Broker for AI coding teams to run tests and generated code in signed, auditable sandboxes across fragmented cloud capacity.

1. Enterprise AI coding adoption is already creating a new class of runtime-intensive workloads rather than just more chat usage.
2. Buyers now care about safe execution of AI-generated code, which makes isolated sandboxes a must-have primitive and not a nice-to-have feature.
3. Acute capacity shortages and a 13-partner supply chain make multi-provider brokerage newly valuable because single-vendor dependence is already failing.
4. The valuation re-rating around Modal shows capital markets expect the agent-runtime layer to become a large standalone category, leaving room for a focused neutral broker.

Catalyst. The same enterprise AI coding adoption that pushed Modal from $60M to $300M ARR and forced it to assemble 13 infrastructure partners is creating immediate pressure for buyers to add multi-provider, policy-safe execution before one vendor becomes a bottleneck.

The product sits between coding agents and infrastructure providers as a control plane plus execution fabric. Developers or platform teams define approved base images, secrets boundaries, network policies, and cost ceilings, then the broker spins up each task in a signed sandbox on the best-fit provider based on latency, compliance, and live capacity. It caches build layers and test artifacts across providers so bursts are cheaper and faster than raw cloud failover. Every run produces a replayable trace showing what code executed, what tools it called, what secrets were exposed, and which provider hosted the workload. That makes the wedge valuable to both platform teams trying to scale agents and security teams trying to trust them.

What's different. CI vendors orchestrate trusted developer workflows on fixed runners, while serverless GPU clouds sell raw execution capacity. This company combines policy enforcement, reproducible sandbox packaging, and live capacity brokerage for untrusted AI-generated code, which is a different control problem than either CI or cloud provisioning alone. Over time it can build a proprietary reliability and pricing map of agent-runtime workloads across providers, making the routing layer smarter and harder to replace.

Jobs to be done

flowchart LR
  Buyer[VP Platform Engineering] --> Pain[Agent PRs overload CI and raise sandbox risk]
  Pain --> Product[Policy-aware burst runtime broker]
  Product --> Outcome[Faster agent rollout with auditable multi-cloud execution]

Executive takeaways

• AI coding is shifting infrastructure demand from static CI capacity toward governed execution environments for untrusted agent-written code.
• The buyer gap is not raw compute alone; it is policy-approved burst capacity, provenance, and network-safe execution across multiple providers.
• Existing vendors split across CI incumbents, point sandbox runtimes, and CI acceleration layers, leaving room for a neutral governance and routing broker.
• The startup wins only if it sells security throughput and multi-cloud reliability, not a cheaper undifferentiated runner pool.

Market definition

Governed execution infrastructure for AI coding and agent workflows: the layer that packages, schedules, isolates, and proves builds, tests, browser checks, and generated-code tasks triggered by coding agents.

Customer and buyer

Primary user is the platform or AI infrastructure team that owns CI, runner policies, network boundaries, and secrets handling. The economic buyer is the VP Platform Engineering or equivalent internal AI platform owner, with security and compliance as co-approvers because the workload includes untrusted agent-generated code.

Buying triggers

• When agent-generated pull requests start sharing runner pools with human-authored CI, platform teams feel queueing, orchestration, and cleanup become a reliability issue. [20][21][22][26][31]
• Security reviews intensify once the workload involves untrusted agent-written code, because secrets, outbound networking, and host reuse become procurement blockers. [25][28][39][43][48]
• Release weeks, eval batches, and multi-branch rollouts create burst demand that a single runner pool or single cloud is poorly suited to absorb. [1][2][31][35]

Willingness to pay

Direct substitutes already normalize usage-based spend for governed execution: E2B and Daytona publish about $0.000028 per second for a 2-vCPU sandbox, Depot publishes $0.004 per minute for a 2-vCPU GitHub Actions runner, and Modal bills per core and per GiB by the second. A broker is credible if it measurably cuts queueing, spare-capacity waste, and security-review labor on top of that baseline. [3][11][14][15]

Category dynamics

Growth signal 19.7%-24.0% CAGR across adjacent DevOps and AI code tools markets

Validation signals

• Modal says sandboxes drive more than a third of revenue and the platform has launched more than 1 billion sandboxes, showing real runtime demand beyond demos.
• Claude Code is explicitly marketed to read code, run tests, and open pull requests, which makes execution infrastructure part of the agent product surface.
• Codex applies the same sandbox boundary to spawned commands like git, package managers, and test runners, confirming that execution control is core to agentic coding products.
• JetBrains’ 2026 AI Pulse found 90% of developers use at least one AI tool at work and 74% use specialist AI developer tools, expanding the future demand base.

