Open source · MIT

Endpoint compliance without the MDM.

Open Attest collects signed endpoint posture facts from your team's laptops and exposes them through an open API — no MDM, no infrastructure, no complexity. Deploy the server in one click, install the agent in one command, and have audit-ready evidence flowing in under ten minutes.

enroll a laptop
$ open-attest enroll --token <TOKEN> --server https://your-worker.workers.dev
✓ enrolled · daemon installed · reporting hourly

  • 20 posture checks
  • 3 platforms (mac/win/linux)
  • ~50 devices on the free tier
  • <10m to first signed evidence

Architecture

Three small pieces. No infrastructure to babysit.

An agent on each laptop signs and submits posture. A Cloudflare Worker stores and evaluates it. An admin UI shows compliance at a glance — all of it open source.

Agent

Rust binary

Runs as a background daemon on macOS, Windows, and Linux. Collects posture checks, signs them with Ed25519, and submits attestations hourly — no user interaction.

Server

Cloudflare Workers + D1

TypeScript on Workers with a D1 (SQLite) database and Drizzle ORM. Zero infrastructure to manage. The free tier covers roughly 50 devices.

Admin UI

React + shadcn/ui

Dashboard, device list, compliance status, and credential management — served from the same Worker. Protect it with Cloudflare Access for SSO + MFA.

Optional — point Open Attest at Screenata to add control mapping, policy evaluation, evidence generation, and auditor exports on top of the raw posture data.

01

Why it exists

Endpoint evidence for SOC 2, minus the heavyweight MDM.

Built for teams of 5–50 where the CTO is also the IT admin.

Startups preparing for SOC 2 need endpoint evidence but don't need — or want — a full device-management platform. The usual options are manual screenshots, heavyweight MDMs, or tools that cost more than your seed round. Open Attest is the lightweight middle path: deploy the server in one click, install the agent in one command, and have signed endpoint compliance evidence flowing in under ten minutes.

Target team size: 5–50 devices, no dedicated IT
Cost to run: Free — Cloudflare Workers free tier covers ~50 devices
Infrastructure: None. No servers, no databases to manage, no Docker
Time to first evidence: Under 10 minutes
02

Posture checks

Twenty posture checks, evaluated against SOC 2 thresholds.

Disk encryption, firewall, screen lock, EDR, admin roster, SSH, MDM, and more.

The agent collects 20 posture checks on every snapshot and evaluates them against default compliance thresholds — pass, fail, or warning. Disk encryption maps to FileVault, BitLocker, or LUKS depending on the platform; firewall, screen-lock policy, password policy, auto-update, and EDR presence are all normalized into a single cross-platform schema. Heavy lists like installed apps ship on a 24-hour cadence; everything else flows on every snapshot.

Disk encryption: FileVault / BitLocker / LUKS — must be enabled
Screen lock: Password required, timeout ≤ 15 min, MDM-enforced when present
EDR / antivirus: XProtect, Defender, CrowdStrike, SentinelOne, AppArmor, SELinux
Identity & access: Admin roster, local users, SSH daemon + authorized-key count
03

Signed attestations

Every attestation is Ed25519-signed and tamper-evident.

The server verifies each report came from a registered agent and hasn't been altered.

Each attestation is signed with an Ed25519 key generated at enrollment, so the server can verify it originated from a registered agent and that the record has not been tampered with in transit or at rest. Signatures prove origin authenticity and record integrity — auditor-friendly proof that the posture facts came from the device they claim to come from. Keys can be rotated without re-enrolling.

Signature scheme: Ed25519, per-device key created at enrollment
Key rotation: Rekey endpoint — rotate without re-enrolling
Trust model: Best-effort, self-reported posture; signatures prove origin + integrity
Auth model: Agents use signatures; admins use API keys or the admin secret
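
The signing, verification and key-rotation flow described above, sketched as an added example in JavaScript for Node.js. It is not Open Attest's code: the wire format (`deviceId`, `payload`, `signature`), the in-memory registry and the rekey proof are assumptions made for illustration.

```javascript
// Added example, not Open Attest's code. Assumed wire format: { deviceId, payload, signature }.
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');
const registry = new Map(); // deviceId -> current Ed25519 public key

// Enrollment: the device generates its key pair; the server stores only the public key.
function enroll(deviceId) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  registry.set(deviceId, publicKey);
  return privateKey;
}

// Agent: serialize once, then sign exactly those bytes.
function attest(deviceId, privateKey, posture) {
  const payload = JSON.stringify({ deviceId, ...posture });
  const signature = sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { deviceId, payload, signature };
}

// Server: verify the bytes as received, then parse and bind the body to the envelope.
function verifyAttestation(msg) {
  const key = registry.get(msg.deviceId);
  if (!key) return { ok: false, reason: 'unknown-device' };
  const body = Buffer.from(String(msg.payload));
  const sig = Buffer.from(String(msg.signature), 'base64');
  if (!verify(null, body, key, sig)) return { ok: false, reason: 'bad-signature' };
  const posture = JSON.parse(msg.payload);
  if (posture.deviceId !== msg.deviceId) return { ok: false, reason: 'device-mismatch' };
  return { ok: true, posture };
}

// Rotation (assumed flow): the current key signs the new public key.
function rekey(deviceId, newPublicKeyPem, proof) {
  const current = registry.get(deviceId);
  if (!current || !verify(null, Buffer.from(newPublicKeyPem), current, proof)) return false;
  registry.set(deviceId, createPublicKey(newPublicKeyPem));
  return true;
}

function demo() { // constructed sample device and posture facts
  const oldKey = enroll('laptop-01');
  const report = attest('laptop-01', oldKey, { diskEncryption: true, screenLockTimeoutMin: 10 });
  const accepted = verifyAttestation(report).ok;
  const edited = { ...report, payload: report.payload.replace(':10', ':60') };
  const tampered = verifyAttestation(edited).reason;
  const next = generateKeyPairSync('ed25519');
  const pem = next.publicKey.export({ type: 'spki', format: 'pem' });
  const rotated = rekey('laptop-01', pem, sign(null, Buffer.from(pem), oldKey));
  const stale = verifyAttestation(attest('laptop-01', oldKey, {})).reason;
  return { accepted, tampered, rotated, stale };
}
```

A report that passes `verifyAttestation` was signed by the enrolled key and is unmodified; whether the posture facts in it are true remains self-reported, as the trust model states.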
04

Quick start

Deploy the server, share a link, install the agent.

One-click Cloudflare deploy, a multi-use enrollment token, one command per laptop.

Deploy the server to Cloudflare Workers with the one-click button or wrangler. Open the admin UI, create an enrollment token with a device cap, and share the link with your team. Employees run a single enroll command — the agent installs a background daemon, enrolls, and starts reporting hourly with no further interaction. For non-technical users, build a macOS .pkg that installs and enrolls automatically.

Server: TypeScript on Cloudflare Workers + D1 (SQLite) + Drizzle
Enrollment: Multi-use tokens with a max-device cap, shared as a link
Agent install: open-attest enroll --token <TOKEN> --server <URL>
Non-technical users: Prebuilt macOS .pkg installs and enrolls automatically
05

Open source

Inspect every check and every byte sent to the server.

MIT licensed. Rust agent, TypeScript server, React admin UI — all in the open.

Open Attest is MIT licensed and fully open source. The agent is a Rust binary you can read, build, and audit; the server is TypeScript on Cloudflare Workers; the admin UI is a React SPA built with shadcn/ui. Inspect exactly which commands each posture check runs and precisely what data leaves the device. The agent ships with 195 tests, the server with 32 — run them yourself.

License: MIT
Agent: Rust binary — macOS, Windows, Linux. 195 tests
Server: TypeScript on Cloudflare Workers. 32 tests
Admin UI: React SPA with shadcn/ui, served from the same Worker

Open Attest + Screenata

The raw posture data, turned into audit-ready evidence.

Open Attest gives you signed endpoint facts. Screenata turns them into the evidence an auditor signs off on — control mapping, thresholds, drift tracking, and one-click exports. Run Open Attest on its own forever, or connect it when you're ready for the full audit.

open-attest + Screenata = endpoint compliance without the MDM.

  • Map endpoint checks to SOC 2 controls
  • Set pass/fail thresholds per organization
  • Generate evidence summaries for auditors
  • Track drift and exceptions over time
  • Export PDF / CSV reports with one click

Ship it this afternoon

Signed endpoint evidence in under ten minutes.

Deploy the Worker, share an enrollment link, and watch compliance status fill in as laptops report. Free to run, open to inspect, and ready to grow into a full SOC 2 audit with Screenata.
