PRODUCT

Transforms.

Automatic MSI/MST transformation for first-install.

PIPELINE

On the roadmap — vote it up.

THE PROBLEM

What's broken without it.

MSI packaging in 2026 is still a manual craft. First-install configuration — license keys, server URLs, feature flags — gets baked in via hand-authored MST transforms or post-install scripts that nobody owns. The result: a folder of brittle MSTs, a wiki page that goes stale, and a deployment that breaks every time a vendor reships.

audit-trail.log · status quo

1 # T+0 install completes on 1,204 endpoints

2 # T+2d scanner runs across the fleet

3 # T+2d scanner flags 14 endpoints with vulnerable artifact

4 # T+3d helpdesk tickets begin to arrive

5 # T+5d incident response opens IR-2026-0418

6 # T+9d auditor asks: "who approved this artifact?"

7 # T+9d answer: nobody. it shipped because the CDN said so.

HOW ATTESTREE SOLVES IT

The approach.

Attestree Transforms generates and signs MSTs from declarative policy. You describe what should be true after first-install — registry keys, services, permissions — and the control plane synthesizes a transform, attaches an attestation, and applies it during ingest. Vendor reships do not break your deployment.

attestree.toml · transforms

1 # pipeline product

2

3 # Syntax stabilizes once development starts.

4 # Vote this up on the waitlist to influence the design.

BUILT FOR

Small business Mid-market Enterprise Financial services

WHAT'S NEXT

Roadmap, in three moves.

Q4 2026

Declarative MST DSL

Describe post-install state in YAML; the compiler emits a signed MST.

design-partner mode through GA

Vendor-reship resilience

Detect upstream MSI changes and regenerate transforms automatically.

Q2 2027

Policy lint + dry-run

Catch conflicts and unintended changes before they ship to a single endpoint.

Ready for transforms on your fleet?

Get on the list — your vote moves this up the roadmap.

Join pipeline waitlist

OTHER PRODUCTS

Winget Enterprise Inventory Transforms Drivers Firmware Windows Updates