stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

save progress

Browse Source
This commit is contained in:
StellaOps Bot
2026-01-03 12:41:57 +02:00
parent 83c37243e0
commit d486d41a48
48 changed files with 7174 additions and 1086 deletions
Download Patch File Download Diff File Expand all files Collapse all files

149
docs/market/competitive-landscape.md
View File

@@ -1,6 +1,8 @@
# Competitive Landscape (Nov 2025)
# Competitive Landscape
Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/extends prior competitive notes (none published); treat this as canonical until a newer dated advisory arrives. This summary distils the 15-vendor comparison into actionable positioning notes and links back to the full matrix for sales/PMM.
> **TL;DR:** Stella Ops isn't a scanner that outputs findings. It's a platform that outputs **attestable decisions that can be replayed**. That difference survives auditors, regulators, and supply-chain propagation.
Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors", updated Jan 2026. This summary distils a 15-vendor comparison into actionable positioning notes for sales/PMM and engineering prioritization.
---
@@ -8,7 +10,7 @@ Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/
| Field | Value |
|-------|-------|
| **Last Updated** | 2025-12-14 |
| **Last Updated** | 2026-01-03 |
| **Last Verified** | 2025-12-14 |
| **Next Review** | 2026-03-14 |
| **Claims Index** | [`docs/market/claims-citation-index.md`](claims-citation-index.md) |
@@ -21,6 +23,32 @@ Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/
---
## Why Competitors Plateau (Structural Analysis)
The scanner market evolved from three distinct origins. Each origin created architectural assumptions that make Stella Ops' capabilities structurally difficult to retrofit.
| Origin | Representatives | What They Optimized For | Why They Can't Easily Catch Up |
|--------|----------------|------------------------|-------------------------------|
| **Package Scanners** | Trivy, Syft/Grype | Fast CLI, broad ecosystem coverage | No forensic reproducibility in architecture; VEX is boolean, not lattice; no DSSE for reachability graphs |
| **Developer UX** | Snyk | IDE integration, fix PRs, onboarding | SaaS-only (offline impossible); no attestation infrastructure; reachability limited to specific languages |
| **Policy/Compliance** | Prisma Cloud, Aqua | Runtime protection, CNAPP breadth | No deterministic replay; no cryptographic provenance for verdicts; no semantic diff |
| **SBOM Operations** | Anchore | SBOM storage, lifecycle | No lattice VEX reasoning; no signed reachability graphs; no regional crypto profiles |
### The Core Problem
**Scanners output findings. Stella Ops outputs decisions.**
A finding says "CVE-2024-1234 exists in this package." A decision says "CVE-2024-1234 is reachable via this call path, vendor VEX says not_affected but our runtime disagrees, creating a conflict that policy must resolve, and here's the signed proof chain."
This isn't a feature gapit's a category difference. Retrofitting it requires:
- Rearchitecting the evidence model (content-addressed, not row-based)
- Adding lattice logic to VEX handling (not just filtering)
- Instrumenting reachability at three layers (static, binary, runtime)
- Building deterministic replay infrastructure (frozen feeds, manifests, seeds)
- Implementing regional crypto profiles (not just "signing")
---
## Stella Ops moats (why we win)
| Moat | Description | Claim IDs | Confidence |
@@ -33,22 +61,50 @@ Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/
## Top takeaways (sales-ready)
| # | Claim | Claim IDs | Confidence |
|---|-------|-----------|------------|
| 1 | No competitor offers deterministic replay with frozen feeds; we do | DET-003 | High |
| 2 | None sign reachability graphs; we sign graphs and (optionally) edges | REACH-002 | High |
