# Moat Gap Analysis: StellaOps Competitive Position > **Source Advisory**: 19-Dec-2025 - Stella Ops candidate features mapped to moat strength > **Analysis Date**: 2025-12-22 > **Status**: Sprints created, implementation pending --- ## Executive Summary This document captures the gap analysis between the competitive moat advisory and StellaOps' current implementation, along with the sprint plan to address identified gaps. ### Moat Scale Reference | Rating | Definition | |--------|------------| | **5** | Structural moat — new primitives, strong defensibility, durable switching cost | | **4** | Strong moat — difficult multi-domain engineering; incumbents have partial analogs | | **3** | Moderate moat — others can build; differentiation is execution + packaging | | **2** | Weak moat — table-stakes soon; limited defensibility | | **1** | Commodity — widely available in OSS / easy to replicate | --- ## Feature Implementation Matrix | Feature | Moat | Current % | Key Gaps | Sprint Coverage | |---------|------|-----------|----------|-----------------| | Signed, replayable risk verdicts | 5 | 85% | OCI push polish | 4300_0001_* | | VEX decisioning engine | 4 | 90% | Evidence hooks polish | Minimal | | Reachability with proof | 4 | 85% | Standalone artifact polish | 4400_0001_0002 | | Smart-Diff semantic delta | 4 | 85% | Signed delta verdict | 4400_0001_0001 | | Unknowns as first-class state | 4 | 80% | Policy budgets, attestations | 4300_0002_* | | Air-gapped epistemic mode | 4 | 80% | Sealed snapshot workflow | 4300_0003_0001 | | SBOM ledger + lineage | 3 | 70% | Historical tracking, BYOS | 4600_0001_* | | Policy engine with proofs | 3 | 90% | Compilation to artifact | Minimal | | VEX distribution network | 3-4 | 50% | Hub layer refinement | 4500_0001_* | | Symbolized call-stack proofs | 4 | 95% | Rust/Ruby/PHP language support | Sprint 0401+, 20260220_001-002 (marketplace) | | Deterministic signed scoring | 5 | 85% | SLO formalization | Existing | | Rekor size-aware pointer strategy | 4 | 90% | Documentation polish | Existing | | Signed execution evidence | 3-4 | 40% | Trace-to-DSSE pipeline, policy gate | 20260219_013 | | Runtime beacon attestations | 3 | 20% | Beacon fact type, attestation pipeline | 20260219_014 | | Privacy-preserving federated telemetry | 5 | 0% | Full stack: privacy primitives, sync, API, UI | 20260220_005-009 | | Remediation marketplace (signed-PR fixes) | 4 | 0% | Full stack: registry, webhook, verification, UI | 20260220_010-015 | --- ## Detailed Gap Analysis ### 1. Signed, Replayable Risk Verdicts (Moat 5) **What exists:** - `VerdictReceiptStatement` with in-toto predicate - `ProofSpine` and `ProofChainBuilder` infrastructure - `TrustLatticeEngine.Evaluate()` producing `ProofBundle` - `ReplayManifest` and `ReplayVerifier` - Input hashing (sbomDigest, feedsDigest, policyDigest) **Gaps:** | Gap | Sprint | |-----|--------| | Verdict as OCI-attached attestation | 4300_0001_0001 | | One-command audit replay CLI | 4300_0001_0002 | | Formal replay determinism tests | 4300_0001_0002 | **Moat Thesis**: "We don't output findings; we output an attestable decision that can be replayed." --- ### 2. VEX Decisioning Engine (Moat 4) **What exists:** - `VexConsensusEngine` with 5 modes - `TrustLatticeEngine` with K4 lattice atoms - `TrustWeightEngine` for issuer weighting - VEX normalizers for CycloneDX, OpenVEX, CSAF - `VexLens` module with consensus rationale **Gaps:** | Gap | Sprint | |-----|--------| | Configurable evidence hooks | Minor enhancement | **Moat Thesis**: "We treat VEX as a logical claim system, not a suppression file." --- ### 3. Reachability with Proof (Moat 4) **What exists:** - `ReachabilityWitnessStatement` attestation type - `PathWitnessBuilder` for call-path proofs - `CallPath` models with entrypoint → symbol chain - `ReachabilityLattice` for state management - `CompositeGateDetector` for boundary extraction **Gaps:** | Gap | Sprint | |-----|--------| | Standalone reachability subgraph as OCI artifact | 4400_0001_0002 | | Binary-level reachability proof | 6000_* (existing) | **Moat Thesis**: "We provide proof of exploitability in *this* artifact, not just a badge." --- ### 4. Smart-Diff Semantic Risk Delta (Moat 4) **What exists:** - `MaterialRiskChangeDetector` with R1-R4 rules - `RiskStateSnapshot` capturing full finding state - Detection of all flip types - Priority scoring algorithm - SARIF output generation **Gaps:** | Gap | Sprint | |-----|--------| | Signed delta verdict attestation | 4400_0001_0001 | | Diff over reachability graphs | Future | **Moat Thesis**: "We explain what changed in exploitable surface area, not what changed in CVE count." --- ### 5. Unknowns as First-Class State (Moat 4) **What exists:** - `UncertaintyTier` (T1-T4) with entropy classification - `UnknownStateLedger` tracking marker kinds - Risk modifiers from uncertainty - `BlocksNotAffected()` gate on T1 tier **Gaps:** | Gap | Sprint | |-----|--------| | Policy rule: "fail if unknowns > N" | 4300_0002_0001 | | Unknown budgets with decay | 4100_0001_0002 (existing) | | Unknowns in attestations | 4300_0002_0002 | **Moat Thesis**: "We quantify uncertainty and gate on it." --- ### 6. Air-Gapped Epistemic Mode (Moat 4) **What exists:** - `AirGap.Controller` with state management - `ReplayVerifier` with depth levels - `TrustStore` and `TufMetadataValidator` - `EgressPolicy` enforcement - `TimeAnchor` for offline time validation **Gaps:** | Gap | Sprint | |-----|--------| | Sealed knowledge snapshot export CLI | 4300_0003_0001 | | One-command import + replay validation | 4300_0003_0001 | | Feed snapshot versioning with merkle roots | 4300_0003_0001 | **Moat Thesis**: Air-gapped "runtime" is common; air-gapped **reproducibility** is not. --- ### 7. SBOM Ledger + Lineage (Moat 3) **What exists:** - `SbomService` with versioning events - `CatalogRecord` for storage - `Graph` module for dependency indexing - `SbomVersionEvents` **Gaps:** | Gap | Sprint | |-----|--------| | Historical SBOM tracking with diff lineage | 4600_0001_0001 | | BYOS ingestion workflow with validation | 4600_0001_0002 | | SBOM grouping by artifact family | 4600_0001_0001 | **Moat Strategy**: Make the ledger valuable via **semantic diff, evidence joins, and provenance**. --- ### 8. Policy Engine with Proofs (Moat 3) **What exists:** - `PolicyEvaluation` with `PolicyExplanation` - OPA/Rego integration - `ProofBundle` generation from TrustLattice - Evidence pointers in verdict statements **Gaps:** | Gap | Sprint | |-----|--------| | Policy compilation to standalone decision artifact | Minor enhancement | **Moat Strategy**: Keep policy language small but rigorous; always emit evidence pointers. --- ### 9. VEX Distribution Network (Moat 3-4) **What exists:** - Excititor ingests from 7+ VEX sources - `VexConnectorMetadata` for source tracking **Gaps:** | Gap | Sprint | |-----|--------| | VEX Hub aggregation layer | 4500_0001_0001 | | Trust scoring of VEX sources | 4500_0001_0002 | | VEX verification + validation pipeline | 4500_0001_0001 | | API for VEX discovery/subscription | 4500_0001_0001 | **Moat Strategy**: Differentiate with **verification + trust scoring** of VEX sources. --- ### 10. Signed Execution Evidence (Moat 3-4) > *Added 2026-02-19 from advisory review (rescoped from external "sandbox traces" proposal).