Blog · June 25, 2026

How the containment layer is being built

A June 2026 snapshot of who is building agent containment, mapped to the controls, with an honest map of where no product exists yet.

apeiris.ai·Vendor landscape series · snapshot, June 2026

Where the groundwork post on environment and containment sets out the controls, this one is a snapshot of who is building them, as of June 2026. Read the closing disclosure before you read anything into the names below.

Update · July 2026
A June 2026 market snapshot, preserved as-is. Read the vendor picture below, including Ent's June 2026 stealth emergence, as point-in-time, not current market state; facts here are not refreshed. Containment is the EC layer of Apeiris Security, now one of 12 verification domains; see the live Security domain.

Containment is the most uneven layer to map. Two of its controls rest on mature, widely deployed isolation technology. For several others I found no mapped commercial implementation at all, and that blank is exactly where new entrants are starting to appear.

The standards and open work come first

  • The containment spectrum (process → session → micro-VM) is the organizing idea, and the strongest pieces are open. gVisor puts a userspace kernel between the agent and the real one; Firecracker popularized the lightweight throwaway micro-VM. Both are open source and have been running production workloads at scale for years.
  • Google's SAIF 2.0 sets out sandboxing guidance and an agent risk map (contributed to the cross-vendor Coalition for Secure AI).
  • AWS has published the egress pattern directly: SNI-based domain allowlisting plus DNS-layer filtering.
  • OWASP supplies the principles the no-product controls lean on: least-agency, and unbounded-consumption (denial-of-wallet).

Who is building what, by control

Sandboxing (EC-01). This is the well-served control. The open isolation primitives (gVisor, Firecracker) are widely deployed and do the heavy lifting; the cloud providers wrap them. AWS offers isolation tiers; Google frames them in SAIF 2.0; Microsoft's execution-container work describes a policy-driven sandbox running at process and session level with micro-VM isolation on the roadmap.

Egress filtering (EC-02). CrowdStrike [shipping product] inspects and controls agent egress at the endpoint; AWS [shipping product] enforces SNI-based domain allowlisting plus DNS-layer filtering at the network. Both enforce default-deny-plus-allowlist outside the agent's reach.

Memory and least-access (EC-03, EC-04). Microsoft's failure-mode taxonomy [published guidance] frames both, but it is source material, not a shipping control; commercial coverage is thin and mostly platform-bundled.

Retrieval trust (EC-07). This is where the data-governance vendors appear: Databricks (through Unity Catalog) and Okta (Auth0's RAG authorization) make retrieval identity-aware so an agent cannot pull back what the user could not see.

Where there is no product yet

Four controls in this layer map to "framework-level," with no mapped commercial implementation as of this snapshot: denial-of-wallet budgets (EC-05), runaway-loop and least-agency caps (EC-06), secrets-out-of-context (EC-08), and untrusted-workspace handling (EC-09). These are not minor. They are some of the most practical day-one controls, and today you mostly build them yourself or get fragments inside a framework. Stating that plainly matters more than pretending the layer is covered.

Where implementation activity is concentrated

This is the layer with the clearest new-entrant signal. Well-funded startups are moving into agent and workspace security, the broad space around the untrusted-workspace and AI-governance blanks. One of them, Ent (ent.ai), emerged from stealth in June 2026 with a $100M seed and an intent-based, on-device workspace-security platform. I read funding at that scale as a signal of energy and direction, not a verdict on any product: it is new and unproven, and a large round tells you about conviction, not about whether the tool works. The question worth watching is whether an entrant like this grows into the workspace-containment layer the established players underweight.

It is worth naming the disintermediation pattern it hints at. Coding-agent security is currently assembled from endpoint tools, sandbox primitives, and manual config review. A newcomer that collapses workspace trust, config gating, and sandboxing into one product would remove integration seams (fewer boundaries to secure) while concentrating trust and supply-chain risk in one young, unproven tool. That is the tradeoff to weigh, not a verdict either way.

Consolidating or fragmenting?

Fragmenting, with a mature core. Isolation is consolidated and largely open. Retrieval trust is owned by the data-governance vendors. And a whole cluster of practical controls has no owner, which is precisely the gap newcomers are forming around. Watch whether the new entrants stay point solutions or grow into a workspace-containment layer. And expect more of them: an unowned cluster of practical controls is exactly the kind of blank that startups and stealth-stage companies form around fastest, so treat this part of the map as provisional.

The handoff

The isolation vendors and the endpoint/runtime vendors both touch the host, from different sides, and nothing in the map joins "this container holds" to "this detector knows which agent acted." The seam is attribution: containment supplied by the cloud and open-source layer, detection supplied by the endpoint vendors, and no product stitching the agent identity across both. A defender wires that join by hand.

See the containment groundwork post for the controls and validation steps, and explore Apeiris Security, where containment is the EC layer, at apeiris.ai.

Sources

---

How to read this. Snapshot dated 21 June 2026. A product appears here because it maps to a control, not as a recommendation or independently validated efficacy; vendor figures are their own claims; status tags mark what kind of thing each entry is. The full neutrality statement and method are in the capstone.

Apeiris Security →