Cloudflare’s new Dynamic Workers ditch containers to run AI agent code 100x faster

Izzo Your AI agent just wrote some code to pull customer data and it's sitting there... waiting. For three hundred milliseconds. While a container spins up.

Izzo You're listening to Exploring Next, I'm Izzo, and this is episode 240. Boone, Cloudflare just dropped Dynamic Workers and they're claiming it runs AI agent code a hundred times faster than containers. That's not incremental — that's architectural.

Boone Right. And the timing isn't coincidental. We're hitting this inflection point where agents aren't just calling APIs anymore — they're generating code on the fly. Suddenly your runtime characteristics matter as much as your model capabilities.

Izzo Okay but help me understand the user story here. Who's actually hitting this container bottleneck?

Boone Think about it — you've got an agent that needs to transform some data, maybe filter a CSV and call three different services. Traditional approach is tool orchestration: call tool A, wait, call tool B, wait, chain them together. Each step burns tokens and latency.

Izzo So instead of that...

Boone Instead, the LLM writes a TypeScript function that does all of it in one shot. But now you need somewhere to run that generated code safely. Containers are overkill — you're spinning up a full Linux environment to run twenty lines of JavaScript.

Izzo And Dynamic Workers?

Boone Built on V8 isolates — the same tech that lets your browser run multiple tabs without them interfering. Cloudflare's been using this since 2017 for Workers. Now they're saying: what if every agent request gets its own fresh isolate?

Izzo Wait, same thread execution? That's wild.

Boone Yeah, the dynamic worker can literally run on the same thread as the worker that created it. No network hops to find a warm container somewhere. The Dynamic Worker Loader API lets you instantiate, execute, and destroy in milliseconds.

Izzo But Boone, I'm looking at this from a product angle — what's the actual adoption path? Who's building on this first?

Boone Anyone doing consumer-scale AI where you can't predict demand. Think ChatGPT plugins but for millions of concurrent users. Each user gets their own agent, each agent writes code, each piece of code needs isolation.

Izzo The economics make sense. Instead of keeping containers warm or eating cold-start penalties...

Boone Exactly. Cloudflare's claiming the same platform characteristics as regular Workers — millions of requests per second. Most container sandbox providers rate-limit you or cap concurrent instances.

Izzo Okay but security. V8 isolates versus hardware VMs — that's a big trust gap.

Boone They're not pretending it's easier. They explicitly admit V8 bugs are more common than hypervisor bugs. But they've got nine years of hardening — automatic security patches within hours, custom second-layer sandbox, hardware MPK extensions.

Izzo So they're betting their existing security model scales to generated code?

Boone Plus they're scanning for malicious patterns and can dynamically quarantine suspicious workloads. The argument is: we've already made multi-tenant isolates safe for the public web.

Izzo Let me dig into this Code Mode thing because that feels like the real strategic play. They're saying TypeScript beats tool orchestration?

Boone Look at their MCP server example. Instead of exposing hundreds of Cloudflare API endpoints as individual tools, they expose two tools — search and execute — and let the model write TypeScript against the full API.

Izzo Eighty-one percent token reduction. That's not marginal.

Boone And it's architecturally cleaner. The model can chain operations, filter results, handle errors — all in one function instead of burning context with intermediate steps.

Izzo So they're positioning the execution layer itself as strategic infrastructure.

Boone Right. If agents are increasingly writing code instead of calling tools, then your runtime becomes as important as your model. Speed, memory efficiency, security — all first-class concerns.

Izzo The TypeScript interface is interesting too. They're doing Cap'n Web RPC so the sandbox can call typed interfaces like local libraries.

Boone Way cleaner than forcing LLMs to reason through OpenAPI specs. TypeScript is concise, well-represented in training data, and gives you a narrow security surface. You expose exactly the capabilities you want.

Izzo Speaking of security surfaces — globalOutbound is clever. Intercept every HTTP request from the dynamic worker? Yeah, you can inspect, rewrite, inject credentials, or block entirely. That's huge for enterprise adoption — you're not just trusting the agent's generated code, you're controlling exactly what it can reach. I'm giving this a solid A-minus. The architecture is sound, the use case is real, and the timing feels right. My only hesitation is developer adoption — how man