The containers you use to isolate your AI agents are not as secure as you think. A joint team from the University of Oxford and the UK AI Security Institute has built a benchmark called SandboxEscapeBench that systematically measures whether frontier language models can break out of Docker and Kubernetes sandboxes. The answer, across 18 real-world vulnerability scenarios, is that they frequently can — and the cost of attempting an escape is roughly one dollar.
Why container escape matters now
Most organisations deploying AI agents — whether for code generation, data analysis, or autonomous task completion — run them inside containers. Docker and Kubernetes provide the isolation boundary between the agent and the host system. The implicit assumption is that this boundary holds.
SandboxEscapeBench tests that assumption directly. The benchmark uses a nested sandbox architecture (a container inside a virtual machine) so that successful escapes pose no risk to the evaluation infrastructure. Each scenario places a known vulnerability in the container environment and measures whether a model, given shell access and no hints about the specific weakness, can discover and exploit it to read a flag file on the host.
Strategic Reality: Container isolation is the primary security control for most AI agent deployments. This research demonstrates that for common misconfigurations, that control fails against frontier models — and has done so reproducibly across multiple model families.
The 18 scenarios span three attack layers that mirror real-world container security literature:
| Attack layer | Scenarios | What they test |
|---|---|---|
| Orchestration (L1) | 4 | Kubernetes RBAC, kubectl, route leaks, CRI-O flaws |
| Engine and runtime (L3) | 8 | Privileged containers, Docker socket exposure, dangerous capabilities, runc CVEs |
| Host/kernel (L4) | 6 | Namespace escapes, cgroup abuse, Dirty COW, Dirty Pipe, eBPF, packet sockets |
Each scenario maps to documented CVEs or known misconfiguration classes. No novel vulnerabilities were required — every escape route already existed in security advisories.
What the benchmark actually shows
The headline finding is stark: frontier models escape common sandbox weaknesses comfortably. Across the easiest scenarios (difficulty 1-2, representing misconfigurations that take a security professional under 30 minutes to exploit manually), large models achieve high success rates.
Critical Context: The easiest scenarios — privileged containers, writable host mounts, exposed Docker daemons — are precisely the misconfigurations most commonly found in developer tooling, ad-hoc evaluation harnesses, and fast-moving agent prototypes.
Here is how the leading models performed across difficulty tiers:
| Model | Easy (1-2) | Hard (3-5) | Overall |
|---|---|---|---|
| Claude Opus 4.5 | Near-perfect | 0.40 on level 3 | 0.49 [0.39, 0.59] |
| GPT-5 | Near-perfect | 0.40 on level 3 | 0.50 [0.40, 0.60] |
| Claude Sonnet 4.5 | Near-perfect | Moderate on level 3 | Similar tier |
| GPT-5-mini | Strong | Some level 3 success | Mid-tier |
| Claude Haiku 4.5 | Moderate | Near-zero | 0.18 [0.11, 0.27] |
| Open-source (GPT-OSS-120B) | Limited | Zero | 0.16 [0.09, 0.24] |
The capability gap between model tiers is substantial. Opus-class models score nearly three times higher than Haiku-class models overall. Open-weight models trail further still.
Strategic Insight: This is not a binary “models can or cannot escape” finding. The research reveals a graduated capability landscape where model size, architecture, and inference budget all determine whether a specific vulnerability class is exploitable.
Compute scaling changes the threat model
One of the paper’s more striking findings is that escape success scales roughly log-linearly with inference-time compute. Give a model more tokens to think with, and its escape rate increases predictably.
Two practical consequences follow. First, escape attempts are cheap — many cost around one dollar at current API pricing. An attacker (or an uncontrolled agent) can attempt many escapes for minimal spend. Second, attackers can concentrate compute budget into a single attempt by allocating more tokens, further improving expected success rates.
Hidden Cost: The economics of container escape have shifted. At roughly one dollar per attempt with meaningful success rates, the cost-benefit calculation for automated attack tooling has fundamentally changed. Volume attacks against misconfigured containers become economically viable at scale.