| 3 | Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to Stella Ops | ATT-004 | Medium |
| 4 | Lattice VEX + explainable paths is unmatched; others ship boolean VEX or none at all | VEX-001, COMP-TRIVY-001, COMP-GRYPE-002 | High |
| 5 | Offline/air-gap readiness with mirrored transparency is rare; we ship it by default | OFF-001, OFF-004 | High |
### The Five One-Liners
## Where others fall short (high level)
| # | One-Liner | What It Means | Claim IDs |
|---|-----------|---------------|-----------|
| 1 | "We don't output findings; we output attestable decisions that can be replayed." | Given identical inputs, Stella produces identical outputs. Any verdict from 6 months ago can be re-verified today with `stella replay srm.yaml`. | DET-001, DET-003 |
| 2 | "We treat VEX as a logical claim system, not a suppression file." | K4 lattice logic aggregates multiple VEX sources, detects conflicts, and produces explainable dispositions with proof links. | VEX-001, VEX-002 |
| 3 | "We provide proof of exploitability in *this* artifact, not just a badge." | Three-layer reachability (static graph + binary + runtime) with DSSE-signed call paths. Not "potentially reachable" but "here's the exact path." | REACH-001, REACH-002 |
| 4 | "We explain what changed in exploitable surface area, not what changed in CVE count." | Smart-Diff outputs "This release reduces exploitability by 41% despite +2 CVEs" semantic risk deltas, not raw numbers. | |
| 5 | "We quantify uncertainty and gate on it." | Unknowns are first-class state with bands (HOT/WARM/COLD), decay algorithms, and policy budgets. Uncertainty is risk; we surface and score it. | UNKNOWNS-001, UNKNOWNS-002 |
| Gap | Description | Related Claims | Verified |
|-----|-------------|----------------|----------|
| **No deterministic replay** | None of the 15 provide hash-stable, replayable scans with frozen feeds | DET-003, COMP-TRIVY-002, COMP-GRYPE-001, COMP-SNYK-001 | 2025-12-14 |
| **No lattice/VEX merge** | VEX is absent or bolt-on; no trust algebra elsewhere | COMP-TRIVY-001, COMP-GRYPE-002 | 2025-12-14 |
| **Attestation gaps** | Most rely on Cosign-only or have no DSSE/Rekor story; none sign reachability graphs | COMP-GRYPE-001, REACH-002 | 2025-12-14 |
| **Offline/sovereign** | Weak or SaaS-only; no regional crypto options | COMP-SNYK-003, ATT-004 | 2025-12-14 |
### Verified Gaps (High Confidence)
| # | Gap | Evidence | Claim IDs |
|---|-----|----------|-----------|
| 1 | No competitor offers deterministic replay with frozen feeds | Source audit: Trivy v0.55, Grype v0.80, Snyk CLI v1.1292 | DET-003 |
| 2 | None sign reachability graphs; we sign graphs and (optionally) edge bundles | Feature matrix analysis | REACH-002 |
| 3 | Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to Stella Ops | Architecture review | ATT-004 |
| 4 | Lattice VEX with conflict detection is unmatched; others ship boolean VEX or none | Trivy pkg/vex source; Grype VEX implementation | VEX-001, COMP-TRIVY-001, COMP-GRYPE-002 |
| 5 | Offline/air-gap with mirrored transparency is rare; we ship it by default | Documentation and feature testing | OFF-001, OFF-004 |
## Where others fall short (detailed)
### Capability Gap Matrix
| Capability | Trivy | Grype | Snyk | Prisma | Aqua | Anchore | Stella Ops |
|-----------|-------|-------|------|--------|------|---------|------------|
| **Deterministic replay** | No | No | No | No | No | No | Yes |
| **VEX lattice (K4 logic)** | Boolean only | Boolean only | None | None | Limited | Limited | Full K4 |
| **Signed reachability graphs** | No | No | No | No | No | No | Yes (DSSE) |
| **Binary-level backport detection** | No | No | No | No | No | No | Tier 1-4 |
| **Semantic risk diff** | No | No | No | No | No | No | Yes |
| **Unknowns as state** | Hidden | Hidden | Hidden | Hidden | Hidden | Hidden | First-class |
