Run CLI agents in isolated microVMs from your desktop. Keep your workflow — agents only access the folders and repos you specify.
What It Is
Sandboxed AI agents
Each agent session runs inside a Docker Sandbox microVM with hypervisor-level isolation. Agents read and modify your project files, but cannot reach outside their declared network policy.
Unified management
Create personas for Claude Code, Codex, GitHub Copilot, Kiro, Cursor, Gemini, and custom agents. Configure workspaces, network policies, per-agent memory, and MCP server integrations from one UI.
Native CLI feel
Agents run in a real terminal environment — Claude Code, Codex, Copilot, and others behave exactly as they would on your local machine. The sandbox looks and feels like your workstation to the agent.
Credential security
API keys and OAuth tokens are stored in your OS keychain via sbx secret — never written to disk or the application database. Beachead never sees your credentials in plaintext.
Download
Verify your download
macOS / Linux
echo "<sha256> <filename>" | sha256sum --checkWindows (PowerShell)
Get-FileHash <filename> | Format-ListPrefer to build yourself? Build from source →
Requirements
| Dependency | Purpose | Install |
|---|---|---|
| Docker Engine | Container runtime for sandboxes and memory containers | docs.docker.com |
| Docker Sandboxes (sbx) | CLI for managing sandbox microVMs | github.com/docker/sbx-releases |
| Git optional | Required for Repo Sync features | git-scm.com |