CURRENT

Dynamic Workers spin up V8 isolates in milliseconds with megabyte-scale memory footprints. A second-layer sandbox adds hardware memory protection keys against escape. Extremely fast, extremely cheap. But if your agent needs shell access or compiled binaries, you're shopping for a different product.

GKE Agent Sandbox runs gVisor's user-space kernel, intercepting every system call before it touches the host. Pre-warmed pools provision 300 sandboxes per second. Strong isolation, real speed. The blind spot: a prompt-injected agent holding valid IAM permissions walks right through.

Each session gets its own Firecracker microVM with KVM-level hardware isolation. The real differentiator: durable filesystem storage lets agents suspend mid-task and resume with files, packages, and git history intact. Sessions run up to eight hours with full shell access. You pay for the weight.

Agent Gateway inspects MCP and A2A interactions at the protocol layer, enforcing access rules before requests reach tools. It governs what agents do rather than where they run. Worth noting: attribute-based authorization currently covers MCP traffic only. Everything else passes uninspected.

The baseline when nobody adds sandboxing. OX Security audited 200,000 active MCP servers across 150 million downloads and surfaced ten-plus critical CVEs. Nine of eleven tested registries were compromised. Anthropic's response: the behavior is "expected." That's the floor you're building on.

GKE Agent Sandbox spins up 300 isolated pods per second, each with its own kernel, network stack, and file system via gVisor. Per-task code execution gets a tight perimeter. Agent-to-agent communication, where orchestration risks actually compound, gets nothing.

Agent Gateway sits between agents and tools, mediating MCP, A2A, REST, and gRPC with centralized access policies, mTLS, and Model Armor for prompt-injection defense. Fine-grained policy conditions only work for MCP today. What an agent reasons about or remembers? Still ungoverned territory.

V8 isolates let Dynamic Workers run AI-generated code in milliseconds with minimal memory overhead, roughly 100x faster than containers. The trade-off is architectural: isolates are stateless by design. Per-task execution gets a boundary. Persistent state across sessions lives somewhere else entirely.

Browser Rendering gets a new name and new capabilities: Live View, Human in the Loop handoff, and 120 concurrent sessions. A human can watch and intervene while an agent operates a browser. Everything the agent does before opening or after closing that tab falls completely outside the boundary.

Natural-language rules get compiled into Cedar policies and enforced at the gateway, independent of agent code or model. Identity-aware, per-call tool permissions are real progress. The structural gap: each action is evaluated alone. A sequence of five permitted actions that collectively cause harm goes undetected.

The CIS MCP Companion Guide maps Critical Security Controls onto MCP deployments, recommending sandboxed services and treating external configuration as untrusted input. Solid operational hardening for practitioners. But it can only advise around protocol-level defaults that Anthropic has explicitly declined to change.