| **Regional crypto (GOST/SM)** | No | No | No | No | No | No | Yes |
| **Offline parity** | Medium | Medium | No | Strong | Medium | Good | Full |
### Specific Gaps by Competitor
| Gap | What This Means | Related Claims | Verified |
|-----|-----------------|----------------|----------|
| **No deterministic replay** | A scan from last month cannot be re-run to produce identical results. Feed drift, analyzer changes, and non-deterministic ordering break reproducibility. Auditors cannot verify past decisions. | DET-003, COMP-TRIVY-002, COMP-GRYPE-001, COMP-SNYK-001 | 2025-12-14 |
| **No lattice/VEX merge** | VEX is either absent or treated as a suppression filter. When vendor says "not_affected" but runtime shows the function was called, these tools can't represent the conflictthey pick one or the other. | COMP-TRIVY-001, COMP-GRYPE-002 | 2025-12-14 |
| **No signed reachability** | Reachability claims are assertions, not proofs. There's no cryptographic binding between "this CVE is reachable" and the call path that proves it. | COMP-GRYPE-001, REACH-002 | 2025-12-14 |
| **No semantic diff** | Tools report "+3 CVEs" without context. They can't say "exploitable surface decreased despite new CVEs" because they don't track reachability deltas. | | 2025-12-14 |
| **Offline/sovereign gaps** | Snyk is SaaS-only. Others have partial offline support but no regional crypto (GOST, SM2, eIDAS) and no sealed knowledge snapshots for air-gapped reproducibility. | COMP-SNYK-003, ATT-004 | 2025-12-14 |
## Snapshot table (condensed)
@@ -86,25 +142,52 @@ Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/
## Battlecard Appendix (snippet-ready)
**One-liners**
- *Replay or it's noise:* Only Stella Ops can re-run a scan bit-for-bit from frozen feeds. [DET-003]
- *Signed reachability, not guesses:* Graph DSSE always; optional edge DSSE for runtime/init edges. [REACH-002]
- *Sovereign-first:* FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors are first-class toggles. [ATT-004]
- *Trust algebra:* Lattice VEX merges advisories, reachability, runtime, waivers with explainable paths. [VEX-001]
### Elevator Pitches (by Audience)
**Proof points**
- Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional). [DET-001, DET-002]
- Hybrid reachability: graph-level attestations plus capped edge-bundle attestations to avoid Rekor flood. [REACH-001, REACH-002]
- Offline: transparency mirrors + sealed bundles keep verification working air-gapped. [OFF-001, OFF-003, OFF-004]
| Audience | Pitch |
|----------|-------|
| **CISO/Security Leader** | "Stella Ops turns vulnerability noise into auditable decisions. Every verdict is signed, replayable, and proves *why* something is or isn't exploitable." |
| **Compliance/Audit** | "Unlike scanners that output findings, we output decisions with proof chains. Six months from now, you can replay any verdict bit-for-bit to prove what you knew and when." |
| **DevSecOps Engineer** | "Tired of triaging the same CVE across 50 images? Stella deduplicates by root cause, shows reachability proofs, and explains exactly what to fix and why." |
| **Air-gap/Regulated** | "Full offline parity with regional crypto (FIPS/GOST/SM/eIDAS). Sealed knowledge snapshots ensure your air-gapped environment produces identical results to connected." |
**Objection handlers**
- "We already sign SBOMs." Do you sign call-graphs and VEX? Do you replay scans bit-for-bit? We do. [DET-001, REACH-002]
- "Cosign/Rekor is enough." Without deterministic manifests + reachability proofs, you can't audit why a vuln was reachable. [DET-003]
- "Our runtime traces show reachability." We combine runtime hits with signed static graphs and VEX lattice; evidence is replayable and quarantinable edge-by-edge. [REACH-001, VEX-002]
### One-Liners with Proof Points
**CTA for reps**
- Demo: show `stella graph verify --graph <hash>` with and without edge-bundle verification.
