Element34
Platform
Product editionsSBOX CoreSBOX AISBOX Managed
AI native modulesStudioAI authoringAuto HealSelf-healing locatorsAutomated RCAFailure root causePulse ReportsSite health intelligenceReal Device CloudiOS and Android
Integrations & moreCI/CD integrationsJenkins, GitLab, GitHub ActionsNotificationsSlack, MS Teams, JiraAI capabilitiesPrivate inference, BYO LLMRoadmapAPI, Visual, TCM, Accessibility
Deployment
Private Cloud (self-hosted)Virtual Private Cloud (VPC)Managed Private CloudCompare deployments
Security
ArchitectureCompliance postureAudit and governanceResponsible disclosure
Industries
Banking and Financial ServicesInsurance and ReinsuranceGovernment and Public SectorHealthcare and HealthTechMedTech
Resources
Case studiesComparison guidesBlogDocumentationWhitepapers
Contact
Contact
Book a demo
Deployment · Private Cloud (self-hosted)

Own the infrastructure. Own the data. Own the keys.

Run SBOX in a fully isolated environment or your own dedicated infrastructure. You own the network, the data, and the keys. Element34 ships the platform, you operate it. Kubernetes, Helm, Docker, bare metal, air-gapped. No public cloud test data. Ever.

  • Customer-owned infrastructure
  • Air-gapped supported
Public egress
Zero bytes
Customer keys
KMS · HSM · BYOK
AI inference
Inside perimeter
Selenium Box · Private Cloud
Deployment topology
🔒 grid.private.yourcorp Self-hosted
Customer network perimeter
Edge
Load Balancer · 20GB
Control
Hub-1 · 20GB Hub-2 · 20GB Hub-3 · 20GB Hub-4 · 20GB
Executors
100 nodes · 50-200GB each · pulls images from your Artifactory
Load Balancer Hub (AI features here) Executor
Banking & Financial Services
Test data never leaves

PCI-DSS scopes shrink when test traffic never crosses the boundary. European tier-1 banks and reinsurers run SBOX inside their own networks.

Zero public egress
Insurance & Healthcare
PHI-safe by deployment

Patient data stays inside the customer HIPAA-aligned perimeter. Element34 has no network path into the SBOX environment after install.

HIPAA-aligned architecture
Government & Public Sector
True air-gap

DoD, NATO, and national-agency customers run SBOX fully air-gapped. Self-hosted LLM keeps inference inside the security boundary.

Air-gap ready
Defense & Critical Infrastructure
Keep the encryption boundary inside your perimeter

The encryption boundary stays inside your perimeter. Element34 never holds a credential into your environment, and never receives a session token from one.

Customer-controlled keys
The procurement gate

Your security review keeps rejecting SaaS testing platforms.

Public-cloud test grids look great in the demo and die in the security review. Test traffic crosses the customer network boundary. Test data lands on shared infrastructure. The vendor controls the keys. The compliance team marks it red. Private Cloud (self-hosted) clears the gate before the demo starts.

Pain pattern 01

Security blocks public-cloud testing platforms

Symptom. The QA team picked a SaaS testing platform. Security blocked the procurement because test data crosses the boundary. Six months of evaluation, no deployment.

Private Cloud response SBOX deploys inside the customer perimeter. Zero public egress, customer-controlled keys, no shared infrastructure. Clears the same security review that blocked the SaaS platform.
Pain pattern 02

DIY Selenium grids decay without an owner

Symptom. The team built a Selenium grid in-house. It works, until someone leaves. Versions drift. Browsers fall behind. Sessions hang. No one wants to own it anymore.

Private Cloud response SBOX is a supported platform deployed on customer-owned infrastructure. Element34 ships releases, customer operates and scales. Reference deployment: 4 Hubs × 25 Executors handles 15K to 50K daily executions.
Pain pattern 03

Air-gap mandates rule out commercial platforms

Symptom. Defense, intelligence, and national-security workloads cannot pull anything from the public internet. Every commercial testing platform assumes outbound connectivity. None work.

Private Cloud response SBOX runs fully air-gapped. Container images are pulled from the customer Artifactory or registry. Self-hosted LLM keeps inference inside the boundary. No vendor callback, no outbound license check.
Reference architecture

Three components run entirely inside your network.

SBOX self-hosted runs as three components inside the customer network: a Load Balancer that fronts the API, one or more Hubs that orchestrate sessions, and Executor nodes that host the browser containers. All three live inside the customer perimeter. Nothing reaches out.

Component 01

Load Balancer

Fronts the SBOX API and Hub web UI. Routes traffic across Hub instances. Customer-owned and customer-operated. TLS termination at the customer-managed cert authority.

Storage: 20GB
Form: VM or K8s ingress
TLS: Customer cert authority
Component 02

Hub

The control plane. Orchestrates sessions, manages the executor pool, exposes the API, runs the AI features (Auto Heal, Automated RCA, Pulse Report), writes the session record. AI features are integrated directly into the Hub.

Storage: 20GB
AI features: On Hub
Sizing: CPU/RAM = peak parallel sessions
Component 03

Executor

Browser execution nodes. Each executor pulls browser container images and runs the actual test session. Disk IOPS throughput matters at scale.

Min storage: 50GB
Old browsers: 75GB
Local images: 200GB
Reference deployment at scale
4 Hubs · 25 Executors per Hub · 100 Executors total · 15K-50K daily executions · peaks to 100K
Live production deployment, regulated industry customer.
Deployment surfaces

Run SBOX wherever your security team approves.

