← Back to Payloads
AI Models2026-06-12

OpenAI Just Bought the Background-Agent Runtime, and the Acquisition Nobody Is Naming Is What It Does to Devin, Cursor, and Every Agent Sandbox You've Ever Used

Three weeks after the S-1, OpenAI announced the acquisition of Ona — the cloud sandbox and persistent-execution layer formerly known as Gitpod — to fold directly into Codex. 2 million developers, 5 million weekly Codex users, customer-controlled execution with hash-based program blocking, and a $20/month entry point that the lab is about to reprice. The press is framing this as a talent grab. It is a vertical-integration move for the agent stack, and it changes what every competing coding agent has to ship by Q4.
Quick Access
Install command
$ mrt install openai
Browse related skills
View in Registry
OpenAI Just Bought the Background-Agent Runtime, and the Acquisition Nobody Is Naming Is What It Does to Devin, Cursor, and Every Agent Sandbox You've Ever Used

OpenAI Just Bought the Background-Agent Runtime, and the Acquisition Nobody Is Naming Is What It Does to Devin, Cursor, and Every Agent Sandbox You've Ever Used

OpenAI announced on June 11, 2026 that it is acquiring Ona — officially Gitpod GmbH, the cloud-sandbox and persistent-execution platform formerly known as Gitpod that has been quietly running as "Ona" since its September 2025 rebrand. Terms were not disclosed. The Ona team joins the Codex team. The product, the customer base, the security primitives, and the runtime go into Codex. (OpenAI announcement; SiliconANGLE, June 11, 2026)

The press is going to frame this as a talent acquisition. Most of the early coverage will say something like "OpenAI scoops up cloud-sandbox team" and move on. That framing is wrong, and it is going to cost every team building a competing coding agent six to twelve months they do not have.

This is not a talent grab. This is a vertical-integration move for the long-running agent, and the part OpenAI is buying — the part Ona has been building for years, the part 2 million developers are already paying for, the part Devin and Cursor and Claude Code and Codex itself have all been papering over with brittle homegrown sandboxes — is the part every production agent stack is going to need by Q4 2026. OpenAI is buying the substrate. The model is the easy part. The substrate is the part that has been quietly blocking the agent economy for the last eighteen months.

I have been writing about this problem for a year. I have built homegrown sandboxes. I have written the runbook for the kind of failure modes that show up at 2 AM when an agent loop outlives the workstation that started it. This is the first acquisition in 2026 that actually closes a real gap in the agent stack, and the gap is the one I have been telling every team to plan around.

What Ona Actually Is

The simplest way to describe Ona is: a cloud-based, persistent, secure execution environment designed from the ground up to run AI agents that take hours or days to do real work.

The longer description is more important. Ona is officially Gitpod GmbH, the company that, before the September 2025 rebrand, was Gitpod — the cloud-development-environment platform that helped developers move coding off local machines and into reproducible cloud workspaces. Gitpod was a real business. Gitpod was used by 2 million developers. Gitpod had enterprise customers. Gitpod had a security model. The 2025 rebrand to "Ona" was the moment the company stopped positioning itself as a developer-environment product and started positioning itself as a privacy-first coding agent platform for the enterprise. The product line kept the cloud workspace story but added the agent orchestration, the persistent runtime, and the security primitives an agent needs to run unsupervised in a production cloud. (InfoQ, September 24, 2025)

What that means concretely: an Ona environment is a full Linux workspace that lives in the cloud, persists across sessions, has your tools installed, has your network configured, has your credentials scoped, and is reachable by an agent over an authenticated channel. The agent can be Codex, Claude Code, Aider, Continue, Cline, the OpenAI Agents SDK, a custom LangGraph workflow, or anything else that can speak to a remote shell. The environment survives laptop sleep, workstation shutdown, network changes, and user attention. The agent keeps working. The user comes back later. The user reviews the work. The user pushes the branch.

