Attestree
Run it free
FOR ENTERPRISE

Stop supply-chain attacks
at ingest, not at the endpoint.

Tens of thousands of endpoints, multiple business units, Tanium and ServiceNow already in place — and supply chain attacks keep getting closer. Attestree sits in front of your install paths and signs every artifact before it ships to a workstation.

Request access Talk to us
5k–50k+ endpoints SaaS or on-prem ServiceNow VR Sentinel · Splunk
FLEET · 32,481 ENDPOINTS 14 BUs · 6 regions
  • ingest npm:left-pad@1.3.1
    detonated · clean sig:c4e1…
  • block choco/risky-tool@2.4
    malware · halted BLOCK
  • snow-vr INC0184221 · CVE-2025-31214
    opened sig:7a09…
  • siem sentinel://attest.signed.2.1m
    streaming sig:bd71…
  • attest KB5037768 · ring:broad
    31,902 ok sig:0fa9…
  • topology us-east · saas + emea-on-prem
    reconciled sig:e45a…
SaaS + on-prem · ServiceNow · Sentinel 32,478 verified
WHY THIS MATTERS HERE

Three things enterprise security teams ask us about first.

Detonate at ingest

Sandbox detonation and SBOM extraction happen before any endpoint touches the package. Supply-chain attacks die in the ingest stage, not on a workstation.

Stack-native integrations

ServiceNow Vulnerability Response, plus Microsoft Sentinel and Splunk SIEMs in v1 — Chronicle, Devo, and QRadar via the documented webhook schema. Tickets and signals route through the systems your SOC already runs.

SaaS or on-prem, one bundle

Multi-tenant SaaS for the BUs that want it, on-prem appliance for the ones that don't. Same control plane, same attestations, one license.

WHAT YOU GET

The whole product surface, sized for enterprise.

Every Attestree primitive is enterprise-relevant. Pick a starting product, add the rest as your supply-chain control story matures.

/products/winget-enterprise In dev

Winget Enterprise

Attested install gates in front of every Windows package channel.

Read product
/products/inventory In dev

Inventory

Single source of truth across winget, Choco, npm, pip, .NET, PSGallery.

Read product
/products/transforms Pipeline

Transforms

Cedar policy-as-code: rewrite, gate, or block any artifact in flight.

Read product
/products/drivers Pipeline

Drivers

Driver update rings with WHQL + provenance verification.

Read product
/products/firmware Pipeline

Firmware

BIOS / UEFI update orchestration with vendor signatures pinned.

Read product
/products/windows-updates Pipeline

Windows Updates

Approve, stage, and attest every KB before deployment.

Read product
PRICING

Commercial — request access.

Pre-GA pricing is design-partner friendly. Tell us about your fleet — we'll come back within two business days.

SaaS or on-prem ServiceNow VR Sentinel + Splunk (others via webhook) Multi-tenant
ENDPOINTS

We'll only use this to schedule a 30-minute fit-check.

DESIGN-PARTNER QUOTE · TBD

"Design partner pipeline open. Be first to be quoted."

Your name here · CISO, enterprise design partner
COMPARE SEGMENTS

Same primitive, different posture.

Homelab
Hobbyists & enthusiasts
Free signed attestations for the artifacts your home fleet pulls.
Small business
5–50 endpoints
Attested install gates without a full SOC.
Mid-market
50–2,000 endpoints
Drop-in policy in front of Intune, Chocolatey, and PSGallery.
Enterprise You are here
2,000+ endpoints
Block unsigned artifacts at ingest across every channel.
Financial services
Regulated environments
Auditor-ready attestation evidence with cryptographic chain-of-custody.