# StellaOps Moat Strategy Summary

**Date**: 2025-12-20
**Source**: Product Advisories (19-Dec-2025 Moat Series)
**Status**: DOCUMENTED

---

## Executive Summary

StellaOps competitive moats are built on **decision integrity** - deterministic, attestable, replayable security verdicts - not just scanner features.

## Moat Strength Rankings

| Moat Level | Feature | Defensibility |
|------------|---------|---------------|
| **5 (Structural)** | Signed, replayable risk verdicts | Highest - requires deterministic eval + proof schema + knowledge snapshots |
| **4 (Strong)** | VEX decisioning engine | Formal conflict resolution, provenance-aware trust weighting |
| **4 (Strong)** | Reachability with proofs | Portable proofs, artifact-level mapping, deterministic replay |
| **4 (Strong)** | Smart-Diff (semantic risk delta) | Graph-based diff over SBOM + reachability + VEX |
| **4 (Strong)** | Unknowns as first-class state | Uncertainty budgets in policies, scoring, attestations |
| **4 (Strong)** | Air-gapped epistemic mode | Sealed knowledge snapshots, offline reproducibility |
| **3 (Moderate)** | SBOM ledger + lineage | Table stakes; differentiate via semantic diff + evidence joins |
| **3 (Moderate)** | Policy engine with proofs | Common; moat is proof output + deterministic replay |
| **1-2 (Commodity)** | Integrations everywhere | Necessary but not defensible |

## Core Moat Thesis (One-Liners)

- **Deterministic signed verdicts:** "We don't output findings; we output an attestable decision that can be replayed."
- **VEX decisioning:** "We treat VEX as a logical claim system, not a suppression file."
- **Reachability proofs:** "We provide proof of exploitability in *this* artifact, not just a badge."
- **Smart-Diff:** "We explain what changed in exploitable surface area, not what changed in CVE count."
- **Unknowns modeling:** "We quantify uncertainty and gate on it."

## Implementation Status

| Feature | Sprint(s) | Status |
|---------|-----------|--------|
| Signed verdicts | 3500.0002.* | ✅ DONE |
| VEX decisioning | Existing lattice engine | ✅ DONE |
| Reachability proofs | 3500.0003.*, 3600.* | ✅ DONE |
| Smart-Diff | 3500.0001.* (archived) | ✅ DONE |
| Unknowns | 3500.0002.0002 | ✅ DONE |
| Air-gapped mode | 3500.0004.0001 (offline bundles) | ✅ DONE |
| Reachability Drift | Proposed | 🎯 NEXT |

## Competitor Positioning

### Avoid Head-On Fights With:

- **Snyk**: Developer adoption + reachability prioritization
- **Prisma Cloud**: CNAPP breadth + graph-based investigation
- **Anchore**: SBOM operations maturity
- **Aqua/Trivy**: Runtime protection + VEX Hub network

### Win With:

- **Decision integrity** (deterministic, attestable, replayable)
- **Proof portability** (offline audits, evidence bundles)
- **Semantic change control** (risk deltas, not CVE counts)

---

## Source Documents

See `docs/product-advisories/unprocessed/moats/` for full advisory content:

- 19-Dec-2025 - Moat #1 through #7
- 19-Dec-2025 - Stella Ops candidate features mapped to moat strength
- 19-Dec-2025 - Benchmarking Container Scanners Against Stella Ops

---

**Last Updated**: 2025-12-20