- Leave-behind: link `docs/reachability/lead.md` and this appendix.
| One-Liner | Proof Point | Claims |
|-----------|-------------|--------|
| *Replay or it's noise* | `stella replay srm.yaml --assert-digest <sha>` reproduces any past scan bit-for-bit | DET-001, DET-003 |
| *Signed reachability, not guesses* | Graph-level DSSE always; edge-bundle DSSE for contested paths; Rekor-backed | REACH-001, REACH-002 |
| *Sovereign-first* | FIPS/eIDAS/GOST/SM/PQC profiles as config; multi-sig with regional roots | ATT-004 |
| *Trust algebra, not suppression files* | K4 lattice merges advisories, runtime, reachability, waivers; conflicts are explicit state | VEX-001, VEX-002 |
| *Semantic risk deltas* | "Exploitability dropped 41% despite +2 CVEs" not just CVE counts | |
### Objection Handlers
| Objection | Response | Supporting Claims |
|-----------|----------|-------------------|
| "We already sign SBOMs." | Great start. But do you sign call-graphs and VEX decisions? Can you replay a scan from 6 months ago and get identical results? We do both. | DET-001, REACH-002 |
| "Cosign/Rekor is enough." | Cosign signs artifacts. We sign *decisions*. Without deterministic manifests and reachability proofs, you can sign findings but can't audit *why* a vuln was reachable. | DET-003, REACH-002 |
| "Our runtime traces show reachability." | Runtime is one signal. We fuse it with static call graphs and VEX lattice into a signed, replayable verdict. You can quarantine or dispute individual edges, not just all-or-nothing. | REACH-001, VEX-002 |
| "Snyk does reachability." | Snyk's reachability is language-limited (Java, JavaScript), SaaS-only, and unsigned. We support 6+ languages, work offline, and sign every call path with DSSE. | COMP-SNYK-002, COMP-SNYK-003, REACH-002 |
| "We use Trivy and it's free." | Trivy is excellent for broad coverage. We're for organizations that need audit-grade reproducibility, VEX reasoning, and signed proofs. Different use cases. | COMP-TRIVY-001, COMP-TRIVY-002 |
| "Can't you just add this to Trivy?" | Trivy's architecture assumes findings, not decisions. Retrofitting deterministic replay, lattice VEX, and proof chains would require fundamental rearchitecturenot just features. | |
### Demo Scenarios
| Scenario | What to Show | Command |
|----------|-------------|---------|
| **Determinism** | Run scan twice, show identical digests | `stella scan --image <img> --srm-out a.yaml && stella scan --image <img> --srm-out b.yaml && diff a.yaml b.yaml` |
| **Replay** | Replay a week-old scan, verify identical output | `stella replay srm.yaml --assert-digest <sha>` |
| **Reachability proof** | Show signed call path from entrypoint to vulnerable symbol | `stella graph show --cve CVE-XXXX-YYYY --artifact <digest>` |
| **VEX conflict** | Show lattice handling vendor vs runtime disagreement | Trust Algebra Studio UI or `stella vex evaluate --artifact <digest>` |
| **Offline parity** | Import sealed bundle, scan, compare to online result | `stella rootpack import bundle.tar.gz && stella scan --offline ...` |
### Leave-Behind Materials
- **Reachability deep-dive:** `docs/reachability/lead.md`
- **Competitive landscape:** This document
- **Proof architecture:** `docs/modules/platform/proof-driven-moats-architecture.md`
- **Key features:** `docs/key-features.md`
## Sources
- Full advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`

177
docs/market/moat-strategy-summary.md
View File

@@ -1,71 +1,162 @@
# StellaOps Moat Strategy Summary
**Date**: 2025-12-20
**Source**: Product Advisories (19-Dec-2025 Moat Series)
**Date**: 2026-01-03
**Source**: Product Advisories (19-Dec-2025 Moat Series), Competitive Analysis (Jan 2026)
**Status**: DOCUMENTED
---
## Executive Summary
StellaOps competitive moats are built on **decision integrity** - deterministic, attestable, replayable security verdicts - not just scanner features.
> **Core Thesis:** Stella Ops isn't a scanner that outputs findings. It's a platform that outputs **attestable decisions that can be replayed**.
StellaOps competitive moats are built on **decision integrity**—deterministic, attestable, replayable security verdicts—not just scanner features. This is a category difference, not a feature gap.
