InstaVM

InstaVM provides instant, hardware-isolated virtual machines purpose-built for AI agent workloads. It goes beyond traditional sandboxes by offering a full cloud stack — runtime, persistent storage, networking, secrets management, and policy controls — all accessible via a RESTful API, Python/TypeScript SDKs, or a native SSH interface. The homepage notes that InstaVM's CodeRunner component received funding from Microsoft and GitHub Open Source, and the project reached the #1 spot on Hacker News with 1,143 votes.

What It Is

InstaVM is a cloud execution platform that runs AI agent code inside Firecracker microVMs — each with a dedicated kernel, filesystem, and network stack. Unlike container-based sandboxes, every run is fully kernel-isolated, preventing cross-tenant leakage. The platform targets developers building code interpreters, autonomous research agents, AI evaluations, reinforcement learning loops, computer-use workflows, and vibe-coding app deployments.

How the Execution Model Works

InstaVM supports four primary deployment patterns:

• Ephemeral sandboxes — a clean VM per task, terminated when done; suited for code interpreters and one-shot automations.
• Persistent sessions — VMs that stay alive across interactions, preserving files, packages, and state between calls.
• Checkpoint / clone / parallelize — snapshot active work, resume later, or clone from the same state for branching research flows.
• Long-running stateful agents — always-on VMs for operators, app runtimes, and long-lived MCP servers.

Cold boot is claimed at under 200ms (P95 185ms), warm session reuse under 10ms, and snapshot restore under 500ms.

Security Architecture

Security is a first-class design concern. Key mechanisms include:

• Hardware isolation — each sandbox has its own kernel, filesystem, and network stack; root inside a sandbox does not grant host access.
• Proxy-based secret injection — agents never receive API keys directly; InstaVM injects secrets via a proxy at request time, keeping credentials out of the blast radius if an agent is compromised by prompt injection.
• Egress control — outbound traffic is deny-by-default; operators can configure domain/CIDR allowlists and package-manager controls per VM.
• Observability by default — full execution logs, network traces, and runtime events are captured for every run.

Platform Capabilities

Beyond raw execution, InstaVM ships a broad set of infrastructure primitives:

• Persistent volumes — named volumes that survive VM lifecycles, supporting read-only fan-out to parallel workers or read-write mounts to a single agent.
• OCI image support — any OCI image can serve as the base runtime; snapshots capture warm VM state for fast fan-out.
• Shares and custom domains — expose any running port instantly with public or private access tokens, then attach custom domains for production URLs.
• SSH-native workflow — ssh instavm.dev from any shell (local, CI, or remote runner) to create, connect, clone, share, and destroy VMs without installing a CLI.
• Computer use — full Linux desktop with browser, terminal, and sudo access; supports agent-plus-human handoff via noVNC.
• Webhook integrations — authenticated, signed payloads with retry handling to Slack, GitHub, Jira, Linear, Zapier, n8n, and more.

Integrations and SDK

InstaVM publishes Python and TypeScript SDKs (pip install instavm / npm i instavm) and a CLI. The platform is model-agnostic and the homepage lists compatibility with OpenAI, Anthropic, LangChain, LlamaIndex, Google AI, Azure, and DSPy. An agent skill (use-instavm) is available via the skills CLI for direct deployment from Claude Code, Codex, Gemini CLI, GitHub Copilot, and AMP.

Update: CodeRunner and Microsoft/GitHub Sponsorship

The homepage banner announces that CodeRunner — InstaVM's local development companion for Mac — received funding from Microsoft and GitHub Open Source. CodeRunner provides complete VM-level isolation during local testing with zero cloud uploads, using Apple containers. The same API and code work for both local development and cloud deployment, enabling a prototype-locally-then-deploy workflow. The GitHub skills repository was last pushed in May 2026, indicating active development.