Version regression is real
An unexpected finding: GPT-5.2 performed significantly worse than GPT-5 (0.27 vs 0.50 overall success rate). The researchers hypothesise that training updates may have inadvertently diminished agentic skills. This matters for organisations that assume newer model versions are strictly more capable — for security-relevant behaviours, regression testing is not optional.
The human factor in container security
The benchmark reveals something uncomfortable about how AI agent infrastructure is typically configured. The easiest escape scenarios — the ones where models succeed most reliably — correspond to exactly the kind of shortcuts teams take under delivery pressure.
Running a container in privileged mode because the alternative requires debugging capability sets. Mounting the Docker socket into a container for convenience. Leaving hostPath volumes writable because the documentation example showed it that way. These are not theoretical vulnerabilities; they are the defaults that ship in tutorials, quickstart guides, and proof-of-concept deployments.
| Stakeholder | Primary concern | Action required |
|---|---|---|
| Platform/infra teams | Container configuration hardening | Audit all agent containers for privileged mode, socket exposure, excessive capabilities |
| AI/ML engineers | Agent deployment security | Implement least-privilege container policies for all agent workloads |
| Security teams | Threat model updates | Add AI-agent-specific container escape to risk registers |
| Leadership | Risk exposure quantification | Understand that “containerised” does not mean “contained” for frontier models |
Reality Check: The researchers found four unintended shortcut escapes during benchmark development. In two cases, models brute-forced default Vagrant SSH credentials to escape. In another, a model substituted a simpler eBPF exploit chain for the intended complex one. Capable models do not follow the expected attack path — they find whatever works.
Success criteria for containment
The paper’s data suggests three tiers of container security posture:
-
Insufficient (but common): Default Docker with common misconfigurations. Frontier models escape reliably. This is where most development and evaluation environments sit today.
-
Adequate for current models: Correctly configured, up-to-date container runtimes with no known vulnerabilities. No novel exploits were discovered — all successful escapes relied on documented CVEs or misconfigurations. Patching and hardening work, for now.
-
Forward-looking: Hardware-level isolation via microVMs (Firecracker, gVisor) or equivalent. The researchers note that hyperscale inference providers already use this approach, but most of the open-source agent ecosystem does not.
A practical framework for container security maturity
The research points to a clear priority ordering for organisations deploying AI agents:
Immediate actions (week 1)
- Audit all containers running AI agents for privileged mode, Docker socket mounts, and excessive Linux capabilities
- Remove
CAP_SYS_ADMIN,CAP_SYS_MODULE,CAP_DAC_READ_SEARCH, andCAP_NET_RAWfrom agent containers unless specifically required - Disable hostPath volumes in Kubernetes pods running agent workloads
- Review RBAC policies — overprivileged service accounts enable control-plane escapes
Short-term hardening (month 1)
- Implement seccomp profiles and mandatory access control (AppArmor/SELinux) for all agent containers
- Establish a patching cadence for container runtimes (runc, containerd) that accounts for the CVEs tested in this benchmark
- Deploy network policies that prevent containers from reaching the Docker daemon or Kubernetes API server
- Run SandboxEscapeBench against your own configurations — it is publicly available on GitHub
Take Action: The benchmark is open source. Running it against your own container configurations provides direct evidence of your exposure level, rather than relying on assumptions about what “properly configured” means in your environment.
Strategic investment (quarter 1-2)
- Evaluate microVM-based isolation (Firecracker, Kata Containers) for agent workloads handling sensitive data or with broad tool access
- Implement runtime monitoring that detects the enumeration patterns frontier models use before attempting escapes (capability checks, filesystem probing, network scanning)
- Establish a testing pipeline that re-evaluates containment after every model upgrade — version regression means your threat model changes with every API update
Implementation Note: The researchers created a new Inspect sandbox provider for HashiCorp Vagrant that supports local testing on commodity hardware. Organisations do not need cloud infrastructure to begin evaluating their exposure.
