Zone 4

Compute Sandbox

Isolated execution environment for AI inference. No direct access to the vault. All outputs pass through Zone 7 before storage.

Overview

The Compute Sandbox is the ephemeral AI execution environment where inference happens. It is intentionally stateless — memory is zeroed after every session, and no persistent state is maintained. The sandbox has no direct access to the vault (Zone 3); all data flows through the Security Policy Engine (Zone 7) for inspection before storage. This design ensures that even a compromised compute environment cannot exfiltrate data.

Key capabilities

Ephemeral Execution

Compute environments are created per-session and destroyed after use — no persistent state remains.

Memory Zeroing

All memory is cryptographically zeroed after session completion to prevent data residue.

Sandboxed Inference

AI models run in isolated containers with no direct network access to internal zones.

No Vault Access

Compute sandbox cannot directly read or write to the vault — all data flows through Zone 7.

Resource Limits

Per-session CPU, memory, and time limits prevent resource exhaustion and denial of service.

Output Inspection

All AI-generated outputs pass through the Security Policy Engine before reaching the user or vault.

Security implications

How Zone 4 enforces bRRAIn's zero-trust security model:

  • No persistent state — compute environments are ephemeral and destroyed after each session
  • Memory is cryptographically zeroed to prevent data remnant attacks
  • No direct vault access — all data flows through the Security Policy Engine
  • Resource limits prevent denial-of-service through compute exhaustion
  • AI outputs are inspected for policy violations before storage or delivery

Every zone enforces its own security boundary. No zone trusts another implicitly.

How it connects

Zone 4 receives context from Zone 3 for inference and passes results to Zone 5 when external integration is needed.

  • Zone 3 — Memory Engine
  • Zone 4 Compute Sandbox
  • Zone 5 — Integration Layer
  • Zone 7 — Security Policy Engine inspects all zone transitions
