git.stella-ops.org/docs/market/competitive-landscape.md (master 2de8d1784b, committed 2025-11-23 23:38:25 +02:00)

Competitive Landscape (Nov 2025)

Source: internal advisory “23-Nov-2025 - Stella Ops vs Competitors”. Supersedes/extends prior competitive notes (none published); treat this as canonical until a newer dated advisory arrives. This summary distils the 15-vendor comparison into actionable positioning notes and links back to the full matrix for sales/PMM.

StellaOps moats (why we win)

  • Deterministic replay: feed+rules snapshotting; graph/SBOM/VEX re-run bit-for-bit with manifest hashes.
  • Hybrid reachability attestations: graph-level DSSE always; optional edge-bundle DSSE for runtime/init/contested edges; Rekor-backed with publish caps.
  • Lattice-based VEX engine: merges advisories, runtime hits, reachability, waivers with explainable paths.
  • Crypto sovereignty: FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors as first-class knobs.
  • Proof graph: DSSE + transparency across SBOM, call-graph, VEX, replay manifests.

Top takeaways (sales-ready)

  1. No competitor offers deterministic replay with frozen feeds; we do.
  2. None sign reachability graphs; we sign graphs and (optionally) edges.
  3. Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to StellaOps.
  4. Lattice VEX + explainable paths is unmatched; others ship boolean VEX or none at all.
  5. Offline/air-gap readiness with mirrored transparency is rare; we ship it by default.

Where others fall short (high level)

  • No deterministic replay: none of the 15 provide hash-stable, replayable scans with frozen feeds.
  • No lattice/VEX merge: VEX is absent or bolt-on; no trust algebra elsewhere.
  • Attestation gaps: most rely on Cosign-only or have no DSSE/Rekor story; none sign reachability graphs.
  • Offline/sovereign: weak or SaaS-only; no regional crypto options.

Snapshot table (condensed)

| Vendor | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor | Offline | Primary gaps vs Stella |
|---|---|---|---|---|---|---|
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice |
| Syft/Grype | Yes | Yes | Cosign-only | Indirect | Medium | No replay, no lattice |
| Snyk | Yes | Limited | No | No | Weak | No attest/VEX/replay |
| Prisma | Yes | Limited | No | No | Strong | No attest/replay |
| AWS (Inspector/Signer) | Partial | Partial | Notary v2 | No | Weak | Closed, no replay |
| Google | Yes | Yes | Yes | Optional | Weak | No offline/lattice |
| GitHub | Yes | Partial | Yes | Yes | No | No replay/crypto opts |
| GitLab | Yes | Limited | Partial | No | Medium | No replay/lattice |
| Microsoft Defender | Partial | Partial | No | No | Weak | No attest/reachability |
| Anchore Enterprise | Yes | Yes | Some | No | Good | No sovereign crypto |
| JFrog Xray | Yes | Yes | No | No | Medium | No attest/lattice |
| Tenable | Partial | Limited | No | No | Weak | Not SBOM/VEX-focused |
| Qualys | Limited | Limited | No | No | Medium | No attest/lattice |
| Rezilion | Yes | Yes | No | No | Medium | Runtime-only; no DSSE |
| Chainguard | Yes | Yes | Yes | Yes | Medium | No replay/lattice |

How to use this doc

  • Sales/PMM: pull talking points and the gap list when building battlecards.
  • Product: map gaps to roadmap; keep replay/lattice/sovereign as primary differentiators.
  • Engineering: ensure new features keep determinism + sovereign crypto front-and-center; link reachability attestations into proof graph.

Related docs

  • Vision: docs/03_VISION.md (Moats section)
  • Architecture: docs/07_HIGH_LEVEL_ARCHITECTURE.md
  • Reachability moat details: docs/reachability/lead.md
  • Source advisory: docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md

Battlecard Appendix (snippet-ready)

One-liners

  • Replay or it's noise: Only StellaOps can re-run a scan bit-for-bit from frozen feeds.
  • Signed reachability, not guesses: Graph DSSE always; optional edge DSSE for runtime/init edges.
  • Sovereign-first: FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors are first-class toggles.
  • Trust algebra: Lattice VEX merges advisories, reachability, runtime, waivers with explainable paths.

Proof points

  • Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional).
  • Hybrid reachability: graph-level attestations plus capped edge-bundle attestations to avoid Rekor flood.
  • Offline: transparency mirrors + sealed bundles keep verification working air-gapped.

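The three proof points above (replay manifests over frozen inputs, an order-independent graph hash, graph-level DSSE with capped edge bundles) fit in one added example. This is illustrative code written for this page, not StellaOps code, and it makes several assumptions: BLAKE2b-256 from the standard library stands in for BLAKE3, which the proof points name; the scanner is a constructed toy that returns a fixed edge set in varying discovery order and grows by one edge when its version changes; feed, rule and SBOM digests are constructed; and only the DSSE pre-authentication encoding is shown, since the resulting bytes are what a real signer (ed25519, cosign or an HSM-backed profile) would sign before the envelope goes to Rekor.

```python
"""Replay manifest, order-independent graph hash, DSSE PAE and capped edge bundles
(added example, not StellaOps code)."""
import hashlib
import itertools
import json
from typing import Callable, Dict, List, Set, Tuple

Edge = Tuple[str, str, str]  # (caller, callee, kind) with kind in {"static", "runtime", "init"}

# Constructed call graph; symbol names are placeholders.
EDGES: List[Edge] = [
    ("main", "http.Handle", "static"),
    ("http.Handle", "yaml.Unmarshal", "static"),
    ("init", "log.Setup", "init"),
    ("worker", "yaml.Unmarshal", "runtime"),
    ("worker", "crypto.Sign", "runtime"),
]
_calls = itertools.count()


def canonical(obj) -> bytes:
    # Canonical JSON: sorted keys, no whitespace, ASCII only, so bytes are stable across runs.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def digest(data: bytes) -> str:
    # Stand-in for BLAKE3 (not in the standard library); BLAKE2b-256 plays the same role here.
    return hashlib.blake2b(data, digest_size=32).hexdigest()


def graph_hash(edges: List[Edge]) -> str:
    # Deduplicate and sort so the hash does not depend on discovery order.
    return digest(canonical(sorted(set(edges))))


def build_manifest(feeds: Dict[str, str], rules_digest: str, scanner: str,
                   sbom_digest: str, edges: List[Edge]) -> Dict:
    # Everything that influenced the run is pinned by digest; the output is pinned too.
    inputs = {"feeds": feeds, "rules": rules_digest, "scanner": scanner, "sbom": sbom_digest}
    body = {"inputs": inputs, "inputs_digest": digest(canonical(inputs)), "graph_hash": graph_hash(edges)}
    return {**body, "manifest_hash": digest(canonical(body))}


def replay(manifest: Dict, analyze: Callable[[Dict], List[Edge]]) -> Tuple[bool, str]:
    # Re-run the analysis on the frozen inputs and compare the graph hash bit-for-bit.
    got = graph_hash(analyze(manifest["inputs"]))
    return got == manifest["graph_hash"], got


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    # DSSE pre-authentication encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
    t = payload_type.encode()
    return b"DSSEv1 " + str(len(t)).encode() + b" " + t + b" " + str(len(payload)).encode() + b" " + payload


def select_edge_bundles(edges: List[Edge], contested: Set[Edge], cap: int) -> Tuple[List[Edge], int]:
    # The graph-level attestation always covers the whole graph. Edge bundles are only cut
    # for runtime/init/contested edges, in deterministic order, truncated to `cap` so a
    # large graph cannot flood the transparency log. Returns (selected, dropped_count).
    wanted = sorted(e for e in set(edges) if e[2] in ("runtime", "init") or e in contested)
    return wanted[:cap], max(0, len(wanted) - cap)


def toy_analyze(inputs: Dict) -> List[Edge]:
    # Constructed stand-in for the scanner: alternates discovery order between calls to show
    # that the hash is order-independent, and a newer scanner version discovers one more edge.
    edges = list(EDGES) if inputs["scanner"] == "scanner@1.0" else EDGES + [("plugin", "net.Dial", "static")]
    return edges if next(_calls) % 2 == 0 else edges[::-1]


def demo() -> Dict:
    feeds = {"osv": digest(b"constructed osv snapshot"), "nvd": digest(b"constructed nvd snapshot")}
    first_run = toy_analyze({"scanner": "scanner@1.0"})
    m = build_manifest(feeds, digest(b"constructed rules bundle"), "scanner@1.0",
                       digest(b"constructed sbom"), first_run)
    ok, _ = replay(m, toy_analyze)
    drifted = dict(m, inputs=dict(m["inputs"], scanner="scanner@1.1"))  # an unfrozen input
    drift_ok, _ = replay(drifted, toy_analyze)
    bundles, dropped = select_edge_bundles(first_run, {("http.Handle", "yaml.Unmarshal", "static")}, cap=2)
    pae = dsse_pae("application/vnd.example.replay-manifest+json", canonical(m))
    return {"manifest": m, "replay_ok": ok, "drift_ok": drift_ok,
            "bundles": bundles, "dropped": dropped, "pae": pae}


if __name__ == "__main__":
    r = demo()
    print("replay ok:", r["replay_ok"], "| replay after scanner drift:", r["drift_ok"])
    print("edge bundles:", r["bundles"], "| dropped by cap:", r["dropped"])
    print("manifest hash:", r["manifest"]["manifest_hash"])
```

Two details carry the argument: the replay fails as soon as any pinned input (here the scanner version) drifts, which is exactly the "frozen feeds" claim, and the cap returns how many candidate edges it dropped, so a verifier can tell a clean bundle from a truncated one instead of silently trusting a partial set.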
Objection handlers

  • “We already sign SBOMs.” → Do you sign call-graphs and VEX? Do you replay scans bit-for-bit? We do.
  • “Cosign/Rekor is enough.” → Without deterministic manifests + reachability proofs, you can't audit why a vuln was reachable.
  • “Our runtime traces show reachability.” → We combine runtime hits with signed static graphs and VEX lattice; evidence is replayable and quarantinable edge-by-edge.

CTA for reps

  • Demo: show `stella graph verify --graph <hash>` with and without edge-bundle verification.
  • Leave-behind: link docs/reachability/lead.md and this appendix.

Sources

  • Full advisory: docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md