Skip to main content

Access anything.Expose nothing.

Legba is a disposable browser engine. A real browser, spawned fresh, destroyed on close. No cookies in, no fingerprint left, no trail back. Reach it as an extension, a sandbox, an MCP server, or an API.

NVIDIA Inception
MuckerLab
Google for Startups
Founder University

One engine.
Four ways to reach it.

Legba is a disposable browser engine. It spawns a real browser, off your machine, with a real residential IP from the city you pick. You do the work. It burns on close.

That is the engine. How you reach it is your call. A browser tab. A hosted sandbox. An MCP config line. A REST API. Same isolation. Same access. Different doors.

Point the same engine at your own attack surface and it becomes Adversary: validated exposures, not scanner noise.

01/Extension
FOR HUMANS

Legba

A browser tab that runs off your machine. Nothing executes locally. Close it and the session is gone. For people who would rather not trust their laptop with the open web.

Best for
IndividualsTeamsPrivacy-sensitive work
02/Sandbox
FOR THE AGENTS YOU RUN

Legba Sandbox

A hosted browser an agent operates inside. It burns on close by default. Built on OpenClaw with real residential IPs and captcha solving baked in.

Best for
Solo buildersOSS agentsDemos & pilots
03/MCP
FOR THE AGENTS THAT TALK TO YOU

Legba MCP

One config line and any MCP-aware agent gets a real browser. Disposable by default, scoped by you, served by the same engine. Claude, GPT, your own.

Best for
ClaudeOpenAI agentsInternal tooling
04/Adversary
FOR SECURITY TEAMS

Legba Adversary

Maps your external attack surface, then validates the real exposures. Exposed API keys, subdomain takeover, leaked secrets. A client-ready report in minutes, not weeks. Validated findings, not scanner noise.

Best for
Security teamsMSSPsAgencies
import { Sandbox } from "@legba/sandbox"

const sandbox = await Sandbox.create({
  geo: "phoenix-az",
  scope: ["legba.app"],
  ttl: "15m",
})

await sandbox.agent.run(
  "Log in and download my latest statement."
)

await sandbox.destroy()

What every surface
inherits.

The engine carries the work. Reach it through the extension, the MCP server, or the API. You get the same six guarantees, and the same proof: 2.5x reliability over datacenter, 0 session residue on close.

01

Real browser.

Full Chromium with GPU rendering, real fonts, real canvas, real WebGL. Not a stealth plugin over headless. Detection vendors see a person.

02

Real residential IP.

Real ISPs. Real cities. Pick the geography the target site expects. Phoenix, Frankfurt, Seoul. Not a datacenter range pretending to be a home.

03

Smart routing.

Sessions spawn in the region you call from, or the one your target needs. Routing rotates around degradation on its own. No manual switching.

04

Burn on close.

Each session is a container. When the TTL hits or you close it, everything inside is destroyed. No state. No logs. No reach. Nothing to leak.

05

Captcha solving.

hCaptcha and reCAPTCHA resolve in-session. No third-party stitching, no copy-paste flows. Your agent never sees the gate.

06

Anti-bot evasion.

We built and broke detection systems before we built Legba. Cloudflare, Incapsula, DataDome. The engine routes around the checks those systems run.

Built for buyers who can't afford to get blocked.

Three buyers, one engine. AI companies need a browser that does not expose them. Fintechs need access that holds up on hostile sites. Security teams need to find their exposure before attackers do.

01For AI agents

AI companies shipping agents

Your agent logs in, clicks, and transacts. It does that without leaking credentials, getting blocked, or risking your stack when prompt injection lands.

Burn per taskNo reachMCP-native
02For fintechs

Fintechs on hardened sites

Banks, brokerages, benefits portals. The sites your users hold accounts on fight automation. Headless tools fail where Legba holds.

Site-tunedSub-15s MFAPersistent state
03For security teams

Security teams mapping exposure

You cannot defend what you cannot see. Adversary maps your external surface and validates the real exposures: exposed API keys, subdomain takeover, leaked secrets.

Validated, not noiseMinutesEvidence

Three calls.
One throwaway browser.

Reach Legba through the MCP server, the API, or the SDK. The lifecycle is the same every time. Spawn a scoped session, do the work, destroy it. Nothing persists unless you say so.

Three step lifecycle: Spawn, Operate, Burn

Pick a geography, scope what the session can reach, set the TTL. The container boots in under 200ms with a real residential IP and a fresh fingerprint.

Same engine,
every tier.

Start free. Scale to production. Burn-on-close sessions, residential IPs, and the same anti-bot evasion run across every tier.

Tier 01

Free

Prototype, evaluate, and find us in the MCP registry.

$0
  • 30 hours per month
  • 1 concurrent session
  • Datacenter IPs only
  • Basic fingerprint masking
  • Community support
Most chosen
Tier 02

Pro

For solo builders and small teams shipping agents to production.

$499/mo
  • 200 hours per month
  • 10 concurrent sessions
  • Residential IPs in 5 geos
  • MCP and API access
  • Captcha solving included
Tier 03

Production

For agent companies and fintechs running at scale.

$5,000/mo
  • 100 concurrent sessions
  • Unlimited residential IPs, all geos
  • Full MCP, API, and SDKs
  • Site-tuning service
  • Priority support with an SLA
Tier 04

Enterprise

For multi-product platforms and regulated buyers.

Custom
  • Dedicated infrastructure
  • SOC 2 Type II in progress
  • VPC and air-gap options
  • Custom SLAs and terms
  • Named support engineer
FAQ

Things people
actually ask.

Access anything. Expose nothing.

Read the docs