Regulatory & technical constraints

• Short-lived credentials and least-privilege access are table stakes once generated code touches cloud resources or internal systems.
• Provenance and signed attestations are becoming the expected control surface for build artifacts and SBOMs.
• Multi-tenant execution of untrusted code may require stronger isolation than default containers, especially for shared enterprise environments.
• Ephemeral build environments are increasingly preferred over reused hosts to reduce contamination and reproducibility risk.

Competition clusters into three camps: Git-centric CI incumbents, purpose-built sandbox runtimes, and CI acceleration vendors. The white space is a neutral governance layer that routes across those stacks instead of forcing a full rip-and-replace.

Why incumbents do not win by default

• Cloud build services. Hyperscaler build services reduce runner operations but remain provider-specific; they do not solve neutral multi-cloud routing or unified policy across existing CI estates by default.
• Git-based CI platforms. GitHub-style CI is deeply embedded, but its runner model still leaves teams to choose between limited hosted capacity, larger paid runners, or self-hosted ARC complexity for bursty agent traffic.
• Sandbox specialists. Point sandbox vendors solve secure execution well, but they are mostly provider-specific runtimes rather than neutral brokers across approved clouds, corporate networks, and existing CI controls.
• CI acceleration vendors. Runner acceleration vendors show buyers will pay for faster execution, but they optimize a managed runner stack rather than policy-governed routing across heterogeneous execution providers.

Agent Runtime Burst Broker should start as a policy-governed overflow execution layer for 500-2,000 engineer B2B software companies that have already rolled out internal coding agents and are now seeing agent-generated pull requests saturate CI queues. The first product should not try to replace GitHub Actions, cloud build services, or a sandbox vendor; it should intercept agent-triggered builds, integration tests, browser checks, and selected generated-code tasks, package them into signed ephemeral sandboxes, and route them across approved providers with replayable audit traces. This beachhead is narrow on purpose because the buyer, trigger, and ROI are clearest when one platform team is already absorbing queue spikes, security-review friction, and burst-capacity overruns during release weeks. Research-backed sizing supports an estimated $1.1B TAM, $264.6M initial SAM, and $7.9M year-3 SOM if the company stays focused on mid-to-large software teams before expanding into broader agent-runtime workloads. The go-to-market should sell security throughput and burst reliability, not cheaper compute, using paid BYOC pilots that prove lower queue time, complete execution traces, and easier procurement. The company can win if it becomes the neutral governance and routing layer that incumbents do not naturally offer across existing CI estates and multiple clouds. The biggest disconfirming risks are that overflow-only deployment may not be enough to justify budget, that incumbents may bundle similar policy features, and that early buyers may demand GPU, browser, or VPC capabilities beyond the initial workload mix. The first 12 months therefore need to prove that buyers will pay for an agent-only execution pool, that BYOC meaningfully shortens security review, and that cross-provider routing beats a single-vendor baseline on latency, cost, or approval time.

Problem

• As internal coding agents move from suggestion to pull-request creation, agent-generated builds, integration tests, and browser checks collide with human CI workloads and create queue spikes that existing runner pools were not designed to absorb.
• Security and compliance teams are reluctant to let untrusted agent-written code run against privileged systems unless execution is isolated, auditable, and bound to explicit network, secret, and provenance controls.

Solution

• Insert a policy-aware control plane between coding agents and execution infrastructure so each agent task runs inside a signed ephemeral sandbox with approved base images, short-lived credentials, explicit egress rules, and replayable traces.
• Route CPU, browser, and later GPU workloads across multiple approved providers with cache reuse and policy checks, landing first as an agent-only overflow pool that coexists with the customer's current CI workflow.