Same SBOX, five surfaces. Pick the surface that matches your operating model. Move between them without changing the platform.

Surface 01

Kubernetes

Helm-installable on customer K8s. Self-managed executor pods. Standard kubectl operations. Elastic scaling that VM-based deployments handle manually.

Surface 02

Helm + Terraform

Infrastructure-as-code from day one. Helm chart for SBOX components, Terraform modules for VMs, network, storage. ArgoCD ready for GitOps customers.

Surface 03

Docker on VM

Classic deployment on Linux VMs (RHEL, Ubuntu, Debian). Docker-based component images. Manual scaling. Predictable behaviour. How most regulated customers run SBOX today.

Surface 04

Bare metal

Physical servers, no virtualisation layer, no shared kernel. Defense and high-compliance customers run this way. Container runtime sits directly on the host OS.

Surface 05

Air-gapped

No outbound internet required at runtime. Container images pulled from customer Artifactory or registry. Self-hosted LLM keeps AI inside the boundary. No vendor telemetry.

Three deployment models

Pick the deployment model that matches your operating model.

Three private deployment models. Same SBOX product runs across all three. Pick the model that matches your operating model and your compliance posture.

Dimension
Private Cloud
(this page)
VPC
Managed Private Cloud
Where it runs
Customer-owned infrastructure (fully isolated or customer datacenter)
Customer AWS, Azure, or GCP account
Element34-operated, customer-isolated environment
Who operates it
Customer operates everything (Element34 ships the software)
Customer operates cloud account, Element34 provisions via Terraform
Element34 operates with 24x7 SLA
Network posture
Customer network only, air-gap supported
Customer VPC, customer-controlled VPN or PrivateLink
Element34-operated, optional VPN or PrivateLink to customer network
Best fit
Defense, government, regulated finance, healthcare with hard data-residency requirements
Enterprises with cloud-first IT mandates that still require single-tenant isolation
Teams that want enterprise testing infrastructure without operating it

See the full compare deployments page →

Security posture

Built to clear the questions your security review asks.

Private Cloud (self-hosted) is the deployment model designed for the customer security review. Every common audit objection has a deployment-level answer, not a contractual one.

Zero public egress

SBOX runtime makes no outbound call to Element34. No license callback, no telemetry. Test data stays inside the customer perimeter.

Customer-controlled keys

Customer KMS, HSM, or BYOK. Encryption boundary stays customer-owned. Element34 never holds a credential into the SBOX environment.

Customer-owned LLM

AI features use a customer-supplied LLM endpoint, cloud or self-hosted. Prompts never reach Element34.

Air-gap supported

Customer pulls container images from their own registry. Runtime needs no outbound connectivity. Supports defense and intelligence workloads.

SSO and SCIM

Customer identity provider, customer audit log. SAML and OIDC. Element34 holds no user account in the customer environment.

Customer-controlled retention

Video, screenshots, and session metadata follow customer-set retention rules. Video offloads to customer S3 with customer-defined lifecycle policies.

Private Cloud FAQ

Private Cloud, answered.

What is Private Cloud (self-hosted) for Element34 SBOX?
Private Cloud (self-hosted) is the deployment model where the customer owns and operates the infrastructure. Element34 ships the SBOX platform as Helm charts and container images. The customer runs the Load Balancer, Hubs, and Executors inside their own network. No outbound connectivity to Element34 is required at runtime.
What are the SBOX components in a Private Cloud deployment?
Three components. A Load Balancer that fronts the API. One or more Hubs that orchestrate sessions and host the AI features. Executor nodes that run the browser containers. All three live inside the customer perimeter.
Can SBOX run fully air-gapped?
Yes. The runtime requires no outbound internet connectivity. Container images are pulled from the customer Artifactory or container registry. The AI features use a customer-supplied LLM endpoint, which can be a self-hosted open-weight model running inside the customer environment. No vendor callback, no outbound license check.
Does Private Cloud support Kubernetes?
Yes. SBOX is installable via Helm chart on customer Kubernetes clusters. AI features are integrated directly into the Selenium Box Hub, so the platform is environment-agnostic across VM and K8s deployments. K8s adds the benefit of self-managed executor pods for browser containers.
What is the recommended sizing for Hubs, Executors, and Load Balancers?
Hub: 20GB storage for logs and temporary files. Executor: 50GB minimum, 75GB if older browsers are in coverage, 200GB if browser images stay local and video offloads to S3. Load Balancer: 20GB. RAM and CPU on the Executor scale with peak parallel session count. Disk IOPS throughput matters at scale.
How does Element34 update the platform in a Private Cloud deployment?
Element34 publishes new Helm chart versions and container images to a release feed the customer subscribes to. The customer pulls the new version into their own Artifactory or registry, then applies the upgrade through their normal Helm upgrade procedure. Element34 never accesses the customer environment.
What support does Element34 provide for Private Cloud deployments?
Element34 provides the platform, the release stream, the documentation, the deployment templates (Helm, Terraform, ArgoCD examples), and customer-engineer support. Customer operations team handles infrastructure, monitoring, and scaling. Element34 does not access the customer environment to operate the platform.

Walk our solutions team through your security review.

We sit with your platform, security, and procurement teams. We answer the questions in the order your review asks them. We hand you the deployment plan that clears the gate. Annual licensing, predictable across the contract term.