### The Category Shift
| Traditional Scanners | Stella Ops |
|---------------------|------------|
| Output findings | Output decisions |
| VEX as suppression | VEX as logical claims |
| Reachability as badge | Reachability as proof |
| CVE counts | Semantic risk deltas |
| Hide unknowns | Surface and score unknowns |
| Online-first | Offline-first with parity |
## Moat Strength Rankings
| Moat Level | Feature | Defensibility |
|------------|---------|---------------|
| **5 (Structural)** | Signed, replayable risk verdicts | Highest - requires deterministic eval + proof schema + knowledge snapshots |
| **4 (Strong)** | VEX decisioning engine | Formal conflict resolution, provenance-aware trust weighting |
| **4 (Strong)** | Reachability with proofs | Portable proofs, artifact-level mapping, deterministic replay |
| **4 (Strong)** | Smart-Diff (semantic risk delta) | Graph-based diff over SBOM + reachability + VEX |
| **4 (Strong)** | Unknowns as first-class state | Uncertainty budgets in policies, scoring, attestations |
| **4 (Strong)** | Air-gapped epistemic mode | Sealed knowledge snapshots, offline reproducibility |
| **3 (Moderate)** | SBOM ledger + lineage | Table stakes; differentiate via semantic diff + evidence joins |
| **3 (Moderate)** | Policy engine with proofs | Common; moat is proof output + deterministic replay |
| **1-2 (Commodity)** | Integrations everywhere | Necessary but not defensible |
### Understanding the Scale
| Level | Definition | Defensibility |
|-------|------------|---------------|
| **5** | Structural moat | New primitives, strong defensibility, durable switching cost. Requires fundamental rearchitecture to replicate. |
| **4** | Strong moat | Difficult multi-domain engineering. Incumbents have partial analogs but retrofitting is expensive. |
| **3** | Moderate moat | Others can build. Differentiation is execution + packaging. |
| **2** | Weak moat | Table-stakes soon. Limited defensibility. |
| **1** | Commodity | Widely available in OSS or easy to replicate. |
### Ranked Capabilities
| Level | Capability | Why It's Defensible | Module(s) | Status |
|-------|-----------|---------------------|-----------|--------|
| **5** | Signed, replayable risk verdicts | Requires deterministic eval + proof schema + knowledge snapshots + frozen feeds. No competitor has this architecture. | `Attestor`, `ReplayVerifier`, `Scanner` | Implemented |
| **4** | VEX decisioning (K4 lattice) | Formal conflict resolution using Belnap logic. Requires rethinking VEX from suppression to claims. | `VexLens`, `TrustLatticeEngine`, `Excititor` | Implemented |
| **4** | Reachability with proofs | Three-layer (static + binary + runtime) with DSSE-signed call paths. Not "potentially reachable" but "here's the proof." | `ReachGraph`, `Scanner.VulnSurfaces`, `PathWitnessBuilder` | Implemented |
| **4** | Smart-Diff (semantic risk delta) | Graph-based diff over reachability + VEX. Outputs meaning ("exploitability dropped 41%"), not numbers ("+3 CVEs"). | `MaterialRiskChangeDetector`, `Scanner.ReachabilityDrift` | Implemented |
| **4** | Unknowns as first-class state | Uncertainty budgets, bands (HOT/WARM/COLD), decay algorithms, policy gates. | `Policy`, `Signals`, `UnknownStateLedger` | Implemented |
| **4** | Air-gapped epistemic mode | Sealed knowledge snapshots, offline reproducibility, regional crypto (GOST/SM/eIDAS). | `AirGap.Controller`, `CryptoProfile`, `RootPack` | Implemented |
| **3** | SBOM ledger + lineage | Table stakes; differentiated via semantic diff + evidence joins + deterministic generation. | `SbomService`, `BinaryIndex` | Implemented |
| **3** | Policy engine with proofs | Common; moat is proof output + deterministic replay + K4 integration. | `Policy`, `TrustLatticeEngine` | Implemented |
| **1-2** | Integrations | Necessary but not defensible. Anyone can build CI/CD plugins. | Various | Ongoing |
## Core Moat Thesis (One-Liners)
- **Deterministic signed verdicts:** "We don't output findings; we output an attestable decision that can be replayed."
