Agreed, the pattern is converging across the industry. The Unikraft setup is where it gets interesting for us with sub-second boots (or sub 100ms even), scale-to-zero that suspends the VM after a few seconds of idle (frees resources), and dedicated bare metal in AWS so we're not sharing hardware.
We haven't open-sourced the control plane glue yet but it's something we're thinking about. browser-use itself is open source. The sandbox infra on top is the proprietary part for now.
Fair point, and you're right that those three steps alone aren't a security boundary. They're defense-in-depth, not the primary isolation.
The actual security model is the architecture itself: the sandbox runs in its own VM inside a private VPC. It has no AWS keys, no database credentials, no LLM API tokens. The only thing it can do is talk to the control plane, which validates every request and scopes every operation to that one session.
So even if you bypass all three hardening steps, you get a session token that only works inside that VPC, talking to a control plane that only lets you do things scoped to your own session. There's nothing to escalate to.
The bytecode removal, privilege drop, and env stripping are just there to make the agent's life harder if it tries to inspect its own runtime. Not the security boundary.
I was thinking of doing a really simple app to just capture your txs after you have paid at e.g. the grocery store. Maybe I will build it some time in the future.
reply