Instantly Sandbox Agentic Workflows

A FREE Plugin for CNCF wasmCloud to Build Secure, Componentized MCP Servers with WebAssembly from OpenAPI Specs

Build MCP Now

Protect Against Agentic-Specific Threats

The non-deterministic inputs and outputs of large language models (unbounded inputs, stochastic reasoning, and variable outputs) create agentic-specific risks that increase uncertainty and exposure across AI workflows.

Sandbox MCP is designed to address the OWASP Top 10 for LLM and GenAI Applications.

Prompt Injection

Build secure sandboxes that limit MCP interactions with fine-grained, capability-based permissions.

Data Exfiltration

Virtualize resources such as filesystems to provide scoped access to local resources.

Lateral Movement

Isolate environments by integrating with existing Ingress/Egress and network controls.

How Does it Work?

From OpenAPI Specification to Secure MCP in Production, Instantly

OpenAPI Specification

Start from any standard OpenAPI specification.

Generate Sandboxed Component

Automatically generate your componentized MCP server—later, customize your own templates.

Iterate

Just write your business logic—quickly design your components with idiomatic integrations into VS Code.

Deploy Securely on K8s

Deploy on open source, foundation-controlled CNCF wasmCloud—or for a simpler enterprise option, use Cosmonic Control.

Secure by Default

Containers

Containers rely on broad Linux kernel syscalls and shared host resources, making it harder to achieve true least-privilege isolation and increasing the attack surface.

WebAssembly Components

WebAssembly components enforce capability-based security and fine-grained sandboxing, creating minimal, well-defined execution environments that align with the principle of least privilege and reduce lateral movement risk.

Containers vs. Components

Security
  Containers: Lateral Movement Risk; Default Open POSIX Environment
  Components: Shared-Nothing Sandboxes; Capability Driven, Deny-by-Default

Size
  Containers: MBs to GBs; ~100 per Kubernetes Node
  Components: KBs to MBs; 10,000s per host

Cold Start Time
  Containers: Cold Starts, High Cost of Idle Infra; Start Time > Network Request
  Components: Zero Cold Starts, Autoscaling; Start Time < Network Request

Maintenance
  Containers: 5,000 Teams, Patch Same Vuln - One Time
  Components: 1 Team, Patch 5,000 Apps - At Once

Portability
  Containers: Tight Coupling to Environment; Dependencies Built at Build Time
  Components: One App on Cloud, On Prem, and Edge

Lift and Shift
  Containers: Established, Full App Support
  Components: Emerging, Language Dependent

Batteries Included

Sandbox MCP embraces the latest MCP standards to generate:

OpenAPI Specs to MCP

Instantly generate sandboxed MCP servers that expose your APIs through secure, contract-driven WebAssembly interfaces from your existing OpenAPI Specifications.

Observability

With built-in support for OpenTelemetry, dashboards and more—traces, logs, and metrics are a breeze.

Secure Virtual Capabilities

Leverage WebAssembly’s ability to virtualize contract-driven APIs and virtual filesystems, enabling isolated components to interact safely through precisely defined, policy-enforced boundaries.

Portability

Sandbox MCP makes it easy to run MCP servers on-premises, in the cloud, or anywhere it makes sense. Native K8s support makes enterprise adoption simple.

Authentication

Secure applications effortlessly with built-in authentication using API Keys, OAuth 2.0, Mutual TLS, and JSON Web Tokens for safe, ready-to-use access control.

Sandboxed MCP

Secure capability-driven sandboxes with CNCF wasmCloud limit the impact of LLM prompt injection, data exfiltration, and lateral movement.

Securing Agentic AI Workflows with WebAssembly Sandboxes

Isolation Accelerates Innovation

The powerful, non-deterministic inputs and outputs of agentic AI workflows increase the risk of exploitation: LLM prompt injection, data exfiltration, lateral movement, and more.

This white paper explains why this happens on today's infrastructure and how secure, capability-driven WebAssembly sandboxes can mitigate these security risks today.

Deploy Now on Cosmonic Control

Sandbox MCP builds standard WebAssembly components; Cosmonic makes it easy to deploy, scale, and operate them.

Run Instantly.
Scale Effortlessly.

Cosmonic Control offers AI teams a production-ready platform for running WebAssembly components on Kubernetes, including MCP. With tight integration across CI/CD, operations, observability, and network ingress/egress, it ensures scalable, secure, and reliable execution for complex agentic workflows.


Security Built In, Not Bolted On

Cosmonic Control applies capability-driven isolation to every WebAssembly component, enforcing least privilege at runtime. You keep your existing Kubernetes guardrails (RBAC, admission, policies) while adding a tighter zero-trust boundary around application code.

Run More with Less: Cost-Efficient Compute

Components cold-start in microseconds and scale to zero, so redundancy doesn’t mean paying for idle pods. Cosmonic manages multi-tenant CNCF wasmCloud hosts within K8s namespaces, respecting segmentation and policy. You can spread workloads across regions/zones without coupling reliability to always-on resources.

Enterprise-Grade Integrations

Cosmonic integrates deeply into your existing pipelines, operational controls, observability stack, and ingress/egress. Operators and CRDs give you declarative control of clusters, host groups, and workloads directly through kubectl, GitOps, and HPAs.

First Class Observability, Built In

Cosmonic supports OpenTelemetry and exports metrics, logs, and traces for both platform and component layers, giving clean separation and faster anomaly detection.

