The question
Can you prove what your AI did?
Better yet, can you prevent it from doing it again?
With Atested, AI operations stop being a black box and become a signed record on disk that anyone can verify.
All traffic passes through Atested
Your Agent
Sends request / receives what passes
Atested
Forwards requests / examines responses
Model Provider
Receives request / responds with tool calls
ALLOW
Evidence present and sound. The instruction passes to your agent. Recorded in the chain with the classification and matched rule.
DENY
Evidence deficient. The denial is sent back to the model with reasons why. The model reconsiders. Often it retries with better evidence.
One environment variable. Five minutes. Done.
HTTP proxy
Install once, point your agent at it. The API conversation works the same way it always did.
Any agent
Works with any agent that talks to its model over an HTTP API. No changes to your agent's code.
Multi-provider
Anthropic, OpenAI, Gemini, and any other provider that follows standard API patterns.
Multi-machine when licensed
Personal runs on one machine. Paid tiers add remotes that govern locally and sync verified records to the primary.
The problem
You know what this is
Models hallucinate, are lazy, cut corners. Atested sees the fabricated justifications and confident-sounding reasoning for what they are: a prelude to mistakes, wasted work, or worse. It catches them before they become an issue.
We sit on the API connection
MCP servers and CLI tools can't stop an agent from going around them. We know because we tried that route first. As often as not, agents avoided our path.
We provide the policy
The rules that ship with Atested are the ones an experienced engineer would write if they had the time.
Full capability preserved
Sandboxes work by restricting capabilities when they work at all. Often they get in the way. We work transparently.
Zero token use
We sit on the connection, not in the conversation. The model has no awareness of Atested. Denied actions return standard responses the model handles normally. Zero token use, imperceptible latency.
What the action contains, not what the tool is named
The classifier inspects evidence and produces a structured classification: action type, target class, scope, and a confidence tier that honestly reports how much Atested can see. That classification is then evaluated against the policy rules to produce an ALLOW or DENY, along with the evidence that drove the decision.
Declarative rules. Only one match to decide.
Ships with rules
Covers file operations, network calls, shell execution, and the other action types agents and AI apps generate. The governance logic an experienced engineer would write, ready to go.
Only one match to decide
Rules are evaluated in order. One matched rule is enough to determine ALLOW or DENY. No ambiguity, no competing rules.
Scoped approvals
Some things have to run, so if there are tier 3 or 4 operations you need then approve them. One and done, unless Atested detects a change then it surfaces again for your approval.
Every decision explained
Atested's chain records all the data, not just ALLOW or DENY. When you review the chain, you see the reasoning, not just the outcome.
Strong evidence. Deposition ready.
Append-only
Records never modified after written.
Hash-chained and Immutable
Breaks in the chain can indicate tampering. Atested tracks these events and notifies you.
Ed25519 signed
Anyone with the public key can verify it on their own machine.
On your disk
The chain lives on your infrastructure. No third-party custody, no cloud dependency for your audit trail. You own the data.
When a regulator asks what your AI agent did on a specific date, you hand them the chain and the public key. They verify it themselves.
Multi-machine governance
Local decisions. Unified evidence.
Every machine runs its own local proxy and writes its own signed chain. Remotes sync to the primary, which records import envelopes proving exactly which remote material was received and verified. The unified dashboard view merges those records for operations and reporting without rewriting remote history.
Primary plus remotes
The primary talks to Atested servers. Remotes talk only to the primary and keep governing when the network is unavailable.
Machine-scoped evidence
Activity, Audit, Reports, and evidence export can show all machines, only the primary, or selected machines.
Shared approvals
The primary distributes approval and policy state. Decision records include the hashes used at the time of the decision.
Operational status
Health shows connected remotes, pending sync counts, remote versions, and freshness of approval and policy state.
Your control center
This is the real Atested operator interface running with simulated data, including multi-machine fixtures for paid tiers. The code is the same production code running on real installs. Give it a run.
Chain Health
42,137 events
OK integrity · 61d age
Atested Activity
42,137 mediated
259 denied · 5 users
Recent Activity
What Atested can and can't do
We check the work, not the answer
Atested can tell you what your agent did and whether policy allowed it. It cannot tell you whether the decision was right.
What we can't see, we stop
If the contents are opaque, Atested denies it until you approve the exception. We don't guess.
The chain is honest about its limits
Every record includes the confidence tier — what Atested could observe and what it couldn't. The proof includes its own caveats.
Honest limits are better than false confidence
A system that tells you what it can't verify is more trustworthy than one that claims to verify everything. The confidence tier exists because we'd rather give you an accurate picture than a comfortable one.
Start attesting your AI operations
Stop worrying and start knowing in less than five minutes.