The thesis
Agents changed the security boundary
For the last decade, enterprise security invested in the point where a human touches a system: the browser tab, the SaaS session, the rendered page. Secure web gateways, CASBs, the secure enterprise browser — all instrument the human interface.
That control point goes blind the moment an agent does the work headlessly — calling APIs directly, installing packages, writing to production systems — without ever rendering a page on which a human could be observed.
The durable place to enforce policy, capture audit evidence, and prove isolation is no longer the interface a human clicks. It is the execution boundary the agent's work crosses.
Why existing options fall short
Containers share a kernel
Docker, Kubernetes, and gVisor all share a kernel with the host. A guest kernel exploit chain — including the long tail of historical container escapes — bypasses the boundary.
For agent-generated code that may originate from prompt injection, supply-chain compromise, or adversarial training data, a hardware-rooted boundary is qualitatively different from a shared-kernel one.
The CVE history is the proof: runc (CVE-2019-5736), containerd (CVE-2022-23651), the Docker socket escape, the myriad kernel syscalls that punch through namespaces. Each one is a container-escape class that a microVM makes irrelevant.
The answer
How NeuronEdge Enclave meets each requirement
| Requirement | How Enclave meets it |
|---|---|
| Separate-kernel isolation | Firecracker microVM per workspace (the same VMM that powers AWS Lambda) |
| Customer-owned infrastructure | Single-binary self-host install; runs in your VPC or on-prem |
| Hardware-rooted attestation | AMD SEV-SNP (verified on Azure DCasv5); key release gated on firmware evidence |
| Operator-excluded confidentiality | SEV-SNP memory encryption — the cloud provider sees ciphertext, not plaintext |
| Audit-grade governance | Signed event stream; every command + network call is independently verifiable |
| Agent-native primitives | Create / exec / write / read / snapshot / fork / destroy — designed for agent planning loops |
| Open source | Apache-2.0. The runtime, SDKs, and deploy artifacts are open forever |
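As an added illustration of the "audit-grade governance" row (example code written for this page, not NeuronEdge Enclave's own event format or SDK): a hash-chained, Ed25519-signed event stream where the enclave holds the signing key and an auditor needs only the public key to verify every command and network call. The record layout, the `exec`/`net` kinds and the all-zero demo seed are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Event is a constructed audit-record format (not NeuronEdge's own): each entry names the hash of its predecessor and is signed by an enclave-held key.
type Event struct {
	Kind string `json:"kind"` // "exec" or "net"
	Data string `json:"data"` // command line or destination
	Prev string `json:"prev"` // hex SHA-256 of the previous signed entry ("" for the first)
	Sig  []byte `json:"sig,omitempty"`
}
// body is the signed portion: the entry with its signature blanked.
func (e Event) body() []byte { e.Sig = nil; b, _ := json.Marshal(e); return b }
// link is the chain hash over a complete, signed entry.
func link(e Event) string { b, _ := json.Marshal(e); s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Append signs a new entry onto the chain; this side runs inside the enclave.
func Append(priv ed25519.PrivateKey, chain []Event, kind, data string) []Event {
	e := Event{Kind: kind, Data: data}
	if n := len(chain); n > 0 {
		e.Prev = link(chain[n-1])
	}
	e.Sig = ed25519.Sign(priv, e.body())
	return append(chain, e)
}

// Verify needs only the public key; it rejects an edited, forged, reordered or
// spliced entry, and tail truncation is caught by pinning the returned head hash.
func Verify(pub ed25519.PublicKey, chain []Event) (head string, err error) {
	for i, e := range chain {
		if e.Prev != head || !ed25519.Verify(pub, e.body(), e.Sig) {
			return "", fmt.Errorf("event %d: broken chain or bad signature", i)
		}
		head = link(e)
	}
	return head, nil
}
func main() { // demo with a constructed all-zero seed; never use such a key for real
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)); pub := priv.Public().(ed25519.PublicKey)
	chain := Append(priv, Append(priv, nil, "exec", "pip install requests"), "net", "pypi.org:443")
	_, okErr := Verify(pub, chain)
	chain[0].Data = "pip install other-package" // edit after the fact
	_, badErr := Verify(pub, chain)
	fmt.Println("intact:", okErr, "| tampered:", badErr)
}
```

An auditor who records the head hash after each sync can also detect a stream that was silently cut short, which per-entry signatures alone cannot show.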
The honest part
What it doesn't solve
NeuronEdge Enclave doesn't solve agent alignment (whether the agent does the right thing — that's the model and prompt's job). It solves execution-boundary safety: a jailbroken agent contained by Enclave cannot escape to the host; it can still produce wrong outputs.
The confidential tier attests the host CVM launch, not the agent's guest code. The isolation within the CVM is OpenShell's shared-kernel sandbox (Landlock/seccomp/netns), not a separate per-workspace hardware boundary.
We publish the full threat model because the honest ceiling is the product.
The execution boundary is the new control point.
Own it. Self-host it. Attest it.