The problem Ona solves is the problem every team building a long-running agent runs into around week three: the agent's host process died. The laptop closed. The IDE crashed. The CI runner timed out. The dev container was destroyed by a cleanup policy. The agent's context was lost, the tool calls mid-flight were never committed, the migration it was halfway through is now in a half-applied state in a worktree nobody is watching, and the user does not know whether the agent finished, failed, or is stuck in a loop talking to itself.

I have personally debugged this failure mode at least twenty times across three companies. Every team I have worked with on a long-running agent has had at least one production incident caused by a host process death in the first six months. The homegrown fix is a recipe: a heartbeat, a checkpoint, a remote workspace sync, a fallback sandbox, a reconnection protocol. Most teams ship the recipe. None of the recipes are as good as what Ona has been shipping as a product for two years. Ona has been treating this failure mode as the entire product. Now OpenAI owns it.

The Security Story Is The Part That Matters For Enterprise

Read the OpenAI announcement and the SiliconANGLE coverage carefully. The part of the deal the enterprise buyers care about is not the long-running execution. The part they care about is how the sandbox isolates the agent from the rest of the cloud.

Ona's platform can be configured to prevent AI agents from accessing programs the customer's security team has flagged as risky. The mechanism is hashing — every program the admin wants to block gets a unique cryptographic signature, and Ona can identify a blocked application even if the attacker renames the file, moves it to a different path, or hides it inside a script. The agent cannot run a renamed curl. The agent cannot run a renamed bash. The agent cannot run a tool it does not have an explicit allowlist entry for. (SiliconANGLE, June 11, 2026)

Ona also blocks the agent from accessing parts of the file system that hold sensitive credentials, blocks outbound connections to known-malicious servers, and runs each agent in a disposable sandbox that gets deleted when the work is done. The result is a customer-controlled execution model where the agent operates inside the customer's own cloud environment, the customer owns the network and the credentials, and OpenAI provides the model and the orchestration. The customer gets the benefits of the Codex intelligence without giving the agent the keys to the kingdom. (OpenAI announcement, June 11, 2026)

This is the part that is going to unlock enterprise procurement. The "we cannot let a coding agent touch our production AWS account" objection is the one I have heard from every CISO I have talked to in the last six months. The objection is real. The objection blocks deals. The homegrown answer is a separate sandboxed AWS account, manual IAM role scoping, manual outbound network rules, manual secret rotation, and a security review that takes three months. Ona's answer is a configured sandbox with a hash-based blocklist, scoped credentials, blocked outbound, and a customer-controlled cloud execution model. The procurement story collapses from "do we trust the agent" to "do we trust the sandbox," and the second question is one enterprise security teams have been answering for a decade.

The fact that OpenAI is buying this — instead of building it — is the load-bearing piece. OpenAI could have built a cloud sandbox. OpenAI chose to acquire the team, the product, the security primitives, the customer base, and the years of hardened production runs. The build-vs-buy math came down on the side of buy, and the reason is that the security model is not a one-quarter project. It is a multi-year production hardening effort with real customers in regulated industries. Ona has that. OpenAI gets it for the cost of an acquisition.

The 5 Million Number Is The Part The Press Is Missing

The OpenAI announcement leads with the 5 million weekly Codex users figure, up 400% from earlier this year. That is a real number and it is the right number to lead with, because it is the user base that is going to inherit the Ona product. The number nobody is naming is the 2 million developers Ona already has, the multiple shared enterprise customers Ona was already serving, and the fact that Ona was already Codex-compatible. (OpenAI announcement, June 11, 2026)

This is not a customer-acquisition problem. The Ona product was already in production with enterprise customers who were already running Codex against Ona environments. The Ona team was already in the loop with the Codex team on integration work. The acquisition makes that integration first-party and removes the procurement friction for the customers who were already buying both. The 5 million weekly Codex users get Ona as a built-in part of Codex. The 2 million Ona developers get Codex as the default model in their environment. The 400% growth number on Codex becomes the basis for the cross-sell story in the S-1.

