Compute
Time traveling agent sandboxes
Evaluate agents with knowledge cut-offs. Generate temporally-consistent context in your cloud.

Why Chalk Compute
Designed to help AI teams deploy safely and securely. Production-grade by default.
Fast.
Sub-second cold starts on every workload.
Chalk maintains a content-addressed image cache on every node in your cluster. Once an image lands on a host, every subsequent sandbox using it boots in under a second. Common base images are pre-warmed across the fleet, so cold starts are an exception, not a default. Scale-to-zero costs you nothing on the way back up.
Safe.
gVisor isolation, OIDC identity, policy-bound egress.
Every workload runs inside a gVisor-hardened sandbox — a user-space kernel intercepts syscalls before they reach the host. Each sandbox launches with its own OIDC-compliant cloud identity, scoped to that workload alone. Outbound traffic is restricted to a hostname or CIDR allowlist you control. A compromised agent stays inside its blast radius.
Yours.
Runs inside your AWS, GCP, or Azure account. Always.
Sandboxes execute in your VPC, on nodes you provisioned, under IAM roles you control. Customer data never crosses to a third-party plane. Logs stay in your account. KMS keys, network policies, and audit trails are the ones your security team already operates. Chalk's metadata plane orchestrates the work; your data plane owns the data.
Built for production. Agents you trust.
One platform. Every Agent.
Compute is one piece of the unified platform.
Feature Store
One source of truth for every feature, online and offline.
Model Platform
Train, version, and roll out models on the same engine that serves them.
Real-Time Serving
Sub-millisecond inference for production ML.

LLM Toolchain
Prompts, embeddings, evals, and tool-use as first-class features.
It all runs in your cloud.
Chalk Compute and the Chalk Context Engine deploy entirely inside your AWS, GCP, or Azure account.

Simple primitives. Endless possibilities.
Chalk Compute exposes the small set of primitives you actually need to run agents and inference in production — scaling groups, sandboxes, containers, images, volumes, functions, and function queues — with the boring parts (caching, isolation, autoscaling) already solved.
Containers
A high-level managed container that bundles image build, file upload, and lifecycle in a single Python class. Configure CPU, memory, GPU, secrets, volumes, and lifetime — then .run(), .exec(), and .stop().
Sandboxes
gVisor-isolated execution environments with their own filesystem, network namespace, and resource limits. CPU and GPU workloads, kernel-level multi-tenancy.
Scaling Groups
Long-running, autoscaling HTTP services deployed from an image. Configure min and max replicas, target CPU utilization, and a port — Chalk handles the load-balanced endpoint and graceful scale-down.
Images
A fluent Python builder for defining software environments. Content-addressed caching means rebuilds are near-instant and identical across every sandbox.
Volumes
Persistent, versioned file storage with copy-on-write semantics. Fork a volume to fan out parallel workloads against the same snapshot — no copies, no drift.
Functions
Deploy any Python callable as a remotely invocable endpoint. Automatic scaling, no servers to provision, no Dockerfiles to maintain.
Function Queue
Durable, ordered task execution with retries and backpressure. The right substrate for agent loops, evals, and bulk inference jobs that have to actually finish.
Bring your own agent harness.
We don't care which harness you build on — Chalk Compute is the infrastructure underneath.
Hardened at the kernel. Locked at the network. Identified at the workload.
Every sandbox runs under gVisor — a user-space kernel that intercepts syscalls before they reach the host. Inside the sandbox, root has no effective capabilities, no-new-privs is on, and the kernel interfaces with the worst historical bug count are sealed off. We run a probe suite against every build to verify the sandbox holds.
gVisor isolation
Every workload runs under gVisor — a user-space kernel that mediates syscalls before they reach the host. Inside the sandbox, CapEff and CapBnd are zero, no-new-privs is on, and securebits (secure-noroot, secure-no-suid-fixup, secure-keep-caps) are locked. Root inside the container has nothing to escalate to.
Kernel surface unreachable
The interfaces with the largest historical bug count are blocked entirely: io_uring, bpf, perf_event_open, userfaultfd, fanotify, and kexec_load all return permission denied. /dev/kcore, /dev/mem, and /dev/port don't exist; /sys/kernel is empty; host block-device mounts aren't visible.
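The claims above that are observable from inside a sandbox can be checked with a small probe. This is an added example, not Chalk's probe suite or code from this page; it covers the capability sets, no-new-privs, the absent device nodes and /sys/kernel, and does not test securebits or the blocked syscalls. It assumes the sandbox exposes the usual Linux CapEff, CapBnd and NoNewPrivs fields in /proc/self/status; the function names and the sample status text are constructed for illustration.

```python
import os

# Device nodes the page says do not exist inside the sandbox.
ABSENT_PATHS = ("/dev/kcore", "/dev/mem", "/dev/port")

# Constructed sample of /proc/self/status fields (not captured from a real sandbox).
SAMPLE_HARDENED = "Name:\tpython3\nCapEff:\t0000000000000000\nCapBnd:\t0000000000000000\nNoNewPrivs:\t1\n"

def parse_status(text):
    """Parse 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def verdict(raw, ok):
    """'unknown' when the field is absent or malformed, else pass/fail."""
    try:
        return "unknown" if raw is None else ("pass" if ok(raw) else "fail")
    except ValueError:
        return "unknown"

def audit(status_text, exists=os.path.exists, listdir=os.listdir):
    """Map each hardening claim to 'pass', 'fail' or 'unknown'."""
    st = parse_status(status_text)
    results = {cap: verdict(st.get(cap), lambda v: int(v, 16) == 0)
               for cap in ("CapEff", "CapBnd")}
    results["NoNewPrivs"] = verdict(st.get("NoNewPrivs"), lambda v: int(v) == 1)
    for path in ABSENT_PATHS:
        results[path] = "fail" if exists(path) else "pass"
    try:
        results["/sys/kernel"] = "fail" if listdir("/sys/kernel") else "pass"
    except FileNotFoundError:
        results["/sys/kernel"] = "pass"      # directory absent: nothing exposed
    except OSError:
        results["/sys/kernel"] = "unknown"   # present but unreadable
    return results

if __name__ == "__main__":
    with open("/proc/self/status") as f:     # run inside the sandbox under test
        for check, result in audit(f.read()).items():
            print(f"{result:8} {check}")
```

A result of "unknown" means the field was missing or unreadable, which should be treated as unverified rather than as a pass.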
Workload Identity Federation
Every sandbox launches with its own OIDC-compliant cloud identity, scoped to that workload alone. When self-hosted on Kubernetes, no service account token is mounted into the workload — it cannot authenticate to the cluster API by default.
Network Policy
Restrict outbound egress to a hostname or CIDR allowlist; off-list traffic is dropped silently at the network layer. Raw packet sockets (AF_PACKET) and link-level admin (ip link) are blocked outright — a compromised agent can't sniff the wire or reconfigure interfaces.
MCP Gateway
Sandboxes call MCP servers through the gateway, authenticated by their workload identity. The gateway holds the real credential and proxies the call — agents get tool access without ever seeing the upstream key.
WireGuard Tunnels
Per-session WireGuard tunnels with dynamically negotiated keys, scoped to a single workload. Connect sandboxes to each other or bridge to on-prem databases without exposing them to the public internet.
Agents for
In a sandbox. In your cloud.
Compute that knows your data.
See what your team can ship when sandboxes, models, and agents all run on the same engine — inside your cloud.



