Comparison: AgentFense vs. Alternatives¶
This page helps you understand when to choose AgentFense vs. other sandboxing/isolation approaches. We focus on engineering trade-offs, not marketing claims.
TL;DR Decision Matrix¶
| Your Requirement | Recommended Solution |
|---|---|
Path-level least privilege (agent sees /src, not /secrets) |
✅ AgentFense |
| Secrets must be invisible (not just "blocked") | ✅ AgentFense |
| Multi-tenant with shared readonly base (100 users, 10GB codebase) | ✅ AgentFense (Delta Layer) |
| Full OS isolation + network control + custom kernels | Docker / Firecracker |
| Simple ephemeral compute (no codebase, just run code) | E2B / Modal |
| Maximum performance (native speed, no overhead) | AgentFense (bwrap runtime) |
| Need audit trail of file access | ✅ AgentFense |
| Quick prototype, no security requirements | Docker with basic volume mounts |
Key insight: AgentFense is not a replacement for Docker/VM isolation. It adds filesystem-level access control on top of isolation runtimes (can use bwrap or Docker as the underlying runtime).
Detailed Comparison¶
1. AgentFense vs. Docker (Direct Volume Mount)¶
Scenario: You want to run untrusted code against a real codebase.
Docker Approach¶
What you get: - ✅ Process isolation (agent cannot escape container) - ✅ Resource limits (CPU, memory, PIDs) - ✅ Network control (can disable networking)
What you DON'T get:
- ❌ Path-level permissions (agent sees all files in /workspace)
- ❌ Secret hiding (.env is visible, just "hope agent doesn't read it")
- ❌ Audit trail (no logs of "agent read file X")
- ❌ Efficient multi-tenant sharing (1 container = 1 user = expensive)
Cost breakdown (100 concurrent users):
| Metric | Docker (naive) | Docker + AgentFense |
|---|---|---|
| Storage | 10GB × 100 = 1TB | 10GB + 100×5MB = 10.5GB |
| Memory | 512MB × 100 = 50GB | 512MB + 8MB×100 = 1.3GB |
| Startup | 10s (image pull) | 10s + 0.5s (FUSE mount) |
| Secret protection | Hope + scripts | Kernel-level enforcement |
AgentFense Approach¶
from agentfense import Sandbox, RuntimeType
with Sandbox.from_local(
"./repo",
permissions=[
{"pattern": "**/*", "permission": "read"},
{"pattern": "/secrets/**", "permission": "none"}, # Invisible
],
runtime=RuntimeType.DOCKER, # Uses Docker underneath
) as sandbox:
result = sandbox.run("python /app/agent.py")
What you get additionally:
- ✅ Path-level permissions (agent sees only allowed paths)
- ✅ Secret hiding (.env doesn't exist in agent's reality)
- ✅ Audit logs (every file access logged)
- ✅ Multi-tenant sharing (Delta Layer for isolated writes)
When to use Docker alone: - Simple isolation, no sensitive data - One-off tasks, not multi-tenant platform - No compliance/audit requirements
When to use AgentFense + Docker: - Need path-level access control - Repo contains secrets - Multi-tenant SaaS platform - Compliance requires audit trail
2. AgentFense vs. E2B (Code Interpreter Sandbox)¶
E2B provides ephemeral VM-based sandboxes optimized for AI code execution.
E2B Approach¶
from e2b import Sandbox
sandbox = Sandbox(template="base")
sandbox.filesystem.write("/workspace/main.py", code)
result = sandbox.commands.run("python /workspace/main.py")
sandbox.kill()
E2B strengths: - ✅ Fully isolated VMs (Firecracker microVMs) - ✅ Fast startup (<1s for warm instances) - ✅ Managed infrastructure (no ops burden) - ✅ Built-in templates (Python, Node, etc.)
E2B limitations for codebase scenarios: - ❌ No native "mount real codebase" primitive (must upload files via API) - ❌ No path-level permissions (all uploaded files equally accessible) - ❌ No "secrets invisible" mode (files are visible or don't exist) - ❌ Expensive for large codebases (10GB repo → 10s upload time per sandbox)
Comparison table:
| Capability | E2B | AgentFense |
|---|---|---|
| Use case | Execute generated code (no pre-existing codebase) | Execute on real codebase (local repo / storage) |
| Codebase size | <100MB (upload via API) | 10GB+ (mount directly) |
| Permission granularity | N/A (all uploaded files accessible) | Path-level (glob patterns) |
| Secret hiding | Manual (don't upload secrets) | Automatic (none permission) |
| Isolation strength | Firecracker VM (strongest) | bwrap / Docker (strong) |
| Multi-tenant sharing | 1 VM per user | 1 codebase + N sandboxes (COW) |
| Cost model | Pay per VM-second | Self-hosted (your infra) |
When to use E2B:¶
- Agent generates code from scratch (no pre-existing repo)
- Small files (<100MB total)
- Want managed infrastructure (no ops)
- Budget for SaaS pricing
When to use AgentFense:¶
- Agent operates on large existing codebase (1GB+)
- Need path-level permissions (not all-or-nothing)
- Self-hosted preferred (data residency, cost control)
- Multi-tenant platform (share codebase across users)
3. AgentFense vs. Direct Filesystem Mount (No Isolation)¶
Scenario: Agent runs on host machine, directly accessing files.
