# Stella Ops Suite — Pricing & Offer Guide (On‑Prem)

_Evidence-grade release orchestration for containerized applications outside Kubernetes._

---

## What Stella Ops Suite is

Stella Ops Suite is a centralized, auditable release control plane for non-Kubernetes container estates. It:

- orchestrates environment promotions (Dev -> Stage -> Prod),
- gates releases using reachability-aware security and policy,
- and produces verifiable evidence for every decision (exportable and replayable).

You can run Stella in two modes:

- **Verified releases (recommended):** promotions require Stella evidence for each new digest.
- **Unverified releases (CD-only):** orchestration runs without evidence gates (still logged, but not certifiable).

---

## The problem we solve

Teams deploying containers without Kubernetes often cobble together a fragmented toolchain:

| Function | Typical tools | Typical gap |
|---|---|---|
| Vulnerability scanning | Trivy, Grype, Snyk | Scanner output isn't automatically tied to approvals, promotions, and audit export |
| SBOM generation | Syft, manual export | SBOM exists, but is not linked to release decisions |
| Deployment | Docker Compose, shell scripts, Ansible | No deterministic release ledger; approvals are informal; rollback is ad-hoc |
| Approvals | Slack, email, Jira | Not cryptographically bound to the exact artifact(s) deployed |
| Audit trail | Spreadsheets, Confluence | Not replayable; evidence is not end-to-end; "why approved?" is hard to prove |

**Result:**

- Release decisions are not traceable to the evidence they were based on.
- Audits and incident reviews require manual reconstruction and often produce evidence gaps.
- Operational confidence depends on tribal knowledge.

---

## What "evidence-grade" means

An **evidence-grade release** is one where:

1. Each new artifact digest can be deeply analyzed to produce SBOM + reachability evidence.
2. Promotion decisions are recorded with the exact evidence they were based on.
3. Approvals are linked to specific artifact digests and policy outcomes.
4. The decision chain is hashable, exportable, and replayable.
5. Operators can ask "why was this blocked?" and get a deterministic explanation trace.

This is Stella's core value: end-to-end release certification, not just scanning or CD automation.

---

## What Stella delivers (one platform, one evidence chain)

| Capability | What Stella does | Why it matters |
|---|---|---|
| Reachability-aware security decisioning | Deep scans produce evidence that can reduce "raw CVE noise" by focusing on what's relevant to your app's execution paths | Engineers spend less time on false urgency; policy gates are more credible |
| Evidence packets | Hashable, immutable bundles linking SBOM + reachability + policy verdict + approvals | Auditors and incident responders can verify "what was known" at decision time |
| Release orchestration (non-K8s) | Environments, promotions, approvals, rollbacks, step graphs, per-step logs | Replaces informal approvals and script sprawl with a governed control plane |
| Policy engine + explainability | Declarative gates with deterministic evaluation and "why blocked?" traces | Governance becomes inspectable, repeatable, and defensible |
| Deployment execution | Docker Compose + scripted deployments; immutable generated artifacts; version stickers; controlled restarts/reloads | "What was deployed where" becomes precise and reconstructible |
| Audit export | Compliance-ready export of decision evidence | Reduces audit time and evidence gaps |

---

## Competitive anchors (public list pricing signals)

These are not full TCO models; they are public, vendor-published pricing anchors that shape buyer expectations.

- **Snyk Team**: starts at **$25/month per contributing developer**, with a **minimum of 5 contributing developers**, and **products are purchased separately**.
- **Snyk Free** includes **100 Snyk Container tests/month** (the container testing limit on Free).
- **Octopus Deploy**: **annual billing only** for Octopus Cloud and Octopus Server.
- **Octopus Free** includes **10 projects, 10 tenants, and 10 machines**.
- **Octopus Professional** is listed **from $4,170 USD/year**.

### A simple comparison that buyers can sanity-check

A common "two-tool" baseline for non-K8s governance is:

- a CD/orchestration tool (e.g., Octopus) plus
- a paid scanner for teams (e.g., Snyk Team)

Using public minimums:

- Octopus Professional starts at $4,170/year (~$347.50/month annualized).
- Snyk Team minimum purchase (5 contributing devs) starts at 5 x $25 = $125/month, per product.

That baseline is **~$472.50/month** before add-ons, scaling effects, or additional products.

Stella **Plus** is **$399/month** and includes the integrated evidence-grade orchestration + security gate in one platform.

---

## Pricing model (simple, predictable)

**All features are included at every tier.** No capability is gated behind higher tiers.

You pay for:

1) **Environments** (policy/config boundaries: dev/stage/prod, regions, compliance zones, tenant boundaries)
2) **New digest deep scan credits per month** (evidence-grade analysis of previously unseen OCI digests)

Deployment targets are **unlimited** (no per-target / per-machine licensing).

### Monthly scan credits (how to interpret them)

- Credits are counted **per month** and reset monthly.
- You may burst within the month; a soft protective rate limit may exist to prevent abuse, but licensing is based on the monthly pool.
- Re-deploying or promoting an already-scanned digest does not consume credits.
- Re-evaluation on vulnerability intel updates does not consume credits.

---

## Tier overview (Suite: Orchestrator + Scanner)

**Annual billing:** pay for 11 months, get 12 (1 month free).
| Tier | Monthly | Annual (11x) | Environments | New digest deep scans / month | Support |
|---|---:|---:|---:|---:|---|
| **Free** | $0 | $0 | **3** | **999** | Doctor self-diagnostics + community forum |
| **Plus** | **$399** | **$4,389** | **33** | **9,999** | Doctor + priority forum + **1 support ticket/month** |
| **Pro** | **$999** | **$10,989** | **333** | **99,999** | Doctor + priority forum + **5 support tickets/month** |
| **Business** | **$2,999** | **$32,989** | **3,333** | **999,999** | Doctor + priority forum + **email channel** + **25 support tickets/month** (best-effort) + fair use |

---

## Add-ons (self-serve)

| Add-on | Price | Intended use |
|---|---:|---|
| **+10 support tickets** | **$299** | Incident bursts, onboarding assistance, expansion without tier change |
| **+10,000 new digest deep scans** | **$499** | Temporary capacity for release sprints, migrations, or one-off spikes |

---

## What every tier includes (no feature gating)

### Release orchestration (non-K8s)

- Environment management with promotion rules
- Approval workflows (manual, automated, policy-gated)
- Rollback orchestration with evidence preservation
- Step graphs (sequential and parallel execution)
- Real-time deployment UI with per-step logs
- Deployment inventory ("what is deployed where")

### Deployment execution

- Docker Compose deployments
- Scripted deployments (.NET 10 scripting)
- Immutable generated deployment artifacts
- Version stickers for traceability
- Controlled restarts and config reloads

### Security and evidence

- Scan on build, gate on release, continuous re-evaluation
- Reachability and hybrid reachability analysis
- Evidence packets (hashable, immutable, replayable)
- Deterministic decision records
- Exportable audit trail
- "Why blocked?" explainability traces

### Extensibility and operability

- Plugin model for SCM, CI, registry, vault, and agent providers
- Workflow engine supports plugin-specific steps
- Doctor tooling for self-service diagnostics (connectivity, agent health, config validation)

---

## Definitions

### Environment

A policy and configuration boundary with its own:

- Security policy profile
- Target/agent selection
- Secrets and config bindings
- Promotion rules and approval requirements

Examples: dev/staging/prod, regional deployments, compliance zones, customer isolation boundaries.

### Deployment target

An endpoint that receives deployments (Docker host, VM, scripted target via SSH/WinRM provider). Targets are **unlimited** at all tiers.

### New digest deep scan

A deep scan occurs the first time Stella analyzes a unique OCI digest, producing:

- SBOM
- reachability and hybrid reachability evidence
- vulnerability findings with an evidence-backed verdict
- an evidence packet usable for gating and audit

Does not consume scan credits:

- re-deploying/promoting an already-scanned digest
- re-evaluation on CVE/vuln intel updates
- querying existing evidence packets

### Support ticket

A bounded support request handled by maintainers. For effective resolution, include:

- clear problem statement
- reproduction steps
- Doctor bundle output (when applicable)

Tickets are bounded so Stella can remain self-serve by default.
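As an added illustration of the evidence-grade model and the new-digest credit rule defined above (this is hypothetical example code, not Stella's own implementation or API): a per-digest evidence store where only a previously unseen digest spends a credit, and a hash-chained decision ledger whose replay check fails if any packet, approval or ordering is altered after the fact. Digests, SBOM contents and approver names in the test are constructed sample values.

```python
import hashlib
import json


def canon_hash(obj):
    """Content hash over canonical JSON, so identical evidence always hashes identically."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class ReleaseLedger:
    """Hypothetical model: evidence packets keyed by OCI digest + a hash-chained decision log."""

    def __init__(self, monthly_credits):
        self.credits = monthly_credits   # the monthly new-digest deep scan pool
        self.packets = {}                # digest -> evidence packet (re-scans are free lookups)
        self.entries = []                # decision chain; each entry commits to its predecessor

    def deep_scan(self, digest, sbom, reachable_findings, verdict):
        """First sight of a digest spends one credit; a known digest returns the stored packet."""
        if digest in self.packets:
            return self.packets[digest]
        if self.credits <= 0:
            raise RuntimeError("monthly new-digest scan pool exhausted")
        self.credits -= 1
        packet = {"digest": digest, "sbom_hash": canon_hash(sbom),
                  "reachability_hash": canon_hash(reachable_findings), "verdict": verdict}
        packet["packet_hash"] = canon_hash(packet)   # hash covers every field above
        self.packets[digest] = packet
        return packet

    def promote(self, digest, env, approvals):
        """Verified-release mode: bind the decision to the exact packet and approvals used."""
        if digest not in self.packets:
            raise KeyError("no evidence packet for %s; promotion refused" % digest)
        packet = self.packets[digest]
        entry = {"env": env, "digest": digest, "packet_hash": packet["packet_hash"],
                 "approvals": sorted(approvals),
                 "decision": "allow" if packet["verdict"] == "pass" else "block",
                 "prev": self.entries[-1]["entry_hash"] if self.entries else None}
        entry["entry_hash"] = canon_hash(entry)
        self.entries.append(entry)
        return entry

    def replay(self):
        """Recompute every hash; an edited packet, changed approval or reordered entry fails."""
        prev = None
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            pkt = self.packets.get(e["digest"])
            pkt_body = {k: v for k, v in pkt.items() if k != "packet_hash"} if pkt else None
            if (body["prev"] != prev or canon_hash(body) != e["entry_hash"]
                    or pkt is None or canon_hash(pkt_body) != e["packet_hash"]):
                return False
            prev = e["entry_hash"]
        return True
```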
---

## Choosing the right tier

| Your situation | Recommended tier | Why |
|---|---|---|
| Evaluating Stella with real workflows | **Free** | Full features; enough capacity to test verified releases in practice |
| Small team, low artifact churn | **Free** | 999 scans/month covers many small estates |
| Production team with growing CI/CD velocity | **Plus** | 9,999 scans/month supports broad evidence coverage without sampling |
| Multi-team / multi-region governance | **Pro** | 333 environments + 99,999 scans/month + ticket access |
| Platform org with formal audit posture | **Business** | Scale + email channel + high ticket allowance |

---

## Fair use (Business tier)

Fair use exists to prevent abuse, not to restrict normal operational usage. It may apply to:

- vulnerability feed mirroring bandwidth/frequency (if mirroring is enabled)
- automation patterns that intentionally generate duplicate work
- ticket volume beyond included entitlements

---

## Deployment and licensing

- On-premises deployment (you host Stella on your infrastructure)
- Offline-friendly licensing options (air-gapped supported)
- Updates included during subscription term
- You provide compute/storage for scanning and evidence retention

---

## Summary (the simple offer)

- One platform for non-Kubernetes container releases: orchestration + evidence-grade security gating.
- All features included at all tiers.
- Unlimited deployment targets.
- Predictable pricing based on environments and new digests per month.

Start on **Free**. Upgrade when your environment count or new-digest velocity demands more evidence capacity.