Platform · Secure Execution

Every Request Runs in Its Own Sealed Sandbox

Firecracker microVMs give each user, team, and project a completely isolated compute environment. Read-only filesystem. No lateral movement. Destroyed after use.

Firecracker microVM · Ephemeral by design · Read-only rootfs · Nothing persists

Isolation Is an Architecture, Not a Setting

Per-request lifecycle

One microVM Per Request

Each request boots its own Firecracker microVM and that VM is destroyed the moment the response is returned. No state survives between executions.

Immutable rootfs

Read-Only Filesystem

The root filesystem is mounted read-only, and the same disk image is booted for every request. A workload that is compromised during its own request can still tamper with memory for the duration of that request, but nothing it writes survives into the next boot: persistent malware, backdoored binaries, and edited configuration have nowhere to live.

Kernel-level filtering

seccomp-bpf Syscall Filtering

Every microVM runs behind a restrictive seccomp-bpf filter applied to the Firecracker VMM process on the host. The filter allowlists only the host syscalls the VMM needs to serve the guest and kills the process on anything else, so even code that escapes the guest kernel into the VMM reaches a narrow slice of the host kernel rather than its full syscall surface.
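The mechanism in practice, as an added example that is not the platform's own filter: a minimal seccomp-bpf allowlist built by hand and installed with prctl(2). The child process is allowed read, write, exit, exit_group and rt_sigreturn (a hypothetical allowlist for a workload that only talks on stdin and stdout); an attempt to call getpid, which is not on the list, is killed with SIGSYS before the syscall runs. The architecture check at the top of the program is what stops a 32-bit-ABI syscall from slipping past a filter written for 64-bit numbers. Linux on x86_64 or aarch64 is assumed.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the whole process, Linux >= 4.14 */
#endif

/* Hypothetical allowlist (assumption, not the platform's): a workload that only
 * reads stdin, writes stdout and exits. Everything else is denied. */
static const int allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group, SYS_rt_sigreturn };
#define N_ALLOWED (sizeof(allowed) / sizeof(allowed[0]))
#define PROG_LEN (4 + 2 * N_ALLOWED + 1)

/* Emit the BPF program: verify the ABI, then compare the syscall number against
 * each allowed entry; fall through to a kill. Returns the instruction count. */
static size_t build_allowlist(struct sock_filter *prog)
{
    size_t n = 0;
    /* A = seccomp_data.arch; a foreign ABI (e.g. i386 on x86_64) uses different numbers. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* A = seccomp_data.nr; each allowed number jumps straight to RET_ALLOW. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++) {
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], 0, 1);
        prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return n;
}

static int install_allowlist(void)
{
    struct sock_filter prog[PROG_LEN];
    struct sock_fprog fprog = { .len = (unsigned short)build_allowlist(prog), .filter = prog };
    /* Required for an unprivileged process to load a filter; also prevents
     * execve of a setuid binary from regaining privilege under the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child, install the filter in it, and optionally make a denied syscall.
 * Returns 0 if the child exited cleanly, the terminating signal number if the
 * kernel killed it (SIGSYS for a filter violation), or -1 on setup failure. */
int run_sandboxed(int try_forbidden)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_allowlist() != 0)
            _exit(100);
        static const char msg[] = "allowed: write() passed the filter\n";
        (void)write(STDOUT_FILENO, msg, sizeof msg - 1);
        if (try_forbidden)
            (void)syscall(SYS_getpid); /* not allowlisted: killed here, never returns */
        _exit(0);                      /* exit_group is allowlisted */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return -1;
}

int main(void)
{
    printf("clean workload: %d (expect 0)\n", run_sandboxed(0));
    printf("forbidden syscall: %d (expect SIGSYS = %d)\n", run_sandboxed(1), SIGSYS);
    return 0;
}
```

Two design points carry over to a VMM filter: the deny action is SECCOMP_RET_KILL_PROCESS rather than an errno return, so a violation is never something the workload can retry around, and the allowlist is per thread role in a real deployment (Firecracker ships separate filters for its VMM, API and vCPU threads), which is what keeps the list short enough to audit.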

No shared state

No Lateral Movement

Tenants never share a guest kernel, a filesystem, or a network namespace. The only component beneath all of them is the host kernel under the Firecracker VMM, and it is reachable only through the hardware virtualization boundary and the VMM's syscall filter. A compromised request is confined to its own microVM; reaching another user, project, or the host would mean escaping that boundary as well.

What a Single Request Actually Touches

A request enters through one gated checkpoint, runs inside a sealed microVM on top of the GPU host, and returns a single response. Nothing crosses the boundary except the prompt in and the answer out.

Prompt in → Gated checkpoint (authenticated · syscall-filtered) → Model runtime (read-only rootfs · seccomp-bpf) → Ephemeral memory (nothing persists after teardown) → Response out

Host: bare-metal GPU, Firecracker VMM on dedicated hardware. The sealed isolation boundary encloses the checkpoint, the model runtime, and the ephemeral memory.

That perimeter is the trust boundary. The prompt and the response are the only things allowed to cross it; everything in between is created for one request and discarded with it.

What the Architecture Guarantees

<125ms: microVM cold start, faster than a network roundtrip
1 : 1: one microVM per request, never shared between tenants
Read-only: immutable root filesystem on every boot
Zero: state carried between executions, nothing persists

These figures describe how the platform is built, not measured production traffic. Isolation is enforced by the architecture rather than by a per-tenant setting, so it holds from the first request.

Build on isolated compute

Run Your Workloads in a Sandbox You Can Trust

Tell us what you need to run. We will scope an isolated execution environment around it: per-request microVMs, read-only filesystems, and teardown after every request by default.