8.9 KiB
8.9 KiB
StellaOps Moat Strategy Summary
Date: 2026-01-03 Source: Product Advisories (19-Dec-2025 Moat Series), Competitive Analysis (Jan 2026) Status: DOCUMENTED
Executive Summary
Core Thesis: Stella Ops isn't a scanner that outputs findings. It's a platform that outputs attestable decisions that can be replayed.
StellaOps competitive moats are built on decision integrity—deterministic, attestable, replayable security verdicts—not just scanner features. This is a category difference, not a feature gap.
The Category Shift
| Traditional Scanners | Stella Ops |
|---|---|
| Output findings | Output decisions |
| VEX as suppression | VEX as logical claims |
| Reachability as badge | Reachability as proof |
| CVE counts | Semantic risk deltas |
| Hide unknowns | Surface and score unknowns |
| Online-first | Offline-first with parity |
Moat Strength Rankings
Understanding the Scale
| Level | Definition | Defensibility |
|---|---|---|
| 5 | Structural moat | New primitives, strong defensibility, durable switching cost. Requires fundamental rearchitecture to replicate. |
| 4 | Strong moat | Difficult multi-domain engineering. Incumbents have partial analogs but retrofitting is expensive. |
| 3 | Moderate moat | Others can build. Differentiation is execution + packaging. |
| 2 | Weak moat | Table-stakes soon. Limited defensibility. |
| 1 | Commodity | Widely available in OSS or easy to replicate. |
Ranked Capabilities
| Level | Capability | Why It's Defensible | Module(s) | Status |
|---|---|---|---|---|
| 5 | Signed, replayable risk verdicts | Requires deterministic eval + proof schema + knowledge snapshots + frozen feeds. No competitor has this architecture. | Attestor, ReplayVerifier, Scanner |
Implemented |
| 4 | VEX decisioning (K4 lattice) | Formal conflict resolution using Belnap logic. Requires rethinking VEX from suppression to claims. | VexLens, TrustLatticeEngine, Excititor |
Implemented |
| 4 | Reachability with proofs | Three-layer (static + binary + runtime) with DSSE-signed call paths. Not "potentially reachable" but "here's the proof." | ReachGraph, Scanner.VulnSurfaces, PathWitnessBuilder |
Implemented |
| 4 | Smart-Diff (semantic risk delta) | Graph-based diff over reachability + VEX. Outputs meaning ("exploitability dropped 41%"), not numbers ("+3 CVEs"). | MaterialRiskChangeDetector, Scanner.ReachabilityDrift |
Implemented |
| 4 | Unknowns as first-class state | Uncertainty budgets, bands (HOT/WARM/COLD), decay algorithms, policy gates. | Policy, Signals, UnknownStateLedger |
Implemented |
| 4 | Air-gapped epistemic mode | Sealed knowledge snapshots, offline reproducibility, regional crypto (GOST/SM/eIDAS). | AirGap.Controller, CryptoProfile, RootPack |
Implemented |
| 3 | SBOM ledger + lineage | Table stakes; differentiated via semantic diff + evidence joins + deterministic generation. | SbomService, BinaryIndex |
Implemented |
| 3 | Policy engine with proofs | Common; moat is proof output + deterministic replay + K4 integration. | Policy, TrustLatticeEngine |
Implemented |
| 1-2 | Integrations | Necessary but not defensible. Anyone can build CI/CD plugins. | Various | Ongoing |
Core Moat Thesis (One-Liners)
Use these in sales conversations, marketing materials, and internal alignment.
