stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

up

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-14 23:20:14 +02:00
parent 3411e825cd
commit b058dbe031
356 changed files with 68310 additions and 1108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

117
docs/market/competitive-landscape.md
View File

@@ -1,45 +1,74 @@
# Competitive Landscape (Nov 2025)
Source: internal advisory 23-Nov-2025 - Stella Ops vs Competitors. Supersedes/extends prior competitive notes (none published); treat this as canonical until a newer dated advisory arrives. This summary distils the 15-vendor comparison into actionable positioning notes and links back to the full matrix for sales/PMM.
Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/extends prior competitive notes (none published); treat this as canonical until a newer dated advisory arrives. This summary distils the 15-vendor comparison into actionable positioning notes and links back to the full matrix for sales/PMM.
## StellaOps moats (why we win)
- **Deterministic replay:** feed+rules snapshotting; graph/SBOM/VEX re-run bit-for-bit with manifest hashes.
- **Hybrid reachability attestations:** graph-level DSSE always; optional edge-bundle DSSE for runtime/init/contested edges; Rekor-backed with publish caps.
- **Lattice-based VEX engine:** merges advisories, runtime hits, reachability, waivers with explainable paths.
- **Crypto sovereignty:** FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors as first-class knobs.
- **Proof graph:** DSSE + transparency across SBOM, call-graph, VEX, replay manifests.
---
## Verification Metadata
| Field | Value |
|-------|-------|
| **Last Updated** | 2025-12-14 |
| **Last Verified** | 2025-12-14 |
| **Next Review** | 2026-03-14 |
| **Claims Index** | [`docs/market/claims-citation-index.md`](claims-citation-index.md) |
| **Verification Method** | Source code audit (OSS), documentation review, feature testing |
**Confidence Levels:**
- **High (80-100%)**: Verified against source code or authoritative documentation
- **Medium (50-80%)**: Based on documentation or limited testing; needs deeper verification
- **Low (<50%)**: Unverified or based on indirect evidence; requires validation
---
## Stella Ops moats (why we win)
| Moat | Description | Claim IDs | Confidence |
|------|-------------|-----------|------------|
| **Deterministic replay** | Feed+rules snapshotting; graph/SBOM/VEX re-run bit-for-bit with manifest hashes | DET-001, DET-002, DET-003 | High |
| **Hybrid reachability attestations** | Graph-level DSSE always; optional edge-bundle DSSE for runtime/init/contested edges; Rekor-backed | REACH-001, REACH-002, ATT-001, ATT-002 | High |
| **Lattice-based VEX engine** | Merges advisories, runtime hits, reachability, waivers with explainable paths | VEX-001, VEX-002, VEX-003 | High |
| **Crypto sovereignty** | FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors as first-class knobs | ATT-004 | Medium |
| **Proof graph** | DSSE + transparency across SBOM, call-graph, VEX, replay manifests | ATT-001, ATT-002, ATT-003 | High |
## Top takeaways (sales-ready)
1. No competitor offers deterministic replay with frozen feeds; we do.
2. None sign reachability graphs; we sign graphs and (optionally) edges.
3. Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to StellaOps.
4. Lattice VEX + explainable paths is unmatched; others ship boolean VEX or none at all.
5. Offline/air-gap readiness with mirrored transparency is rare; we ship it by default.
| # | Claim | Claim IDs | Confidence |
|---|-------|-----------|------------|
| 1 | No competitor offers deterministic replay with frozen feeds; we do | DET-003 | High |
| 2 | None sign reachability graphs; we sign graphs and (optionally) edges | REACH-002 | High |
| 3 | Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to Stella Ops | ATT-004 | Medium |
| 4 | Lattice VEX + explainable paths is unmatched; others ship boolean VEX or none at all | VEX-001, COMP-TRIVY-001, COMP-GRYPE-002 | High |
| 5 | Offline/air-gap readiness with mirrored transparency is rare; we ship it by default | OFF-001, OFF-004 | High |
## Where others fall short (high level)
- **No deterministic replay:** none of the 15 provide hash-stable, replayable scans with frozen feeds.
- **No lattice/VEX merge:** VEX is absent or bolt-on; no trust algebra elsewhere.
- **Attestation gaps:** most rely on Cosign-only or have no DSSE/Rekor story; none sign reachability graphs.
- **Offline/sovereign:** weak or SaaS-only; no regional crypto options.
| Gap | Description | Related Claims | Verified |
|-----|-------------|----------------|----------|
| **No deterministic replay** | None of the 15 provide hash-stable, replayable scans with frozen feeds | DET-003, COMP-TRIVY-002, COMP-GRYPE-001, COMP-SNYK-001 | 2025-12-14 |
| **No lattice/VEX merge** | VEX is absent or bolt-on; no trust algebra elsewhere | COMP-TRIVY-001, COMP-GRYPE-002 | 2025-12-14 |
| **Attestation gaps** | Most rely on Cosign-only or have no DSSE/Rekor story; none sign reachability graphs | COMP-GRYPE-001, REACH-002 | 2025-12-14 |
| **Offline/sovereign** | Weak or SaaS-only; no regional crypto options | COMP-SNYK-003, ATT-004 | 2025-12-14 |
## Snapshot table (condensed)
| Vendor | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor | Offline | Primary gaps vs Stella |
| ------------------- | -------- | ----------- | ------------- | ----- | ------- | ---------------------- |
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice |
| Syft/Grype | Yes | Yes | Cosign-only | Indir | Medium | No replay, no lattice |
