ABOUT

Provenance, before install.

Most tools scan after an artifact is already on your fleet. Attestree moves the work to ingest: every Windows artifact gets a signed SBOM and attestation before any endpoint installs it, and together they form a verifiable tree of trust across the fleet.

What we are building

One agent, one control plane, every package channel: winget today, with cross-package-manager inventory, MSI/MST transforms, driver and firmware rings, and Windows Updates following on the same primitive. Inventory what is installed, deploy and roll back safely in rings, and get SBOM and attestation as a byproduct rather than an afterthought.

Where we are

Pre-GA and in design-partner mode. The free Community Edition is the on-ramp — self-host it on a single box, up to 50 endpoints, no cloud account. The commercial tiers add scale, identity, hardware-backed signing, and the evidence bundles regulated teams need. It's built and operated from Switzerland — waitlist data stays in the EU under a hard residency guarantee (revFADP + GDPR; see Privacy).

Talk to us

We work closely with a small set of early teams. If your fleet feels brittle, we would like to hear about it.