Attestree
Run it free
FOR SAAS ENGINEERING

Ship at SaaS speed,
with an SBOM for every artifact.

You ship daily and pull npm, pip, and winget across a Windows dev fleet and CI runners. EU CRA, EO 14028, and CISA Secure-by-Design now expect a verifiable SBOM for every artifact — without a security team slowing engineering down. Attestree signs and SBOMs each artifact at ingest, so the evidence is a side effect of shipping, not a release-day scramble.

Request access Read the wedge
Multi-tenant SaaS EU CRA · EO 14028 SBOM at ingest SOC 2 evidence
INGEST · LAST 24H npm · pip · winget
  • ingest npm:[email protected]
    sbom · 312 deps sig:9c2a…
  • ingest pip:[email protected]
    detonated · clean sig:1f7b…
  • block npm:[email protected]
    malware · halted BLOCK
  • sbom cyclonedx · 312 components
    signed sig:a4d0…
  • siem siem://attest.stream
    streaming sig:77e1…
  • export evidence-bundle.zip
    cra-ready sig:0be4…
Multi-tenant SaaS · SIEM · CRA bundle 4,117 verified
WHY THIS MATTERS HERE

What engineering-led security teams ask us first.

SBOM by construction

Every npm, pip, and winget artifact gets a CycloneDX SBOM and an in-toto attestation at ingest — not a scanner bolted on before release. The SBOM and vulnerability-handling evidence the EU CRA expects falls out of normal operations.

Multi-tenant SaaS, no appliance

Run Attestree as a hosted, multi-tenant control plane — no on-prem box for your platform team to operate. Same attestations and evidence as the appliance; self-host stays available when a tenant needs it.

Evidence regulators accept

Signed, verifiable attestations map to EO 14028, CISA Secure-by-Design, and SOC 2 evidence requests. One CLI call verifies any artifact — in your fleet or your auditor's.

WHAT YOU GET

The platform, sized for an engineering org.

Start with attested ingest for the package managers your engineers actually use, then add inventory and policy as your supply-chain story matures.

/products/winget-enterprise In dev

Winget Enterprise

Attested install gates in front of every Windows package channel.

Read product
/products/inventory In dev

Inventory

One attested inventory across your package managers — winget today, more as they land.

Read product
/products/transforms Pipeline

Transforms

Cedar policy-as-code: rewrite, gate, or block any artifact in flight.

Read product
/products/windows-updates Pipeline

Windows Updates

Approve, stage, and attest every KB before deployment.

Read product
Drivers · available on request Firmware · available on request
PRICING

Commercial — request access.

Pre-GA pricing is design-partner friendly. Tell us about your stack — we'll come back within two business days.

Multi-tenant SaaS EU CRA-ready SBOM Sentinel · Splunk SOC 2 evidence
ENDPOINTS

We'll only use this to schedule a 30-minute fit-check.

DESIGN-PARTNER QUOTE · TBD

"Design partner pipeline open. Be first to be quoted."

Your name here · Head of Security, SaaS design partner
COMPARE SEGMENTS

Same primitive, different posture.

Homelab
Hobbyists & enthusiasts
Free signed attestations for the artifacts your home fleet pulls.
Small business
5–50 endpoints
Attested install gates without a full SOC.
Mid-market
50–2,000 endpoints
Drop-in policy in front of Intune, Chocolatey, and PSGallery.
Enterprise
2,000+ endpoints
Block unsigned artifacts at ingest across every channel.
SaaS engineering You are here
Engineering-led security
SBOM-by-construction at ingest — multi-tenant SaaS, evidence mapped to EU CRA and Secure-by-Design.
Financial services
Regulated environments
Auditor-ready attestation evidence with cryptographic chain-of-custody.