sandboxing
Safeguard articles tagged "sandboxing" — guides, analysis, and best practices for software supply chain and application security.
22 articles
MCP Server Sandbox Escapes: Threat Model
A threat model for sandbox escapes in Model Context Protocol servers, mapping attack surfaces from tool execution environments to host processes and shared state.
Securing MCP Servers: A Practical Checklist
MCP servers are runtime dependencies your agent trusts implicitly. Here is a concrete checklist for auth, tool pinning, sandboxing, and monitoring before you ship one.
Sandboxing LLM Agent Code Execution: Patterns
If your agent can execute code, something it reads from the internet can execute code. Pick your sandbox before the agent picks one for you.
Step-by-step guide to hardening and securing an MCP serve...
A practical, step-by-step guide to hardening and securing an MCP server deployment -- authentication, sandboxing, network policy, and monitoring included.
Practical steps to secure third-party WebAssembly plugins...
A step-by-step guide to securing third-party WebAssembly plugins in production: sandboxing, capability restriction, resource limits, provenance checks, and runtime monitoring.
WebAssembly WASI Security Model in 2025
A technical look at WASI Preview 2, the component model, and capability-based isolation for running untrusted code inside supply chain tooling.
Open-Weight Model Sandboxing Patterns
Running an open-weight model inside an enterprise perimeter seems safer than calling a hosted API. It is, and it isn't. The sandboxing patterns that actually produce the safety properties.
Kata Containers Security Model Review
Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.
gVisor Runtime Security Deep Dive
gVisor intercepts syscalls in userspace and implements a minimal kernel in Go. It is a genuinely different approach, with genuinely different trade-offs.
Container Runtime Security Comparison: runc, gVisor, Kata, and Firecracker
Your container runtime determines the strength of your isolation boundary. Here is an honest comparison of runc, gVisor, Kata Containers, and Firecracker from a security perspective.