Re: --network none is your best friend — here's our full sandbox config + gVisor update A developer shared a hardened Docker sandbox configuration for MCP servers, combining --network none, gVisor's runsc runtime, and strict resource limits. The setup has been used to audit 8,764 MCP servers, catching syscall-level exploits like ptrace, bpf, and mount attempts. Thanks @custralis https://dev.to/custralis for the great feedback on my article about Docker sandboxing https://dev.to/edison flores 6d2cd381b13/how-to-sandbox-an-mcp-server-with-docker-network-none-is-your-best-friend-3p97 You're 100% right — --network none alone isn't enough. Here's our actual L2 sandbox config that addresses every point you raised: docker run --rm \ --runtime=runsc \ --network none \ --read-only \ --cap-drop ALL \ --security-opt no-new-privileges \ --memory 256m \ --memory-swap 0 \ --cpus 0.5 \ --pids-limit 64 \ --tmpfs /tmp:rw,size=64m \ --user 1000:1000 \ mcp-audit-target We have all of these: --read-only rootfs --tmpfs /tmp for temp files --cap-drop ALL drops ALL capabilities --security-opt no-new-privileges USER 1000:1000 Plus L2.5: gVisor runsc runtime — the biggest upgrade. gVisor intercepts every syscall in userspace. The MCP server never touches the host kernel. This catches: ptrace attempts process inspection bpf attempts eBPF kernel exploits mount attempts filesystem escapes kexec load kernel replacement We've audited 8,764 MCP servers with this sandbox. Full writeup: I ran Anthropic's official MCP server in a gVisor sandbox https://dev.to/edison flores 6d2cd381b13/i-ran-anthropics-official-mcp-server-in-a-gvisor-sandbox-heres-what-happened-a6j For servers that need outbound calls, you're right that an egress proxy with allowlist is the right approach. That's on our roadmap as L2.6 pinned allowlist proxy . MarketNow — the trust layer for agent commerce. Follow on GitHub.