# Competitive Landscape (Nov 2025)

Source: internal advisory “23-Nov-2025 - Stella Ops vs Competitors”. Supersedes/extends prior competitive notes (none published); treat this as canonical until a newer dated advisory arrives. This summary distils the 15-vendor comparison into actionable positioning notes and links back to the full matrix for sales/PMM.

## Stella Ops moats (why we win)

- **Deterministic replay:** feed+rules snapshotting; graph/SBOM/VEX re-run bit-for-bit with manifest hashes.
- **Hybrid reachability attestations:** graph-level DSSE always; optional edge-bundle DSSE for runtime/init/contested edges; Rekor-backed with publish caps.
- **Lattice-based VEX engine:** merges advisories, runtime hits, reachability, waivers with explainable paths.
- **Crypto sovereignty:** FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors as first-class knobs.
- **Proof graph:** DSSE + transparency across SBOM, call-graph, VEX, replay manifests.

## Top takeaways (sales-ready)

1. No competitor offers deterministic replay with frozen feeds; we do.
2. None sign reachability graphs; we sign graphs and (optionally) edges.
3. Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to Stella Ops.
4. Lattice VEX + explainable paths is unmatched; others ship boolean VEX or none at all.
5. Offline/air-gap readiness with mirrored transparency is rare; we ship it by default.

## Where others fall short (high level)

- **No deterministic replay:** none of the 15 provide hash-stable, replayable scans with frozen feeds.
- **No lattice/VEX merge:** VEX is absent or bolt-on; no trust algebra elsewhere.
- **Attestation gaps:** most rely on Cosign-only or have no DSSE/Rekor story; none sign reachability graphs.
- **Offline/sovereign:** weak or SaaS-only; no regional crypto options.
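## Illustration: replay manifest + graph DSSE (added example)

The two mechanisms the moats above rest on, a hash-stable replay manifest over frozen inputs and a DSSE envelope over the graph payload, sketched in Go. This is an added example written for this note, not Stella Ops code: the manifest fields, key id and payload type are assumed for illustration, the sample manifest is constructed, and SHA-256 from Go's standard library stands in for the BLAKE3 hashes the advisory names. It shows what "frozen feeds" buys (same pinned inputs reproduce the same digest) and what graph-level DSSE buys (an envelope whose payload or payload type is swapped no longer verifies, because DSSE signs the pre-authentication encoding, not the bare bytes).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// ReplayManifest pins every input a scan depended on (illustrative field set, not the Stella Ops schema).
type ReplayManifest struct {
	FeedSnapshot string            `json:"feedSnapshot"` // digest of the frozen advisory feed
	RulesDigest  string            `json:"rulesDigest"`  // digest of the policy/rule bundle
	Scanner      string            `json:"scanner"`      // scanner build identity
	Inputs       map[string]string `json:"inputs"`       // artifact name -> content digest
}

// digest uses stdlib SHA-256 as a stand-in for the BLAKE3 hashes the advisory names.
func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Canonical serialises deterministically: encoding/json writes struct fields in
// declaration order, sorts map keys and emits no whitespace.
func Canonical(m ReplayManifest) []byte {
	b, _ := json.Marshal(m) // cannot fail for these field types
	return b
}

// ManifestDigest is what a replay compares: same frozen inputs, same digest.
func ManifestDigest(m ReplayManifest) string { return digest(Canonical(m)) }

// Envelope is a DSSE envelope; Payload and Sig are base64 encoded.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// pae is DSSE Pre-Authentication Encoding, the bytes actually signed:
// "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// SignEnvelope wraps a payload (here the canonical manifest; in practice the graph,
// SBOM or VEX document) in a DSSE envelope signed with Ed25519.
func SignEnvelope(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// VerifyEnvelope recomputes the PAE and checks every signature against pub; a changed
// payload or payloadType changes the PAE, so verification fails.
func VerifyEnvelope(pub ed25519.PublicKey, env Envelope) error {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	if len(env.Signatures) == 0 {
		return fmt.Errorf("dsse: envelope carries no signatures")
	}
	msg := pae(env.PayloadType, payload)
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			return err
		}
		if !ed25519.Verify(pub, msg, sig) {
			return fmt.Errorf("dsse: signature by %q does not verify", s.KeyID)
		}
	}
	return nil
}

// SampleManifest is constructed sample input; each digest is of a placeholder string.
func SampleManifest() ReplayManifest {
	return ReplayManifest{
		FeedSnapshot: digest([]byte("advisory feed frozen 2025-11-23")),
		RulesDigest:  digest([]byte("policy rules v1")),
		Scanner:      "example-scanner-build",
		Inputs:       map[string]string{"sbom.json": digest([]byte("sbom")), "callgraph.json": digest([]byte("graph"))},
	}
}

func main() {
	m := SampleManifest()
	fmt.Println("replay reproduces digest:", ManifestDigest(SampleManifest()) == ManifestDigest(m))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	env := SignEnvelope(priv, "graph-signer", "application/vnd.example.replay-manifest+json", Canonical(m))
	fmt.Println("verify signed manifest:", VerifyEnvelope(pub, env))
	env.Payload = base64.StdEncoding.EncodeToString([]byte(`{"feedSnapshot":"refreshed"}`)) // swap payload, keep signature
	fmt.Println("verify tampered manifest:", VerifyEnvelope(pub, env))
}
```

The design point for battlecard conversations: a Cosign signature over an SBOM proves who produced the bytes, but without a manifest that pins feed, rules and scanner identity there is nothing to replay against, and without the graph itself inside a signed envelope the reachability claim is unsigned. In this example a feed refresh changes `FeedSnapshot` and therefore the manifest digest, so the re-run is visibly a different run rather than a replay.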
## Snapshot table (condensed)

| Vendor                 | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor    | Offline | Primary gaps vs Stella   |
| ---------------------- | -------- | ----------- | ------------- | -------- | ------- | ------------------------ |
| Trivy                  | Yes      | Yes         | Cosign        | Query    | Strong  | No replay, no lattice    |
| Syft/Grype             | Yes      | Yes         | Cosign-only   | Indirect | Medium  | No replay, no lattice    |
| Snyk                   | Yes      | Limited     | No            | No       | Weak    | No attest/VEX/replay     |
| Prisma                 | Yes      | Limited     | No            | No       | Strong  | No attest/replay         |
| AWS (Inspector/Signer) | Partial  | Partial     | Notary v2     | No       | Weak    | Closed, no replay        |
| Google                 | Yes      | Yes         | Yes           | Optional | Weak    | No offline/lattice       |
| GitHub                 | Yes      | Partial     | Yes           | Yes      | No      | No replay/crypto opts    |
| GitLab                 | Yes      | Limited     | Partial       | No       | Medium  | No replay/lattice        |
| Microsoft Defender     | Partial  | Partial     | No            | No       | Weak    | No attest/reachability   |
| Anchore Enterprise     | Yes      | Yes         | Some          | No       | Good    | No sovereign crypto      |
| JFrog Xray             | Yes      | Yes         | No            | No       | Medium  | No attest/lattice        |
| Tenable                | Partial  | Limited     | No            | No       | Weak    | Not SBOM/VEX-focused     |
| Qualys                 | Limited  | Limited     | No            | No       | Medium  | No attest/lattice        |
| Rezilion               | Yes      | Yes         | No            | No       | Medium  | Runtime-only; no DSSE    |
| Chainguard             | Yes      | Yes         | Yes           | Yes      | Medium  | No replay/lattice        |

## How to use this doc

- Sales/PMM: pull talking points and the gap list when building battlecards.
- Product: map gaps to roadmap; keep replay/lattice/sovereign as primary differentiators.
- Engineering: ensure new features keep determinism + sovereign crypto front-and-center; link reachability attestations into the proof graph.
## Cross-links

- Vision: `docs/03_VISION.md` (Moats section)
- Architecture: `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Reachability moat details: `docs/reachability/lead.md`
- Source advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`

---

## Battlecard Appendix (snippet-ready)

**One-liners**

- *Replay or it’s noise:* Only Stella Ops can re-run a scan bit-for-bit from frozen feeds.
- *Signed reachability, not guesses:* Graph DSSE always; optional edge DSSE for runtime/init edges.
- *Sovereign-first:* FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors are first-class toggles.
- *Trust algebra:* Lattice VEX merges advisories, reachability, runtime, waivers with explainable paths.

**Proof points**

- Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional).
- Hybrid reachability: graph-level attestations plus capped edge-bundle attestations to avoid Rekor flood.
- Offline: transparency mirrors + sealed bundles keep verification working air-gapped.

**Objection handlers**

- “We already sign SBOMs.” → Do you sign call-graphs and VEX? Do you replay scans bit-for-bit? We do.
- “Cosign/Rekor is enough.” → Without deterministic manifests + reachability proofs, you can’t audit why a vuln was reachable.
- “Our runtime traces show reachability.” → We combine runtime hits with signed static graphs and the VEX lattice; evidence is replayable and quarantinable edge-by-edge.

**CTA for reps**

- Demo: show `stella graph verify --graph ` with and without edge-bundle verification.
- Leave-behind: link `docs/reachability/lead.md` and this appendix.

## Sources

- Full advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`