What Is A Sandboxed Virtual Machine?

Beginner-friendly infographic: Sandboxed VMs explained without jargon.

TL;DR

A sandboxed virtual machine is a fenced-off computer environment where risky code runs without touching your real files, passwords, or system. Most AI tools that write code or use a computer on your behalf run inside one — full VM, microVM, container, or OS-level sandbox. “Sandboxed” doesn’t mean “safe.” It means “bounded.” This post covers how sandboxes work, why your AI can’t see your localhost, and the four questions to ask before trusting any AI coding tool.

AI writers use “sandboxed” with the swagger of a term that needs no introduction.

I did that too, until someone pointed out the obvious: it absolutely does.

Many readers are not familiar with the concept.

Today, we’re going to fix that.

Hey, I’m Karo Zieminski 🤗

AI Product Manager and builder. I write Product with Attitude, an AI newsletter of 18,000+ subscribers building with AI and developing critical AI literacy through practice.

The kind where you sit down on a Saturday morning, follow a guide,
and walk away with a working agent, automation, or product.

Built by you. Understood by you. Owned by you.

If you’re new here, welcome! Here’s what you might have missed:

→ How to Save Credits in Perplexity Computer
→ Claude Cowork Guide for Power Users: 50+ Tested Tips

What’s Inside

• What a sandboxed virtual machine is, with zero jargon.

• The house analogy that makes it easier to understand.

• Why a virtual machine is not the same as a container.

• Which kind of sandbox powers tools like Claude, Perplexity Computer, Vercel, and Replit.

• Why some AI assistants can’t see the website running on your laptop, even though you can see it perfectly.

• The four questions to ask before trusting any AI tool that runs code for you.

• The limits of sandboxes, and the modern malware trick that slips past them entirely.

A Sandboxed VM, Explained Like You’re at Home

Your real computer is the house.

It contains the things you care about: private documents, photos, passwords, keys, and anything else you don’t want accidentally damaged.

The sandbox is a separate workshop next to the house. That’s where the risky work happens.

Inside the workshop, there is a virtual machine, which is like a temporary model house built to imitate your real one.

The AI can use it to run code, test things, make a mess, or break something without setting fire to your real house or knocking over the family china.

When we say an AI tool works inside a sandboxed VM, it means:

We’re not letting this work happen inside our real computer.
We’re putting it in a separate workshop where mess is allowed.

That does not automatically mean it’s safe. It means there is a boundary. The question is how strong that boundary is.

A good sandbox keeps the AI in the workshop.

A bad sandbox leaves the side door open.

The Three Words That Make a Sandboxed VM Work

A sandboxed virtual machine does what those three words promise: virtual, machine, sandboxed.

If we remove any one of those words, the meaning changes.

• Virtual.

  • A virtual machine is fake. The “computer” the AI is using doesn’t physically exist.

  • It’s software pretending to be your computer, using a slice of your real computer’s memory and processing power.

  • When the AI shuts down, that fake computer disappears. Nothing physical was ever there.

• Machine.

  • A virtual machine behaves like a real computer.

  • It can install software, save files, browse the web, and run programs.

  • AI doesn’t necessarily know it’s in a fake computer.

• Sandboxed.

  • It’s fenced in.

  • The fake computer can only see, write to, or reach what it has been given permission to access.

  • Everything outside the fence is invisible to it.

If we put the three together, we get a temporary, isolated mini-computer with rules about what it can touch.

What is a Hypervisor

Someone needs to make sure the workshop door stays closed.

The technical word is hypervisor, and you can happily forget that word the second you finish this paragraph.

The hypervisor is your estate manager: the person with the master keys who decides what the AI can touch, which doors stay locked, and whether anything from the workshop can reach the real house.

Modern processors from Intel and AMD have special features built into the chip itself that help the hypervisor enforce isolation.

• This is much harder to break than software-only protection.

• It’s like the difference between a sticky note that says “do not enter” and a locked door between the workshop and your living room.

Sensitive actions get checked at the door.