* **What exists:** - `RuntimeTracesEndpoints` — runtime trace ingestion in Findings module - `RuntimeSignalIngester` — containment/blast-radius signal ingestion in Unknowns - `SignalSnapshotBuilder` — signal snapshot composition for replay/audit - Signals `POST /signals/runtime-facts` — runtime fact ingestion (eBPF/ETW) - `InMemoryRuntimeInstrumentationServices` — address canonicalization, hot-symbol aggregation **Gaps:** | Gap | Sprint | |-----|--------| | `executionEvidence@v1` predicate type | 20260219_013 (SEE-01) | | Trace-to-DSSE pipeline (canonicalize → aggregate → sign) | 20260219_013 (SEE-02) | | Policy gate: require execution evidence before promotion | 20260219_013 (SEE-03) | | Execution evidence in audit packs | 20260219_013 (SEE-04) | **Moat Thesis**: "We don't just claim it ran — we provide signed, replayable proof of execution with deterministic trace summarization." **Moat Strategy**: Elevates from Level 3 (runtime instrumentation exists elsewhere) to Level 4 when combined with existing proof chain (signed execution evidence + verdict + reachability = attestable decision lifecycle). --- ### 11. Runtime Beacon Attestations (Moat 3) > *Added 2026-02-19 from advisory review (rescoped from external "canary beacons" proposal).* **What exists:** - Signals runtime-facts ingestion pipeline - Zastava module (planned runtime protection/admission controller) - Doctor module runtime host capabilities (eBPF, ETW, dyld agents) **Gaps:** | Gap | Sprint | |-----|--------| | `beacon` fact type in Signals | 20260219_014 (BEA-01) | | `beaconAttestation@v1` predicate type | 20260219_014 (BEA-01) | | Beacon ingestion + batched attestation pipeline | 20260219_014 (BEA-02) | | Beacon verification rate as policy input | 20260219_014 (BEA-03) | | Beacon attestations in audit packs | 20260219_014 (BEA-04) | **Moat Thesis**: "Low-volume signed proof that this artifact actually ran in this environment — verifiable offline, no image modification required." **Moat Strategy**: Level 3 standalone; combined with execution evidence and proof chain, contributes to the "attestable decision lifecycle" story for compliance-oriented customers. --- ### 12. Privacy-Preserving Federated Runtime Telemetry (New L5 — Structural) > *Added 2026-02-19 from moat-gap advisory.* **What exists:** - Signals runtime-facts ingestion pipeline (eBPF/ETW/dyld) - FederationHub / CrossRegionSync for bundle transport - DsseEnvelope signing infrastructure - AirGap egress policy enforcement **Implementation (Sprints 20260220_005-009):** | Component | Sprint | |-----------|--------| | Privacy primitives (k-anonymity, DP, epsilon budget) | 20260220_005 (FPT-01 → FPT-07) | | Federation sync + intelligence merger | 20260220_006 (FTS-01 → FTS-06) | | API endpoints + CLI + Doctor plugin | 20260220_007 (FAC-01 → FAC-05) | | UI (5 pages under Platform Ops) | 20260220_008 (FUI-01 → FUI-07) | | Documentation + contracts | 20260220_009 (FDC-01 → FDC-05) | **Moat Thesis**: "We share exploit intelligence across sites without sharing raw code — privacy-preserving, consent-proven, offline-compatible." **Moat Strategy**: No competitor has DP + k-anonymity over federated runtime signals with DSSE consent. Network-effect moat: each new participant enriches the shared corpus. Combined with existing proof chain, creates attestable federated intelligence lifecycle. --- ### 13. Developer-Facing Signed-PR Remediation Marketplace (New L4 — Strong) > *Added 2026-02-19 from moat-gap advisory.* **What exists:** - FixChainAttestationService (DSSE-signed fix chain proofs) - SCM webhook pipeline in Signals - ReachGraph for reachability delta computation - Integration Hub plugin framework **Implementation (Sprints 20260220_010-015):** | Component | Sprint | |-----------|--------| | Registry + persistence + domain models | 20260220_010 (REM-01 → REM-07) | | Signals webhook handler | 20260220_011 (REM-08 → REM-12) | | Verification pipeline (scan → delta → attest) | 20260220_012 (REM-13 → REM-17) | | Matching + marketplace sources + policy | 20260220_013 (REM-18 → REM-22) | | UI (3 pages + contextual badge) | 20260220_014 (REM-23 → REM-27) | | Offline bundles + CLI + docs | 20260220_015 (REM-28 → REM-32) | **Moat Thesis**: "Every remediation PR is verified against reachability proof deltas and cryptographically attested — not just a patch, but proof the fix actually reduces exploitable surface." **Moat Strategy**: No competitor has PR-level fix attestations verified against reachability proof deltas. Six-module integration depth (Attestor + ReachGraph + Signals + Scanner + Policy + EvidenceLocker) creates deep switching cost. --- ## Sprint Roadmap ### Phase 1: Moat 5 Anchor (P0) ``` 4300_0001_0001 → 4300_0001_0002 │ └── Verdict becomes portable, replayable ``` ### Phase 2: Moat 4 Hardening (P1) ``` 4300_0002_0001 → 4300_0002_0002 │ └── Unknowns become actionable 4300_0003_0001 │ └── Air-gap becomes reproducible 4500_0001_0001 → 4500_0001_0002 │ └── VEX becomes distributable ``` ### Phase 3: Moat 4 Extensions (P2) ``` 4400_0001_0001 (Delta Verdict) 4400_0001_0002 (Reachability Artifact) ``` ### Phase 4: Moat 3 Foundation (P2) ``` 4600_0001_0001 → 4600_0001_0002 │ └── SBOM becomes historical ``` ### Phase 5: Runtime Evidence (P2-P3) ``` 20260219_013 (SEE-01 → SEE-04) │ └── Execution becomes attestable 20260219_014 (BEA-01 → BEA-04) │ └── Presence becomes provable ``` ### Phase 6: Moat Expansion — Three New Capabilities (P1) ``` 20260220_001 → 20260220_002 → 20260220_003 │ └── Symbol Marketplace (L4 @ 95%) 20260220_005 → 20260220_006 → 20260220_007 → 20260220_008 │ └── Federated Telemetry (New L5) 20260220_010 → 20260220_011 → 20260220_012 → 20260220_013 → 20260220_014 │ └── Remediation Marketplace (New L4) ``` --- ## Competitive Positioning Summary ### Where StellaOps Is Strong 1. **VEX decisioning** — Multi-mode consensus engine is ahead of all competitors (including Docker Scout, JFrog) 2. **Smart-Diff** — R1-R4 rules with priority scoring is unique 3. **Policy engine** — OPA/Rego with proof output is mature 4. **Attestor** — in-toto/DSSE infrastructure is complete 5. **Symbolized call-stack proofs** — No competitor (Docker Scout, Trivy, JFrog) delivers function-level symbol evidence with demangled names and build-ID binding 6. **Deterministic signed scoring** — JFrog centralizes evidence but can't replay; Stella produces seeded, verifiable scoring envelopes 7. **Rekor size-aware strategy** — Hash pointer in Rekor + full payload in Evidence Locker solves real ~100KB upload constraints 8. **Federated telemetry** — Privacy-preserving cross-site exploit intelligence with DP + k-anonymity + DSSE consent proofs 9. **Remediation marketplace** — Signed-PR fix attestations verified against reachability proof deltas with contributor trust scoring ### Where StellaOps Must Improve 1. **Verdict portability** — OCI push makes verdicts first-class artifacts 2. **Audit replay** — One-command replay is essential for compliance 3. **VEX distribution** — Hub layer creates network effects 4. **Unknown governance** — Policy budgets make uncertainty actionable ### Avoid Head-On Fights - **Snyk**: Don't compete on developer UX; compete on proof-carrying reachability - **Prisma**: Don't compete on CNAPP breadth; compete on decision integrity - **Anchore**: Don't compete on SBOM storage; compete on semantic diff + VEX reasoning - **Docker Scout**: Don't compete on registry-native DHI integration; compete on call-stack symbolization, replay, and lattice VEX - **JFrog**: Don't compete on artifact management breadth; compete on deterministic scoring, replayable verdicts, and function-level proofs --- ## References - **Sprints**: `docs/implplan/SPRINT_4300_*.md`, `SPRINT_4400_*.md`, `SPRINT_4500_*.md`, `SPRINT_4600_*.md` - **Original Advisory**: `docs/product/advisories/archived/19-Dec-2025 - Stella Ops candidate features mapped to moat strength.md` - **Architecture**: `docs/ARCHITECTURE_OVERVIEW.md`