in Tencent Cloud production." That is their claim. Until the open-source community has run it in anger for a few months, treat the published cold-start and density numbers as the floor of what to validate, not the ceiling.

None of those kill the thesis. They are the work that makes adopting open-source agent infrastructure a serious engineering exercise — which is precisely what it should be.

What we'd do this month

If you are running a Tallie deployment, two practical moves:

  1. Stand up CubeSandbox in a non-production environment alongside whatever sandbox layer your agent currently uses. Run a representative workload in shadow for a week. Compare cold-start latency, density per node, sandbox isolation behaviour under load, and total cost per agent-hour. Vendor benchmarks do not capture the things that bite you in production.
  2. For any workload currently blocked on "we cannot send agent code execution to a third-party sandbox provider," this is the layer to evaluate now. Combined with an open-weights model running on the same hardware, you have a route to keeping the entire agent stack inside your perimeter.

If you are not running a Tallie deployment, the procurement question to put to your AI vendor is the same shape as last month's: can your platform run on this sandbox, in our environment, with this model, this week? If the answer requires a roadmap conversation, the answer is no.

The pattern, again

K2.6 last week. CubeSandbox this week. The model layer and the execution layer of the open-source agent stack each took a serious step forward, in the same month, both fully self-hostable, both with Apache-class licenses on the parts that matter for procurement.

The teams whose architecture treats both "which model" and "which sandbox" as routing decisions will absorb both releases over a long lunch. The teams whose stack was wired into a single closed model and a single closed sandbox have a longer week ahead of them.

That is the bet. The market keeps making the case for us.

Frequently asked

What is CubeSandbox?
An open-source (Apache 2.0) MicroVM sandbox built by Tencent Cloud for AI agents to execute code in. It uses KVM hardware isolation per sandbox, achieves sub-60ms cold start with under 5MB overhead, and is API-compatible with the E2B SDK so existing agent code can switch to it without a rewrite.
Why does an agent need a sandbox at all?
Whenever an agent runs code — a Python script over a CSV, a SQL query against a warehouse extract, a browser session against a CRM — that code has to execute somewhere isolated enough that a bad output can't damage the host, the network, or other tenants. Containers give cheap-but-weak isolation; full VMs give strong isolation but are too slow to spin up per task. MicroVMs are the trilemma fix.
How does this affect on-prem or VPC AI deployments?
Until CubeSandbox shipped, the agent code-execution layer was the awkward gap in customer-controlled AI: even teams running their own model still sent agent payloads through a third-party sandbox provider. With an open-source MicroVM that runs on any KVM-enabled Linux host, the entire stack — model, agent runtime, sandbox — can now live inside the customer's perimeter.
#cubesandbox#agent-sandbox#microvm#kernel-isolation#customer-controlled#open-source#finance-ai
Keep reading
Architecture

Kimi K2.6 Lands — and Why Open-Weights Frontier Models Change the Finance AI Calculus

Read article
Architecture

Letting an LLM Write SQL Against Your Warehouse — Safely

Read article
Talk to us

Your data. Your model. Your infrastructure.

Bring AI productivity to your finance, operations, and sales teams without handing over your data estate, your deployment posture, your model strategy, or the cost of your stack. Your processes encoded as skills, authored with you by our engineers — on-prem or VPC, LLM-agnostic, governed by default.

Join waitlistGet in touch