Cloudflare just mass produced the agent runtime

Nine years of edge primitives suddenly snap together, and the result is the most coherent agent platform I've seen.

Every few years a platform company ships something that recontextualises everything it shipped before. Today is that day for Cloudflare.

Agents Week landed with a volley of announcements: Dynamic Workers in open beta, Sandboxes reaching general availability, a Git-compatible storage primitive called Artifacts, a persistence framework called Think, and an expanded model catalogue following the Replicate acquisition.

Individually, each is a solid product release. Taken together, they reveal something more significant. Cloudflare has not bolted an agent platform onto its infrastructure. It has shown that its infrastructure was always heading here, and the primitives I've been building on for years (Workers, Durable Objects, Workflows, R2, D1) were the foundation waiting for a building to justify them.

I wrote a book about Cloudflare's Developer Platform. The chapter on AI agents described Dynamic Workers, Code Mode, and the Agents SDK as pieces of an architecture that compose with unusual precision. That chapter now reads like a preview of today's press release, which is either good foresight or a sign that this trajectory was obvious to anyone paying close attention.

Agents are too expensive. That's the real problem, and Cloudflare just solved it.

Forget the feature list for a moment. The fundamental barrier to agents reaching mainstream adoption is cost.

Matthew Prince's napkin maths tells the story: a hundred million knowledge workers, each running an agentic assistant at fifteen per cent concurrency, means twenty-four million simultaneous sessions. Under the container-per-agent model that dominates today, that's somewhere between half a million and a million server CPUs just for the United States, just for one agent per person.

Containers take hundreds of milliseconds to cold start. They burn hundreds of megabytes of memory each. This arithmetic is why agents remain the province of software engineers running coding assistants who can justify the spend. Your HR department's agentic assistant? Priced out before it writes its first email.

Dynamic Workers demolish this constraint. V8 isolates, the same sandboxing engine that has run the Workers platform for eight years, spin up in single-digit milliseconds and consume single-digit megabytes of memory. Cloudflare claims 100x faster startup and 10-100x better memory efficiency than containers. Having built on this platform extensively, those numbers track with what I've seen. Create a fresh isolate for every request, run one snippet of AI-generated code, throw it away. No warm pools. No reuse. No shared state leaking across security boundaries.

The pricing seals it: $0.002 per unique Dynamic Worker per day, waived during the beta. Agent sandboxing at consumer scale becomes economically viable for the first time. That shift matters far more than any individual API announcement.

The smartest idea in the entire stack

Most coverage will focus on Dynamic Workers. Fair enough; they're the headline. But the idea I keep returning to is Code Mode, because it changes the fundamental interaction pattern between agents and tools.

Conventional agent architecture is chatty. The LLM picks a tool, the system executes it, the result goes back into context, the LLM picks another tool, the result goes back into context, and on it goes. Ten tool calls means ten full LLM round-trips with a context window that balloons at every step. Expensive. Slow. Fragile.

Code Mode collapses this entirely. Instead of sequential tool calls, the LLM writes a single function that chains the API calls together. One round-trip to generate the code. One sandbox execution. One result. Cloudflare's testing shows token reductions of up to 81 per cent. Their own MCP server is built this way: the entire Cloudflare API exposed through just two tools in under a thousand tokens, because the agent writes TypeScript against a typed API rather than navigating hundreds of individual tool definitions.

The catch is that Code Mode requires a sandbox cheap enough and fast enough to create per-request. Which is precisely what Dynamic Workers deliver. The two features are architecturally inseparable. Code Mode is the pattern; Dynamic Workers are what make the pattern economically sane.

When I wrote about Code Mode in my book, it felt like a clever optimisation. After today, it feels like the default way agents should work.

Everything was already here

The thing that strikes me hardest about Agents Week, and I say this as someone who has spent a year trying to articulate how Cloudflare's primitives interrelate, is that almost nothing announced today is genuinely new infrastructure. It is existing infrastructure revealed as an agent platform.

Durable Objects give each agent its own single-threaded execution environment with co-located storage. One agent instance per user. No race conditions when tools modify state. No distributed locking. Hibernation when idle, costing nothing between messages. I described this alignment in chapter eighteen, arguing that the Durable Object model and the agent model were essentially the same thing viewed from different angles. Seeing it become the production foundation for an agent platform feels less like prediction and more like recognition of something that was already there.

Workflows provide durable execution for the steps that must complete regardless of what happens to the connection. Agent decides to process a payment, send a confirmation, update inventory. The agent owns the decision. The Workflow owns the execution, checkpointing and resuming if anything fails mid-process. Dynamic Workers provide sandboxing. Browser Rendering gives agents eyes on the web. R2 and D1 provide storage. Workers AI provides inference. Artifacts now gives agents Git-compatible storage for the code they generate.

None of these primitives were designed for agents. All of them turn out to be exactly what agents need. That convergence is either extraordinarily lucky or the result of design principles (isolate-based execution, single-threaded coordination, CPU-time billing, hibernation) that happen to produce the right properties for any workload requiring lightweight, stateful, sandboxed compute. Agents are that workload. They won't be the last.

Security that's structural, not aspirational

I architect systems handling Official-Sensitive data across government and policing. I am professionally incapable of getting excited about a platform's security story unless the security is baked into the execution model rather than sprinkled on top. Cloudflare's agent security passes that test.

When you spawn a Dynamic Worker, you specify exactly which APIs it can reach by passing explicit RPC stubs. Set globalOutbound: null and the sandbox has zero internet access. The agent cannot reach what you didn't hand it. This is categorically different from running code in a container and then trying to filter its outbound requests. The attack surface isn't reduced; it's defined from the start.

The Agents SDK adds another layer through permission-based tool registration on MCP servers. Tools that don't exist for a given user's permission level cannot be called, full stop. No amount of prompt injection can invoke a function that was never registered. Combine this with token indirection, where your MCP server issues its own tokens rather than passing through upstream provider credentials, and you get defence in depth that is architectural rather than aspirational. A compromised client token can only invoke tools your server explicitly exposes, never the broader APIs behind them.

Think adds persistence. Sandboxes reaching GA provide full Linux environments when you genuinely need them. But the platform's gravity pulls you toward the lighter, faster, more constrained option by default. That's the right instinct for agent security: start locked down, open up deliberately.

Where I'd point a client today

Six months ago I would have recommended Cloudflare for agent workloads with caveats. Today the caveats are shrinking fast.

The heuristic from my book holds: start with Cloudflare and find reasons not to use it. For agents, the reasons not to are becoming harder to find. GPU-heavy training still lives elsewhere. Specific models Cloudflare doesn't host still need external inference endpoints. But for the execution layer, state management, sandboxing, tooling infrastructure, and the economics of running agents at scale, the gap between Cloudflare and the alternatives widened considerably this morning.

Agents Week is not a pivot. It is a reveal. The platform was always building toward a world of millions of lightweight, stateful, sandboxed compute instances running simultaneously at the edge, each maintaining its own state, each constrained to its own capabilities, each costing fractions of a penny when active and nothing when idle.

We just didn't have a name for what those instances were. Now we do.