Read the OpenAI announcement one more time. "Ona will improve Codex's ability to perform long-running tasks that take hours or days. In particular, it will enable users to review the work of agents and provide input when necessary." That is the human-in-the-loop story for an autonomous coding agent. The agent runs for hours or days. The user comes back, reviews the work, makes decisions, and the agent continues. The pattern is not new — every agent team I have worked with has shipped some version of it — but the pattern is now first-party in the closed-API stack. The closed lab is shipping the harness, the runtime, the persistence, and the security in one bundle, and the bundle is what every other coding agent product is going to have to match.

What This Does To Devin, Cursor, Claude Code, And The Rest

I am going to be specific about the competitive impact, because most of the analysis I have read today is generic and most of it is wrong.

Devin. Cognition's Devin was the first widely-deployed coding agent, and Devin's main moat was always the long-running agent harness — the ability to keep working while the user was not looking. Devin's customers are exactly the customers Ona is targeting: enterprise engineering teams that want a coding agent they can point at a real ticket and come back to a finished pull request. OpenAI just bought the runtime substrate Devin was building on top of, integrated it into Codex, and made it first-party. Devin's product positioning just got harder. Devin's answer has to be a better model, a better harness, or a domain moat that Codex does not have. None of those answers are obvious. (Devin)

Cursor. Cursor is the IDE-shaped coding assistant, and Cursor's moat is the editor integration and the multi-file awareness. Cursor's long-running agent story has been weaker than Devin's, and Cursor's enterprise story is the editor-distribution story, not the cloud-runtime story. Cursor does not need to match Ona's cloud-sandbox capability one-for-one. Cursor does need to make sure its long-running story is good enough that enterprise customers do not switch to Codex for the multi-day migrations. The Cursor team has been shipping fast, and the Cursor team has money, and the Cursor team has a real editor product. This is the threat that requires a real answer.

Claude Code. Anthropic's terminal-native coding agent is the strongest in the field on raw code quality and on a terminal-native workflow. Claude Code does not have a first-party cloud runtime. Claude Code runs against the developer's local machine. Anthropic's answer to Ona is going to have to come from somewhere — a partnership, a build, or a separate acquisition. The Anthropic S-1 filed June 1, 2026, on a $852B private valuation, with $15B/year committed to SpaceX compute. Anthropic has the capital. Anthropic does not have the team or the product. Watch the next 60 days for an Anthropic move in the runtime space.

The independent sandboxes. Modal, E2B, Codesandbox, Daytona, Blaxel, the dozen other "agent sandbox" platforms that have raised money in the last twelve months — they all just lost their largest potential acquirer to the closed lab that was most likely to buy them, and they all just lost their differentiation to the closed lab that was most likely to bundle the capability. The independent sandbox market is not dead. The independent sandbox market is now in the same position the agent-framework market is in: it is going to compress into three or four serious choices, the closed labs are going to ship the integration the sandbox vendors were building, and the only thing left for the sandbox vendors to own is the vertical, the on-prem story, or the cross-cloud abstraction. If you are running an agent sandbox startup, this is your 60-day clock.

The Ona customers who were not on Codex. Ona had shared enterprise customers. Some of those customers were running Claude Code or Aider or their own custom agents against Ona environments. The acquisition does not foreclose that — Ona is a runtime, not a model — but the practical reality is that the integration priority for the next six months is going to be Codex, and the third-party integration quality is going to degrade as a result. Customers who built against Ona expecting a model-agnostic runtime are going to get a Codex-optimized runtime, and that is a different product even if the API surface is the same.

The Vertical-Integration Story For The S-1

Three weeks before the Ona acquisition, OpenAI confidentially filed its draft S-1 with the SEC. Reuters is reporting a $1T valuation target with a public offering as early as September. The S-1 has to answer the question every public-market investor is going to ask: what stops Amazon, Microsoft, Google, or a coordinated open-weights consortium from undercutting the API tier and collapsing OpenAI's gross margin?

The honest answer, the one the S-1 is going to be built around, is that the closed API tier is not just a model. The closed API tier is a model, a runtime, a security model, an enterprise procurement story, a developer distribution story, and a vertically integrated bundle that the open-weights stack and the hyperscalers are not going to replicate by the time the public markets price the stock. The Ona acquisition is the first concrete step toward making that argument with receipts.

