Pydantic AI is a type-safe Python framework for building agents and LLM applications. Its Code Mode, available through Pydantic AI Harness and powered by Monty, lets models write Python code that calls tools through a controlled execution layer rather than making sequential tool calls. Code execution can reduce LLM roundtrips and improve complex multi-step tool workflows, though performance and reliability gains are workload-dependent. Regardless, executing that untrusted code requires secure, isolated environments. Veracode's 2025 GenAI Code Security Report found vulnerabilities in 45% of tested AI-generated code tasks, making sandboxed execution essential for production deployments. Choosing the right code execution sandbox determines whether your Pydantic AI workflows can run generated code securely, scale without manual intervention, and access GPU acceleration when ML workloads require it.
This guide examines seven sandbox platforms serving different Pydantic AI use cases in 2026, starting with Modal, a serverless compute platform that combines secure sandboxed execution with on-demand GPU access for AI workloads.
Key Takeaways
- Security isolation protects against untrusted code execution: When using Pydantic AI Harness Code Mode, models generate and run Python code through a controlled execution layer, making sandboxed execution critical. Modal uses gVisor containers for compute isolation, while E2B employs Firecracker microVMs
- GPU access differentiates sandbox platforms for ML workloads: Modal combines secure sandboxed execution with broad, production-oriented on-demand GPU access, including T4, L4, A10, L40S, A100 variants, RTX PRO 6000, H100, H200, and B200 variants, essential for agents running inference or fine-tuning alongside code generation. Other platforms in this comparison also document GPU-capable sandboxing, but with different maturity, access constraints, and GPU catalogs
- Production-proven platforms reduce operational risk: Modal powers cloud infrastructure for over 10,000 teams and publishes customer examples involving large-scale AI workloads and sandboxed code execution
- Compliance matters for sensitive data: Modal maintains SOC 2 Type II certification and supports HIPAA-compliant workloads on Enterprise plans via a BAA, meeting enterprise security requirements for Pydantic AI deployments
1. Modal
Modal delivers serverless compute for secure code execution at scale, with on-demand GPU access layered on top for workloads requiring acceleration. The platform takes your code, containerizes it, and executes it in the cloud with automatic scaling, all defined through code using Modal's SDKs in Python, TypeScript, and Go.
Core Capabilities
- Code-first development: Define compute, storage, and networking in code without YAML or configuration files. Modal supports SDKs in Python, TypeScript, and Go, and sandboxes can run whatever runtime or language the workload requires
- Scale-to-zero architecture: Modal Functions scale to zero by default when there are no inputs. Modal Sandboxes have a default maximum lifetime of 5 minutes, can be configured up to 24 hours, and can be automatically terminated after inactivity by setting
idle_timeout - Fast cold starts: Engineered for fast cold starts and faster feedback loops, with an optimized filesystem that helps containers come online quickly without letting large images slow startup down
- On-demand GPU access: Agents can call upon GPUs when workloads require acceleration, with options spanning T4, L4, A10, L40S, A100, A100-40GB, A100-80GB, RTX PRO 6000, H100, H200, and B200 / B200+
Security and Compliance
Modal maintains SOC 2 Type II certification and supports HIPAA-compliant workloads on Enterprise plans via a BAA. The platform uses gVisor-based sandboxing for compute isolation, TLS 1.3 for public APIs, and encryption for data in transit and at rest.
Why It Works for Pydantic AI
Modal's code-first approach aligns naturally with Pydantic AI's type-safe ecosystem. The platform supports 50,000+ concurrent sandbox sessions, enabling Pydantic AI Harness Code Mode workflows to execute generated code at massive scale while maintaining security isolation.
Best For: Teams building Pydantic AI Harness Code Mode workflows that need secure code execution at scale, with on-demand GPU access when workloads require ML inference, model fine-tuning, or compute-intensive analysis.
2. E2B
E2B specializes in secure sandboxes for AI agents, focusing on ephemeral code execution with Firecracker microVM isolation. The platform markets itself as used by Fortune 100 companies for agentic workflows.
