Platform
Custom sandboxes for serious AI software delivery
Custom sandbox images wrap AI-assisted engineering around Rails, Java, Go, Python, Node and multi-process backends — so the delivery loop runs on the stack you already operate.
Custom sandboxes are Ciao environments built from custom images that wrap AI-assisted engineering around Rails, Java, Go, Python, Node and multi-process backends. Unlike AI builders that assume an empty JavaScript project, a custom sandbox runs your runtime, dependencies and services in isolated pods — so Ciao's Builder, QA, Security and Guardrails operate on the systems your business already depends on.
Published 2026-07-03 · Last updated 2026-07-03
Your production stack is not a greenfield React app
Most AI app builders assume the world begins at an empty JavaScript project. Real estates do not look like that. They look like a Rails monolith carrying a decade of business rules, Java services nobody wants to touch, Go APIs under real load, Python data platforms, and multi-process backends where three things must start in the right order before anything works.
The interesting question for a serious organization is not whether AI can start something new — it is whether AI can work safely on what you already run. Custom sandboxes are Ciao's answer: custom sandbox images wrap AI-assisted engineering around Rails, Java, Go, Python, Node and multi-process backends, bringing the full delivery loop to your stack instead of asking your stack to become someone else's.
The estate is usually the argument for doing nothing: too intertwined to touch, too critical to risk. Custom sandboxes invert that logic — the testing, review and audit discipline that makes greenfield AI building safe is exactly what makes brownfield AI work possible.
How custom sandboxes work
Onboarding is deliberate: the image is defined once, and every workspace built from it is reproducible.
1. Define the image
Runtime versions, system dependencies, services and process topology are captured in a custom sandbox image scoped with your team — your stack, encoded.
2. Run in isolated pods
Sandboxes run on Ciao's infrastructure designed to scale — Kubernetes, isolated pods, hibernation and wake — so each workspace is contained and reproducible.
3. Work in the Builder against your codebase
Plain-language requests become changes to your actual systems, with diffs on real git branches and the live behavior visible as you go.
4. Pass the same gates
Security runs static scanning, dependency checks and access-control probes; QA exercises the running system; Guardrails applies your plain-English policies and records human review.
5. Deploy where you need to
Ciao cloud, your own AWS, Azure or GCP account, private VPC — or on-prem under separate terms.
Why it matters
The systems that make your money today are the ones AI assistance helps most — and the ones consumer AI builders cannot touch. Custom sandboxes bring governed AI-assisted engineering to that estate without the classic trap: the big-bang rewrite that consumes two years and ships less than the monolith did.
Modernization becomes incremental instead. New capabilities, fixes and refactors land on the existing stack through a reviewed, tested, audited loop — and where a rewrite genuinely makes sense, it happens system by system, with the old and new worlds under one delivery discipline.
Who uses custom sandboxes
Custom sandboxes exist for organizations whose most valuable systems predate the AI era:
- Enterprise IT — Estates of Rails, Java and Python systems that need change velocity without change chaos.
- Software companies — Polyglot backends where the product is too valuable to rewrite and too important to leave slow.
- Modernization programs — Legacy systems evolved incrementally under governance, instead of gambled on a rewrite.
- MSPs and consultancies — Client systems in mixed stacks, operated with a consistent, auditable delivery loop across all of them.
Security and governance notes
Enterprise controls apply to the sandbox exactly as they do to the rest of the platform:
- ✓ Sandboxes run in isolated pods on Kubernetes-based infrastructure.
- ✓ SSO via SAML and OIDC, optional MFA and role-based access control.
- ✓ Append-only audit trail across prompts, merges, deploys and admin actions.
- ✓ Customer code is not used to train models; inference runs under zero-retention model contracts.
- ✓ SOC 2 Type II reports are available under NDA.
- ✓ Private VPC and on-prem deployment are available under separate terms.
Stacks custom sandboxes support
One delivery loop, six stack shapes:
| Stack | Typical estate | What the sandbox provides |
|---|---|---|
| Rails | The monolith carrying a decade of business rules | Ruby runtime, gems and services encoded in the image |
| Java | Long-lived services with strict dependencies | JVM, build tooling and service topology reproduced per workspace |
| Go | APIs and infrastructure under real load | Toolchain and dependencies pinned in the image |
| Python | Data platforms, internal services, scripts grown into systems | Interpreter, packages and system libraries as your stack expects |
| Node | Backends beyond the default greenfield shape | Your Node versions and process layout, not a fresh scaffold |
| Multi-process backends | Several services that must run together to mean anything | The full process topology running inside one isolated sandbox |
Frequently asked questions
Can the sandbox match our exact runtime versions and dependencies?
That is what the custom image is for: runtime versions, system dependencies, services and process topology are defined with your team so the sandbox reproduces the stack your systems actually need. It is scoped as part of enterprise onboarding.
Does our code have to leave our network?
Deployment targets include your own AWS, Azure or GCP account and private VPC, with on-prem available under separate terms. Customer code is not used to train models, and inference runs under zero-retention model contracts. Talk to sales about the boundary your security team requires.
How is this different from the standard Ciao Builder?
The standard Builder generates new React, TypeScript and Supabase applications. Custom sandboxes wrap the same AI-assisted engineering loop — Builder, QA, Security, Guardrails — around your existing Rails, Java, Go, Python, Node or multi-process stack.
Can we combine custom sandboxes with our own models?
Yes. Enterprise plans support bringing your own LLM — own provider keys, OpenAI-compatible endpoints and private model routing — so work on sensitive codebases runs against models your organization has approved.
How do we get started?
Custom sandboxes are an enterprise capability: serious production programs start at USD 10,000 per year, and the image is scoped with your platform team during onboarding. Contact sales with a description of your stack to begin.