The closed lab vertical-integration playbook is now visible. Anthropic bought into Project Glasswing, signed a $15B/year SpaceX compute deal, and shipped Claude Fable 5 with a routing classifier as the regulatory story. OpenAI bought Ona, filed the S-1, and is now building the runtime + security + enterprise procurement story for the prospectus. Google is shipping Gemini 3.1 Pro on its own cloud and using SynthID for the watermarking story. The three labs are not competing on the model anymore. They are competing on the bundle. The model is the easy part. The bundle is the part that compounds.

The press will write about the 5 million Codex users. The S-1 will write about the bundle. The bundle is the part that is going to be priced into the stock.

The Numbers That Actually Matter

Let me leave you with the numbers I am watching, because these are the ones that are going to move the agent stack over the next two quarters.

Ona pricing today. Ona Core: $20/month per user, up to 100 team members, unlimited parallel environments, up to 32 cores and 128 GB of RAM and 200 GB of disk, GPU support, Codex subscription integration. Ona has higher tiers for enterprise, with a customer-controlled execution model and dedicated cloud isolation. (Ona pricing)

The Codex free tier. OpenAI has been pushing the free tier of Codex hard since the GPT-5 launch, and the 5 million weekly user number is largely free-tier growth. If the Ona product is folded into the free tier — and I expect it will be, at least at the entry point — the per-user economics of an "AI coding assistant" collapse to near zero. The "AI add-on" pricing tier for coding assistance is going to be very hard to defend against a free Codex with a free Ona-equivalent runtime.

Codex weekly active users. 5 million today, up 400% from earlier this year. The number is going to keep growing because the closed lab vertical-integration story is the right story for the moment, and because the S-1 is going to be priced against the next quarterly update of the number. Watch this number. It is the only public metric that ties the closed lab growth story to the developer adoption story.

The open-weights competitor. MiniMax M3 is the open-weights coding leader, with a SWE-Bench Pro number in the high 50s against Fable 5's 80.3%. The capability gap on agent coding just widened. The open-weights stack is still the right answer for the cost-sensitive workloads, the in-vpc deployments, and the behavior-pinned workloads. The open-weights stack is not the right answer for the long-running-agent-in-the-customer's-cloud workload. That workload needs a customer-controlled execution model with hash-based program blocking, scoped credentials, and blocked outbound. The open-weights labs do not have that product. NVIDIA has the hardware. The open-weights labs need to build the runtime, or partner with the runtime vendors, or be acquired by the runtime vendors. Watch the Qwen and DeepSeek roadmaps for the answer.

The promptfoo precedent. OpenAI acquired Promptfoo in March 2026 for AI application security — specifically to add vulnerability detection and remediation to the OpenAI Frontier enterprise agent platform. The Ona acquisition is the second acquisition in 90 days. The acquisition cadence is the signal. OpenAI is not waiting for the S-1 to start buying. OpenAI is buying the substrate for the agent stack it has to ship for the S-1, and the substrate includes the runtime, the security, the persistence, and the enterprise procurement story. Two acquisitions in 90 days is a pattern. Three is a thesis. Watch the next 90 days.

What To Do This Week

If you are building a coding agent product, this is your week. Four things, in order.

One: re-price your long-running agent story. If your product's value prop includes "the agent keeps working when the user closes the laptop," you are now competing with a closed lab that owns the runtime, the model, the security model, and the enterprise procurement motion. You do not have a multi-year head start. You have a six-to-twelve-month head start. Use it.

Two: pick the wedge. If you are not OpenAI, you cannot win on the bundle. You can win on the wedge. The wedge is the part of the agent stack that the closed lab does not ship and that you ship better. The wedge might be a vertical — Devin for incident response, Claude Code for refactors, Aider for legacy migrations. The wedge might be a deployment model — on-prem, in-vpc, air-gapped, regulated. The wedge might be a model moat — fine-tuned for a specific codebase, fine-tuned for a specific language, fine-tuned for a specific compliance regime. The wedge has to be a thing the closed lab cannot ship by bundling. Pick it. Announce it. Build the deepest possible integration.