Containers and Components

Keep containers for what they do best and introduce WebAssembly where security and latency matter most. Cosmonic runs CNCF wasmCloud inside containers so both artifacts share governance, policies, and tooling.

Frequently Asked Questions

Have a question about Sandbox MCP and Model Context Protocol? We've got answers!

What is Sandbox MCP?

Sandbox MCP is a free, open-source plugin for CNCF wasmCloud that generates standards-compliant Model Context Protocol (MCP) servers as secure WebAssembly components. It provides a repeatable way to build MCP tools that are secure by default, portable, composable, and sandboxed—ideal for safely extending LLMs and agentic systems.

Why should I use Sandbox MCP instead of rolling my own MCP server?

“Generate, don’t hand-wire.” Sandbox MCP turns OpenAPI specs into sandboxed MCP servers with capability-driven permissions, virtualized filesystems, and fine-grained I/O controls. You reduce security toil (prompt injection, data exfiltration, lateral movement), avoid spec drift, and gain predictable, repeatable builds you can run anywhere Kubernetes runs. Building an MCP server by hand means dealing with evolving specs, security, and scaling concerns.

Sandbox MCP addresses security by:

  • Isolating code in capability-driven Wasm sandboxes with a virtual filesystem and fine-grained I/O permissions.
  • Reducing prompt injection & data exfiltration risk by strictly controlling what each component can access.
  • Scaling safely; you can run thousands of components on the same host without cross-talk or lateral movement.

How does Sandbox MCP work?

Start with an OpenAPI specification, generate a componentized MCP server, then iterate on business logic in your IDE. Deploy on CNCF wasmCloud or, for a simpler enterprise path, run on Cosmonic Control. The result is a secure, contract-driven MCP service that’s observable, portable, and easy to operate.

How much does Sandbox MCP cost?

Sandbox MCP itself is free and open source—it is a plugin built on CNCF wasmCloud and open standards. It builds standards-compliant WebAssembly components that are compatible with CNCF wasmCloud and other runtimes.

For production use, Cosmonic offers enterprise-grade hosting, support, and Kubernetes integration so you can move from local dev to fleet-scale deployment with confidence.

What are agentic risks in AI workflows, and why are they different?

Agentic AI workflows face unique risks because LLM inputs and outputs are non-deterministic. This expands the risk surface—prompt injection can redirect intent, tools can be misused, data can be exfiltrated, and lateral movement becomes easier. Sandboxing and least-privilege capabilities are essential because you cannot reliably predict every model behavior ahead of time.

How does Sandbox MCP mitigate agentic security risks?

Sandbox MCP isolates each MCP server as a WebAssembly component with deny-by-default, capability-driven permissions. By virtualizing resources (e.g., filesystems) and scoping network access via existing ingress/egress controls, it limits the blast radius of prompt injection, prevents data exfiltration, and reduces lateral movement—aligning to OWASP Top 10 for LLM and GenAI apps.

What is the best way to securely run MCP in production?

The best way to securely run MCP at scale is to deploy WebAssembly components on Cosmonic Control. Cosmonic Control is a Kubernetes-native WebAssembly control plane that leverages your existing pipelines, security policies, operational controls, ingress/egress, and observability. You keep your Kubernetes guardrails (RBAC, admission, policy) and gain zero-trust, capability-driven isolation for every MCP workload.

How does WebAssembly improve security and density for MCP servers?

WebAssembly components enforce shared-nothing sandboxes with explicit capabilities, dramatically shrinking the attack surface versus general-purpose containers. Components cold-start in microseconds, autoscale to zero, and pack densely—enabling thousands of isolated MCP workloads per host while maintaining strong isolation boundaries.

Can I run Sandbox MCP on Kubernetes, cloud, on-prem, or edge?

Yes. Sandbox MCP runs wherever CNCF wasmCloud runs—including public cloud, on-premises, and edge—across common Kubernetes platforms (EKS, AKS, GKE, OpenShift, Rancher/K3s, and more). For enterprise teams, Cosmonic Control provides a turnkey path to operate, scale, and observe MCP components on any Kubernetes.

How fast can I get started building an MCP server?

You can generate your first secure MCP component in minutes: install the CLI and plugin, point to your OpenAPI spec, generate the sandboxed server, and run locally. Iterate on business logic in your IDE, then deploy to CNCF wasmCloud or to Cosmonic Control for production on Kubernetes.

How does Sandbox MCP handle observability and authentication?

Sandbox MCP embraces OpenTelemetry for end-to-end traces, metrics, and logs, making MCP servers first-class citizens in your existing dashboards. It supports common authentication patterns—API keys, OAuth 2.0, mutual TLS, and JWT—so you can enforce access control with enterprise-grade confidence.

How much does Sandbox MCP cost, and what support is available?

Sandbox MCP is free and open source. For production operations, Cosmonic offers enterprise-grade hosting, support, and Kubernetes integration via Cosmonic Control—so you can move from local dev to compliant, fleet-scale deployment with confidence and clear SLOs.

Which industries benefit from Sandbox MCP?

Sandbox MCP is industry-agnostic and infrastructure-neutral. Common adopters include financial services (least-privilege data access for LLM agents), AI/ML platforms (safe tool execution), cloud and infrastructure providers (multi-tenant, high-density compute), and media/gaming (predictable, isolated plugin runtimes).