Core Capabilities
- Firecracker microVMs: Hardware-level isolation for running untrusted AI-generated code
- Open-source option: Self-hosting available (Apache-2.0 license) with BYOC on AWS/GCP for organizations with data sovereignty requirements
- Multi-language SDKs: Support for Python, TypeScript/JavaScript integration patterns with LangChain, OpenAI, and Anthropic frameworks
- Template system: Reproducible sandbox environments with versioning for consistent Pydantic AI deployments
Use Case Focus
E2B excels at ephemeral code execution, spinning up isolated environments for agents to run generated code, then tearing them down. The platform supports 24-hour maximum session duration on Pro tier plans.
Best For: Teams building Pydantic AI workflows focused on code execution and testing where GPU acceleration is not required, particularly those seeking strong SDK integrations with popular AI frameworks.
3. Pydantic Monty
Pydantic Monty is an experimental Pydantic-maintained Python interpreter that powers Pydantic AI Harness Code Mode. Rather than spinning up external containers, Monty runs within the parent process with cold starts.
Core Capabilities
- Embedded interpreter: No external services or container orchestration required, running directly within your application
- Start-from-nothing security: Zero filesystem, network, or environment access by default with an allowlist-only capability model
- Lightweight footprint: 4.5MB download that runs anywhere Rust compiles (Linux, macOS, Windows, WASM)
- Fast state persistence: Snapshot/resume in kilobytes versus gigabytes for microVMs
Architecture Approach
Monty takes a fundamentally different approach than cloud sandboxes. As Samuel Colvin, Pydantic founder, explains: "LLMs work faster, cheaper and more reliably when they write code instead of making sequential tool calls. Monty makes that possible without the complexity of a sandbox or risk of running code directly on the host."
Trade-offs
Monty is marked as experimental in its own GitHub README and is not yet production-ready. It runs a limited Python subset rather than full CPython. Class definitions and some standard library features are not yet supported. Check the GitHub repository for current capabilities. The project has thousands of GitHub stars and is under active development.
Best For: Teams building Pydantic AI Harness Code Mode workflows that need the fastest possible startup times and want to eliminate external infrastructure dependencies, provided the Python subset meets their requirements and the experimental maturity of the project is acceptable.
4. Daytona
Daytona provides persistent development environments with sandbox creation support. The platform offers both open-source and managed cloud options with GPU support and configurable runtime persistence.
Core Capabilities
- Sandbox creation: Supports cloud-based sandbox creation for agent workloads
- Configurable runtime persistence: Sandboxes can be configured for indefinite runtime, with auto-stop after 15 minutes of inactivity by default
- GPU support: Experimental NVIDIA GPU sandboxes are available for ML workloads, though access is gated and GPU sandboxes must be ephemeral
- Multi-SDK support: Python, TypeScript, Ruby, Go, plus REST API and MCP server integration
Security and Compliance
Daytona has announced SOC 2 Type I and HIPAA certifications for enterprise deployments. The platform includes features like Git integration, LSP support, and Docker-in-Docker capabilities.
Best For: Teams building Pydantic AI workflows that require persistent development environments and prefer workspace continuity over ephemeral execution, particularly those wanting open-source transparency.
5. Northflank
Northflank is a full workload runtime platform offering multiple isolation options and comprehensive deployment flexibility. The platform processes 2M+ isolated workloads monthly with enterprise-grade compliance.
Core Capabilities
- Multiple isolation options: Northflank supports Kata Containers with Cloud Hypervisor, plus Firecracker and gVisor isolation paths depending on workload requirements and infrastructure constraints
- Comprehensive BYOC: Self-serve deployment across AWS, GCP, Azure, Oracle, bare-metal, and on-premises infrastructure
- Full workload runtime: Supports agents, APIs, databases, workers, and jobs alongside sandboxes
- GPU support: Available for ML workloads with flexible resource allocation
Enterprise Track Record
Northflank states that it has run production workloads since 2021 and has operated secure sandboxing infrastructure since 2019. The platform maintains SOC 2 Type 2 certification.
Best For: Teams building Pydantic AI workflows that need specific isolation profiles or strict data residency requirements, particularly enterprises with existing multi-cloud infrastructure.
6. Blaxel
Blaxel is a sandbox platform built specifically for AI agents, with a focus on persistent "agent computers" that stay on standby and resume when needed. The platform supports resume from standby state.
