← All posts
July 13, 2026 · 5 min read

"TEE-Verified" Is Becoming Everyone's Marketing Line. Here's What It Actually Has to Prove.

Inference infrastructure has raised about $1.8 billion over the past two months. Groq closed $650 million in June to expand its inference cloud. Together AI closed $800 million in July at an $8.3 billion valuation. Modal Labs raised $355 million in May, quadrupling its valuation to $4.65 billion. Money is pouring into "who runs the model" at a pace that hasn't slowed all year.

At the same time, "verifiable privacy" is becoming the term every serious inference provider reaches for. Chutes, the TEE infrastructure ZDrive itself runs on, recently published its own case for confidential compute: prompts encrypted client-side, decrypted only inside a hardware-attested enclave, response re-encrypted before it ever leaves. That's real, and it's good for the category. It also means the phrase "TEE-verified" is about to show up on a lot of pricing pages that mean very different things by it.

So it's worth being precise about what a TEE attestation actually has to prove, and where most implementations of the idea quietly stop short.

What "Attested" Should Mean

A hardware enclave running your inference is a real security boundary. But "we run inside a TEE" and "we can prove to you, specifically, that this exact query ran inside a TEE, with this exact model, and here's a record you can check without asking us" are different claims. The first is an architecture decision. The second is a proof chain, and it has four links, each of which can be skipped:

A fresh challenge, not a cached one. If the proof you're shown is static, generated once and served to everyone, it proves the system was attested at some point in the past, not that your specific query ran inside it. A real proof starts with a nonce, a random value generated per request, so the response can't be replayed from an earlier session.

Hardware evidence, not a status page. The enclave itself (Intel TDX in ZDrive's case) has to return a cryptographic quote, and if GPU compute is involved, separate confidential-compute evidence from the GPU. A green checkmark on a dashboard is not hardware evidence. A signed quote is.

A hash of what's actually running, not a claim about what's supposed to be running. The quote should let you compute a hash that corresponds to the specific binary executing inside the enclave. That's the difference between "trust us, it's the TEE build" and "here's the cryptographic fingerprint of the exact code that processed your prompt."

A record that exists after the response does. This is the link almost everyone skips, because it's the one with no reason to build unless permanence is the whole point of your product. If the proof only exists in a UI panel during the session, closing the tab destroys the only evidence the query was ever attested. A real proof survives the session, and ideally survives the vendor.

How ZDrive's Attestation Actually Works

Every ZDrive query with attestation enabled generates a fresh 64-character random nonce. That nonce goes to Chutes' TDX-backed inference cluster along with the request. Chutes returns hardware evidence: an Intel TDX quote proving the enclave itself is genuine, and, where GPU compute is involved, separate confidential-compute evidence from the GPU (Blackwell or Hopper architecture, run in CC mode).

ZDrive takes that quote and computes a SHA-256 hash of it: a fixed-length fingerprint that changes completely if a single byte of what's running inside the enclave changes. That hash, along with the instance count and verification status, is what powers the attestation panel you see per query.

Then it goes one step further than the session. The attestation record is written to Arweave, permanently, the same storage layer ZDrive uses for vault data. Not cached for 24 hours and discarded. Not held in a database ZDrive could edit or delete later. A public, permanent, independently checkable record that a specific query, with a specific nonce, produced a specific hardware quote, at a specific time.

Why the Last Link Is the One That Matters

Everything up to the permanent record is good infrastructure. It's also infrastructure any well-funded provider can build, and several now are. What a live attestation panel can't do is outlive the company that built it. If the provider shuts down, gets acquired, or just quietly stops showing the panel, every proof it ever generated goes with it. You were never wrong to trust the attestation while it existed. You just can't point to it anymore.

That's the gap between "we run inside a TEE" and a receipt. ZDrive's attestation isn't just proof that a query was private when it happened. It's a permanent, third-party record that stays checkable years later, by anyone, without ZDrive's cooperation. As TEE-based inference becomes the table-stakes claim the current funding cycle is pushing every provider toward, that's the part worth asking about before you trust the badge: not "is it attested," but "will the proof still exist when you need it?"

Try It

Every inference query on ZDrive can be checked against its own attestation record, permanently, on Arweave. Start at zdrive.io.

10 free queries. No account needed. Connect a wallet for 25/day.

Try ZDrive free →