InstaVM

What is InstaVM?

InstaVM is a production sandbox platform for AI agents. It provides isolated cloud virtual machines with runtime, storage, networking, secrets, and policy controls so agents can execute code and automate tasks in a controlled environment.

The product is designed for workflows where agents need more than a simple container or notebook: each run can use its own Linux environment, persistent state, egress rules, snapshots, and observability. It also supports browser and desktop automation, public URL deployment, and long-running or stateful agent workflows.

Key Features

• Hardware-isolated VMs: Each sandbox runs with its own kernel, filesystem, and network stack, which is intended for untrusted code and agent execution.
• Snapshots and cloning: Users can snapshot a VM, fork a sandbox, rewind a run, or clone prepared VMs to create parallel workers from a known state.
• Persistent volumes: Named volumes outlive individual VM runs, so files, embeddings, indexes, and other state can persist across restarts and rebuilds.
• Egress controls: Outbound network access can be restricted with allowlists and package-manager controls, giving operators more control over what agents can reach.
• Secret injection and vault support: Secrets are injected through a proxy at request time so agents do not directly see credentials in the environment.
• Observability: Execution logs, network traces, and runtime events are available for debugging and auditing agent behavior.
• Deployment patterns: Supports ephemeral sandboxes, persistent sessions, checkpoint/restore workflows, and long-running stateful agents.
• Browser and desktop automation: Includes computer-use style automation for browser and desktop workflows.

How to Use InstaVM

A typical workflow starts by creating a snapshot from an OCI image or base runtime, then launching a VM with the desired CPU and memory settings. From there, users run agent code or automation jobs through the API or CLI, optionally attach persistent volumes, and apply egress or secret policies as needed.

For more structured workflows, users can snapshot a working VM, clone it for parallel runs, or keep it alive for long-running agents and apps. The docs and CLI examples also show deployment from coding tools such as Claude Code or Codex.

Use Cases

• Code interpreter workloads: Run short-lived Python or script-based tasks in isolated environments where each task gets a clean sandbox.
• Deep research or investigation loops: Keep state across steps, checkpoint work, and resume later when research is intermittent or branchable.
• Agent evaluations: Spin up repeatable environments for testing agent behavior, including snapshots and controlled runtime settings.
• Computer use automation: Automate browser or desktop actions for agents that need to interact with a graphical environment.
• Persistent agent services: Host long-running agents, deployed apps, or MCP servers that need to keep files and state across interactions.

FAQ

Is InstaVM a container platform? No. The page positions it as hardware-isolated VMs rather than containers, which is relevant for running untrusted code and agent workloads.

Can agent state persist between runs? Yes. InstaVM supports snapshots and persistent volumes so state can survive restarts, rebuilds, and cloned environments.

Does it support secret handling for agents? Yes. The product describes proxy-based secret injection and vault support so secrets are not directly exposed to the agent process.

Can I restrict network access? Yes. The source mentions egress control with allowlists and package-manager controls.

Is it only for one-shot tasks? No. The page describes multiple patterns, including ephemeral tasks, persistent sessions, checkpoint/restore, and always-on agents.

Alternatives

• Containers or sandboxed containers: Simpler and often lighter-weight, but the source suggests InstaVM is designed for stronger isolation and more complete runtime control for agents.
• General-purpose cloud VMs: Offer full operating systems and isolation, but usually require more manual setup for snapshots, secret injection, egress policy, and agent-oriented workflows.
• Notebook or code execution platforms: Suitable for interactive compute, but they are typically oriented around human-driven analysis rather than persistent, policy-controlled agent execution.
• Browser automation tools: Useful when the main need is web interaction, but they do not necessarily provide the same full VM runtime, storage, and network controls described here.