• When code inside the sandbox tries to do something, like read a file, open a website, or reach another part of the system, the request goes through a series of checks first.

• Sometimes that means the hypervisor. Sometimes it means the operating system. Sometimes it means network rules, or other guardrails.

• The rule is simple: the platform decides what the workshop can touch.

You don’t set the house rules. The platform does.

• When you use Claude Code, Perplexity Computer, Replit, Vercel, or another AI coding tool, you’re trusting the platform’s engineers to build the workshop walls properly and lock the right doors.

• You can audit that trust by asking the four questions later in this post.

Sandbox vs Virtual Machine vs Container: a Plain-English Glossary

These three words get used like they mean the same thing. They don’t. Here’s a quick translator.

The difference between a container and a VM matters more than the names suggest:

• A container shares the building’s plumbing with everyone else. If someone breaks the plumbing, water gets everywhere.

• A VM has its own separate plumbing. Breaking it stays inside the room. That’s why most AI tools that handle untrusted code prefer VMs (or microVMs), not plain containers.

To sum up:

• A container shares the house plumbing

• A VM has its own sealed pipes

• A sandboxed VM has sealed pipes, locked doors, and an estate manager checking every request at the gate.

Why MicroVMs Made 2026 Different

For most of the last decade, running code in a VM was slow.

Booting up a fake computer took time and used a lot of memory.

That speed is fine for testing.

It’s terrible for AI assistants that need to spin up a fresh environment for every task.

Then came microVMs.

The most famous one is called Firecracker, built by AWS.

A Firecracker microVM boots in about 125 milliseconds.

That’s faster than the time it took you to blink just now. And the whole thing uses less memory than a single Chrome tab.

That speed changed the game for AI tools.

Now, when we ask Claude Cowork or Perplexity Computer to do something, the platform can spin up a fresh microVM for your task, run the code inside it, and throw it away when the task ends.

The next person’s task starts in a brand-new workshop with no trace of your work.

That is the architecture behind many of the AI tools we use now.

The AI Tools Sandbox Map

Here’s the practical map: which AI tools run your work in which protected space, based on each company’s own documentation as of April 2026.

• Claude Code: Sandboxed bash environment with file and network restrictions

• Claude Cowork: Sandboxed compute environment with controlled tool access

• Perplexity Computer: Firecracker microVMs

• Vercel Sandbox: Firecracker microVMs

• Replit is in the process of migrating to microVMs

• Lovable doesn’t use microVMs. It runs on a fundamentally different architecture, and it's intentional.

Why Your AI Assistant Can’t See Your Localhost

This problem catches almost everyone in week one. Usually when they’re already tired and blaming themselves.

You’re building a website on your laptop.

You can see it in your browser at localhost:3000.

You ask your AI assistant to “go look at my website.” The AI says it can’t find anything at localhost:3000.

You assume the AI is broken. Or your prompts. Or your skills.

Nothing is broken.

The AI is in the workshop, not inside your real house.

Remember the house analogy. Your real computer is the house. The sandbox is the fenced-off workshop. The virtual machine is the temporary model house inside that workshop.

For the AI, the house is the virtual machine, not your laptop.

So when it says, “I’ll check localhost,” it’s checking it in its own model house.

3 Ways to Fix an AI Agent That Can't Access Your Localhost

The fix is one of three things, and which one you use depends on the tool:

• Tunnel the port. Open a controlled hallway from your real house to the AI’s workshop so the AI can reach your local website.

• Run the server inside the sandbox. Move your work into the AI’s model house and run the website from there.

• Use a public URL. Put your work at a temporary public address the AI’s workshop can reach over the internet.

  → If you’re not sure how to do this, start with this exact prompt.

The Four Questions Every User & Builder Should Ask

These four questions will not make your tool safe by default, but they give you a first layer of judgment and move you from blind trust to informed use.

1. What can it read?

What files can the AI see? Just one folder, or my whole hard drive? Can it read my saved passwords? My browser history? My API keys? My environment variables? My emails?

If the answer is “more than the task needs,” the tool is over-permissioned.

