Autonomous AI agents your security team can actually approve.
Diffract runs every agent inside a kernel-isolated sandbox — deny-by-default egress, credentials it can never read, and a complete audit trail. Any model, any provider, hot-swapped at runtime. Deploy it in one command, self-hosted or fully managed.
Built for zero-trust autonomy.
Six pillars that turn unpredictable agents into auditable infrastructure.
Kernel-Level Sandbox
Every agent runs in its own sandbox built on NVIDIA OpenShell — network namespaces, Landlock and seccomp enforce isolation at the syscall boundary. It can't touch the host, your network, or another workload.
Deny-by-Default Networking
The sandbox's only way out is a policy proxy. Your agent reaches the hosts you approve — and nothing else. Every connection is inspected, logged, and revocable in seconds.
Credentials the Agent Can't Read
API keys and tokens are injected at the boundary, never into the agent's reach. Even a fully compromised agent has no secret to steal and nothing to exfiltrate.
Connect Your Stack, Safely
Give the agent your CLIs, CRMs, and internal APIs through scoped, credential-isolated connections. It acts on your behalf — and reaches Slack, Telegram, Discord and 20+ channels — without ever holding the key.
Built to Run in Production
Watchdog supervision, resource caps, and self-healing recovery, plus a full dashboard for sessions, logs and policy. Operable 24/7 by the team that owns it.
Any Model, No Lock-In
Hot-swap Claude, GPT, Gemini, Llama or NVIDIA Nemotron at runtime — no restarts, no SDK churn. Bring any OpenAI-compatible provider, and your own keys.
Six layers, zero trust.
Every request crosses a defined boundary. Every boundary enforces policy. From the dashboard down to the kernel, every action an agent takes is logged and reviewable.
Contained by design.
Six controls enforced in the runtime — not bolted on afterward. Each one is something you can put in front of your auditors.
Deny-by-Default Networking
No egress unless you declare it. The sandbox routes out through a single policy proxy — every connection inspected, logged, and rate-limited.
Network-Namespace Isolation
Each agent gets its own network namespace, filesystem, and process tree. It can't see the host, your internal network, or another tenant's workload.
Agent-Blind Credentials
Keys are injected at the boundary, never into the agent. A compromised agent has no secret to steal and nothing to leak.
Host Approval & Egress Control
Add or revoke the exact hosts an agent may reach from one policy. Changes apply live, and every approval is recorded.
Resource Containment
Cgroup limits cap CPU, memory, and process count. A runaway or forked agent is killed before it can touch the host.
Full Audit Trail
Every session, tool call, and egress decision is logged and reviewable in the dashboard — the evidence your compliance team asks for.
Any model, one router.
Switch providers in real time. No SDK reshuffling, no environment swaps, no re-leaked tokens. Bring your own keys — or use ours.
+ DeepSeek, Qwen, Moonshot, Mistral, GLM and OpenRouter — or any OpenAI-compatible endpoint.
Three steps to production.
From zero to a sandboxed, multi-provider agent in minutes — self-hosted, or fully managed by us.
Install
One command pulls everything — Node, Docker, the OpenShell runtime, and the Diffract stack.
$ curl -fsSL https://diffraction.in/install.sh | bash
Onboard
Provision an isolated sandbox, register your model providers, and bring up the gateway and dashboard.
$ diffract onboard
Operate
Open the dashboard to chat, connect your tools, and set the egress policy your security team signs off on.
# open your private dashboard
Ready to deploy your first agent?
Self-hosted or fully managed. Audit-ready from day one. Built for teams who refuse to trade safety for speed.