| Capability | One-Liner | What It Actually Means |
|---|---|---|
| Deterministic verdicts | "We don't output findings; we output attestable decisions that can be replayed." | Given identical inputs, Stella produces identical outputs. stella replay srm.yaml reproduces any past scan bit-for-bit. |
| VEX decisioning | "We treat VEX as a logical claim system, not a suppression file." | K4 lattice (Unknown/True/False/Conflict) aggregates multiple VEX sources. Conflicts are explicit state, not hidden. |
| Reachability proofs | "We provide proof of exploitability in this artifact, not just a badge." | Three-layer reachability with DSSE-signed call paths. Not "potentially reachable" but "here's the exact path from entrypoint to vuln." |
| Smart-Diff | "We explain what changed in exploitable surface area, not what changed in CVE count." | Output: "Exploitability dropped 41% despite +2 CVEs." Semantic meaning, not raw numbers. |
| Unknowns modeling | "We quantify uncertainty and gate on it." | Unknowns have bands (HOT/WARM/COLD), decay algorithms, and policy budgets. Uncertainty is risk—we surface and score it. |
Implementation Status
Core Moats (All Implemented)
| Capability | Key Modules | Evidence |
|---|---|---|
| Signed verdicts | Attestor, Signer, ReplayVerifier |
DSSE envelopes, SRM manifests, bit-for-bit replay |
| VEX decisioning (K4) | VexLens, TrustLatticeEngine |
110+ tests passing; CycloneDX/OpenVEX/CSAF normalizers |
| Reachability proofs | ReachGraph, PathWitnessBuilder |
DSSE-signed graphs; edge-bundle attestations |
| Smart-Diff | MaterialRiskChangeDetector, RiskStateSnapshot |
R1-R4 rules; priority scoring; SARIF output |
| Unknowns modeling | UnknownStateLedger, Policy |
Bands (HOT/WARM/COLD); decay algorithms |
| Air-gapped mode | AirGap.Controller, RootPack |
Sealed snapshots; regional crypto |
| Binary backport | Feedser, BinaryIndex, SourceIntel |
Tier 1-3 complete; Tier 4 (binary fingerprinting) in progress |
Moat Enhancement Roadmap
| Enhancement | Priority | Sprint Coverage |
|---|---|---|
| OCI-attached verdict attestations | P0 | 4300_0001_0001 |
| One-command audit replay CLI | P0 | 4300_0001_0002 |
| VEX Hub aggregation layer | P1 | 4500_0001_* |
| Trust scoring of VEX sources | P1 | 4500_0001_0002 |
| Tier 4 binary fingerprinting | P1 | 7204-7206 |
| SBOM historical lineage | P2 | 4600_0001_* |
Competitor Positioning
Where to Compete (and How)
| Competitor | Their Strength | Don't Compete On | Win With |
|---|---|---|---|
| Snyk | Developer UX, fix PRs, onboarding | Adoption velocity | Proof-carrying reachability, offline capability, attestation chain |
| Prisma Cloud | CNAPP breadth, graph investigation | Platform completeness | Decision integrity, deterministic replay, semantic diff |
| Anchore | SBOM operations maturity | SBOM storage | Lattice VEX, signed reachability, proof chains |
| Aqua/Trivy | Runtime protection, broad coverage | Ecosystem breadth | Forensic reproducibility, K4 logic, regional crypto |
Our Winning Positions
| Position | What It Means | Proof Point |
|---|---|---|
| Decision integrity | Every verdict is deterministic, attestable, and replayable | stella replay srm.yaml --assert-digest <sha> |
| Proof portability | Evidence bundles work offline and survive audits | Decision Capsules with sealed SBOM/VEX/reachability/policy |
| Semantic change control | Risk deltas show meaning, not numbers | "Exploitability dropped 41% despite +2 CVEs" |
| Sovereign deployment | Self-hosted, regional crypto, air-gap parity | GOST/SM/eIDAS profiles; RootPack bundles |
Where We're Ahead
- VEX decisioning — K4 lattice with conflict detection; no competitor has this
- Smart-Diff — Semantic risk deltas with priority scoring; unique
- Signed reachability — DSSE graphs + edge bundles; unique
- Deterministic replay — Bit-for-bit reproducibility; unique
- Regional crypto — FIPS/eIDAS/GOST/SM/PQC; unique
Where Competitors Lead (For Now)
| Area | Competitor Lead | Our Response |
|---|---|---|
| Mass-market UX polish | Snyk | Focus on power users who need proofs |
| SaaS onboarding friction | Snyk, Prisma | Offer both SaaS and self-hosted |
| Marketplace integrations | All major players | Prioritize based on customer demand |
| Ecosystem breadth | Trivy | Focus on depth over breadth |
Quick Reference
Key Documents
- Competitive Landscape:
docs/product/competitive-landscape.md - Claims Index:
docs/product/claims-citation-index.md - Proof Architecture:
docs/modules/platform/proof-driven-moats-architecture.md - Key Features:
docs/key-features.md - Moat Gap Analysis:
docs/modules/platform/moat-gap-analysis.md
Key Commands (Demo-Ready)
# Determinism proof
stella scan --image <img> --srm-out a.yaml
stella scan --image <img> --srm-out b.yaml
diff a.yaml b.yaml # Identical
# Replay proof
stella replay srm.yaml --assert-digest <sha>
# Reachability proof
stella graph show --cve CVE-XXXX-YYYY --artifact <digest>
# VEX evaluation
stella vex evaluate --artifact <digest>
# Offline scan
stella rootpack import bundle.tar.gz
stella scan --offline --image <digest>
Last Updated: 2026-01-03