save progress
@@ -1,6 +1,8 @@
# Competitive Landscape (Nov 2025)
# Competitive Landscape
Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/extends prior competitive notes (none published); treat this as canonical until a newer dated advisory arrives. This summary distils the 15-vendor comparison into actionable positioning notes and links back to the full matrix for sales/PMM.
> **TL;DR:** Stella Ops isn't a scanner that outputs findings. It's a platform that outputs **attestable decisions that can be replayed**. That difference survives auditors, regulators, and supply-chain propagation.
Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors", updated Jan 2026. This summary distils a 15-vendor comparison into actionable positioning notes for sales/PMM and engineering prioritization.
---
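Review bot: the rewritten Source line (the second one in this hunk) drops two things the original carried: the statement that this summary supersedes prior competitive notes and is canonical until a newer dated advisory arrives, and the pointer back to the full 15-vendor matrix for sales/PMM. With the date also removed from the H1, a reader no longer has any cue for which version of the advisory is authoritative; suggest keeping a sentence such as `Treat this as canonical until a newer dated advisory arrives.` together with the link to the full matrix. The new TL;DR block quote also asserts that the difference "survives auditors, regulators, and supply-chain propagation" without a claim ID, while every other claim in the file is tagged; either cite the relevant DET-/REACH- IDs there or soften the wording.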
@@ -8,7 +10,7 @@ Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/
| Field | Value |
|-------|-------|
| **Last Updated** | 2025-12-14 |
| **Last Updated** | 2026-01-03 |
| **Last Verified** | 2025-12-14 |
| **Next Review** | 2026-03-14 |
| **Claims Index** | [`docs/market/claims-citation-index.md`](claims-citation-index.md) |
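Review bot: `Last Updated` moves from 2025-12-14 to 2026-01-03, but `Last Verified` stays at 2025-12-14 and `Next Review` at 2026-03-14, even though this commit adds new vendor-specific claims (the capability matrix and the Trivy/Grype/Snyk version audit in the later hunks). Either bump `Last Verified` if the January update re-checked those vendor claims, or say in this table that the added material has not been verified since 2025-12-14, so that the `Verified` column in the gap tables below stays honest.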
@@ -21,6 +23,32 @@ Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/
---
## Why Competitors Plateau (Structural Analysis)
The scanner market evolved from three distinct origins. Each origin created architectural assumptions that make Stella Ops' capabilities structurally difficult to retrofit.
| Origin | Representatives | What They Optimized For | Why They Can't Easily Catch Up |
|--------|----------------|------------------------|-------------------------------|
| **Package Scanners** | Trivy, Syft/Grype | Fast CLI, broad ecosystem coverage | No forensic reproducibility in architecture; VEX is boolean, not lattice; no DSSE for reachability graphs |
| **Developer UX** | Snyk | IDE integration, fix PRs, onboarding | SaaS-only (offline impossible); no attestation infrastructure; reachability limited to specific languages |
| **Policy/Compliance** | Prisma Cloud, Aqua | Runtime protection, CNAPP breadth | No deterministic replay; no cryptographic provenance for verdicts; no semantic diff |
| **SBOM Operations** | Anchore | SBOM storage, lifecycle | No lattice VEX reasoning; no signed reachability graphs; no regional crypto profiles |
### The Core Problem
**Scanners output findings. Stella Ops outputs decisions.**
A finding says "CVE-2024-1234 exists in this package." A decision says "CVE-2024-1234 is reachable via this call path, vendor VEX says not_affected but our runtime disagrees, creating a conflict that policy must resolve, and here's the signed proof chain."
This isn't a feature gap—it's a category difference. Retrofitting it requires:
- Rearchitecting the evidence model (content-addressed, not row-based)
- Adding lattice logic to VEX handling (not just filtering)
- Instrumenting reachability at three layers (static, binary, runtime)
- Building deterministic replay infrastructure (frozen feeds, manifests, seeds)
- Implementing regional crypto profiles (not just "signing")
---
## Stella Ops moats (why we win)
| Moat | Description | Claim IDs | Confidence |
@@ -33,22 +61,50 @@ Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/
## Top takeaways (sales-ready)
| # | Claim | Claim IDs | Confidence |
|---|-------|-----------|------------|
| 1 | No competitor offers deterministic replay with frozen feeds; we do | DET-003 | High |
| 2 | None sign reachability graphs; we sign graphs and (optionally) edges | REACH-002 | High |
| 3 | Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to Stella Ops | ATT-004 | Medium |
| 4 | Lattice VEX + explainable paths is unmatched; others ship boolean VEX or none at all | VEX-001, COMP-TRIVY-001, COMP-GRYPE-002 | High |
| 5 | Offline/air-gap readiness with mirrored transparency is rare; we ship it by default | OFF-001, OFF-004 | High |
### The Five One-Liners
## Where others fall short (high level)
| # | One-Liner | What It Means | Claim IDs |
|---|-----------|---------------|-----------|
| 1 | "We don't output findings; we output attestable decisions that can be replayed." | Given identical inputs, Stella produces identical outputs. Any verdict from 6 months ago can be re-verified today with `stella replay srm.yaml`. | DET-001, DET-003 |
| 2 | "We treat VEX as a logical claim system, not a suppression file." | K4 lattice logic aggregates multiple VEX sources, detects conflicts, and produces explainable dispositions with proof links. | VEX-001, VEX-002 |
| 3 | "We provide proof of exploitability in *this* artifact, not just a badge." | Three-layer reachability (static graph + binary + runtime) with DSSE-signed call paths. Not "potentially reachable" but "here's the exact path." | REACH-001, REACH-002 |
| 4 | "We explain what changed in exploitable surface area, not what changed in CVE count." | Smart-Diff outputs "This release reduces exploitability by 41% despite +2 CVEs" — semantic risk deltas, not raw numbers. | — |
| 5 | "We quantify uncertainty and gate on it." | Unknowns are first-class state with bands (HOT/WARM/COLD), decay algorithms, and policy budgets. Uncertainty is risk; we surface and score it. | UNKNOWNS-001, UNKNOWNS-002 |
| Gap | Description | Related Claims | Verified |
|-----|-------------|----------------|----------|
| **No deterministic replay** | None of the 15 provide hash-stable, replayable scans with frozen feeds | DET-003, COMP-TRIVY-002, COMP-GRYPE-001, COMP-SNYK-001 | 2025-12-14 |
| **No lattice/VEX merge** | VEX is absent or bolt-on; no trust algebra elsewhere | COMP-TRIVY-001, COMP-GRYPE-002 | 2025-12-14 |
| **Attestation gaps** | Most rely on Cosign-only or have no DSSE/Rekor story; none sign reachability graphs | COMP-GRYPE-001, REACH-002 | 2025-12-14 |
| **Offline/sovereign** | Weak or SaaS-only; no regional crypto options | COMP-SNYK-003, ATT-004 | 2025-12-14 |
### Verified Gaps (High Confidence)
| # | Gap | Evidence | Claim IDs |
|---|-----|----------|-----------|
| 1 | No competitor offers deterministic replay with frozen feeds | Source audit: Trivy v0.55, Grype v0.80, Snyk CLI v1.1292 | DET-003 |
| 2 | None sign reachability graphs; we sign graphs and (optionally) edge bundles | Feature matrix analysis | REACH-002 |
| 3 | Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to Stella Ops | Architecture review | ATT-004 |
| 4 | Lattice VEX with conflict detection is unmatched; others ship boolean VEX or none | Trivy pkg/vex source; Grype VEX implementation | VEX-001, COMP-TRIVY-001, COMP-GRYPE-002 |
| 5 | Offline/air-gap with mirrored transparency is rare; we ship it by default | Documentation and feature testing | OFF-001, OFF-004 |
## Where others fall short (detailed)
### Capability Gap Matrix
| Capability | Trivy | Grype | Snyk | Prisma | Aqua | Anchore | Stella Ops |
|-----------|-------|-------|------|--------|------|---------|------------|
| **Deterministic replay** | No | No | No | No | No | No | Yes |
| **VEX lattice (K4 logic)** | Boolean only | Boolean only | None | None | Limited | Limited | Full K4 |
| **Signed reachability graphs** | No | No | No | No | No | No | Yes (DSSE) |
| **Binary-level backport detection** | No | No | No | No | No | No | Tier 1-4 |
| **Semantic risk diff** | No | No | No | No | No | No | Yes |
| **Unknowns as state** | Hidden | Hidden | Hidden | Hidden | Hidden | Hidden | First-class |
| **Regional crypto (GOST/SM)** | No | No | No | No | No | No | Yes |
| **Offline parity** | Medium | Medium | No | Strong | Medium | Good | Full |
### Specific Gaps by Competitor
| Gap | What This Means | Related Claims | Verified |
|-----|-----------------|----------------|----------|
| **No deterministic replay** | A scan from last month cannot be re-run to produce identical results. Feed drift, analyzer changes, and non-deterministic ordering break reproducibility. Auditors cannot verify past decisions. | DET-003, COMP-TRIVY-002, COMP-GRYPE-001, COMP-SNYK-001 | 2025-12-14 |
| **No lattice/VEX merge** | VEX is either absent or treated as a suppression filter. When vendor says "not_affected" but runtime shows the function was called, these tools can't represent the conflict—they pick one or the other. | COMP-TRIVY-001, COMP-GRYPE-002 | 2025-12-14 |
| **No signed reachability** | Reachability claims are assertions, not proofs. There's no cryptographic binding between "this CVE is reachable" and the call path that proves it. | COMP-GRYPE-001, REACH-002 | 2025-12-14 |
| **No semantic diff** | Tools report "+3 CVEs" without context. They can't say "exploitable surface decreased despite new CVEs" because they don't track reachability deltas. | — | 2025-12-14 |
| **Offline/sovereign gaps** | Snyk is SaaS-only. Others have partial offline support but no regional crypto (GOST, SM2, eIDAS) and no sealed knowledge snapshots for air-gapped reproducibility. | COMP-SNYK-003, ATT-004 | 2025-12-14 |
## Snapshot table (condensed)
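Review bot: confidence ratings are inconsistent inside this hunk: the `Top takeaways` table rates the sovereign-crypto claim (ATT-004) as `Medium`, yet the same claim reappears as row 3 of `Verified Gaps (High Confidence)` with only `Architecture review` as evidence; pick one rating and apply it in both places. Several added rows also carry no claim ID at all (`—`): the Smart-Diff one-liner and the `No semantic diff` gap both quote a specific figure (`reduces exploitability by 41% despite +2 CVEs`) that reps will repeat verbatim, and the whole `Capability Gap Matrix` has neither claim IDs nor a `Verified` date, unlike every other table in the file. Since the document links a claims index, either add IDs for these entries or mark them as unsourced so they are not presented to customers as verified.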
@@ -86,25 +142,52 @@ Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/
## Battlecard Appendix (snippet-ready)
**One-liners**
- *Replay or it's noise:* Only Stella Ops can re-run a scan bit-for-bit from frozen feeds. [DET-003]
- *Signed reachability, not guesses:* Graph DSSE always; optional edge DSSE for runtime/init edges. [REACH-002]
- *Sovereign-first:* FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors are first-class toggles. [ATT-004]
- *Trust algebra:* Lattice VEX merges advisories, reachability, runtime, waivers with explainable paths. [VEX-001]
### Elevator Pitches (by Audience)
**Proof points**
- Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional). [DET-001, DET-002]
- Hybrid reachability: graph-level attestations plus capped edge-bundle attestations to avoid Rekor flood. [REACH-001, REACH-002]
- Offline: transparency mirrors + sealed bundles keep verification working air-gapped. [OFF-001, OFF-003, OFF-004]
| Audience | Pitch |
|----------|-------|
| **CISO/Security Leader** | "Stella Ops turns vulnerability noise into auditable decisions. Every verdict is signed, replayable, and proves *why* something is or isn't exploitable." |
| **Compliance/Audit** | "Unlike scanners that output findings, we output decisions with proof chains. Six months from now, you can replay any verdict bit-for-bit to prove what you knew and when." |
| **DevSecOps Engineer** | "Tired of triaging the same CVE across 50 images? Stella deduplicates by root cause, shows reachability proofs, and explains exactly what to fix and why." |
| **Air-gap/Regulated** | "Full offline parity with regional crypto (FIPS/GOST/SM/eIDAS). Sealed knowledge snapshots ensure your air-gapped environment produces identical results to connected." |
**Objection handlers**
- "We already sign SBOMs." → Do you sign call-graphs and VEX? Do you replay scans bit-for-bit? We do. [DET-001, REACH-002]
- "Cosign/Rekor is enough." → Without deterministic manifests + reachability proofs, you can't audit why a vuln was reachable. [DET-003]
- "Our runtime traces show reachability." → We combine runtime hits with signed static graphs and VEX lattice; evidence is replayable and quarantinable edge-by-edge. [REACH-001, VEX-002]
### One-Liners with Proof Points
**CTA for reps**
- Demo: show `stella graph verify --graph <hash>` with and without edge-bundle verification.
- Leave-behind: link `docs/reachability/lead.md` and this appendix.
| One-Liner | Proof Point | Claims |
|-----------|-------------|--------|
| *Replay or it's noise* | `stella replay srm.yaml --assert-digest <sha>` reproduces any past scan bit-for-bit | DET-001, DET-003 |
| *Signed reachability, not guesses* | Graph-level DSSE always; edge-bundle DSSE for contested paths; Rekor-backed | REACH-001, REACH-002 |
| *Sovereign-first* | FIPS/eIDAS/GOST/SM/PQC profiles as config; multi-sig with regional roots | ATT-004 |
| *Trust algebra, not suppression files* | K4 lattice merges advisories, runtime, reachability, waivers; conflicts are explicit state | VEX-001, VEX-002 |
| *Semantic risk deltas* | "Exploitability dropped 41% despite +2 CVEs" — not just CVE counts | — |
### Objection Handlers
| Objection | Response | Supporting Claims |
|-----------|----------|-------------------|
| "We already sign SBOMs." | Great start. But do you sign call-graphs and VEX decisions? Can you replay a scan from 6 months ago and get identical results? We do both. | DET-001, REACH-002 |
| "Cosign/Rekor is enough." | Cosign signs artifacts. We sign *decisions*. Without deterministic manifests and reachability proofs, you can sign findings but can't audit *why* a vuln was reachable. | DET-003, REACH-002 |
| "Our runtime traces show reachability." | Runtime is one signal. We fuse it with static call graphs and VEX lattice into a signed, replayable verdict. You can quarantine or dispute individual edges, not just all-or-nothing. | REACH-001, VEX-002 |
| "Snyk does reachability." | Snyk's reachability is language-limited (Java, JavaScript), SaaS-only, and unsigned. We support 6+ languages, work offline, and sign every call path with DSSE. | COMP-SNYK-002, COMP-SNYK-003, REACH-002 |
| "We use Trivy and it's free." | Trivy is excellent for broad coverage. We're for organizations that need audit-grade reproducibility, VEX reasoning, and signed proofs. Different use cases. | COMP-TRIVY-001, COMP-TRIVY-002 |
| "Can't you just add this to Trivy?" | Trivy's architecture assumes findings, not decisions. Retrofitting deterministic replay, lattice VEX, and proof chains would require fundamental rearchitecture—not just features. | — |
### Demo Scenarios
| Scenario | What to Show | Command |
|----------|-------------|---------|
| **Determinism** | Run scan twice, show identical digests | `stella scan --image <img> --srm-out a.yaml && stella scan --image <img> --srm-out b.yaml && diff a.yaml b.yaml` |
| **Replay** | Replay a week-old scan, verify identical output | `stella replay srm.yaml --assert-digest <sha>` |
| **Reachability proof** | Show signed call path from entrypoint to vulnerable symbol | `stella graph show --cve CVE-XXXX-YYYY --artifact <digest>` |
| **VEX conflict** | Show lattice handling vendor vs runtime disagreement | Trust Algebra Studio UI or `stella vex evaluate --artifact <digest>` |
| **Offline parity** | Import sealed bundle, scan, compare to online result | `stella rootpack import bundle.tar.gz && stella scan --offline ...` |
### Leave-Behind Materials
- **Reachability deep-dive:** `docs/reachability/lead.md`
- **Competitive landscape:** This document
- **Proof architecture:** `docs/modules/platform/proof-driven-moats-architecture.md`
- **Key features:** `docs/key-features.md`
## Sources
- Full advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
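Review bot: the `Determinism` row of `Demo Scenarios` proves hash-stable output with a text `diff a.yaml b.yaml` of two SRM files, whereas the `Replay` row and the one-liner proof point both assert a digest (`stella replay srm.yaml --assert-digest <sha>`); since the claim being demoed is DET-003 (hash-stable scans), the determinism demo should compare digests the same way rather than rely on a raw file diff, so the demo cannot diverge from the claim for reasons unrelated to the scan result. The retained `CTA for reps` bullet still points at `stella graph verify --graph <hash>` while the new `Reachability proof` scenario uses `stella graph show --cve ... --artifact <digest>`; keep one verified command (or state that both exist) so reps do not type an unsupported one in front of a customer. Also, the `Snyk does reachability` response states `We support 6+ languages` without a claim ID for the language count (REACH-002 covers signing, COMP-SNYK-002/003 cover Snyk); add one or drop the number.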