Platform

Custom sandboxes for serious AI software delivery

Custom sandbox images wrap AI-assisted engineering around Rails, Java, Go, Python, Node and multi-process backends — so the delivery loop runs on the stack you already operate.

Custom sandboxes are Ciao environments built from custom images that wrap AI-assisted engineering around Rails, Java, Go, Python, Node and multi-process backends. Unlike AI builders that assume an empty JavaScript project, a custom sandbox runs your runtime, dependencies and services in isolated pods — so Ciao's Builder, QA, Security and Guardrails operate on the systems your business already depends on.

Best forExisting production stacksPolyglot backendsIncremental modernization

Published 2026-07-03 · Last updated 2026-07-03

Your production stack is not a greenfield React app

Most AI app builders assume the world begins at an empty JavaScript project. Real estates do not look like that. They look like a Rails monolith carrying a decade of business rules, Java services nobody wants to touch, Go APIs under real load, Python data platforms, and multi-process backends where three things must start in the right order before anything works.

The interesting question for a serious organization is not whether AI can start something new — it is whether AI can work safely on what you already run. Custom sandboxes are Ciao's answer: custom sandbox images wrap AI-assisted engineering around Rails, Java, Go, Python, Node and multi-process backends, bringing the full delivery loop to your stack instead of asking your stack to become someone else's.

The estate is usually the argument for doing nothing: too intertwined to touch, too critical to risk. Custom sandboxes invert that logic — the testing, review and audit discipline that makes greenfield AI building safe is exactly what makes brownfield AI work possible.

How custom sandboxes work

Onboarding is deliberate: the image is defined once, and every workspace built from it is reproducible.

  1. 1. Define the image

    Runtime versions, system dependencies, services and process topology are captured in a custom sandbox image scoped with your team — your stack, encoded.

  2. 2. Run in isolated pods

    Sandboxes run on Ciao's infrastructure designed to scale — Kubernetes, isolated pods, hibernation and wake — so each workspace is contained and reproducible.

  3. 3. Work in the Builder against your codebase

    Plain-language requests become changes to your actual systems, with diffs on real git branches and the live behavior visible as you go.

  4. 4. Pass the same gates

    Security runs static scanning, dependency checks and access-control probes; QA exercises the running system; Guardrails applies your plain-English policies and records human review.

  5. 5. Deploy where you need to

    Ciao cloud, your own AWS, Azure or GCP account, private VPC — or on-prem under separate terms.

Why it matters

The systems that make your money today are the ones AI assistance helps most — and the ones consumer AI builders cannot touch. Custom sandboxes bring governed AI-assisted engineering to that estate without the classic trap: the big-bang rewrite that consumes two years and ships less than the monolith did.

Modernization becomes incremental instead. New capabilities, fixes and refactors land on the existing stack through a reviewed, tested, audited loop — and where a rewrite genuinely makes sense, it happens system by system, with the old and new worlds under one delivery discipline.

Who uses custom sandboxes

Custom sandboxes exist for organizations whose most valuable systems predate the AI era:

  • Enterprise IT — Estates of Rails, Java and Python systems that need change velocity without change chaos.
  • Software companies — Polyglot backends where the product is too valuable to rewrite and too important to leave slow.
  • Modernization programs — Legacy systems evolved incrementally under governance, instead of gambled on a rewrite.
  • MSPs and consultancies — Client systems in mixed stacks, operated with a consistent, auditable delivery loop across all of them.

Security and governance notes

Enterprise controls apply to the sandbox exactly as they do to the rest of the platform:

  • ✓ Sandboxes run in isolated pods on Kubernetes-based infrastructure.
  • ✓ SSO via SAML and OIDC, optional MFA and role-based access control.
  • ✓ Append-only audit trail across prompts, merges, deploys and admin actions.
  • ✓ Customer code is not used to train models; inference runs under zero-retention model contracts.
  • ✓ SOC 2 Type II reports are available under NDA.
  • ✓ Private VPC and on-prem deployment are available under separate terms.

Stacks custom sandboxes support

One delivery loop, six stack shapes:

StackTypical estateWhat the sandbox provides
RailsThe monolith carrying a decade of business rulesRuby runtime, gems and services encoded in the image
JavaLong-lived services with strict dependenciesJVM, build tooling and service topology reproduced per workspace
GoAPIs and infrastructure under real loadToolchain and dependencies pinned in the image
PythonData platforms, internal services, scripts grown into systemsInterpreter, packages and system libraries as your stack expects
NodeBackends beyond the default greenfield shapeYour Node versions and process layout, not a fresh scaffold
Multi-process backendsSeveral services that must run together to mean anythingThe full process topology running inside one isolated sandbox

Frequently asked questions

Can the sandbox match our exact runtime versions and dependencies?

That is what the custom image is for: runtime versions, system dependencies, services and process topology are defined with your team so the sandbox reproduces the stack your systems actually need. It is scoped as part of enterprise onboarding.

Does our code have to leave our network?

Deployment targets include your own AWS, Azure or GCP account and private VPC, with on-prem available under separate terms. Customer code is not used to train models, and inference runs under zero-retention model contracts. Talk to sales about the boundary your security team requires.

How is this different from the standard Ciao Builder?

The standard Builder generates new React, TypeScript and Supabase applications. Custom sandboxes wrap the same AI-assisted engineering loop — Builder, QA, Security, Guardrails — around your existing Rails, Java, Go, Python, Node or multi-process stack.

Can we combine custom sandboxes with our own models?

Yes. Enterprise plans support bringing your own LLM — own provider keys, OpenAI-compatible endpoints and private model routing — so work on sensitive codebases runs against models your organization has approved.

How do we get started?

Custom sandboxes are an enterprise capability: serious production programs start at USD 10,000 per year, and the image is scoped with your platform team during onboarding. Contact sales with a description of your stack to begin.

Related pages

Serious development starts with serious responsibility.

Custom Sandboxes: AI Engineering on Your Stack | Ciao