RESEARCH

Notes from inside the catalog layer.

Long-form on supply chain integrity, attestation, and the structural difference between scan-after-install and prove-before-install. We're starting with one essay — the wedge.

FIRST ESSAY
WEDGE Draft in progress

Prove-before-install: why provenance belongs at ingest

The structural argument for moving the verification boundary one hop earlier — attaching signed provenance to every Windows artifact at ingest, before it reaches an endpoint. Why that is a different control from scanning after install, not the same control with better timing.
