Safeguard
Tag

sandboxing

Safeguard articles tagged "sandboxing" — guides, analysis, and best practices for software supply chain and application security.

22 articles

AI Security

MCP Server Sandbox Escapes: Threat Model

A threat model for sandbox escapes in Model Context Protocol servers, mapping attack surfaces from tool execution environments to host processes and shared state.

Mar 25, 20267 min read
AI Security

Securing MCP Servers: A Practical Checklist

MCP servers are runtime dependencies your agent trusts implicitly. Here is a concrete checklist for auth, tool pinning, sandboxing, and monitoring before you ship one.

Mar 22, 20266 min read
AI Security

Sandboxing LLM Agent Code Execution: Patterns

If your agent can execute code, something it reads from the internet can execute code. Pick your sandbox before the agent picks one for you.

Jan 29, 20267 min read
AI Security

Step-by-step guide to hardening and securing an MCP serve...

A practical, step-by-step guide to hardening and securing an MCP server deployment -- authentication, sandboxing, network policy, and monitoring included.

Dec 18, 20258 min read
Industry Analysis

Practical steps to secure third-party WebAssembly plugins...

A step-by-step guide to securing third-party WebAssembly plugins in production: sandboxing, capability restriction, resource limits, provenance checks, and runtime monitoring.

Dec 10, 20258 min read
DevSecOps

WebAssembly WASI Security Model in 2025

A technical look at WASI Preview 2, the component model, and capability-based isolation for running untrusted code inside supply chain tooling.

Nov 5, 20255 min read
AI Security

Open-Weight Model Sandboxing Patterns

Running an open-weight model inside an enterprise perimeter seems safer than calling a hosted API. It is, and it isn't. The sandboxing patterns that actually produce the safety properties.

Aug 28, 20256 min read
Container Security

Kata Containers Security Model Review

Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.

Nov 14, 20246 min read
Container Security

gVisor Runtime Security Deep Dive

gVisor intercepts syscalls in userspace and implements a minimal kernel in Go. It is a genuinely different approach, with genuinely different trade-offs.

Feb 18, 20247 min read
Container Security

Container Runtime Security Comparison: runc, gVisor, Kata, and Firecracker

Your container runtime determines the strength of your isolation boundary. Here is an honest comparison of runc, gVisor, Kata Containers, and Firecracker from a security perspective.

Dec 12, 20237 min read
sandboxing (Page 2) — Safeguard Blog