Notes from the syscall boundary.
Honest writing about isolation models. Where they break. What "containerized" actually means in 2026. No vendor benchmarks. Numbers cite the source; opinions name themselves.
- Jun 2, 2026
AI-agent code execution: where the new attack surface lives
An agent runtime executes code that didn't exist twenty seconds ago, generated by a model that may have been prompt-injected by content it scraped twenty minutes ago. The threat model is unusual. Container security people should pay attention.
ai-agents threat-model
- May 26, 2026
Isolation models, ranked by what they actually break
Process, namespace, syscall-filter, userspace-kernel, MicroVM, hardware. Five layers, five honest trade-offs, one ranking that doesn't pretend a chroot is a sandbox.
isolation trade-offs
- May 12, 2026
Why namespaces aren't enough for untrusted code
Namespaces are a packaging primitive. A user/pid/mount namespace contains nothing on its own. The escape budget is the syscall surface — and on a stock kernel, that's roughly 350 system calls of attack area.
isolation kernel