early access

Hardened dev environments for AI agents.

Let Claude Code, Codex, and Cursor agents run on real machines — with network controls, exfiltration protection, and full visibility into what they're doing.

Book a Call →

AI agents need real environments. You need to trust what they're doing.

AI coding agents need to install packages, run builds, and hit APIs. That means real compute, real network access, and real risk — prompt injection, data exfiltration, unauthorized outbound calls. Existing sandboxes time out after hours, not days. Most teams either accept the risk, cripple the agent, or stitch together workarounds that don't scale. Iron.sh gives you a better option.

Three commands. Fully isolated.

01 — Create an environment

$ irons create agent-run-42 --key ~/.ssh/agent.pub

02 — Lock down egress

$ irons egress mode deny $ irons egress allow pypi.org

03 — Connect your agent

$ irons ssh --command agent-run-42

Each environment is a cloud VM with security boundaries enforced at the network level. Allowlist only the domains your agent needs. Block everything else.

Network controls

Define exactly which domains your agent can reach. Allow what it needs, deny everything else. Enforced at the infrastructure level, not the application layer.

Exfiltration protection

Prevent agents from leaking source code, secrets, or proprietary data to unauthorized destinations. No more hoping the agent behaves.

Full audit logging

See every outbound connection attempt — allowed or denied, timestamped, with the active policy mode. Know exactly what your agent did, not just what it said it did.

Persistent environments

No 24-hour time limits. Your environments run as long as you need them — hours, days, or weeks. Stop and restart them on your schedule.

Build your security policy from real behavior, not guesswork.

Start in warn mode. Let your agent run. Watch the audit log to see exactly which domains it reaches. Then build a precise allowlist and switch to deny. No trial and error.

irons audit log

2026-02-19T16:41:54ALLOWEDchangelogs.ubuntu.com(mode: warn)

2026-02-19T16:42:00ALLOWEDapi.openai.com(mode: warn)

2026-02-19T16:42:09ALLOWEDsketchy-domain.io(mode: warn)← catch this

2026-02-19T16:42:26DENIEDsketchy-domain.io(mode: deny)

Built by infrastructure engineers, not a slide deck.

Iron.sh is built by a former director of engineering at OP Labs (Optimism), where he built infrastructure securing billions in onchain assets. We know what it takes to run untrusted workloads safely.

We're in early access.

We're keeping the cohort small so every environment boots fast and stays fast. Book a 15-minute call and we'll have you running secure environments the same day.

Book a Call →