Parano Sandbox

A developer environment with multi-layer control over what leaves the machine

One compromised npm package, one manipulated instruction for an AI agent — and the organisation loses production keys, source code, client data. Traditional antivirus won't detect it because the code is signed and comes from trusted sources. Parano Sandbox isolates the work environment and inspects every byte leaving the machine.

6independent traffic control layers
0additional infrastructure costs
100%data stays on organisation's hardware

Problem

AI agents (Claude, Cursor, Copilot) install packages, execute commands and connect to APIs — each of these actions is a potential attack vector. Supply chain attacks on popular packages, prompt injection in task descriptions, phishing editor extensions — none of these scenarios are detected by traditional security tools. Effective defence requires environment isolation and outbound traffic inspection.

Solution

The developer or AI agent works inside a local virtual machine — installing packages, building, testing, calling APIs. Every outbound connection passes through six independent control layers. In parallel, four monitoring layers observe the machine from the inside — if a process attempts to read an SSH key, the system terminates it before the file is opened.

MASZYNA WIRTUALNADeweloperlub agent AISystem plikówefemerycznyKluczepoza VM (host)ruch01Dozwolone domeny02Inspekcja HTTPSBLOCKED03Skaner kluczy04Prompt Guard (AI)BLOCKED05Llama Guard (AI)06Limity transferuBLOCKEDDozwolone połączenienpm registry, GitHub,dozwolone APILog audytowykażde zdarzenie, eksportdo SIEM (Splunk / ELK)

Six layers of outbound traffic control

  1. 01

    Domain allowlist

    Connections to unlisted addresses are rejected. Write operations to public package registries (npm, PyPI, NuGet) are blocked.

  2. 02

    HTTPS inspection

    Encrypted traffic is unwrapped at the proxy, analysed and re-encrypted. Certificate generated in memory on each boot.

  3. 03

    Key and token scanner

    Pattern recognition for AWS, GitHub, OpenAI, Anthropic, SSH and dozens of other provider keys. Detection in outbound traffic triggers immediate blocking.

  4. 04

    Fast AI model (Prompt Guard)

    Meta Prompt Guard at ~50 ms latency — real-time detection of AI agent manipulation attempts.

  5. 05

    Deep AI model (Llama Guard)

    Meta Llama Guard 3 — detection of obfuscated data exfiltration attempts and hidden instructions in code comments.

  6. 06

    Transfer limits

    Outbound data volume control. Anomalies in transfer size or frequency generate alerts and blocks.

Advantages over cloud-based solutions

Encrypted traffic inspection with AI analysis
Not just domain filtering — full content analysis of encrypted connections by two independent models.
Ephemeral filesystem
All virtual machine content is volatile. Malware cannot survive a reboot.
Cryptographic keys outside the VM
Secrets injected from host memory on demand and never written to the virtual machine's disk.
Dynamically generated security tests
A different attack scenario is generated on each boot. Static exceptions cannot bypass the tests.

Comparison with alternatives

CapabilityParano SandboxAmazon AgentCoreGoogle Agent Sandboxmicrosandbox
Encrypted HTTPS inspectionYesNoNoNo
Key and token scannerYesNoNoNo
AI-powered content analysisYes (2 models)NoNoNo
Package filtering before installationYes (5 stages)NoNoNo
Ephemeral filesystemYesPartialPartialNo
Central security policyYes (git repository)PartialPartialNo
Data stays on developer machineYesNoNoYes
Offline / air-gap operationYesNoNoYes
Infrastructure costsNone (existing hardware)Per vCPU/hPer vCPU/hNone

Central fleet management

Security policy in a git repository
All configuration in one repository with a company → team → developer hierarchy. Developers can add project domains but cannot remove anything from the corporate list.
Approved package lists with pinned versions
Packages not on the list or at a different version are blocked at install time. Central control over what reaches developer machines.
Updates with canary and automatic rollback
First 5 machines get the update early. If anything fails, the rest of the fleet is not updated. Rolling back requires a single commit.
Corporate certificates and internal registries
Corporate certificate deployed automatically to all tools. npm install routed to your Nexus/Artifactory instead of the public internet.
Locked critical settings
Settings like HTTPS inspection or public registry blocking cannot be disabled locally by the developer. Attempts result in a boot error.
Signed configuration
Configuration repository verified by digital signature. Even after intercepting network traffic, an attacker cannot substitute their own policy version.

Let's talk about developer environment security

We'll show you how multi-layer outbound traffic inspection protects against supply chain attacks and data exfiltration by AI agents.

Book a call