- **VEX decisioning:** "We treat VEX as a logical claim system, not a suppression file."
- **Reachability proofs:** "We provide proof of exploitability in *this* artifact, not just a badge."
- **Smart-Diff:** "We explain what changed in exploitable surface area, not what changed in CVE count."
- **Unknowns modeling:** "We quantify uncertainty and gate on it."
Use these in sales conversations, marketing materials, and internal alignment.
| Capability | One-Liner | What It Actually Means |
|-----------|-----------|------------------------|
| **Deterministic verdicts** | "We don't output findings; we output attestable decisions that can be replayed." | Given identical inputs, Stella produces identical outputs. `stella replay srm.yaml` reproduces any past scan bit-for-bit. |
| **VEX decisioning** | "We treat VEX as a logical claim system, not a suppression file." | K4 lattice (Unknown/True/False/Conflict) aggregates multiple VEX sources. Conflicts are explicit state, not hidden. |
| **Reachability proofs** | "We provide proof of exploitability in *this* artifact, not just a badge." | Three-layer reachability with DSSE-signed call paths. Not "potentially reachable" but "here's the exact path from entrypoint to vuln." |
| **Smart-Diff** | "We explain what changed in exploitable surface area, not what changed in CVE count." | Output: "Exploitability dropped 41% despite +2 CVEs." Semantic meaning, not raw numbers. |
| **Unknowns modeling** | "We quantify uncertainty and gate on it." | Unknowns have bands (HOT/WARM/COLD), decay algorithms, and policy budgets. Uncertainty is risk—we surface and score it. |
## Implementation Status
| Feature | Sprint(s) | Status |
|---------|-----------|--------|
| Signed verdicts | 3500.0002.* | ✅ DONE |
| VEX decisioning | Existing lattice engine | ✅ DONE |
| Reachability proofs | 3500.0003.*, 3600.* | ✅ DONE |
| Smart-Diff | 3500.0001.* (archived) | ✅ DONE |
| Unknowns | 3500.0002.0002 | ✅ DONE |
| Air-gapped mode | 3500.0004.0001 (offline bundles) | ✅ DONE |
| Reachability Drift | Proposed | 🎯 NEXT |
### Core Moats (All Implemented)
| Capability | Key Modules | Evidence |
|-----------|-------------|----------|
| **Signed verdicts** | `Attestor`, `Signer`, `ReplayVerifier` | DSSE envelopes, SRM manifests, bit-for-bit replay |
| **VEX decisioning (K4)** | `VexLens`, `TrustLatticeEngine` | 110+ tests passing; CycloneDX/OpenVEX/CSAF normalizers |
| **Reachability proofs** | `ReachGraph`, `PathWitnessBuilder` | DSSE-signed graphs; edge-bundle attestations |
| **Smart-Diff** | `MaterialRiskChangeDetector`, `RiskStateSnapshot` | R1-R4 rules; priority scoring; SARIF output |
| **Unknowns modeling** | `UnknownStateLedger`, `Policy` | Bands (HOT/WARM/COLD); decay algorithms |
| **Air-gapped mode** | `AirGap.Controller`, `RootPack` | Sealed snapshots; regional crypto |
| **Binary backport** | `Feedser`, `BinaryIndex`, `SourceIntel` | Tier 1-3 complete; Tier 4 (binary fingerprinting) in progress |
### Moat Enhancement Roadmap
| Enhancement | Priority | Sprint Coverage |
|-------------|----------|-----------------|
| OCI-attached verdict attestations | P0 | 4300_0001_0001 |
| One-command audit replay CLI | P0 | 4300_0001_0002 |
| VEX Hub aggregation layer | P1 | 4500_0001_* |
| Trust scoring of VEX sources | P1 | 4500_0001_0002 |
| Tier 4 binary fingerprinting | P1 | 7204-7206 |
| SBOM historical lineage | P2 | 4600_0001_* |
## Competitor Positioning
### Avoid Head-On Fights With:
- **Snyk**: Developer adoption + reachability prioritization
- **Prisma Cloud**: CNAPP breadth + graph-based investigation
