release orchestrator pivot, architecture and planning

docs/product/competitive-landscape.md

@@ -1,8 +1,50 @@
 # Competitive Landscape
 
-> **TL;DR:** Stella Ops isn't a scanner that outputs findings. It's a platform that outputs **attestable decisions that can be replayed**. That difference survives auditors, regulators, and supply-chain propagation.
+> **TL;DR:** Stella Ops Suite isn't a scanner or a deployment tool—it's a **release control plane** that gates releases using reachability-aware security and produces **attestable decisions that can be replayed**. Non-Kubernetes container estates finally get a central release authority.
 
-Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors", updated Jan 2026. This summary distils a 15-vendor comparison into actionable positioning notes for sales/PMM and engineering prioritization.
+Source: internal advisories "23-Nov-2025 - Stella Ops vs Competitors" and "09-Jan-2026 - Stella Ops Pivot", updated Jan 2026. This summary covers both release orchestration and security positioning.
+
+---
+
+## The New Category: Release Control Plane
+
+**Stella Ops Suite** occupies a unique position by combining:
+- Release orchestration (promotions, approvals, workflows)
+- Security decisioning as a gate (not a blocker)
+- Non-Kubernetes target specialization
+- Evidence-linked decisions with deterministic replay
+
+### Why Competitors Can't Easily Catch Up (Release Orchestration)
+
+| Category | Representatives | What They Optimized For | Why They Can't Easily Catch Up |
+|----------|----------------|------------------------|-------------------------------|
+| **CI/CD Tools** | GitHub Actions, Jenkins, GitLab CI | Running pipelines, build automation | No central release authority; no audit-grade evidence; deployment is afterthought |
+| **CD Orchestrators** | Octopus, Harness, Spinnaker | Deployment automation, Kubernetes | Security is bolt-on; non-K8s is second-class; pricing punishes automation |
+| **Registries** | Harbor, JFrog Artifactory | Artifact storage, scanning | No release governance; no promotion workflows; no deployment execution |
+| **Scanners/CNAPP** | Trivy, Snyk, Aqua | Vulnerability detection | No release orchestration; findings don't integrate with promotion gates |
+
+### Stella Ops Suite Positioning
+
+| vs. Category | Why Stella Wins |
+|--------------|-----------------|
+| **vs. CI/CD tools** | They run pipelines; we provide central release authority with audit-grade evidence |
+| **vs. CD orchestrators** | They bolt on security; we integrate it as gates. They punish automation with per-project pricing; we don't |
+| **vs. Registries** | They store and scan; we govern releases and orchestrate deployments |
+| **vs. Scanners** | They output findings; we output release decisions with evidence packets |
+
+### Unique Differentiators (Release Orchestration)
+
+| Differentiator | What It Means |
+|----------------|---------------|
+| **Non-Kubernetes Specialization** | Docker hosts, Compose, ECS, Nomad are first-class—not afterthoughts |
+| **Digest-First Release Identity** | Releases are immutable OCI digests, not mutable tags |
+| **Security Gates in Promotion** | Scan on build, evaluate on release, re-evaluate on CVE updates |
+| **Evidence Packets** | Every release decision is cryptographically signed and replayable |
+| **Cost Model** | No per-seat, per-project, per-deployment tax. Environments + new digests/day |
+
+---
+
+## Security Positioning (Original Analysis)
 
 ---