Deploy & commercial

Single binary. On-prem. Air-gappable. Yours.

ForestEcho is licensed commercially per forest. There's no SaaS, no multi-tenant cloud, no telemetry. Your snapshots, your keys, your audit chain. This page is what your procurement team will want to read.

01 · Deployment

One signed binary. Runs where you tell it to.

ForestEcho ships as a single signed Windows executable plus the Studio reader. There is no agent on your domain controllers, no daemon to keep alive, and no SaaS dependency. The collector is invoked when you want a snapshot, and exits when it's done.

Production deployments fall into one of three shapes — connected (Studio talks to a small ForestEcho update service for catalog updates), offline (catalog updated by file), or fully air-gapped (you sign the catalog yourself against our published key). All three use the same binary.

Form factor: Single signed Windows binary (forestecho.exe ~46 MB) + Studio reader
Runtime: Windows Server 2016 or later · Windows 10/11 for Studio · no .NET dependency outside system runtime
Privileges: Read-only LDAP account; no schema changes; no agent install on DCs
Network egress: None required. Optional update channel for catalog refresh — disable in air-gapped mode.
Telemetry: None. No phone-home, no analytics, no usage reporting. Confirmed by network capture in our security review pack.
Data residency: Snapshots and reports stay on your filesystem. No customer data ever transits ForestEcho infrastructure.
Studio: Local desktop reader for .fes snapshots. Reads only; never modifies forest state without an explicit signed action.
Compliance posture: Architecture documented for SOC 2 CC7.2, ISO 27001 A.12.6 evidence collection. Security review pack available under NDA.

02 · License & commercials

Commercial license, per forest, contact us.

ForestEcho is sold under a commercial license per Active Directory forest. License grants are negotiated annually and include access to catalog updates, security advisories, and support across the term. We don't post pricing on this page — sizing depends on forest size, deployment shape, and support tier — but we'll quote within one business day after a scoping call.

Forest

Single forest

For organizations with one production forest. Most common shape.
  • One forest licensed (any size)
  • Catalog updates & advisories
  • Email support, business hours
  • Studio for unlimited operators
Annual term · contact for sizing

Sovereign

Air-gapped & regulated

Classified, sovereign-cloud, defence, or other environments with no outbound connectivity.
  • Fully air-gapped operation
  • Catalog signed against your key
  • Source escrow available
  • Dedicated security review
  • Region-restricted support staffing
Annual term · contact for sizing

Procurement gates we've already passed: standard MSA terms, mutual NDA, security review pack with architecture diagrams, third-party penetration test summary (Q1 2026), W-9 and supplier onboarding documents. Send your security questionnaire to trust@forestecho.io.

03 · Private beta

What "private beta" means, concretely.

Private beta means the binary is feature-complete for the shipping rule categories (ADCS, GPO, EVTX), the audit-chain architecture is locked, and we are onboarding a small number of design partners each month under a beta license agreement. The catalog continues to expand on the published roadmap. GA is targeted within the next two quarters.

Beta cohort terms

Beta license is free of charge for the duration of the beta program. In exchange, design partners commit to monthly office hours with our research team and feedback on at least one rule category. Beta licenses convert to commercial licenses at GA at a 30% discount in the first annual term.

What you get in beta

  • The current shipping binary, signed and supported.
  • Catalog updates as they land — typically every 14 days.
  • Direct access to the research team via shared Slack and monthly office hours.
  • Influence on rule prioritization for your environment.
  • 30-day notice on any breaking changes to the snapshot or audit-chain format.

What we ask in return

  • One scoping call per month with the research team.
  • Honest feedback on at least one rule category — false positives, missed findings, copy & UX.
  • A reference call with one prospective customer per quarter, after 90 days. Anonymized references available if your security policy requires.

04 · Support & SLA

Named contact. Defined response. No outsourced front line.

Support is provided directly by the engineering and research team that builds the product. There is no L1 outsourced contact center. When you open a ticket, the person who picks it up has shipped code in the binary you're running.

Channel: Email support@forestecho.io · shared Slack channel for Enterprise & Sovereign
Response target: Critical (binary or catalog regression): same business day · High: 1 business day · Other: 3 business days
Hours: Pacific business hours by default · extended hours available on Enterprise & Sovereign
Named contact: Enterprise & Sovereign tiers receive a named primary engineer for the term
Severity criteria: Documented in the support handbook included with every license
Security advisories: Direct notification within 24h of a confirmed advisory affecting your version

05 · Tenancy

Single-tenant. Always. By design.

ForestEcho does not operate a multi-tenant cloud. There is no shared backend that holds customer data, because there is no backend that holds customer data. Every deployment is single-tenant by construction: the binary runs on your infrastructure, the snapshots stay on your filesystem, the keys stay in your KMS or HSM.

This is a deliberate architectural choice. It costs us some product surface — there's no centralised cross-customer telemetry to learn from, no managed service to upsell — and it gains us a deployment posture that fits classified, sovereign, regulated, and zero-trust environments without an exception process.

06 · FAQ

The questions we get most often.

Does ForestEcho require an agent on domain controllers?

No. The collector is invoked from a domain-joined host with a read-only account, talks LDAP and ADCS RPCs over the network, and exits when it's done. Nothing is installed on the DCs themselves. We've shipped this way deliberately because most identity teams cannot get an agent past their DC change-control board.

What data leaves my environment?

None. The collector writes the snapshot to your filesystem. Studio reads it locally. The optional update channel pulls signed catalog updates over HTTPS — no customer data is uploaded in either direction. In air-gapped mode the update channel is disabled and the catalog is updated by file.

How do you handle credentials?

The collector uses the Windows-native credential of the user invoking it (or a service account you provide). There is no password storage, no key escrow, no credential vault inside ForestEcho. Signed actions use a key you control — file-based for evaluation, HSM/KMS-backed for production.

What's the difference between ForestEcho and BloodHound Enterprise / Defender for Identity / Purple Knight?

BloodHound Enterprise and Defender for Identity are continuous-monitoring SaaS products with cloud backends and agents — they're optimised for "always watching" rather than "audit-grade snapshot." Purple Knight is a free assessment tool without remediation automation or signed evidence chain. ForestEcho is deliberately positioned as the artefact-producing audit tool: signed snapshot in, signed remediation out, signed follow-up to prove the fix held. Many of our customers run one of the others alongside.

Can we run ForestEcho fully offline?

Yes. The Sovereign tier is built for this. The binary itself never requires outbound network. The catalog can be updated by file, and verified against either our public signing key or one you've cross-signed. Source escrow is available for organisations that require it.

What happens to our snapshots and audit logs if we cancel?

They remain on your filesystem and remain readable in Studio. There is no licence-server kill switch. Studio will continue to open existing .fes files and verify their signatures after the licence term ends; only catalog updates and support stop. The audit chain you generated during the term remains valid evidence.

Do you have a SOC 2 / ISO 27001 report?

SOC 2 Type I is in progress, scheduled for completion ahead of GA. We can share the security review pack — architecture, threat model, build provenance, third-party pen-test summary — under mutual NDA today. Contact trust@forestecho.io.

How does the catalog get updated, and how do I verify it?

The catalog ships as a signed manifest. In connected mode, Studio fetches updates over HTTPS from our update endpoint and verifies the signature against a key bundled with the binary. In offline mode, you import the signed manifest by file. In Sovereign mode, you can additionally cross-sign against your own key so updates only apply when both signatures verify. Every update ships with a published changelog and rule-by-rule diff.
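
The "apply only when both signatures verify" rule described above, as an added example that is not ForestEcho code. It assumes Ed25519 detached signatures over the manifest bytes; the manifest fields, key pairs and function names are constructed for illustration and do not reflect the product's real format.

```javascript
const crypto = require('node:crypto');

// Constructed key pairs standing in for the vendor's catalog-signing key and
// the customer's cross-signing key (assumption: Ed25519 detached signatures).
const vendor = crypto.generateKeyPairSync('ed25519');
const customer = crypto.generateKeyPairSync('ed25519');

// Constructed sample manifest; the field names are hypothetical.
const manifest = Buffer.from(JSON.stringify({
  catalogVersion: 'EXAMPLE-1',
  categories: ['ADCS', 'GPO', 'EVTX'],
}));

const sign = (keyPair, data) => crypto.sign(null, data, keyPair.privateKey);

// Fail closed: a missing, malformed or non-matching signature is simply invalid.
function verifyDetached(publicKey, data, signature) {
  if (!Buffer.isBuffer(signature)) return false;
  try {
    return crypto.verify(null, data, publicKey, signature);
  } catch {
    return false;
  }
}

// trust = { vendorKey, customerKey, requireCrossSign }
// Every required signature is checked over the exact bytes that would be
// imported, and all failures are reported rather than stopping at the first.
function checkCatalogUpdate(data, sigs, trust) {
  const reasons = [];
  if (!verifyDetached(trust.vendorKey, data, sigs.vendor)) {
    reasons.push('vendor signature missing or invalid');
  }
  if (trust.requireCrossSign &&
      !verifyDetached(trust.customerKey, data, sigs.customer)) {
    reasons.push('cross-signature missing or invalid');
  }
  return { apply: reasons.length === 0, reasons };
}

const sovereign = { vendorKey: vendor.publicKey, customerKey: customer.publicKey, requireCrossSign: true };
const sigs = { vendor: sign(vendor, manifest), customer: sign(customer, manifest) };
const tampered = Buffer.concat([manifest, Buffer.from(' ')]);

console.log(checkCatalogUpdate(manifest, sigs, sovereign));                    // both verify
console.log(checkCatalogUpdate(manifest, { vendor: sigs.vendor }, sovereign)); // no cross-signature
console.log(checkCatalogUpdate(tampered, sigs, sovereign));                    // bytes changed after signing
```

When evaluating any dual-signature import path, the cases worth testing are the ones shown: a valid vendor signature with the cross-signature absent, and a manifest altered after signing.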

What's on the rule roadmap?

The shipping categories at v1.0 are ADCS, GPO, and EVTX. Kerberos, AD ACL & objects, and Schema & forest are in active development and target landing within the next two quarters. The Product page shows the current detail; the catalog is signed and version-stamped, so you can always verify what your binary covers.

Who's behind ForestEcho?

A small team of identity-and-detection engineers based in the Pacific Northwest. Backgrounds across Microsoft IDM, large-enterprise red and purple teams, and AD-focused incident response. We can introduce you to the people on the call when you reach out.