| Snyk | Yes | Limited | No | No | Weak | No attest/VEX/replay |
| Prisma | Yes | Limited | No | No | Strong | No attest/replay |
| AWS (Inspector/Signer)| Partial| Partial | Notary v2 | No | Weak | Closed, no replay |
| Google | Yes | Yes | Yes | Opt | Weak | No offline/lattice |
| GitHub | Yes | Partial | Yes | Yes | No | No replay/crypto opts |
| GitLab | Yes | Limited | Partial | No | Medium | No replay/lattice |
| Microsoft Defender | Partial | Partial | No | No | Weak | No attest/reachability |
| Anchore Enterprise | Yes | Yes | Some | No | Good | No sovereign crypto |
| JFrog Xray | Yes | Yes | No | No | Medium | No attest/lattice |
| Tenable | Partial | Limited | No | No | Weak | Not SBOM/VEX-focused |
| Qualys | Limited | Limited | No | No | Medium | No attest/lattice |
| Rezilion | Yes | Yes | No | No | Medium | Runtime-only; no DSSE |
| Chainguard | Yes | Yes | Yes | Yes | Medium | No replay/lattice |
| Vendor | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor | Offline | Primary gaps vs Stella | Related Claims |
|--------|----------|-------------|---------------|-------|---------|------------------------|----------------|
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice | COMP-TRIVY-001, COMP-TRIVY-002, COMP-TRIVY-003 |
| Syft/Grype | Yes | Yes | Cosign-only | Indir | Medium | No replay, no lattice | COMP-GRYPE-001, COMP-GRYPE-002, COMP-GRYPE-003 |
| Snyk | Yes | Limited | No | No | Weak | No attest/VEX/replay | COMP-SNYK-001, COMP-SNYK-002, COMP-SNYK-003 |
| Prisma | Yes | Limited | No | No | Strong | No attest/replay | |
| AWS (Inspector/Signer) | Partial | Partial | Notary v2 | No | Weak | Closed, no replay | |
| Google | Yes | Yes | Yes | Opt | Weak | No offline/lattice | |
| GitHub | Yes | Partial | Yes | Yes | No | No replay/crypto opts | |
| GitLab | Yes | Limited | Partial | No | Medium | No replay/lattice | |
| Microsoft Defender | Partial | Partial | No | No | Weak | No attest/reachability | |
| Anchore Enterprise | Yes | Yes | Some | No | Good | No sovereign crypto | |
| JFrog Xray | Yes | Yes | No | No | Medium | No attest/lattice | |
| Tenable | Partial | Limited | No | No | Weak | Not SBOM/VEX-focused | |
| Qualys | Limited | Limited | No | No | Medium | No attest/lattice | |
| Rezilion | Yes | Yes | No | No | Medium | Runtime-only; no DSSE | |
| Chainguard | Yes | Yes | Yes | Yes | Medium | No replay/lattice | |
## How to use this doc
- Sales/PMM: pull talking points and the gap list when building battlecards.
@@ -51,26 +80,27 @@ Source: internal advisory “23-Nov-2025 - Stella Ops vs Competitors”. Superse
- Architecture: `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Reachability moat details: `docs/reachability/lead.md`
- Source advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
- **Claims Citation Index**: [`docs/market/claims-citation-index.md`](claims-citation-index.md)
---
## Battlecard Appendix (snippet-ready)
**One-liners**
- *Replay or its noise:* Only StellaOps can re-run a scan bit-for-bit from frozen feeds.
- *Signed reachability, not guesses:* Graph DSSE always; optional edge DSSE for runtime/init edges.
- *Sovereign-first:* FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors are first-class toggles.
- *Trust algebra:* Lattice VEX merges advisories, reachability, runtime, waivers with explainable paths.
- *Replay or it's noise:* Only Stella Ops can re-run a scan bit-for-bit from frozen feeds. [DET-003]
- *Signed reachability, not guesses:* Graph DSSE always; optional edge DSSE for runtime/init edges. [REACH-002]
- *Sovereign-first:* FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors are first-class toggles. [ATT-004]
- *Trust algebra:* Lattice VEX merges advisories, reachability, runtime, waivers with explainable paths. [VEX-001]
**Proof points**
- Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional).
- Hybrid reachability: graph-level attestations plus capped edge-bundle attestations to avoid Rekor flood.
- Offline: transparency mirrors + sealed bundles keep verification working air-gapped.
- Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional). [DET-001, DET-002]
- Hybrid reachability: graph-level attestations plus capped edge-bundle attestations to avoid Rekor flood. [REACH-001, REACH-002]
- Offline: transparency mirrors + sealed bundles keep verification working air-gapped. [OFF-001, OFF-003, OFF-004]
**Objection handlers**
- “We already sign SBOMs.” → Do you sign call-graphs and VEX? Do you replay scans bit-for-bit? We do.
- Cosign/Rekor is enough.” → Without deterministic manifests + reachability proofs, you cant audit why a vuln was reachable.
- “Our runtime traces show reachability.” → We combine runtime hits with signed static graphs and VEX lattice; evidence is replayable and quarantinable edge-by-edge.
- "We already sign SBOMs." Do you sign call-graphs and VEX? Do you replay scans bit-for-bit? We do. [DET-001, REACH-002]
- "Cosign/Rekor is enough." Without deterministic manifests + reachability proofs, you can't audit why a vuln was reachable. [DET-003]
- "Our runtime traces show reachability." We combine runtime hits with signed static graphs and VEX lattice; evidence is replayable and quarantinable edge-by-edge. [REACH-001, VEX-002]
**CTA for reps**
- Demo: show `stella graph verify --graph <hash>` with and without edge-bundle verification.
@@ -78,3 +108,4 @@ Source: internal advisory “23-Nov-2025 - Stella Ops vs Competitors”. Superse
## Sources
- Full advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
- Claims Citation Index: `docs/market/claims-citation-index.md`