Tessera

How it works

Three jobs, one agent.

01 / DISCOVER

See every application on every endpoint

A lightweight agent enumerates installed software from every available source — registry, package managers, AppX, install paths. Inventory is deduplicated, normalized, and continuously updated.

02 / CLASSIFY

Categorize the long tail automatically

Every application is classified across 16 categories — Security, Productivity, Driver, Risk, and more — by an LLM that understands naming patterns no static rule set can keep up with. New apps get categorized within minutes of first appearing on a fleet.

03 / ENFORCE

Remove what doesn't belong

Define allow lists, block lists, and category-based rules. Tessera removes flagged software using the right uninstall path for each platform — silently, with full audit trail. Approval workflows available for higher-stakes actions.

Why Tessera

Built for the gap between inventory and control.

→
Inventory tools tell you what's installed. Tessera tells you what to do about it. Lansweeper and PDQ stop at the spreadsheet. Tessera connects inventory to policy and policy to action.
→
App-control tools require an enterprise budget. Tessera doesn't. Tools like ThreatLocker price for the Fortune 500. Tessera is built for the 50–1000-endpoint shop.
→
Classification that keeps up with reality. The LLM categorizes new software automatically — no rule maintenance, no taxonomy upkeep, no false confidence on apps you've never seen.
→
Lightweight, deployable, transparent. Self-hosted or hosted by us. Open architecture. Bring your own LLM if you want full data sovereignty.

Pricing

Tiers that scale with you.

Community

Free

Self-hosted. Up to 5 endpoints.

Self-hosted via Docker
Bring your own LLM
30-day audit retention
Community support

Starter EARLY ACCESS

$6 / endpoint / month

For small IT and security teams. Up to 100 endpoints.

Hosted by us
Managed LLM included (1,000 classifications/month)
6-month audit retention
Email support

Pro EARLY ACCESS

$9 / endpoint / month

For mid-market security teams. Up to 1,000 endpoints.

Hosted, or self-hosted with license
Managed LLM included (100,000 classifications/month)
SSO / SAML, SCIM provisioning
API + webhooks for SIEM integration
2-year audit retention
Priority support

Enterprise

Custom

1,000+ endpoints. Compliance-driven deployments.

Single-tenant deployment, BYO-LLM, or in-VPC
Custom retention, MSA, DPA, BAA
Dedicated support
SLA with credits