OpenAI Just Bought Ona — The AI Coding Sandbox Arms Race Is Here, and No-Code Should Pay Attention

On Thursday, OpenAI bought itself a sandbox.

The company announced it's acquiring Ona, a 79-person German startup (formerly Gitpod) that builds secure, self-hosted cloud environments where AI agents can run. The price wasn't disclosed, though IDC analysts ballpark it somewhere between $300 million and $500 million. Ona's team will fold into the Codex division, and its technology will give Codex agents something they've never had before: a persistent place to work that doesn't shut down when you close your laptop.

The official line is that this will let Codex handle "longer-running tasks." The real story is bigger. This acquisition marks the start of an infrastructure arms race in AI coding, and it's a race where no-code platforms already have a head start they barely talk about.

What Ona actually does

Ona provides cloud sandboxes for AI agents. Not the kind of sandbox you'd use to test untrusted JavaScript, a full development environment that lives in the cloud, stays running after you log off, and operates under the customer's own security controls.

An agent running inside Ona can keep working on a multi-day refactor while you're asleep. When it finishes, the sandbox gets deleted automatically. Credentials are scoped. File system access is restricted. Outbound connections to suspicious servers get blocked. Administrators can blacklist specific applications by cryptographic hash, so renaming or relocating a blocked program doesn't fool it.

That is the kind of operational discipline most developer laptops will never achieve. And it's exactly what enterprises have been demanding before they'll let AI agents anywhere near production systems.

The numbers back it up. Codex now has more than 5 million weekly users, up from 3 million in April. Ona's own weekly agent sessions grew 13x since the start of the year, serving customers that include the oldest bank in the US and one of Europe's largest pharmaceutical companies. Enterprises want agents. They just want them running somewhere they control.

The Anthropic-shaped elephant in the room

Nobody should pretend this is purely about product vision. Anthropic launched self-hosted sandboxes for Claude Managed Agents in May 2026. Gartner's analysts called the Ona deal a direct response. Tom Findling, CEO of Conifers.ai, put it bluntly: "I'd read this less as OpenAI taking out a small competitor and more as OpenAI trying to make sure Codex is enterprise-ready before Anthropic gets too far ahead."

Both companies have filed confidentially for IPO. Both are racing to be the agent platform that big companies trust with production workloads. And what those companies want isn't just a smarter model. They want somewhere safe to run the agent, with audit trails, access controls, and the ability to review work before it touches anything real.

The infrastructure layer is turning out to matter as much as the model itself. Maybe more.

No-code shipped this years ago

Here's where things get interesting for anyone building with no-code tools.

Sandboxed execution? Managed environments? Built-in security boundaries? No-code platforms have been doing this since before AI agents were a thing anyone worried about.

When you build an app on Bubble, you're not spinning up a local development environment with random dependencies and exposed credentials. The platform handles the runtime, the security, the deployment. When you use Webflow, you're not SSHing into a server and hoping your permissions are right. The environment is managed for you. When you use Stacker, your app runs inside a controlled workspace with authentication, role-based access, and an audit trail built in from day one.

None of this was designed for AI agents specifically. But it solves the same problem OpenAI just spent hundreds of millions of dollars to address: how do you give powerful software the freedom to work without giving it the freedom to break things?

AI coding tools are now racing to bolt on the infrastructure that no-code platforms shipped as table stakes. The sandbox, the access controls, the environment management, the audit trail, the ability to review before deploying. Every item on the Ona feature list maps to something no-code builders have had for years.

What no-code platforms should do next

The Ona deal isn't just a fun piece of competitive intelligence. It's a signal about where the market is going, and no-code platforms should be paying attention.

First, the sandbox itself is becoming a product. Ona's acquisition suggests there's serious money in being the execution layer for AI agents. No-code platforms already are that layer: they're the environment where the work happens. The platforms that lean into this, building explicit agent hosting, agent orchestration, and agent observability into their products, will find themselves in a market that's just starting to take shape.

Second, the enterprise trust pitch is being rewritten. OpenAI's messaging around Ona is all about customer-controlled execution: you keep the data, you keep the credentials, you keep the audit trail. That's the exact same argument no-code platforms make when they sell to IT departments. The difference is that no-code platforms can also say "and you don't need to hire developers." That's a stronger pitch. Are they making it?

Third, and this is the uncomfortable one: no-code platforms should probably be thinking about acquiring infrastructure of their own. Not necessarily sandbox companies, but the tools that let builders extend beyond what the platform natively supports. OpenAI just signalled that the execution environment is worth acquiring. If no-code wants to compete as the serious infrastructure for AI-powered building, the same logic applies.

What no-code builders should watch

If you're building with no-code tools today, three things from this deal are worth tracking over the next 12 months.

One: agent persistence. The ability to kick off a task and come back to it later is coming to every major AI coding tool. When it lands in no-code platforms, it will change what you can delegate. Watch for it.

Two: security defaults. Ona's sandboxing is aggressive by design: auto-delete environments, hashed application blocking, credential isolation. As no-code platforms add AI features, the ones that match this level of paranoia will win enterprise trust.

Three: the colocation question. Ona's big selling point is that agents run inside the customer's cloud, not OpenAI's. For no-code platforms, the equivalent is keeping your app logic, data, and agent execution in one environment you control. The platforms that offer this, versus those that farm agent execution out to third-party APIs, will pull ahead with any customer who has a compliance team.

The takeaway

OpenAI just told the market something that no-code platforms should have been shouting for years: the execution environment is a product. It's worth acquiring. It's worth building. And it's the thing that separates a cool demo from something an enterprise will actually deploy.

The AI coding world is frantically assembling the infrastructure layer that no-code shipped ages ago. Sandboxes, access controls, managed runtimes, audit trails. This isn't new territory. It's just newly expensive.

The no-code platforms that recognise this, and start treating their execution environments as a competitive weapon rather than background plumbing, are going to look very smart in about 18 months. The ones that don't might find themselves watching AI coding tools eat their lunch from both directions: smarter models above, and now, finally, the infrastructure below.