Three: ship the persistent runtime or partner with one. The homegrown sandbox story is over. The independent sandbox market is going to compress. Either you build the persistent runtime and own it as a moat, or you partner with one of the remaining independent runtimes and treat that partnership as a load-bearing dependency. If you are Modal or E2B or Daytona, the next 60 days are when you find your strategic partner, raise your next round on the partnership narrative, or get acquired.

Four: get your S-1 story straight. If you are a coding agent company and you are on a path that has any public-equity-adjacent step in the next 18 months — secondary, tender, direct listing, IPO — the S-1 question is going to be: what stops the closed labs from shipping your product as a first-party feature? The Ona acquisition is the new bar. The closed lab answer is the bundle. Your answer is the wedge. Make it specific. Make it defensible. Make it the story the public markets can price.

The Take

OpenAI bought the background-agent runtime. The acquisition closes the substrate gap in the closed-API coding agent stack. The Ona product, the security model, the 2 million developers, and the 5 million weekly Codex users are now one bundle, and the bundle is the S-1 story for the most-anticipated IPO of 2026.

The press is going to write about the talent. The S-1 is going to write about the bundle. The enterprise buyer is going to write the procurement motion around the security model. The competitors — Devin, Cursor, Claude Code, the independent sandboxes — are going to have to ship the wedge or get acquired or get run over.

I have been telling every team I work with for the last year that the agent stack is downstream of the runtime, not the model. The model is the easy part. The runtime is the part that survives the laptop closing. The runtime is the part that scopes the credentials. The runtime is the part that blocks the malicious hash. The runtime is the part the closed lab just bought. The Ona acquisition is the moment the agent stack stopped being a model story and became a runtime story. Every coding agent team that does not have a runtime answer is now on a 12-month clock.

The substrate is the story. OpenAI bought it. Everyone else has to react.

Mr. Technology

Release date: June 12, 2026. Source event: OpenAI announcement of Ona acquisition, June 11, 2026, 20:41 EDT. Subject company: Gitpod GmbH (d/b/a Ona since September 2025). Key product facts: cloud-based persistent sandbox and execution environment for long-running AI agents; 2 million developers on the platform; multiple shared enterprise customers; customer-controlled execution model with hash-based program blocking, scoped credentials, and blocked outbound connections. Ona Core pricing: $20/month per user, up to 100 team members, up to 32 cores / 128 GB RAM / 200 GB disk, GPU support, Codex integration. Codex adoption: 5 million weekly users, up 400% from earlier in 2026. Previous OpenAI acquisition: Promptfoo, March 2026 (AI application security for the OpenAI Frontier enterprise agent platform). Ona rebrand from Gitpod: September 24, 2025. Sources: OpenAI — OpenAI to acquire Ona (June 11, 2026); SiliconANGLE — OpenAI acquires AI agent orchestration startup Ona (June 11, 2026, 20:41 EDT); InfoQ — Gitpod Rebrands to Ona (September 24, 2025); Ona pricing; Ona product page; Devin; AWS Marketplace — Ona Enterprise; Reuters — OpenAI files for US IPO (June 8, 2026, S-1 context). Deal terms not disclosed at announcement.

#openai#ona#gitpod#acquisition#codex#agent-runtime#cloud-sandbox#background-agents#long-running-agents#agent-security#hash-based-blocking#enterprise-ai#coding-agents#devin#cursor#claude-code#agent-stack#s-1#ipo#vertical-integration
Related Dispatches
AI Models
Amazon Reported Anthropic to the Government. Anthropic's Biggest Investor Just Killed Anthropic's Flagship Model.
Read dispatch →
AI Models
Claude Fable 5 Just Hit 95% on SWE-Bench Verified. The Frontier Didn't Creep — It Jumped.
Read dispatch →
AI Models
Thinking Machines Lab Cracks Sub-Second AI Conversation With 0.40s Turn Latency
Read dispatch →
AI Models
Moonshot Just Open-Sourced the Coding Model That Beats Claude Opus 4.8 on Tool Use
Read dispatch →