What TridentStack Control Is, and Why I Built It

TridentStack Control is patch management, vulnerability detection, compliance scoring, and policy management for Windows and Linux fleets. One platform, simple pricing, no feature tiers, no enterprise sales process. The first 200 endpoints are free forever, then five dollars per endpoint per month with every feature included.

I am Adam Curtis, co-founder of TridentStack. I helped build TridentStack Control because the existing options for IT teams that just want to patch their fleet, prove they are compliant, and keep moving are either too heavy, too expensive, or too narrow. This post is the long version: what TridentStack Control does, what it does not do, what it costs, and what we were trying to fix when we started this.

Why does IT software cost so much, and do so little?

Endpoint management has been stuck in a frustrating middle ground for years.

On one side you have the legacy enterprise stack. Configuration Manager, Microsoft Endpoint Configuration Manager, Intune, Defender for Endpoint, Tanium. Powerful, deeply integrated, and priced per feature. You buy Plan 1 for management, Plan 2 for advanced capabilities, the Suite for the rest, and a separate SKU for vulnerability data, and somewhere along the way you also need an integrator because none of it stands up cleanly without one. The first invoice for a mid-size fleet often lands well into six figures a year, and the second meeting is usually about which features you are not actually going to roll out because the implementation timeline is longer than your patience.

On the other side you have the SMB-focused tools. Simple, cheap, easy to install. They work. Then you grow past a few hundred endpoints, or your auditor asks for CIS Benchmark Level 1 scoring with per-control evidence, and the tool runs out of room. You start stitching together two or three products, paying multiple subscription fees, and managing the seams.

Neither side is bad at what it does. The legacy enterprise stack genuinely does cover the largest fleets and the most regulated environments. The SMB tools are genuinely simple. The frustration is the gap between them. Most of the IT teams I know live in that gap.

The complexity is overhead, not capability. It shows up as implementation time, daily admin attention, the licensing math you do twice a year, and the operational risk of stitched-together tools that drift out of sync. Every IT director I have ever talked to has a version of the same complaint: my tools are not the problem; the work it takes to keep my tools running is the problem.

That is the gap I wanted to close.

What does TridentStack Control do?

TridentStack Control is one product that handles five jobs.

Patch management. Native Windows Update catalog ingestion with supersedence tracking, deployment rings with canary, expanding, and complete phases, pre-staging for scheduled deployments, and CVE-enriched update metadata. The Windows agent reports system telemetry on every heartbeat (OS build, installed KBs, software inventory, hardware state), and a custom applicability engine on the TridentStack Control platform decides which updates apply to which endpoint. We do not delegate that decision to the local Windows Update client, which means we can apply our own logic to the same catalog Microsoft publishes. It also means TridentStack Control coexists cleanly with WSUS or Intune during a migration, because we do not depend on their approval signaling. You do not have to rip out the old tool to start using the new one.
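A sketch of what a server-side applicability decision with supersedence tracking involves, as an added example and not TridentStack's own code. The catalog entries, KB ids, build numbers, and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Update:
    kb: str
    builds: frozenset                    # OS builds this update targets
    supersedes: frozenset = frozenset()  # KBs this update replaces

# Constructed catalog: KB ids and build numbers are placeholders.
CATALOG = [
    Update("KB0000001", frozenset({"19045", "22631"})),
    Update("KB0000002", frozenset({"19045", "22631"}), frozenset({"KB0000001"})),
    Update("KB0000003", frozenset({"22631"}), frozenset({"KB0000002"})),
    Update("KB0000004", frozenset({"19045"})),
]

def replaced_by(kb, by_kb):
    """Every KB that `kb` replaces, following supersedence transitively."""
    out, stack = set(), [kb]
    while stack:
        current = by_kb.get(stack.pop())
        if current is None:  # KB no longer in the catalog: nothing to follow
            continue
        for old in current.supersedes - out:
            out.add(old)
            stack.append(old)
    return out

def applicable(build, installed_kbs, catalog=CATALOG):
    """KBs to offer an endpoint, given the build and installed KBs it reported."""
    by_kb = {u.kb: u for u in catalog}
    # An installed update also satisfies everything it supersedes.
    satisfied = set(installed_kbs)
    for kb in installed_kbs:
        satisfied |= replaced_by(kb, by_kb)
    needed = [u for u in catalog if build in u.builds and u.kb not in satisfied]
    # Hide an update only if a newer one that targets this same build replaces it.
    hidden = set()
    for u in needed:
        hidden |= replaced_by(u.kb, by_kb)
    return sorted(u.kb for u in needed if u.kb not in hidden)

if __name__ == "__main__":
    print(applicable("19045", set()))
    print(applicable("22631", {"KB0000002"}))
```

The case worth noticing is build 19045: KB0000003 supersedes KB0000002 but does not target that build, so KB0000002 must still be offered there.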

Third-party application updates. Browsers, runtimes, and common Windows applications get patched without you packaging each one yourself. The platform integrates with package managers and a maintained third-party catalog, then layers version pinning, custom installer support, and silent installation with progress tracking on top. The packaging time savings are usually the largest single operational win in a migration from a tool like SCCM or PDQ.

Vulnerability detection. The agent reports software inventory on every heartbeat. TridentStack Control matches it against an enriched CVE catalog with CVSS scoring, applies severity prioritization, and surfaces exceptions with expiration dates. There is a fleet-wide dashboard that tells you the things you actually want to know: how many endpoints have a known critical CVE that is not yet patched, how long they have had it, and whether you are trending up or down across the fleet. CVE data is part of the base product. It is not a separate Defender Plan 2 add-on.
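The inventory-to-CVE matching and expiring exceptions described above, as an added example that is not TridentStack's code. The CVE ids, product names, versions, hosts, and dates are all constructed, and a plain dotted-integer version scheme is assumed.

```python
from datetime import date

# Constructed sample data: CVE ids, products, versions and hosts are placeholders.
CVE_CATALOG = [
    {"cve": "CVE-0000-0001", "product": "examplebrowser", "fixed_in": "120.0.10", "cvss": 9.8},
    {"cve": "CVE-0000-0002", "product": "exampleruntime", "fixed_in": "8.0.5", "cvss": 6.5},
]
INVENTORY = {  # endpoint -> {product: version}, as reported on a heartbeat
    "ws-01": {"examplebrowser": "120.0.9", "exampleruntime": "8.0.5"},
    "ws-02": {"examplebrowser": "119.0.3", "exampleruntime": "8.0.1"},
    "srv-01": {"examplebrowser": "120.0.10"},
}
FIRST_SEEN = {  # (endpoint, cve) -> date the finding first appeared
    ("ws-01", "CVE-0000-0001"): date(2026, 1, 5),
    ("ws-02", "CVE-0000-0001"): date(2026, 1, 12),
    ("ws-02", "CVE-0000-0002"): date(2026, 1, 12),
}
EXCEPTIONS = [
    {"endpoint": "ws-01", "cve": "CVE-0000-0001", "expires": date(2026, 1, 31)},
    {"endpoint": "ws-02", "cve": "CVE-0000-0001", "expires": date(2026, 3, 31)},
]

def ver(text):
    """Compare versions numerically; as strings, '120.0.9' sorts after '120.0.10'."""
    return tuple(int(part) for part in text.split("."))

def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"

def findings(today):
    """One record per vulnerable (endpoint, CVE) pair, with exception state and age."""
    out = []
    for host, software in sorted(INVENTORY.items()):
        for entry in CVE_CATALOG:
            installed = software.get(entry["product"])
            if installed is None or ver(installed) >= ver(entry["fixed_in"]):
                continue  # product absent or already at the fixed version
            # An exception suppresses a finding only until its expiry date.
            excepted = any(e["endpoint"] == host and e["cve"] == entry["cve"]
                           and e["expires"] >= today for e in EXCEPTIONS)
            age = (today - FIRST_SEEN[(host, entry["cve"])]).days
            out.append({"endpoint": host, "cve": entry["cve"], "excepted": excepted,
                        "severity": severity(entry["cvss"]), "age_days": age})
    return out

def critical_exposed(today):
    """Endpoints with a critical CVE that is unpatched and not under a live exception."""
    return sorted({f["endpoint"] for f in findings(today)
                   if f["severity"] == "critical" and not f["excepted"]})

if __name__ == "__main__":
    print(critical_exposed(date(2026, 2, 10)))
```

Evaluating the expiry against the current date on every run is what returns ws-01 to the exposed count once its exception lapses.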

Compliance baselines. CIS Benchmark Level 1 and Level 2, DISA STIGs for Windows, Microsoft Security Baselines, and NIST 800-53 control mapping. Each baseline produces an automated score with per-control evidence and trend tracking. When the auditor asks you for a CIS Level 1 report, you click a button. You do not stand up a separate compliance product, run a one-off scan, and reconcile the output. Compliance scoring is in the base product because compliance scoring is what most teams in regulated industries actually need from their endpoint management.

Policy management. A settings catalog with policy versioning, rollback, and enforcement verification. The platform does not require Active Directory. Endpoints can be domain-joined, workgroup, or Entra ID-joined; policy applies through the agent regardless of directory state. This was a deliberate decision. Every team I have worked with has had at least a few endpoints that are not domain-joined, and the tools that assume otherwise generate constant exception cases that consume real time.

That is the whole product. Five capabilities, one agent, one price, all included.

Why does TridentStack Control support Linux when most competitors do not?

Most endpoint management tools are Windows-first, and Linux is bolted on later if at all. TridentStack Control supports Linux on the same agent from day one because Linux fleets in SMB and mid-market are growing and underserved.

The Linux agent integrates apt and dpkg natively. It is not a Windows-first product wrapping a Linux compatibility shim. Kernel update detection, reboot orchestration with service-restart awareness, advisory feed ingestion (USN for Ubuntu, DSA for Debian), and the same ring-by-ring rollout model as Windows are all part of the same agent. If you have 80 percent Windows and 20 percent Linux, you do not need a separate tool for the Linux fleet. If you have 80 percent Linux and 20 percent Windows, the math is the same in reverse.

What this looks like operationally: you approve a kernel update for Ubuntu in the same console where you approve a Windows cumulative update. The deployment ring policy applies to both. The compliance scoring runs against both. The vulnerability dashboard shows both. The MSP tenancy model applies to both.

macOS is not supported today. It is on the 2026 roadmap, scheduled to ship this year. I would rather be honest about that than ship a half-finished macOS agent.

How does TridentStack Control work for MSPs managing multiple customers?

TridentStack Control is multi-tenant from the first agent. Each managed customer is an isolated tenant with its own policies, deployment rings, agent inventory, and reporting. MSP technicians switch between tenants from one console.

Pricing applies per tenant, on the same per-endpoint terms covered below. A small managed customer with 80 endpoints is genuinely free for an MSP to onboard, run, and bill back at whatever margin makes sense. There is no separate MSP SKU to negotiate, no minimum spend, and no per-tenant fee on top of the per-endpoint fee.

The operational pain TridentStack Control was built to solve for MSPs is the seventeen-RMM problem. Every MSP I have talked to spends a non-trivial fraction of every day logging into different customer RMMs to apply the same patch, run the same compliance scan, or write the same exception. TridentStack Control is one console, with proper tenant isolation, that does the patch and compliance work across every customer in one place.

If you have a customer that needs CIS Level 1 evidence for SOC 2 or HIPAA, and a different customer that needs DISA STIG scoring for a federal contract, the same TridentStack Control handles both. You do not stand up a separate product per customer.

What does TridentStack Control not do?

I think saying no out loud is rare in this industry, so here is the list.

TridentStack Control is not an RMM. There is no remote control session, no general-purpose script execution engine, no help desk module. If you want to remote into a user's machine to fix something, use a different tool.

TridentStack Control is not an EDR. We do not race CrowdStrike, SentinelOne, or Defender for Endpoint on threat detection, behavioral analytics, or active response. Compliance scoring is not the same job as EDR.

TridentStack Control is not a SIEM. There is no log aggregation, no correlation, no SOAR. Our agent reports state and events relevant to patch management and compliance. If you need fleet-wide log correlation, that is a different product.

TridentStack Control is not unconditionally free. The first 200 endpoints are free forever, no time limit, no feature limit. Past that there is a per-endpoint price (covered in the pricing section below). We are not the right answer if you are looking for a free 5,000-endpoint patch management tool. There is no such thing.

TridentStack Control is not on-prem. The agent is cloud-native; it requires connectivity to our platform for update metadata, vulnerability data, and reporting. If your environment is fully air-gapped, WSUS remains the right answer for Microsoft updates and a different tool entirely for everything else.

TridentStack Control is not a macOS product yet. macOS is on the 2026 roadmap. Today, Windows and Linux only.

TridentStack Control is not an AI product. We are not going to slap an "AI" label on a feature that does not earn it, and we are not going to bill you for a chatbot wrapper around our existing UI. If we eventually integrate a language model into something, it will be because the model does a job nothing else can do for the operator, and the cost stays on our side of the line. Adding an "AI" tier to your invoice for the privilege of asking our product the same questions you can already answer by clicking around it is not on the roadmap.

Naming the boundaries earns trust. People rightly do not trust products that say yes to everything.

How much does TridentStack Control cost?

Every tenant gets 200 endpoints free forever. Beyond 200, the price is five dollars per endpoint per month, with every feature included. There are no per-feature SKUs, no separate vulnerability or compliance modules, and no enterprise sales gate.

Annual billing saves about two months. Fleets at or above 500 endpoints get custom pricing because that is where the unit economics start to actually matter, and where it makes sense to talk to us directly about deployment specifics.

The math examples for a few common fleet sizes:

A 100-endpoint workstation fleet: free.

A 250-endpoint mid-market fleet: 50 paid endpoints, $250 per month.

A 500-endpoint MSP customer: 300 paid endpoints, $1,500 per month, all features.

The same 500 endpoints on Microsoft Intune Plan 1 with Defender for Endpoint Plan 2 (vulnerability management) would land near $6,600 per month at list price ($13.20 per user per month, 500 users), and that does not include the implementation overhead. If your tenant already has Microsoft 365 E3 or E5, Intune Plan 1 is included at no incremental cost, which changes that math meaningfully. The point is not that we are unconditionally cheaper. The point is that the comparison is direct and public, and you can do the math without a sales call.

We will not raise these prices in a year. There is no per-feature SKU map sitting behind the curtain waiting to be unbundled, and no add-on tier waiting to claw back the features other vendors sell separately.

What is on the TridentStack Control roadmap, and what will not ship?

Already shipping today, in production, behind the public beta:

  • Windows and Linux patch management with deployment rings
  • Third-party application updates
  • Vulnerability detection with CVSS scoring and exception management
  • CIS Benchmark Level 1 and Level 2, DISA STIG, Microsoft Security Baseline, and NIST control mapping with per-control evidence
  • Policy management without Active Directory
  • MSP multi-tenancy

Shipping in 2026:

  • macOS agent
  • Custom MSI and EXE installer support (the package authoring workflow that PDQ Deploy customers depend on)
  • Companion products: TridentStack Protect (managed security operations) and TridentStack Administer (managed IT services)

What we will not ship: an RMM module, an EDR engine, a SIEM, or an "AI" add-on whose primary purpose is to justify a price increase. Saying no in writing is part of the deal.

Why I built TridentStack Control

I have spent most of my career on the customer side of endpoint management tools. I have priced out the per-feature SKU sheets, sat through the four-week implementation kickoffs, listened to the integrator pitch about why we needed a six-month engagement to roll out a tool that was supposed to be turn-key. I have watched compliance scoring get pulled out into a separate product, then bundled back in, then pulled out again, depending on which year's licensing renegotiation we were inside.

I had two recurring frustrations.

The first was operational sprawl. Tools that are technically capable of solving the problem, but require so much surrounding infrastructure (a Windows Server VM here, an Active Directory schema extension there, a SQL Server instance, an integration partner, a per-product training course) that the actual work of patching the fleet became a small fraction of the total effort.

The second was the per-feature math. Patch management was one SKU. Vulnerability scanning was another. Compliance scoring was a third. Multi-tenant for MSPs was a flag on a fourth. Each came with its own minimums, its own implementation requirements, its own renewal cycle, and its own surprise pricing change every two or three years. The annual budget conversation became a tax accounting exercise.

The thing that finally got us to start building was realizing that the underlying capabilities are not actually that complicated. The Windows update catalog and metadata format have been stable and well-documented for years; you can build a custom applicability engine on top of them. The CVE catalog is public. The CIS Benchmarks and DISA STIGs are documented control sets. apt and dpkg work the same on every Debian-derived distribution in production. The hard part is not the technology. The hard part is the willingness to ship a single product at a single price that does all of these things together, and to keep saying no to the per-feature pricing reflex.

That is what TridentStack Control is. One product. One price. Everything I wished my tooling did when I was on the customer side, without the parts I never used and the SKUs I resented paying for.

If you are an IT director, an MSP owner, or a security and compliance lead who has spent twenty hours configuring something that should have taken twenty minutes, we built this for you.

How do I try TridentStack Control?

Sign up at control.tridentstack.com and install the agent on a single endpoint. The first heartbeat populates the dashboard within a few minutes. The product is in public beta, which currently means everything is free regardless of fleet size while we prove out the platform at scale.

There is no credit card, no sales call, no time limit on the free tier. If your fleet is unusual (federal, fully air-gapped, or extremely large), reach out before you start so we can talk through fit honestly.

For the side-by-side, see how TridentStack Control compares to WSUS, Microsoft Intune, PDQ Deploy, Tanium, and Action1.

Frequently asked questions

What is TridentStack Control?

TridentStack Control is patch management, third-party application updates, vulnerability detection, compliance scoring, and policy management for Windows and Linux endpoints. One product, one price. The first 200 endpoints are free forever, then five dollars per endpoint per month. There are no feature tiers, no per-module add-ons, and no enterprise sales gate.

What operating systems does TridentStack Control support?

Windows 10 and 11, Windows Server 2012 R2 through Windows Server 2025, and Debian-based Linux distributions including Ubuntu and Debian via native apt and dpkg integration. macOS support is on the 2026 roadmap.

Does TridentStack Control replace WSUS or Intune?

Yes for the patch management, vulnerability detection, compliance scoring, and policy parts. TridentStack Control is not an MDM, an EDR, or a SIEM, so if Intune handles your iOS, Android, or macOS device enrollment, that stays in place. WSUS was deprecated by Microsoft in September 2024, so most teams using it are looking for the next thing anyway.

How much does TridentStack Control cost?

200 endpoints free forever, then five dollars per endpoint per month. All features included: patching, third-party app updates, vulnerability detection, CIS Benchmarks, DISA STIGs, Microsoft Security Baselines, NIST mapping, and policy management. Annual billing saves about two months. Fleets above 500 endpoints get custom pricing.

Does TridentStack Control require Active Directory?

No. Endpoints can be domain-joined, workgroup, or Entra ID-joined. Policy is enforced through the agent regardless of directory state. This was a deliberate design choice: every team I have ever worked with has at least a few endpoints that are not domain-joined, and the tools that assume otherwise create constant exception cases.

Is TridentStack Control multi-tenant for MSPs?

Yes. Each managed customer is an isolated tenant with its own policies, deployment rings, and reporting. MSP technicians switch between tenants from one console. There is no extra cost for multi-tenancy and no separate MSP SKU to negotiate.

How does TridentStack Control detect vulnerabilities?

The agent reports a full software inventory on every heartbeat. TridentStack Control matches that inventory against an enriched CVE catalog with CVSS scoring, applies severity prioritization, and surfaces a fleet-wide vulnerability dashboard with exception management and expiration dates. CVE detection is part of the base product, not a separate licensed module.

What compliance frameworks does TridentStack Control support?

CIS Benchmark Level 1 and Level 2, DISA STIGs for Windows, Microsoft Security Baselines, and NIST 800-53 control mapping. Each baseline produces an automated score with per-control evidence and trend tracking. Compliance scoring is included in the base product, not a paid add-on.
