feat(policy): Start Epic 3900 - Exception Objects as Auditable Entities
Advisory Processing:
- Processed 7 unprocessed advisories and 12 moat documents
- Created advisory processing report with 3 new epic recommendations
- Identified Epic 3900 (Exception Objects) as highest priority

Sprint 3900.0001.0001 - 4/8 tasks completed:
- T1: ExceptionObject domain model with full governance fields
- T2: ExceptionEvent model for event-sourced audit trail
- T4: IExceptionRepository interface with CRUD and query methods
- T6: ExceptionEvaluator service with PURL pattern matching

New library: StellaOps.Policy.Exceptions
- Models: ExceptionObject, ExceptionScope, ExceptionEvent
- Enums: ExceptionStatus, ExceptionType, ExceptionReason
- Services: ExceptionEvaluator with scope matching and specificity
- Repository: IExceptionRepository with filter and history support

Remaining tasks: PostgreSQL schema, repository implementation, tests
71
docs/market/moat-strategy-summary.md
Normal file
@@ -0,0 +1,71 @@
# StellaOps Moat Strategy Summary

**Date**: 2025-12-20
**Source**: Product Advisories (19-Dec-2025 Moat Series)
**Status**: DOCUMENTED

---

## Executive Summary

StellaOps competitive moats are built on **decision integrity** - deterministic, attestable, replayable security verdicts - not just scanner features.

## Moat Strength Rankings

| Moat Level | Feature | Defensibility |
|------------|---------|---------------|
| **5 (Structural)** | Signed, replayable risk verdicts | Highest - requires deterministic eval + proof schema + knowledge snapshots |
| **4 (Strong)** | VEX decisioning engine | Formal conflict resolution, provenance-aware trust weighting |
| **4 (Strong)** | Reachability with proofs | Portable proofs, artifact-level mapping, deterministic replay |
| **4 (Strong)** | Smart-Diff (semantic risk delta) | Graph-based diff over SBOM + reachability + VEX |
| **4 (Strong)** | Unknowns as first-class state | Uncertainty budgets in policies, scoring, attestations |
| **4 (Strong)** | Air-gapped epistemic mode | Sealed knowledge snapshots, offline reproducibility |
| **3 (Moderate)** | SBOM ledger + lineage | Table stakes; differentiate via semantic diff + evidence joins |
| **3 (Moderate)** | Policy engine with proofs | Common; moat is proof output + deterministic replay |
| **1-2 (Commodity)** | Integrations everywhere | Necessary but not defensible |

## Core Moat Thesis (One-Liners)

- **Deterministic signed verdicts:** "We don't output findings; we output an attestable decision that can be replayed."
- **VEX decisioning:** "We treat VEX as a logical claim system, not a suppression file."
- **Reachability proofs:** "We provide proof of exploitability in *this* artifact, not just a badge."
- **Smart-Diff:** "We explain what changed in exploitable surface area, not what changed in CVE count."
- **Unknowns modeling:** "We quantify uncertainty and gate on it."

## Implementation Status

| Feature | Sprint(s) | Status |
|---------|-----------|--------|
| Signed verdicts | 3500.0002.* | ✅ DONE |
| VEX decisioning | Existing lattice engine | ✅ DONE |
| Reachability proofs | 3500.0003.*, 3600.* | ✅ DONE |
| Smart-Diff | 3500.0001.* (archived) | ✅ DONE |
| Unknowns | 3500.0002.0002 | ✅ DONE |
| Air-gapped mode | 3500.0004.0001 (offline bundles) | ✅ DONE |
| Reachability Drift | Proposed | 🎯 NEXT |

## Competitor Positioning

### Avoid Head-On Fights With:
- **Snyk**: Developer adoption + reachability prioritization
- **Prisma Cloud**: CNAPP breadth + graph-based investigation
- **Anchore**: SBOM operations maturity
- **Aqua/Trivy**: Runtime protection + VEX Hub network

### Win With:
- **Decision integrity** (deterministic, attestable, replayable)
- **Proof portability** (offline audits, evidence bundles)
- **Semantic change control** (risk deltas, not CVE counts)

---

## Source Documents

See `docs/product-advisories/unprocessed/moats/` for full advisory content:
- 19-Dec-2025 - Moat #1 through #7
- 19-Dec-2025 - Stella Ops candidate features mapped to moat strength
- 19-Dec-2025 - Benchmarking Container Scanners Against Stella Ops

---

**Last Updated**: 2025-12-20
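Review bot: the Source Documents section points readers at `docs/product-advisories/unprocessed/moats/`, but the commit message states that these 7 advisories and 12 moat documents were processed in this same change, so that path is likely stale as soon as the commit lands; point the link at wherever the processed advisories (or the advisory processing report the message mentions) end up. Two smaller points on the same file: the Implementation Status table asserts `✅ DONE` for six features with only sprint wildcards (`3500.0002.*`, `3600.*`) as evidence, so linking each row to its sprint file would make the claim checkable; and the diff shown here contains only this summary document, none of the `StellaOps.Policy.Exceptions` models, enums or services the commit message describes, so either the message should be scoped to what is in the diff or the library should be in it.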