Why we win

• GitHub Actions, cloud build services, and sandbox vendors each solve part of the workflow, but none naturally own neutral cross-provider governance, provenance, and routing across the customer's existing CI estate.
• Every production run compounds differentiated data on workload shape, cold starts, failure modes, cache behavior, and policy outcomes across providers, which can make routing quality and audit posture improve faster than a single-provider runtime.

Milestones

flowchart LR
  Wedge[Agent-only overflow wedge] --> MVP[Signed sandbox MVP]
  MVP --> Proof[Queue and audit proof]
  Proof --> Expansion[Broader governed runtime]

Founding team

Experiment roadmap

Risk assessment

What must be true

• At least 30% of qualified beachhead accounts are willing to buy an agent-only overflow execution layer without replacing their existing CI stack.
• The first 3 paid pilots can reduce median queue time for agent-generated jobs by at least 30% while maintaining complete execution traceability.
• Security and procurement teams accept BYOC, short-lived credentials, and audit exports as sufficient control boundaries for third-party routing.
• Most early workloads can be served by CPU and browser-oriented execution so the company can defer GPU-heavy architecture without missing the buying trigger.
• At least half of paid pilots convert into annual contracts above $80k ARR because the product is seen as a control layer, not a commodity runner pool.

Open diligence questions

• How often does the first buyer want overflow-only deployment versus a broader CI and sandbox migration?
• What proof artifact most often unlocks procurement: attestation, network trace, secret-access log, or customer-cloud deployment?
• Which workload classes dominate the first 90 days of usage: integration tests, browser checks, generated-code execution, or GPU jobs?
• How much of the incumbent alternative is GitHub Actions optimization, a point sandbox vendor, or internal platform engineering?
• Does the budget come from developer productivity, AI platform, cloud infrastructure, or security tooling in the first deal?

Model sanity

• Revenue engine. Base-case revenue comes from growing from 4 paying accounts at Y1 exit to 30 by Q4Y3 while blended annual ARPU rises from pilot-equivalent $36K to $165K as contracts convert and expand.
• Must go right. BYOC plus short-lived credentials must clear security review on time, because the sales-cycle sensitivity is the largest driver of both Y3 revenue and cash risk.
• Model breaks if. The model gets stressed if procurement slips by a quarter and gross margin stalls near 65-68%, which pushes the cash low point toward zero before the next raise.
• Next-round proof. The next financing is justified once the company reaches roughly 8-12 production customers with repeatable deployments, referenceable security reviews, and visible second-workflow expansion.

Scenarios

Sensitivity

flowchart LR
  Leads[Triggered platform teams] --> Pilots[Paid BYOC pilots]
  Pilots --> Customers[Production customers]
  Customers --> Revenue[Subscription plus usage revenue]
  Revenue --> GrossProfit[Gross profit]
  GrossProfit --> Cash[Cash runway]

Flags: Y1 revenue is only $65.5K against $919.5K of EBITDA burn, so the company must stay disciplined until annual production contracts start compounding. · The rule-of-40 output looks exceptionally high because Y3 growth is measured off a sub-$1M Y2 base rather than mature scale. · The model assumes BYOC clears security review without forcing a customer-hosted control plane; if that fails, both sales cycle and services burden worsen materially.

• Incumbent bundling. A cloud runtime vendor or hyperscaler could add enough policy and routing features to narrow the differentiation gap. Mitigation: Focus on neutral multi-provider governance, cross-vendor audit, and workload portability that single providers are structurally weak at offering.
• Adoption pacing. If enterprises keep coding agents in limited pilots, workload volume may not justify a new runtime layer soon enough. Mitigation: Start with customers already seeing CI saturation and price around immediate queue-time and capacity savings instead of long-term transformation promises.
• Security proof burden. Buyers may hesitate to trust a new intermediary with untrusted code execution and sensitive build contexts. Mitigation: Offer signed sandbox templates, strict secret-scoping, replayable traces, and third-party security attestations from the first design-partner deployments.