Four challenges that most teams will miss
1. The evaluation paradox
Organisations evaluating AI agents for safety need sandboxed environments. But if the agent can escape the sandbox, the evaluation itself is compromised. SandboxEscapeBench addresses this with nested sandboxing (container inside a VM), but most evaluation setups do not implement this pattern. Teams running AI safety evaluations in standard Docker containers may be testing an agent that has already escaped its evaluation boundary without knowing it.
Warning: ⚠️ If your AI safety evaluation infrastructure uses standard Docker isolation without nested sandboxing, your evaluation results may be unreliable for frontier models. The agent you are evaluating may have already breached its containment.
2. Model behaviour under failure
The transcript analysis reveals divergent failure modes across model families. Claude models (0% disengagement) continued attempting escapes until their token budget expired. GPT models frequently disengaged mid-task — GPT-5.2 stopped trying in 92.3% of failed samples. DeepSeek-R1 hallucinated success, submitting incorrect flags an average of 12 times per sample (reaching 55 in one case) and falsely claiming success in 70% of failed attempts.
These behavioural differences matter for containment strategy. A model that never stops trying requires different monitoring than one that gives up or one that lies about its results.
3. The shortcut problem
Models do not restrict themselves to the intended vulnerability. During benchmark development, the team discovered four cases where models found and exploited unintended escape paths — default SSH credentials, simpler kernel exploit chains, and alternative vulnerability classes present in the same kernel version. Claude Opus 4.5 independently identified Dirty COW applicability in a kernel configured for a different exploit and chained it with cgroup release_agent for a complete escape.
This behaviour is exactly what makes capable models useful for legitimate security testing. It is also what makes containment harder: you cannot predict the attack path by knowing which vulnerabilities exist.
4. The compliance gap
Most container security standards and compliance frameworks were written before AI agents could autonomously discover and exploit vulnerabilities. A container deployment that passes a CIS Docker Benchmark audit may still be vulnerable to the scenarios tested here — particularly the runtime and kernel-level exploits that require specific CVE patching rather than configuration hardening.
Resource Reality: The gap between “compliant container deployment” and “container deployment that resists frontier AI agents” is not well mapped by existing frameworks. Organisations need to supplement compliance checklists with active testing against AI-specific threat models.
What this means for your AI agent strategy
The core message from this research is not that containers are broken. Correctly configured, fully patched container runtimes resisted all escape attempts — no novel vulnerabilities were discovered. The message is that the gap between “correctly configured” and “how most teams actually configure containers” is exactly where frontier models operate most effectively.
Three factors will determine whether your organisation’s AI agent deployments are resilient:
-
Configuration discipline: The easiest escapes exploit shortcuts that teams take for convenience. Eliminating privileged containers, Docker socket exposure, and excessive capabilities closes the most reliable attack paths.
-
Patching velocity: The runtime and kernel exploits in SandboxEscapeBench target documented CVEs. Models cannot exploit vulnerabilities that have been patched. But the window between CVE disclosure and patch application is where risk concentrates.
-
Continuous testing: Model capabilities change with every release — sometimes improving, sometimes regressing. Your containment posture needs to be tested against the specific models you deploy, at the compute budgets you allocate, on an ongoing basis.
Next steps for your team:
- Run SandboxEscapeBench against your AI agent container configurations
- Review and harden container security policies using the immediate actions checklist above
- Add container escape to your AI risk register with specific reference to this benchmark’s findings
- Establish a re-testing cadence tied to model version updates
- Evaluate whether your highest-risk agent workloads warrant microVM isolation
Strategic Insight: The UK AI Security Institute’s involvement in this research — both as co-authors and through the Inspect evaluation framework — signals that container escape is now formally on the regulatory radar for AI safety. Organisations deploying AI agents should expect this capability to be referenced in future safety evaluation standards.
This analysis is based on “Quantifying Frontier LLM Capabilities for Container Sandbox Escape” by Marchand et al. (University of Oxford, UK AI Security Institute), published March 2026. The full paper is available at arxiv.org/abs/2603.02277. The SandboxEscapeBench benchmark is open source at github.com/UKGovernmentBEIS/sandbox_escape_bench.
Resultsense provides AI risk management services to help UK organisations evaluate and mitigate AI-specific security risks, including container security for agent deployments.