Answer the SBOM question
before your CISO asks twice.
Five hundred to five thousand endpoints, hybrid AD+Entra, and your CISO is asking SBOM questions you can't answer. Attestree turns every install into a signed evidence trail — by construction, not by scanner.
- sbom Microsoft.VisualStudio.202217.9.6 sig:c4e1…
- policy cedar://block-eol-runtimesv3.2 sig:7a09…
- gitops fleet/desired.yaml @ 9c4f1areconciled sig:bd71…
- drift finops-edge-04 · npm:lodash4.17.20 drift
- attest KB5037768 · ring:broad1,892 ok sig:0fa9…
- export SOC2-evidence · Q4-202514.2 MB sig:e45a…
Three things mid-market security teams ask us about first.
SBOM-by-construction
Every artifact ships with provenance attached at ingest. No post-install scan, no agent-based reconciliation lag — the SBOM is the install record.
Policy-as-code
Cedar policies version-controlled alongside your infra. Evidence export designed to produce SOC 2 evidence — attestations, approvals, and decisions, all signed.
GitOps reconciliation spine
Desired state in Git. Drift alerts surface in OpenTelemetry. Your existing observability and change-management tooling stays in the loop.
The products that fit a 2,000-endpoint fleet.
Inventory and Winget Enterprise are the foundation. Layer Transforms when policy gets opinionated, and Windows Updates to close the patch loop.
Winget Enterprise
Attested install gates in front of every Windows package channel.
Read productInventory
Single source of truth across winget, Choco, npm, pip, .NET, PSGallery.
Read productTransforms
Cedar policy-as-code: rewrite, gate, or block any artifact in flight.
Read productWindows Updates
Approve, stage, and attest every KB before deployment.
Read productCommercial — request access.
Pre-GA pricing is design-partner friendly. Tell us about your fleet — we'll come back within two business days.
"Design partner pipeline open. Be first to be quoted."