Show HN: Endpoint State Policy – Policy as Data (github.com/scanset)
2 points by scanset 47 days ago | 1 comment
Endpoint State Policy (ESP) is a policy-as-data system that keeps policy intent separate from execution.

Policies define desired state and evidence as structured data, not scripts. They’re compiled into constrained contracts that execution engines must follow, producing attestations instead of free-form output.

The contract model limits what execution can do, preventing policy logic from turning into ad-hoc tooling, while allowing the same policy to run across different environments and backends.

ESP focuses on portable intent, constrained execution, and verifiable outcomes — not embedding policy into tools.

More context: ESP was built explicitly as a replacement for SCAP/XCCDF-style policy systems, which tightly couple intent, checks, and tooling. That coupling makes reuse, extension, and continuous verification hard.

ESP treats policy as data and compiles it into constrained contracts. Those contracts can be mapped to external frameworks (NIST 800-53/171, CIS, MITRE ATT&CK, etc.) without embedding framework logic into execution. The mapping lives at the policy layer; execution stays generic.

Its strength is in Zero Trust–style architectures: policies define what state is allowed, execution verifies it continuously, and evidence is emitted as attestations rather than one-off reports. That makes it easier to reason about drift, enforcement, and trust boundaries over time.

It’s not a scanner replacement by itself — it’s a substrate for expressing and enforcing policy intent consistently across environments.
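The pipeline the post and the follow-up comment describe, sketched as a constructed illustration (not ESP's own schema or code): policy as data is compiled into a contract that admits only a declared evidence kind, a generic engine performs just that check, and the output is an attestation rather than free-form output, while framework mappings stay at the policy layer. The policy fields, the sample sshd_config content and the mapping entries are assumptions made for this example.

```python
import hashlib
import json

# Constructed model of a policy-as-data pipeline; not ESP's real schema.
ALLOWED_EVIDENCE = {"config_key"}  # the contract model admits only declared evidence kinds

POLICY = {  # constructed policy: desired state and evidence as data, no script
    "id": "ssh-permit-root-login",
    "desired_state": {"path": "/etc/ssh/sshd_config",
                      "key": "PermitRootLogin", "value": "no"},
    "evidence": {"kind": "config_key"},
    # mapping lives here, at the policy layer; values are illustrative placeholders
    "mappings": {"NIST-800-53": ["AC-6"], "CIS": ["<benchmark-id placeholder>"]},
}

def compile_contract(policy):
    """Turn policy data into a constrained contract and refuse anything an
    engine could treat as free-form execution (e.g. a shell command)."""
    kind = policy["evidence"]["kind"]
    if kind not in ALLOWED_EVIDENCE:
        raise ValueError(f"evidence kind {kind!r} not permitted by contract model")
    contract = {"policy_id": policy["id"], "check": kind,
                "expect": policy["desired_state"]}
    # digest lets an attestation be tied back to the exact contract that produced it
    contract["digest"] = hashlib.sha256(
        json.dumps(contract, sort_keys=True).encode()).hexdigest()
    return contract  # framework mappings deliberately do not enter the contract

def execute(contract, files):
    """Generic engine: performs only the check the contract names and emits an
    attestation. `files` is a constructed host state mapping path -> content."""
    exp = contract["expect"]
    observed = None
    for line in files.get(exp["path"], "").splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == exp["key"]:
            observed = parts[1]  # first uncommented match wins, as sshd does
            break
    return {"policy_id": contract["policy_id"],
            "contract_digest": contract["digest"],
            "observed": observed,
            "result": "pass" if observed == exp["value"] else "fail"}
```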