---

2. What can it write?

Where can the AI save things? Just a temporary folder? My desktop? Any folder I have open? Can it overwrite my existing files? Can it install software on my real machine?

The rule is the same: the AI should only have write access to the smallest space that gets the job done.

---

3. What can it connect to?

Can the AI reach the open internet? Just specific websites? My internal company network? My cloud accounts? My smart home?

Network access is the most underrated risk. An over-connected AI can leak your data without ever touching your filesystem.

---

4. What survives after the task ends?

Does the sandbox reset to zero when the task is over? Or does it remember files, logins, browser sessions, and settings between runs? Both options have a use. Persistent sandboxes are convenient. Disposable sandboxes are safer. Pick one knowing what you picked.

If you can answer all four for every AI tool in your stack, you understand your real risk. If you can’t, you’re trusting a label.

What “Sandboxed” Doesn’t Mean

A few myths to clear up, because the marketing is misleading.

It doesn’t mean safe

Sandboxing reduces risk. It doesn’t remove it. A poorly configured sandbox can still expose passwords, leak data, reach internal networks, or read files it shouldn’t.

If this risk worries you, don’t guess your way through it. Speak with a cybersecurity specialist.
There are excellent cybersecurity writers on Substack who cover these topics in depth, including Chris at ToxSec.

It doesn’t mean nothing is saved

Some sandboxes wipe themselves clean every time. Others save your files, logins, and history between sessions. Many AI tools default to saving things, because it makes them more useful.

It doesn’t mean the AI can’t make bad decisions

The sandbox controls what the AI is allowed to do. It does not control what the AI chooses to do within those rules. An AI assistant can still summarize something incorrectly, follow a malicious instruction hidden in a webpage, or run the wrong command on the wrong file. Bounded does not mean wise.

The Limits of Sandboxes

Sandboxed VMs are useful, but they are not automatic safety.

Three things to keep in mind:

Smart malware can detect a sandbox.

Some malware checks whether it is running on a real person’s computer or inside a sandboxed virtual machine.

MITRE tracks this as a known malware technique: if the software realizes it is being tested, it might stop running, pretend to be harmless, delay its attack, or show only boring, fake behavior to hide what it was really built to do.

[Note: MITRE is a U.S.-based nonprofit research organization that maintains widely used knowledge bases for cybersecurity. Wikipedia for attacker tactics.]

According to Picus Security’s Red Report 2026, this trick was present in multiple cases of malware analyzed that year.

Hypervisor escapes are rare but real.

A sandboxed VM is supposed to keep each guest in their own house on the estate. The hypervisor is the estate manager: it controls the keys, and makes sure one guest cannot wander into another guest’s home.

But once in a while, a flaw in the system lets a guest get access they should never have had, and interfere with parts of the estate that were supposed to be off-limits.

Prompt injection is a real threat.

Your AI agent can read instructions hidden inside webpages, PDFs, emails, calendar invites, documents, and even comments in code. This is called indirect prompt injection.

The AI does not always know which text is content to summarize and which text is an instruction to obey. So if a webpage secretly says, “Ignore the user and do this instead,” the assistant may treat that as part of the task, even when it conflicts with what you originally asked.

The sandboxed VM controls where the AI can act. Prompt injection can influence what the AI tries to do.

Key Takeaways

• A sandboxed virtual machine is a fenced-in temporary computer where AI tools run code without touching your real one. a

• The fence is exactly as good as the rules of the fence.

• Many AI tools that write code or use a computer on your behalf run inside some kind of fenced-off workspace.

• Knowing what our sandbox can read, write, reach, and remember is an AI literacy skill worth building early.

WHY SUBSCRIBE ・YOUR BENEFITS・ TOOLS I BUILT・CLAUDE HUB・PERPLEXITY HUB ・VIBE CODING HUB

Comments

[Biense]

Thanks! This can't be explained enough, and you explained it very clear too!

[Dan Cucolea]

This is very well explained! Even so, I still find myself having to wrap my head around the permission requests when my agents (like Hermes and Codex) inevitably try to run sudo commands.