10 KiB
10 KiB
Stella Ops Suite — Pricing & Offer Guide (On‑Prem)
Evidence-grade release orchestration for containerized applications outside Kubernetes.
What Stella Ops Suite is
Stella Ops Suite is a centralized, auditable release control plane for non-Kubernetes container estates. It:
- orchestrates environment promotions (Dev -> Stage -> Prod),
- gates releases using reachability-aware security and policy,
- and produces verifiable evidence for every decision (exportable and replayable).
You can run Stella in two modes:
- Verified releases (recommended): promotions require Stella evidence for each new digest.
- Unverified releases (CD-only): orchestration runs without evidence gates (still logged, but not certifiable).
The problem we solve
Teams deploying containers without Kubernetes often cobble together a fragmented toolchain:
| Function | Typical tools | Typical gap |
|---|---|---|
| Vulnerability scanning | Trivy, Grype, Snyk | Scanner output isn't automatically tied to approvals, promotions, and audit export |
| SBOM generation | Syft, manual export | SBOM exists, but not linked to release decisions |
| Deployment | Docker Compose, shell scripts, Ansible | No deterministic release ledger; approvals are informal; rollback is ad-hoc |
| Approvals | Slack, email, Jira | Not cryptographically bound to the exact artifact(s) deployed |
| Audit trail | Spreadsheets, Confluence | Not replayable; evidence is not end-to-end; "why approved?" is hard to prove |
Result:
- Release decisions are not traceable to the evidence they were based on.
- Audits and incident reviews require manual reconstruction and often produce evidence gaps.
- Operational confidence depends on tribal knowledge.
What "evidence-grade" means
An evidence-grade release is one where:
- Each new artifact digest can be deeply analyzed to produce SBOM + reachability evidence.
- Promotion decisions are recorded with the exact evidence they were based on.
- Approvals are linked to specific artifact digests and policy outcomes.
- The decision chain is hashable, exportable, and replayable.
- Operators can ask "why was this blocked?" and get a deterministic explanation trace.
This is Stella's core value: end-to-end release certification, not just scanning or CD automation.
What Stella delivers (one platform, one evidence chain)
| Capability | What Stella does | Why it matters |
|---|---|---|
| Reachability-aware security decisioning | Deep scans produce evidence that can reduce "raw CVE noise" by focusing on what's relevant to your app's execution paths | Engineers spend less time on false urgency; policy gates are more credible |
| Evidence packets | Hashable, immutable bundles linking SBOM + reachability + policy verdict + approvals | Auditors and incident responders can verify "what was known" at decision time |
| Release orchestration (non-K8s) | Environments, promotions, approvals, rollbacks, step graphs, per-step logs | Replaces informal approvals and script sprawl with a governed control plane |
| Policy engine + explainability | Declarative gates with deterministic evaluation and "why blocked?" traces | Governance becomes inspectable, repeatable, and defensible |
| Deployment execution | Docker Compose + scripted deployments; immutable generated artifacts; version stickers; controlled restarts/reloads | "What was deployed where" becomes precise and reconstructible |
| Audit export | Compliance-ready export of decision evidence | Reduces audit time and evidence gaps |
Competitive anchors (public list pricing signals)
These are not full TCO models; they are public, vendor-published pricing anchors that shape buyer expectations.
- Snyk Team: starts at $25/month per contributing developer, minimum of 5 contributing developers, and products are purchased separately. citeturn1view0
- Snyk Free includes Snyk Container tests/month = 100 (container testing limit on Free). citeturn1view0turn0search3
- Octopus Deploy: annual billing only for Octopus Cloud and Octopus Server. citeturn1view1
- Octopus Free includes 10 projects, 10 tenants, and 10 machines. citeturn1view2
- Octopus Professional is listed from $4,170 USD/year. citeturn1view2
A simple comparison that buyers can sanity-check
A common "two-tool" baseline for non-K8s governance is:
- a CD/orchestration tool (e.g., Octopus) plus
- a paid scanner for teams (e.g., Snyk Team)
Using public minimums:
- Octopus Professional starts at $4,170/year (~$347.50/month annualized). citeturn1view2
- Snyk Team minimum purchase (5 contributing devs) starts at 5 x $25 = $125/month, per product. citeturn1view0
That baseline is ~$472.50/month before add-ons, scaling effects, or additional products.
Stella Plus is $399/month and includes the integrated evidence-grade orchestration + security gate in one platform.
Pricing model (simple, predictable)
All features are included at every tier. No capability is gated behind higher tiers.
You pay for:
- Environments (policy/config boundaries: dev/stage/prod, regions, compliance zones, tenant boundaries)
- New digest deep scan credits per month (evidence-grade analysis of previously unseen OCI digests)
Deployment targets are unlimited (no per-target / per-machine licensing).