- **Anchore**: SBOM operations maturity
- **Aqua/Trivy**: Runtime protection + VEX Hub network
### Where to Compete (and How)
### Win With:
- **Decision integrity** (deterministic, attestable, replayable)
- **Proof portability** (offline audits, evidence bundles)
- **Semantic change control** (risk deltas, not CVE counts)
| Competitor | Their Strength | Don't Compete On | Win With |
|-----------|----------------|------------------|----------|
| **Snyk** | Developer UX, fix PRs, onboarding | Adoption velocity | Proof-carrying reachability, offline capability, attestation chain |
| **Prisma Cloud** | CNAPP breadth, graph investigation | Platform completeness | Decision integrity, deterministic replay, semantic diff |
| **Anchore** | SBOM operations maturity | SBOM storage | Lattice VEX, signed reachability, proof chains |
| **Aqua/Trivy** | Runtime protection, broad coverage | Ecosystem breadth | Forensic reproducibility, K4 logic, regional crypto |
### Our Winning Positions
| Position | What It Means | Proof Point |
|----------|--------------|-------------|
| **Decision integrity** | Every verdict is deterministic, attestable, and replayable | `stella replay srm.yaml --assert-digest <sha>` |
| **Proof portability** | Evidence bundles work offline and survive audits | Decision Capsules with sealed SBOM/VEX/reachability/policy |
| **Semantic change control** | Risk deltas show meaning, not numbers | "Exploitability dropped 41% despite +2 CVEs" |
| **Sovereign deployment** | Self-hosted, regional crypto, air-gap parity | GOST/SM/eIDAS profiles; RootPack bundles |
### Where We're Ahead
1. **VEX decisioning** — K4 lattice with conflict detection; no competitor has this
2. **Smart-Diff** — Semantic risk deltas with priority scoring; unique
3. **Signed reachability** — DSSE graphs + edge bundles; unique
4. **Deterministic replay** — Bit-for-bit reproducibility; unique
5. **Regional crypto** — FIPS/eIDAS/GOST/SM/PQC; unique
### Where Competitors Lead (For Now)
| Area | Competitor Lead | Our Response |
|------|-----------------|--------------|
| Mass-market UX polish | Snyk | Focus on power users who need proofs |
| SaaS onboarding friction | Snyk, Prisma | Offer both SaaS and self-hosted |
| Marketplace integrations | All major players | Prioritize based on customer demand |
| Ecosystem breadth | Trivy | Focus on depth over breadth |
---
## Source Documents
## Quick Reference
See `docs/product-advisories/unprocessed/moats/` for full advisory content:
- 19-Dec-2025 - Moat #1 through #7
- 19-Dec-2025 - Stella Ops candidate features mapped to moat strength
- 19-Dec-2025 - Benchmarking Container Scanners Against Stella Ops
### Key Documents
- **Competitive Landscape**: `docs/market/competitive-landscape.md`
- **Claims Index**: `docs/market/claims-citation-index.md`
- **Proof Architecture**: `docs/modules/platform/proof-driven-moats-architecture.md`
- **Key Features**: `docs/key-features.md`
- **Moat Gap Analysis**: `docs/modules/platform/moat-gap-analysis.md`
### Key Commands (Demo-Ready)
```bash
# Determinism proof
stella scan --image <img> --srm-out a.yaml
stella scan --image <img> --srm-out b.yaml
diff a.yaml b.yaml # Identical
# Replay proof
stella replay srm.yaml --assert-digest <sha>
# Reachability proof
stella graph show --cve CVE-XXXX-YYYY --artifact <digest>
# VEX evaluation
stella vex evaluate --artifact <digest>
# Offline scan
stella rootpack import bundle.tar.gz
stella scan --offline --image <digest>
```
---
**Last Updated**: 2025-12-20
**Last Updated**: 2026-01-03