Kaizen and your sandbox
A sandbox and Kaizen solve different halves of the same problem. They are complementary, not alternatives.
A sandbox (Azure Container Apps, OpenAI, Docker, E2B, Modal) gives an agent an isolated microVM and can block egress to unknown hosts. It contains: untrusted code runs with a small blast radius, no credentials in the workload, nothing to damage on the host.
What a sandbox does not do: learn what an agent normally does, detect when it deviates, diff an action against what you declared, reason about a sequence, or give you a verdict log to triage. The host is allowed or the action is novel but not obviously bad, and the sandbox lets it through.
| Sandbox | Kaizen | |
|---|---|---|
| Isolation, blast radius | yes | no |
| Block unknown hosts | yes | known-bad, in-process |
| Learn each agent's normal behaviour | no | yes |
| Catch the allowed-but-malicious | no | yes |
| Reason about a run | no | yes (the reasoning check) |
| Verdict log, triage, policy, exports | no | yes |
Run Kaizen on top of the sandbox. The sandbox contains the blast; Kaizen tells you when something went wrong and catches what the allowlist permits. For a real example, see the Azure Container Apps sandboxes case study, where an agent exfiltrates to an allowed GitHub host and Kaizen catches it.