Direct Mount Approach¶
import subprocess
# ❌ Agent runs on host, full filesystem access
result = subprocess.run(["python", "agent.py"], cwd="/path/to/repo")
Risks:
- ❌ Agent can read /etc/passwd, ~/.ssh/id_rsa, etc.
- ❌ Agent can overwrite critical files (e.g., rm -rf /)
- ❌ No isolation (if agent is compromised, host is compromised)
- ❌ No audit trail (did agent read .env? Unknown.)
When this is acceptable: - Fully trusted code (you wrote it, reviewed it) - No sensitive data on host - Development/testing only (never production)
Why AgentFense is better: - ✅ Even if agent is malicious, cannot access secrets (filesystem boundary) - ✅ Cannot damage host (isolated in bwrap/Docker) - ✅ Complete audit trail (know exactly what was accessed)
4. AgentFense vs. Custom Permission Scripts¶
Scenario: You write custom code to "check if agent should access file X".
Custom Script Approach¶
def safe_read(path):
if ".env" in path or path.endswith(".key"):
raise PermissionError("Secrets not allowed")
return open(path).read()
# Agent uses safe_read instead of open
Problems:
- ❌ Fragile (easy to bypass: ../../../.env, symlinks, /proc/self/environ)
- ❌ Maintenance burden (update logic for every new secret pattern)
- ❌ Agent sees secrets exist (can ls .env, just can't read)
- ❌ No enforcement if agent uses raw syscalls (not your wrapper)
AgentFense difference: - ✅ Kernel-level enforcement (FUSE intercepts syscalls, cannot bypass) - ✅ Declarative rules (glob patterns, not procedural code) - ✅ Secrets invisible (not just "blocked", but don't exist) - ✅ Battle-tested (FUSE used in production by Google, Dropbox, etc.)
5. AgentFense vs. Git Sparse Checkout¶
Scenario: Use Git to checkout only "safe" subdirectories.
Sparse Checkout Approach¶
git sparse-checkout init
git sparse-checkout set src tests docs
# ❌ Only src/, tests/, docs/ checked out (no secrets/)
Limitations:
- ❌ Brittle (breaks if agent needs repo root, .git/ metadata)
- ❌ No protection against traversal (cd .. && cat /secrets/file)
- ❌ Hard to maintain (manually update for each new safe path)
- ❌ Cannot enforce "read vs. write" distinction
AgentFense advantages:
- ✅ Agent sees full repo structure (just some paths invisible)
- ✅ Traversal-proof (permission checks on every syscall)
- ✅ Supports read/write distinction (/docs writable, /src readonly)
Feature Comparison Table¶
| Feature | AgentFense | Docker | E2B | Direct Mount | Custom Scripts |
|---|---|---|---|---|---|
| Path-level permissions | ✅ Glob patterns | ❌ | ❌ | ❌ | ⚠️ Manual |
Secret invisibility (none) |
✅ | ❌ | ❌ | ❌ | ❌ |
View-only mode (view) |
✅ | ❌ | ❌ | ❌ | ❌ |
| Process isolation | ✅ (bwrap/Docker) | ✅ | ✅ (VM) | ❌ | ❌ |
| Multi-tenant COW | ✅ (Delta Layer) | ❌ | ❌ | ❌ | ❌ |
| Audit trail | ✅ (file-level) | ⚠️ (command-level) | ⚠️ (command-level) | ❌ | ⚠️ Manual |
| Large codebases (10GB+) | ✅ | ✅ | ❌ (slow upload) | ✅ | ✅ |
| Startup speed | ✅ <1s (bwrap) | ⚠️ 5-10s | ✅ <1s (warm) | ✅ instant | ✅ instant |
| Self-hosted | ✅ | ✅ | ❌ (SaaS only) | ✅ | ✅ |
| Complexity | Low (declarative rules) | Medium (Dockerfile + volumes) | Low (managed) | None | High (custom logic) |
Cost Analysis: Running 100 Concurrent Sandboxes¶
Scenario: SaaS platform, 100 users simultaneously running agents on 10GB codebase.
