PRICING

Pricing built for every fleet.

Free for homelab. Request access for everything else — we're in design-partner mode through GA.

01 Free / Apache-2.0

Homelab

For the engineer who runs their own infra.

Self-host on a single node
winget + scoop attestations
Local SQLite evidence store
GitHub-backed identity
Community support

Run it free

02 Request access

Small business

For 5-100 endpoints without a dedicated security team.

Managed control plane
Pooled fleet attestation tree
Slack / Teams routing
GitOps-driven policy bundles
Email support, business hours

Request access

03 Request access

Mid-market

For platform teams running 100-5,000 endpoints.

Multi-tenant org structure
SSO (Entra ID / Azure AD)
Custom roots of trust
API + webhook integrations
7-year signed audit retention
Priority support

Request access

04 Request access

Enterprise

For 5,000+ endpoints across regions and BUs.

Dedicated tenancy
Region-pinned data residency
Custom WDAC / signing policies
Hardware-backed roots
Named solutions architect
Recovery SLOs

Request access

05 Request access

Financial services

For banks, brokers, and insurers under heavy audit load.

Auditor-ready evidence bundles
Evidence bundles designed to support GLBA / SOX; 23 NYCRR 500.15 control attestation
On-prem appliance with vTPM keys
Air-gapped evidence sync
SIEM streaming: Sentinel + Splunk (others via webhook)
90-day proof-of-evidence engagement

Request access

Pre-GA pricing. Commercial tiers move to listed pricing at general availability.

EVERY TIER

What you get at every tier.

Provenance at ingest

Every artifact gets a signed in-toto attestation before it ever touches a fleet node.

GitOps reconciliation

Desired state lives in Git. The control plane reconciles drift continuously.

Signed evidence

Every state transition emits a signed receipt — exportable as a portable bundle.

OSS interoperability

in-toto, SLSA, CycloneDX, Sigstore — open formats, no vendor lock-in.

FAQ

Questions, answered.

When does Attestree go GA?

We have not committed a public GA date. Every commercial tier is in design-partner mode through GA — we onboard a small number of customers per quarter and give them direct access to the founding team.

Is there a free tier I can run today?

Yes — the free Community Edition. It is the full platform, self-hosted with docker compose for up to 50 endpoints (free under a closed-source EULA; the installer shim is Apache-2.0 OSS). It runs without Azure, covers winget ingest today with more package managers as they land, generates signed attestations, and keeps a Postgres-backed evidence store.

How does Attestree compare to other tools in the space?

Most existing tools either scan after install (so you find out about a bad artifact once it is already on your fleet) or require you to pre-build everything in their own pipeline. Attestree attaches signed provenance to artifacts at ingest, before they reach a node, and works with the package managers you already use.

Can I run this fully on-prem?

Yes. Mid-market, Enterprise, and Financial Services tiers ship a self-hosted control plane. FinServ adds a hardware-rooted appliance with vTPM-bound keys and air-gapped evidence sync for regulated environments.

What is covered under the OSS license vs the commercial license?

Apache-2.0 covers the control plane core, ingest adapters for public package managers, the attestation format, and the CLI. The commercial license adds multi-tenancy, SSO (Entra ID / Azure AD), custom roots of trust, SIEM connectors, and the on-prem appliance.

How do I become a design partner?

Fill out the access request form. Tell us about your fleet, your compliance posture, and what is broken about your current attestation story. We respond within two business days and reserve about a third of design-partner slots for teams under 1,000 endpoints.

Ready to attest your fleet?

We're in design-partner mode through GA. Get on the list — we'll route you within two business days.

Or tell us more about your fleet and we'll route you faster.