Monthly scan credits (how to interpret them)
- Credits are counted per month and reset monthly.
- You may burst within the month; a soft protective rate limit may exist to prevent abuse, but licensing is based on the monthly pool.
- Re-deploying or promoting an already-scanned digest does not consume credits.
- Re-evaluation on vulnerability intel updates does not consume credits.
Tier overview (Suite: Orchestrator + Scanner)
Annual billing: pay for 11 months, get 12 (1 month free).
| Tier | Monthly | Annual (11x) | Environments | New digest deep scans / month | Support |
|---|---|---|---|---|---|
| Free | $0 | $0 | 3 | 999 | Community forum + Doctor |
| Plus | $399 | $4,389 | 33 | 9,999 | Community forum + Doctor |
| Pro | $999 | $10,989 | 333 | 99,999 | Community + Doctor + $99/ticket (pay-per-incident) |
| Business | $2,999 | $32,989 | 3,333 | 999,999 | Community + Doctor + 5 tickets/month included + $99/additional |
Add-ons (self-serve)
| Add-on | Price | Intended use |
|---|---|---|
| +10,000 new digest deep scans | $499 | Temporary capacity for release sprints, migrations, or one-off spikes |
What every tier includes (no feature gating)
Release orchestration (non-K8s)
- Environment management with promotion rules
- Approval workflows (manual, automated, policy-gated)
- Rollback orchestration with evidence preservation
- Step graphs (sequential and parallel execution)
- Real-time deployment UI with per-step logs
- Deployment inventory ("what is deployed where")
Deployment execution
- Docker Compose deployments
- Scripted deployments (.NET 10 scripting)
- Immutable generated deployment artifacts
- Version stickers for traceability
- Controlled restarts and config reloads
Security and evidence
- Scan on build, gate on release, continuous re-evaluation
- Reachability and hybrid reachability analysis
- Evidence packets (hashable, immutable, replayable)
- Deterministic decision records
- Exportable audit trail
- "Why blocked?" explainability traces
Extensibility and operability
- Plugin model for SCM, CI, registry, vault, and agent providers
- Workflow engine supports plugin-specific steps
- Doctor tooling for self-service diagnostics (connectivity, agent health, config validation)
Definitions
Environment
A policy and configuration boundary with its own:
- Security policy profile
- Target/agent selection
- Secrets and config bindings
- Promotion rules and approval requirements
Examples: dev/staging/prod, regional deployments, compliance zones, customer isolation boundaries.
Deployment target
An endpoint that receives deployments (Docker host, VM, scripted target via SSH/WinRM provider).
Targets are unlimited at all tiers.
New digest deep scan
A deep scan occurs the first time Stella analyzes a unique OCI digest, producing:
- SBOM
- reachability and hybrid reachability evidence
- vulnerability findings with an evidence-backed verdict
- an evidence packet usable for gating and audit
Does not consume scan credits:
- re-deploying/promoting an already-scanned digest
- re-evaluation on CVE/vuln intel updates
- querying existing evidence packets
Support ticket
A bounded support request handled by maintainers. For effective resolution, include:
- clear problem statement
- reproduction steps
- Doctor bundle output (when applicable)
Tickets are bounded so Stella can remain self-serve by default.
Choosing the right tier
| Your situation | Recommended tier | Why |
|---|---|---|
| Evaluating Stella with real workflows | Free | Full features; enough capacity to test verified releases in practice |
| Small team, low artifact churn | Free | 999 scans/month covers many small estates |
| Production team with growing CI/CD velocity | Plus | 9,999 scans/month supports broad evidence coverage without sampling |
| Multi-team / multi-region governance | Pro | 333 environments + 99,999 scans/month + ticket access |
| Platform org with formal audit posture | Business | Scale + email channel + high ticket allowance |
Fair use (Business tier)
Fair use exists to prevent abuse, not normal operational usage. It may apply to:
- vulnerability feed mirroring bandwidth/frequency (if mirroring is enabled)
- automation patterns that intentionally generate duplicate work
- ticket volume beyond included entitlements
Deployment and licensing
- On-premises deployment (you host Stella on your infrastructure)
- Offline-friendly licensing options (air-gapped supported)
- Updates included during subscription term
- You provide compute/storage for scanning and evidence retention
Summary (the simple offer)
- One platform for non-Kubernetes container releases: orchestration + evidence-grade security gating.
- All features included at all tiers.
- Unlimited deployment targets.
- Predictable pricing based on environments and new digests per month.
Start on Free. Upgrade when your environment count or new-digest velocity demands more evidence capacity.