Why We Built Alpha Agent on Container Isolation
How Docker containers, read-only filesystems, and zero inbound ports keep your AI workspace secure. A deep dive into Alpha Agent's security model.
The multi-tenant challenge
When you host multiple users on shared infrastructure, the biggest challenge is isolation. One user’s data should never be accessible to another. One user’s workload should never impact another’s performance. And one user’s security incident should never compromise the platform.
Our approach: one container per user
Every Alpha Agent user gets their own Docker container. This isn’t a shared process with user-level separation — it’s full container isolation with its own filesystem, network stack, and resource limits.
Read-only filesystem
Containers run with --read-only. The root filesystem is immutable. Only specific directories — /tmp (tmpfs), workspace data, and log files — are writable. If a process is compromised, it can’t modify system binaries, install malware, or persist changes to the container image.
No-new-privileges
The --security-opt=no-new-privileges flag prevents any process from gaining additional privileges through setuid/setgid binaries. Even if an attacker finds a local privilege escalation, the container runtime blocks it. This is especially relevant given CVE-2026-25253, a remote code execution vulnerability in OpenClaw’s gateway that demonstrates why container-level privilege controls matter even after an attacker achieves initial code execution.
Resource limits
Each container has CPU and memory limits enforced through cgroups:
```yaml
deploy:
  resources:
    limits:
      memory: 3072M
      cpus: '1.0'
    reservations:
      memory: 512M
      cpus: '0.25'
```
A single user can’t starve others of resources, even with a runaway process.
Network isolation
Containers run in isolated Docker networks. There’s no inter-container communication. Each container exposes a single port, accessible only through the host’s Nginx reverse proxy. Nginx routes by subdomain, so container ports are never directly reachable.
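The four controls above (read-only root filesystem, no-new-privileges, cgroup limits and a private network with a loopback-only published port) all land on one docker run invocation. The script below is an added example, not Alpha Agent's deployment code: it launches one container per user with those flags and then audits a running container against the same policy using docker inspect. The image name alpha-agent:latest, the host data root /srv/alpha, the in-container service port 8080 and the alpha-net-USER network naming are assumed placeholders. Setting DOCKER=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not Alpha Agent's deployment code: launch one container per
# user with the controls the post describes (read-only root, no-new-privileges,
# cgroup limits, a private network, a loopback-only port for Nginx), then
# audit a running container against that policy with docker inspect.
# Assumed placeholders: image "alpha-agent:latest", host data root /srv/alpha,
# container service port 8080. Set DOCKER=echo to dry-run the commands.

IMAGE="${IMAGE:-alpha-agent:latest}"   # placeholder image name
DATA_ROOT="${DATA_ROOT:-/srv/alpha}"   # placeholder per-user data root

# Run the docker CLI, or whatever DOCKER points at (echo for a dry run).
dk() { "${DOCKER:-docker}" "$@"; }

# One private bridge network per user. Docker only forwards traffic between
# containers on the same network, so separate networks leave no cross-user path.
create_user_network() {
  dk network create --driver bridge "alpha-net-$1"
}

# Start the user's container. $1 = user id, $2 = loopback port Nginx proxies to.
# Only /tmp (tmpfs), the workspace and the log directory are writable.
run_user_container() {
  user="$1"; port="$2"
  dk run -d --name "alpha-$user" \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid,size=256m \
    -v "$DATA_ROOT/$user/workspace:/workspace" \
    -v "$DATA_ROOT/$user/logs:/var/log/alpha" \
    --security-opt=no-new-privileges \
    --memory 3072m --memory-reservation 512m \
    --cpus 1.0 \
    --network "alpha-net-$user" \
    -p "127.0.0.1:$port:8080" \
    "$IMAGE"
}

# Pure policy check, so it can run without Docker. Arguments are the values
# docker inspect reports: $1 ReadonlyRootfs, $2 SecurityOpt, $3 Memory (bytes),
# $4 NanoCpus, $5 the HostIp of every published port (ANY = all interfaces).
# Prints one FAIL line per violation and returns 1 if any were found.
check_policy() {
  rc=0
  [ "$1" = "true" ] || { echo "FAIL: root filesystem is writable"; rc=1; }
  case "$2" in
    *no-new-privileges*) ;;
    *) echo "FAIL: no-new-privileges not set"; rc=1 ;;
  esac
  [ "$3" -gt 0 ] 2>/dev/null || { echo "FAIL: no memory limit"; rc=1; }
  [ "$4" -gt 0 ] 2>/dev/null || { echo "FAIL: no CPU limit"; rc=1; }
  for ip in $5; do
    case "$ip" in
      127.*|::1) ;;
      *) echo "FAIL: port published on non-loopback address $ip"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Pull the live values for a container and feed them to check_policy.
audit_container() {
  name="$1"
  check_policy \
    "$(dk inspect -f '{{.HostConfig.ReadonlyRootfs}}' "$name")" \
    "$(dk inspect -f '{{.HostConfig.SecurityOpt}}' "$name")" \
    "$(dk inspect -f '{{.HostConfig.Memory}}' "$name")" \
    "$(dk inspect -f '{{.HostConfig.NanoCpus}}' "$name")" \
    "$(dk inspect -f '{{range .HostConfig.PortBindings}}{{range .}}{{if .HostIp}}{{.HostIp}}{{else}}ANY{{end}} {{end}}{{end}}' "$name")"
}

# Usage: sh hardened-run.sh deploy <user> <port>
if [ "${1:-}" = "deploy" ]; then
  create_user_network "$2"
  run_user_container "$2" "$3"
  audit_container "alpha-$2"
fi
```

The audit is split into a pure check_policy and a thin audit_container wrapper so the policy can be exercised without a Docker daemon and reused over `docker ps -q` output as a periodic drift check. An empty HostIp in docker inspect means the port was published on every interface, which is why the template maps it to ANY and the check accepts only loopback addresses.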
Infrastructure hardening
Beyond containers, the host infrastructure follows defense-in-depth:
- Zero inbound ports — EC2 security groups have no inbound rules. All management is through SSM Session Manager.
- IMDS blocking — Docker containers are blocked from reaching the Instance Metadata Service entirely via iptables. The host uses IMDSv2 with session tokens for its own metadata requests.
- KMS encryption — User secrets are encrypted with AWS KMS before storage. Never plaintext, never in environment variables.
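The three host-side controls above, as an added example that is not Alpha Agent's own host configuration: an iptables rule in Docker's DOCKER-USER chain that cuts containers off from the Instance Metadata Service while leaving the host's own IMDSv2 path intact, a check that the instance security group really has zero ingress rules, and a KMS encrypt call for secrets before storage. The instance id, security group id and KMS key alias are assumed placeholders passed in as arguments; IPTABLES=echo dry-runs the firewall commands.

```shell
#!/bin/sh
# Added example, not Alpha Agent's own host configuration: the host-side
# controls from the list above as operator commands plus checks.
# Assumed placeholders: instance id, security group id and KMS key alias are
# passed in as arguments. Set IPTABLES=echo to dry-run the firewall rules.

IMDS_IP="169.254.169.254"

ipt() { "${IPTABLES:-iptables}" "$@"; }

# Docker jumps to DOCKER-USER from FORWARD before its own rules and never
# flushes that chain. Only forwarded (container) traffic traverses FORWARD, so
# this rule blocks every container from IMDS while the host's own OUTPUT path
# to IMDS is untouched.
block_container_imds() {
  ipt -I DOCKER-USER -d "$IMDS_IP" -j DROP
}

# Same rule spec with -C: exit 0 if the rule is present, non-zero if missing.
imds_rule_present() {
  ipt -C DOCKER-USER -d "$IMDS_IP" -j DROP
}

# Prove the block from inside a container: with DROP the connect must time out.
# $1 = container name
verify_container_blocked() {
  if docker exec "$1" curl -s -m 3 "http://$IMDS_IP/latest/meta-data/" >/dev/null 2>&1; then
    echo "FAIL: $1 can reach IMDS"; return 1
  fi
  echo "ok: $1 cannot reach IMDS"
}

# Host side: require IMDSv2 so token-less (v1) requests are refused, then read
# metadata the v2 way with a short-lived session token.
require_imdsv2() {   # $1 = instance id (placeholder)
  aws ec2 modify-instance-metadata-options --instance-id "$1" \
    --http-tokens required --http-endpoint enabled
}
imds_v2_get() {      # $1 = metadata path, e.g. instance-id
  token=$(curl -sS -X PUT "http://$IMDS_IP/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
    "http://$IMDS_IP/latest/meta-data/$1"
}

# Zero inbound: the security group must have no ingress rules at all. Prints
# the ingress rule count; anything other than 0 is a finding.
inbound_rule_count() {   # $1 = security group id (placeholder)
  aws ec2 describe-security-groups --group-ids "$1" \
    --query 'length(SecurityGroups[0].IpPermissions)' --output text
}

# Secrets: encrypt with KMS before storage; only the base64 ciphertext is
# emitted. $1 = key id or alias (placeholder), $2 = file holding the plaintext.
kms_encrypt_secret() {
  aws kms encrypt --key-id "$1" --plaintext "fileb://$2" \
    --query CiphertextBlob --output text
}
```

A periodic job that runs imds_rule_present and verify_container_blocked against a sample container is a cheap way to catch the rule being lost after a firewall or Docker restart; requiring IMDSv2 on the instance is a second layer in case the iptables rule ever is lost, since a container could then still not use the token-less v1 request path.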
Why does container isolation matter for AI agents?
Most AI platforms run your queries through a shared backend. Your prompts and responses sit alongside everyone else’s. With Alpha Agent, your entire workspace — memory, skills, configuration, and conversation history — lives in your own container. It’s yours and only yours.
For a side-by-side breakdown of how this compares to running on localhost, see our detailed comparison post. The difference becomes especially clear when you consider that researchers found 135,000 exposed OpenClaw instances reachable from the public internet — almost all of them running directly on host machines with no isolation layer.
Read more about our security approach on our Security page.