Core Capabilities
- Perpetual standby: Sandboxes can remain on automatic standby at zero compute cost rather than being torn down after each task
- Standby resume: Preserving full filesystem, memory, and running processes when resuming from standby
- MicroVM isolation: Secure execution with co-located agent hosting that eliminates network roundtrip latency
- Full agent stack: Includes Sandboxes, Agent Hosting, Batch Jobs, MCP Servers Hosting, and Model Gateway
Compliance
Blaxel maintains SOC 2 Type II, ISO 27001, and HIPAA compliance, meeting enterprise security requirements for sensitive Pydantic AI deployments.
Best For: Teams building Pydantic AI workflows with sporadic execution patterns (such as waiting for human approval) where traditional sandboxes would delete state or continue billing during idle periods.
7. Fly.io Sprites
Fly.io Sprites provides persistent Linux microVMs with large local NVMe-backed storage. Sprites expose a large NVMe-backed cache per Sprite while durable filesystem state is stored through Fly's object-storage-backed storage architecture, giving agents ample space for large codebases and dependencies.
Core Capabilities
- Large local storage cache: Sprites expose a large NVMe-backed cache for codebases and dependencies, with durable state stored through Fly's object-storage-backed architecture
- Flexible idle billing: Compute billing stops when Sprites are paused. Warm wake resumes preserved process state; cold wake restarts configured Services. Long-running Tasks keep the Sprite active and bill until released or expired
- Services feature: Auto-restart processes on cold wake for long-running Pydantic AI workflows
Architecture Approach
Sprites function as persistent development machines rather than ephemeral sandboxes. Sprite filesystem state persists across hibernation cycles. Memory and process state is preserved across warm suspension but dropped after a cold pause, which occurs after extended idle periods.
Best For: Teams building Pydantic AI workflows maintaining long-running projects (such as multi-day codebase refactoring) where substantial persistent local storage is essential.
Why Modal Stands Out for Pydantic AI Sandboxes
Sandboxes Combined with Production-Grade GPU Access
Modal combines secure Sandboxes for AI-generated code with on-demand GPU access on a single serverless AI infrastructure platform. While other platforms in this comparison also document GPU-capable sandboxing, Modal offers broad, production-oriented GPU access spanning T4, L4, A10, L40S, A100, A100-40GB, A100-80GB, RTX PRO 6000, H100, H200, and B200 / B200+, with different maturity, access constraints, and GPU catalogs than competitors. For Pydantic AI Harness Code Mode workflows that also need to run ML inference, execute model fine-tuning, or perform compute-intensive analysis, this combination reduces the need to orchestrate multiple platforms.
Code-First Developer Experience
Modal's code-first SDKs, available in Python, TypeScript, and Go, align naturally with Pydantic AI's type-safe ecosystem. Teams define compute requirements, container images, and scaling behavior directly in code. No YAML configuration or infrastructure management required. This approach enables rapid iteration for Pydantic AI development workflows.
Massive Concurrency for Agent Workloads
Modal supports 50,000+ concurrent sandbox sessions with fast cold starts and fine-grained observability for metrics, logs, and Sandbox status. For Pydantic AI Harness Code Mode workflows executing generated code at scale, this capacity ensures consistent performance without manual infrastructure provisioning.
Enterprise-Grade Security and Compliance
With SOC 2 Type II certification, HIPAA support via BAA on Enterprise plans, and gVisor-based sandboxing for compute isolation, Modal meets the compliance requirements that enterprise Pydantic AI deployments demand. The platform uses TLS 1.3 for public APIs and encryption for data in transit and at rest.
Production-Proven Scale
Modal powers cloud infrastructure for over 10,000 teams, including production coding agents like Ramp's background agent, which uses Modal Sandboxes to generate code changes and write them back into commits and pull requests. Modal publishes customer examples involving large-scale AI workloads and sandboxed code execution. The platform's AI-native container runtime, custom scheduler, and optimized filesystem are built specifically for the demands of AI workloads.
For teams building Pydantic AI Harness Code Mode workflows that require secure code execution, production-grade reliability, and on-demand GPU access, Modal's combination of sandboxed execution at scale and comprehensive GPU support makes it the clear choice.
Explore the Modal documentation to get started with Pydantic AI sandbox integration.
View Modal Docs