# InstaVM

> Instant cloud infrastructure for AI agents — hardware-isolated microVMs with runtime, storage, networking, secrets injection, and egress control.

InstaVM provides instant, hardware-isolated virtual machines purpose-built for AI agent workloads. It goes beyond traditional sandboxes by offering a full cloud stack — runtime, persistent storage, networking, secrets management, and policy controls — all accessible via a RESTful API, Python/TypeScript SDKs, or a native SSH interface. The homepage notes that InstaVM's CodeRunner component received funding from Microsoft and GitHub Open Source, and the project reached the #1 spot on Hacker News with 1,143 votes.

## What It Is

InstaVM is a cloud execution platform that runs AI agent code inside Firecracker microVMs — each with a dedicated kernel, filesystem, and network stack. Unlike container-based sandboxes, every run is fully kernel-isolated, preventing cross-tenant leakage. The platform targets developers building code interpreters, autonomous research agents, AI evaluations, reinforcement learning loops, computer-use workflows, and vibe-coding app deployments.

## How the Execution Model Works

InstaVM supports four primary deployment patterns:

- **Ephemeral sandboxes** — a clean VM per task, terminated when done; suited for code interpreters and one-shot automations.
- **Persistent sessions** — VMs that stay alive across interactions, preserving files, packages, and state between calls.
- **Checkpoint / clone / parallelize** — snapshot active work, resume later, or clone from the same state for branching research flows.
- **Long-running stateful agents** — always-on VMs for operators, app runtimes, and long-lived MCP servers.

Cold boot is claimed at under 200ms (P95 185ms), warm session reuse under 10ms, and snapshot restore under 500ms.

## Security Architecture

Security is a first-class design concern. Key mechanisms include:

- **Hardware isolation** — each sandbox has its own kernel, filesystem, and network stack; root inside a sandbox does not grant host access.
- **Proxy-based secret injection** — agents never receive API keys directly; InstaVM injects secrets via a proxy at request time, keeping credentials out of the blast radius if an agent is compromised by prompt injection.
- **Egress control** — outbound traffic is deny-by-default; operators can configure domain/CIDR allowlists and package-manager controls per VM.
- **Observability by default** — full execution logs, network traces, and runtime events are captured for every run.
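A minimal model of the egress-control and secret-injection bullets above, added here as an illustration; it is not InstaVM's code or API. The class names, the host-bound secret table, and the sample hosts, CIDR and key are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class EgressPolicy:
    """Deny-by-default: a destination passes only if an allowlist entry matches."""
    domains: set = field(default_factory=set)   # exact host or "*.suffix"
    cidrs: list = field(default_factory=list)   # CIDR strings for IP-literal destinations

    def allows(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # Hostname: exact match, or wildcard match on a label boundary.
            return any(host.endswith(d[1:]) if d.startswith("*.") else host == d
                       for d in self.domains)
        return any(ip in ipaddress.ip_network(c) for c in self.cidrs)

@dataclass
class InjectingProxy:
    """Holds the real credentials; the sandbox only ever sends placeholders."""
    policy: EgressPolicy
    secrets: dict   # host -> (header name, real value), stored outside the sandbox

    def forward(self, host: str, headers: dict):
        host = host.lower().rstrip(".")
        if not self.policy.allows(host):
            return "deny", None
        out = dict(headers)
        bound = self.secrets.get(host)
        if bound:
            # Replace whatever the sandbox sent for this header with the real
            # value, and only for the host the secret is bound to.
            name, value = bound
            out = {k: v for k, v in out.items() if k.lower() != name.lower()}
            out[name] = value
        return "forward", out

# Constructed sample policy and secret (hypothetical hosts and key).
PROXY = InjectingProxy(
    policy=EgressPolicy(domains={"api.llm.example", "*.pkg.example"},
                        cidrs=["10.20.0.0/16"]),
    secrets={"api.llm.example": ("Authorization", "Bearer REAL-KEY-CONSTRUCTED")},
)
```

Because the secret is keyed to a host, a request that a manipulated agent redirects to a different allowlisted destination is forwarded without the credential, and a request to any unlisted destination is dropped before injection is considered.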

## Platform Capabilities

Beyond raw execution, InstaVM ships a broad set of infrastructure primitives:

- **Persistent volumes** — named volumes that survive VM lifecycles, supporting read-only fan-out to parallel workers or read-write mounts to a single agent.
- **OCI image support** — any OCI image can serve as the base runtime; snapshots capture warm VM state for fast fan-out.
- **Shares and custom domains** — expose any running port instantly with public or private access tokens, then attach custom domains for production URLs.
- **SSH-native workflow** — `ssh instavm.dev` from any shell (local, CI, or remote runner) to create, connect, clone, share, and destroy VMs without installing a CLI.
- **Computer use** — full Linux desktop with browser, terminal, and sudo access; supports agent-plus-human handoff via noVNC.
- **Webhook integrations** — authenticated, signed payloads with retry handling to Slack, GitHub, Jira, Linear, Zapier, n8n, and more.

## Integrations and SDK

InstaVM publishes Python and TypeScript SDKs (`pip install instavm` / `npm i instavm`) and a CLI. The platform is model-agnostic and the homepage lists compatibility with OpenAI, Anthropic, LangChain, LlamaIndex, Google AI, Azure, and DSPy. An agent skill (`use-instavm`) is available via the `skills` CLI for direct deployment from Claude Code, Codex, Gemini CLI, GitHub Copilot, and AMP.

## Update: CodeRunner and Microsoft/GitHub Sponsorship

The homepage banner announces that CodeRunner — InstaVM's local development companion for Mac — received funding from Microsoft and GitHub Open Source. CodeRunner provides complete VM-level isolation during local testing with zero cloud uploads, using Apple containers. The same API and code work for both local development and cloud deployment, enabling a prototype-locally-then-deploy workflow. The GitHub skills repository was last pushed in May 2026, indicating active development.

## Features
- Hardware-isolated Firecracker microVMs
- Sub-200ms cold start (P95 185ms)
- Persistent named volumes
- OCI image support with snapshot and clone
- Proxy-based secret injection
- Egress control with domain/CIDR allowlists
- SSH-native workflow via `ssh instavm.dev`
- Full Linux desktop for computer use with noVNC
- Checkpoint, restore, and clone VMs
- Public URL shares and custom domain support
- Authenticated webhook integrations
- Python and TypeScript SDKs
- CLI tool
- CodeRunner for local Mac development
- Agent skills for Claude Code, Codex, Gemini CLI
- Observability: execution logs, network traces, runtime events
- Parallel VM fan-out
- MCP server hosting support

## Integrations
OpenAI, Anthropic, LangChain, LlamaIndex, Google AI, Azure, DSPy, Slack, GitHub, Jira, Linear, Zapier, n8n, Stripe, Claude Code, Codex, Gemini CLI, GitHub Copilot, AMP

## Platforms
Windows, macOS, Linux, Web, API, Developer SDK, CLI

## Pricing
Freemium — Free tier available with paid upgrades

## Links
- Website: https://instavm.io
- Documentation: https://instavm.io/docs
- Repository: https://github.com/instavm/skills
- EveryDev.ai: https://www.everydev.ai/tools/instavm
