Pricing built for every fleet.

We have not committed a public GA date. Every commercial tier is in design-partner mode through GA — we are taking on a small number of design partners and giving them direct access to the founder.

Yes — the free Community Edition. It is the full platform, self-hosted with docker compose for up to 50 endpoints (free under a closed-source EULA; the installer shim is Apache-2.0 OSS). It runs without Azure, covers winget ingest today with more package managers as they land, generates signed attestations, and keeps a Postgres-backed evidence store.

Most existing tools either scan after install (so you find out about a bad artifact once it is already on your fleet) or require you to pre-build everything in their own pipeline. Attestree attaches signed provenance to artifacts at ingest, before they reach a node, and works with the package managers you already use.

Yes. Mid-market, Enterprise, and Financial Services tiers ship a self-hosted control plane. FinServ adds a hardware-rooted appliance with vTPM-bound keys and air-gapped evidence sync for regulated environments.

Apache-2.0 covers the control plane core, ingest adapters for public package managers, the attestation format, and the CLI. The commercial license adds multi-tenancy, SSO (Entra ID / Azure AD), custom roots of trust, SIEM connectors, and the on-prem appliance.

Fill out the access request form. Tell us about your fleet, your compliance posture, and what is broken about your current attestation story. We respond within a few business days, and we keep room for smaller teams (under 1,000 endpoints), not just large fleets.