Option 1: Docker (1 container per user)¶
Storage: 10GB base × 100 containers = 1TB
Memory: 512MB × 100 = 50GB RAM
Cost: $500/month (AWS c5.metal: 96 vCPU, 192GB RAM)
Limit: ~30 concurrent users (OOM crash beyond that)
Option 2: E2B (Firecracker VMs)¶
E2B pricing: ~$0.001/second per VM
100 users × 60s average session × 1000 sessions/month = 6,000,000 VM-seconds
Cost: $6,000/month
Limit: Elastic (managed infrastructure)
Upload overhead: 10GB × 100 users × 10s upload = 16 hours/month wasted
Option 3: AgentFense + bwrap¶
Storage: 10GB base + 100×5MB delta = 10.5GB
Memory: 8MB × 100 = 800MB RAM (FUSE + bwrap overhead)
Cost: $50/month (AWS t3.xlarge: 4 vCPU, 16GB RAM)
Limit: 200+ concurrent users (tested)
Savings: - 10x cheaper than Docker (1 container per user) - 120x cheaper than E2B (for this workload)
When to Use What¶
Use Docker alone when:¶
- Simple isolation, no fine-grained permissions needed
- No secrets in mounted volumes
- One-off tasks, not platform/SaaS
- Budget allows 1 container per user
Use E2B when:¶
- Agent generates code from scratch (no pre-existing codebase)
- Want managed infrastructure (no ops team)
- Small files (<100MB)
- Budget for SaaS pricing ($0.001/VM-second)
Use AgentFense when:¶
- Need path-level least privilege (not all-or-nothing)
- Secrets in codebase must be invisible (not just blocked)
- Multi-tenant platform (share codebase across users)
- Large codebases (1GB+)
- Compliance requires file-level audit trail
- Self-hosted preferred (cost, data residency)
Use AgentFense + Docker when:¶
- Need both strong isolation (Docker) AND fine-grained permissions (AgentFense)
- Untrusted code on sensitive repos
- Production SaaS platform with compliance requirements
Use Direct mount when:¶
- Fully trusted code (you control it)
- No secrets, no sensitive data
- Development/testing only
Migration Paths¶
From Docker to AgentFense¶
Before:
After:
from agentfense import Sandbox, RuntimeType
with Sandbox.from_local(
repo_path,
preset="agent-safe", # Read all, write /output, hide secrets
runtime=RuntimeType.DOCKER, # Keep Docker isolation
) as sandbox:
sandbox.run("python /app/agent.py")
Migration effort: 30 minutes (change 5 lines of code)
From E2B to AgentFense¶
Before (E2B):
sandbox = e2b.Sandbox()
for file in repo_files:
sandbox.filesystem.write(file.path, file.content) # Upload each file
result = sandbox.commands.run("agent-command")
After (AgentFense):
from agentfense import Sandbox
with Sandbox.from_local("./repo", preset="agent-safe") as sandbox:
result = sandbox.run("agent-command") # No upload needed
Migration effort: 2 hours (refactor file upload logic)
From Custom Scripts to AgentFense¶
Before:
def safe_read(path):
if is_secret(path): # 200 lines of custom logic
raise PermissionError
return open(path).read()
After:
permissions = [
{"pattern": "**/*", "permission": "read"},
{"pattern": "/secrets/**", "permission": "none"},
]
with Sandbox.from_local("./repo", permissions=permissions) as sandbox:
sandbox.run(agent_command)
Migration effort: 1 day (replace custom logic with declarative rules)
FAQ: "Why Not Just Use X?"¶
Q: "Why not just use Docker with readonly volumes?"¶
Answer: Readonly applies to all files. You cannot do:
- Make /docs writable while /src is readonly
- Hide /secrets (it's still visible, just read-only)
- Audit what agent actually accessed
AgentFense supports per-path granularity:
{"pattern": "/src/**", "permission": "read"}, # Readonly
{"pattern": "/docs/**", "permission": "write"}, # Writable
{"pattern": "/secrets/**", "permission": "none"} # Invisible
Q: "Why not just use AppArmor / SELinux profiles?"¶
Answer: AppArmor/SELinux are powerful but:
- ❌ Complex (100+ lines of config for basic permissions)
- ❌ Path patterns are limited (no glob support like **/*.env)
- ❌ No "view" mode (list names without reading)
- ❌ No Delta Layer (multi-sandbox COW)
AgentFense provides a higher-level abstraction optimized for the "agent on codebase" use case.
Q: "Why not just ask the LLM not to read secrets?"¶
Answer: Prompt injection attacks can bypass this:
AgentFense enforces permissions at the kernel level (FUSE filesystem)—even a jailbroken LLM cannot bypass syscall interception.
Next Steps¶
- Try AgentFense: Quick Start
- See real scenarios: Use Cases
- Understand internals: Architecture