git.stella-ops.org/docs/product/claims-citation-index.md
2026-02-19 22:10:54 +02:00

Competitive Claims Citation Index

Purpose

This document is the authoritative source for all competitive positioning claims made by StellaOps. All marketing materials, sales collateral, and documentation must reference claims from this index to ensure accuracy and consistency.

Last Updated: 2026-02-19
Next Review: 2026-05-19


Claim Categories

1. Determinism Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| DET-001 | "StellaOps produces bit-identical scan outputs given identical inputs" | tests/determinism/ golden fixtures; CI workflow scanner-determinism.yml | High | 2025-12-14 | 2026-03-14 |
| DET-002 | "All CVSS scoring decisions are receipted with cryptographic InputHash" | ReceiptBuilder.cs:164-190; InputHash computation implementation | High | 2025-12-14 | 2026-03-14 |
| DET-003 | "No competitor offers deterministic replay manifests for audit-grade reproducibility" | Source audit: Trivy v0.55, Grype v0.80, Snyk CLI v1.1292 | High | 2025-12-14 | 2026-03-14 |
| DET-004 | "Content-addressed proof bundles with Merkle roots enable cryptographic score verification" | docs/db/SPECIFICATION.md Section 5.7 (scanner.proof_bundle); scanner scan replay --verify-proof | High | 2025-12-20 | 2026-03-20 |

2. Reachability Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| REACH-001 | "Hybrid static + runtime reachability analysis reduces noise by 60-85%" | docs/product/advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md | High | 2025-12-14 | 2026-03-14 |
| REACH-002 | "Signed reachability graphs with DSSE attestation" | src/Attestor/ module; DSSE envelope implementation | High | 2025-12-14 | 2026-03-14 |
| REACH-003 | "~85% of critical vulnerabilities in containers are in inactive code" | Sysdig 2024 Container Security Report (external) | Medium | 2025-11-01 | 2026-02-01 |
| REACH-004 | "Multi-language support: Java, C#, Go, JavaScript, TypeScript, Python" | Language analyzer implementations in src/Scanner/Analyzers/ | High | 2025-12-14 | 2026-03-14 |
| REACH-005 | "Symbolized call-stack proofs with demangled names, build-ID binding, and source file references" | src/Symbols/ module; src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native/; Symbol Manifest v1 spec | High | 2026-02-19 | 2026-05-19 |
| REACH-006 | "OCI-attached symbol packs as first-class referrer artifacts" | Symbol manifest OCI artifact type application/vnd.stella.symbols.manifest.v1+json; src/Symbols/ server REST API | High | 2026-02-19 | 2026-05-19 |

3. VEX & Lattice Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| VEX-001 | "OpenVEX lattice semantics with deterministic state transitions" | src/Excititor/ VEX engine; lattice documentation | High | 2025-12-14 | 2026-03-14 |
| VEX-002 | "VEX consensus from multiple sources (vendor, tool, analyst)" | VexConsensusRefreshService.cs; consensus algorithm | High | 2025-12-14 | 2026-03-14 |
| VEX-003 | "Seven-state lattice: CR, SR, SU, DT, DV, DA, U" | docs/product/advisories/14-Dec-2025 - Triage and Unknowns Technical Reference.md | High | 2025-12-14 | 2026-03-14 |

3a. Unknowns & Ambiguity Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| UNKNOWNS-001 | "Two-factor unknowns ranking: uncertainty + exploit pressure (defer centrality)" | docs/db/SPECIFICATION.md Section 5.6 (policy.unknowns); SPRINT_3500_0001_0001_deeper_moat_master.md | High | 2025-12-20 | 2026-03-20 |
| UNKNOWNS-002 | "Band-based prioritization: HOT/WARM/COLD/RESOLVED for triage queues" | policy.unknowns.band column; band CHECK constraint | High | 2025-12-20 | 2026-03-20 |
| UNKNOWNS-003 | "No competitor offers systematic unknowns tracking with escalation workflows" | Source audit: Trivy v0.55, Grype v0.80, Snyk CLI v1.1292 | High | 2025-12-20 | 2026-03-20 |

4. Attestation Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| ATT-001 | "DSSE-signed attestations for all evidence artifacts" | src/Attestor/StellaOps.Attestor.Envelope/ | High | 2025-12-14 | 2026-03-14 |
| ATT-002 | "Optional Sigstore Rekor transparency logging" | src/Attestor/StellaOps.Attestor.Rekor/ integration | High | 2025-12-14 | 2026-03-14 |
| ATT-003 | "in-toto attestation format support" | in-toto predicates in attestation module | High | 2025-12-14 | 2026-03-14 |
| ATT-004 | "Regional crypto support: eIDAS, FIPS, GOST, SM" | StellaOps.Cryptography with plugin architecture | Medium | 2025-12-14 | 2026-03-14 |
| ATT-005 | "Size-aware Rekor pointer strategy: hash pointer in transparency log, full payload in Evidence Locker CAS" | src/Attestor/ detached payload references; src/EvidenceLocker/ CAS storage; Rekor v2 submission with hash pre-check | High | 2026-02-19 | 2026-05-19 |

4a. Proof & Evidence Chain Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| PROOF-001 | "Deterministic proof ledgers with canonical JSON and CBOR serialization" | docs/db/SPECIFICATION.md Section 5.6-5.7 (policy.proof_segments, scanner.proof_bundle) | High | 2025-12-20 | 2026-03-20 |
| PROOF-002 | "Cryptographic proof chains link scans to frozen feed state via Merkle roots" | scanner.scan_manifest (concelier_snapshot_hash, excititor_snapshot_hash) | High | 2025-12-20 | 2026-03-20 |
| PROOF-003 | "Score replay command verifies proof integrity against original calculation" | stella score replay --scan <id> --verify-proof; docs/OFFLINE_KIT.md Section 2.2 | High | 2025-12-20 | 2026-03-20 |
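
The DET-001/002/004 and PROOF-001/002/003 rows cite the same underlying mechanics: canonical serialization, an InputHash that binds each scoring decision to the frozen feed state, a Merkle root over the proof segments, and a replay step that recomputes all of them. The sketch below is an added illustration of what such a replay check has to do, written for this index; it is not StellaOps code, and every field name, the digest values, the CVE identifiers and the tree layout (binary SHA-256, odd levels duplicate the last node) are assumptions or constructed placeholders.

```python
"""Illustration of the verification mechanics behind the DET-*/PROOF-* claims:
canonical JSON, an InputHash bound to the frozen feed snapshots, a Merkle root
over proof segments, and a replay check that recomputes all three.
Added example, not StellaOps code; field names and tree layout are assumptions."""
import copy
import hashlib
import json


def canonical_json(obj) -> bytes:
    # Sorted keys, no insignificant whitespace, raw UTF-8: equal values give equal bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(leaf_hex: list[str]) -> str:
    """Binary SHA-256 Merkle tree; an odd level duplicates its last node (assumed layout)."""
    if not leaf_hex:
        return sha256_hex(b"")
    level = [bytes.fromhex(h) for h in leaf_hex]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


def input_hash(manifest: dict, inputs: dict) -> str:
    """Binds one decision to its own inputs AND to the scan manifest (frozen feed
    snapshots), so the decision cannot be replayed against different advisory data
    without the hash changing."""
    return sha256_hex(canonical_json({"manifest": manifest, "inputs": inputs}))


def segment_hash(segment: dict) -> str:
    body = {k: v for k, v in segment.items() if k != "segment_hash"}
    return sha256_hex(canonical_json(body))


def build_bundle(manifest: dict, decisions: list[dict]) -> dict:
    segments = []
    for d in decisions:
        seg = {"inputs": d["inputs"], "output": d["output"],
               "input_hash": input_hash(manifest, d["inputs"])}
        seg["segment_hash"] = segment_hash(seg)
        segments.append(seg)
    return {"manifest": manifest, "segments": segments,
            "merkle_root": merkle_root([s["segment_hash"] for s in segments])}


def verify_bundle(bundle: dict) -> list[str]:
    """Replay check: recompute every hash from content; an empty list means it verifies."""
    problems, leaves = [], []
    for i, seg in enumerate(bundle["segments"]):
        if seg["input_hash"] != input_hash(bundle["manifest"], seg["inputs"]):
            problems.append(f"segment {i}: InputHash mismatch")
        leaf = segment_hash(seg)
        if leaf != seg["segment_hash"]:
            problems.append(f"segment {i}: segment hash mismatch")
        leaves.append(leaf)
    if merkle_root(leaves) != bundle["merkle_root"]:
        problems.append("Merkle root mismatch")
    return problems


# Constructed sample data: placeholder digests and CVE ids; scores are placeholders
# "as recorded" by a hypothetical scoring pass, not CVSS computations.
SAMPLE_MANIFEST = {
    "image_digest": "sha256:" + "11" * 32,
    "concelier_snapshot_hash": "sha256:" + "22" * 32,
    "excititor_snapshot_hash": "sha256:" + "33" * 32,
    "policy_version": "2026.02",
}
SAMPLE_DECISIONS = [
    {"inputs": {"cve": "CVE-0000-0001", "kev": True, "epss_percentile": 0.99},
     "output": {"base": 9.3, "adjusted": 10.0}},
    {"inputs": {"cve": "CVE-0000-0002", "kev": False, "epss_percentile": 0.12},
     "output": {"base": 5.1, "adjusted": 5.1}},
    {"inputs": {"cve": "CVE-0000-0003", "kev": False, "epss_percentile": 0.55},
     "output": {"base": 4.2, "adjusted": 4.3}},
]


def replay_demo() -> dict:
    bundle = build_bundle(SAMPLE_MANIFEST, SAMPLE_DECISIONS)
    # Determinism: a manifest with reordered keys must yield the same root.
    reordered = dict(reversed(list(SAMPLE_MANIFEST.items())))
    same_root = build_bundle(reordered, SAMPLE_DECISIONS)["merkle_root"] == bundle["merkle_root"]
    # Tamper 1: edit a recorded score.  Tamper 2: swap the frozen feed snapshot.
    edited = copy.deepcopy(bundle)
    edited["segments"][0]["output"]["adjusted"] = 3.0
    swapped = copy.deepcopy(bundle)
    swapped["manifest"]["concelier_snapshot_hash"] = "sha256:" + "44" * 32
    return {"clean": verify_bundle(bundle), "same_root_after_reorder": same_root,
            "edited_score": verify_bundle(edited), "swapped_feed": verify_bundle(swapped)}


if __name__ == "__main__":
    for name, result in replay_demo().items():
        print(f"{name}: {result}")
```

The two tamper cases show why both hashes are needed: editing a score leaves the InputHash intact but breaks the segment hash and the root, while swapping the feed snapshot leaves every segment internally consistent and is caught only because the InputHash also covers the manifest.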

5. Offline & Air-Gap Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| OFF-001 | "Full offline/air-gap operation capability" | docs/airgap/; offline kit implementation | High | 2025-12-14 | 2026-03-14 |
| OFF-002 | "Offline scans produce identical results to online (same advisory date)" | docs/airgap/offline-parity-verification.md (pending) | Medium | TBD | TBD |
| OFF-003 | "Risk bundles include NVD, KEV, EPSS data" | docs/airgap/risk-bundles.md; bundle manifest schema | High | 2025-12-14 | 2026-03-14 |
| OFF-004 | "DSSE-signed offline bundles for integrity verification" | Bundle signing implementation | High | 2025-12-14 | 2026-03-14 |

6. CVSS & Risk Scoring Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| CVSS-001 | "Full CVSS v4.0 MacroVector-based scoring with 324 lookup combinations" | MacroVectorLookup.cs | High | 2025-12-14 | 2026-03-14 |
| CVSS-002 | "Support for CVSS v2.0, v3.0, v3.1, and v4.0 vectors" | CvssV2Engine.cs, CvssV3Engine.cs, CvssEngineFactory.cs | High | 2025-12-14 | 2026-03-14 |
| CVSS-003 | "Threat Metrics (Exploit Maturity) integration per v4.0 spec" | CvssV4Engine.cs:365-375 | High | 2025-12-14 | 2026-03-14 |
| CVSS-004 | "EPSS percentile-based risk bonuses (99th=+10%, 90th=+5%, 50th=+2%)" | CvssKevEpssProvider.cs | High | 2025-12-14 | 2026-03-14 |
| CVSS-005 | "KEV (Known Exploited Vulnerabilities) +20% risk bonus" | CvssKevProvider.cs:33 | High | 2025-12-14 | 2026-03-14 |

7. SBOM Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| SBOM-001 | "SPDX 3.0.1 and CycloneDX 1.6 output formats" | SBOM generator implementations | High | 2025-12-14 | 2026-03-14 |
| SBOM-002 | "Multi-ecosystem support: APK, DEB, RPM, npm, Maven, NuGet, PyPI, Go, Cargo" | Ecosystem analyzers in src/Scanner/ | High | 2025-12-14 | 2026-03-14 |
| SBOM-003 | "Deterministic SBOM generation (same image = same SBOM)" | SBOM determinism tests | High | 2025-12-14 | 2026-03-14 |

Competitive Comparison Claims

vs. Trivy

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-TRIVY-001 | "Trivy lacks lattice VEX semantics (boolean only)" | Trivy v0.55.0 source: pkg/vex/ | High | 2025-12-14 | 2026-03-14 |
| COMP-TRIVY-002 | "Trivy lacks deterministic replay manifests" | Trivy v0.55.0 source audit | High | 2025-12-14 | 2026-03-14 |
| COMP-TRIVY-003 | "Trivy lacks native reachability analysis" | Trivy v0.55.0 feature matrix | High | 2025-12-14 | 2026-03-14 |

vs. Grype

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-GRYPE-001 | "Grype lacks DSSE attestation signing" | Grype v0.80.0 source audit | High | 2025-12-14 | 2026-03-14 |
| COMP-GRYPE-002 | "Grype lacks VEX state lattice (affected/not_affected only)" | Grype v0.80.0 VEX implementation | High | 2025-12-14 | 2026-03-14 |
| COMP-GRYPE-003 | "Grype lacks CVSS v4.0 scoring" | Grype v0.80.0 feature matrix | Medium | 2025-12-14 | 2026-03-14 |

vs. Snyk

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-SNYK-001 | "Snyk lacks deterministic replay manifests" | Snyk CLI v1.1292 audit | High | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-002 | "Snyk's reachability is limited to specific languages" | Snyk documentation review | Medium | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-003 | "Snyk lacks offline/air-gap capability" | Snyk architecture documentation | High | 2025-12-14 | 2026-03-14 |

vs. Docker Scout

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-SCOUT-001 | "Docker Scout produces SBOM/VEX/provenance attestations via cosign but lacks symbolized call-stack proofs, deterministic replay, and lattice VEX reasoning" | Docker Scout documentation (docs.docker.com/scout); DHI surface analysis | High | 2026-02-19 | 2026-05-19 |
| COMP-SCOUT-002 | "Docker Scout does not address Rekor payload size constraints or provide size-aware pointer strategies" | Docker Scout attestation flow analysis; Rekor public instance constraints | High | 2026-02-19 | 2026-05-19 |

vs. JFrog (Xray + Evidence Collection)

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-JFROG-001 | "JFrog Evidence Collection centralizes signed evidence across SDLC but lacks deterministic scoring envelopes, replayable verdicts, and formal VEX lattice reasoning" | JFrog Evidence documentation (jfrog.com/evidence); solution sheet analysis | High | 2026-02-19 | 2026-05-19 |
| COMP-JFROG-002 | "JFrog lacks signed reachability graphs and call-stack symbolization; evidence is SBOM/provenance-level, not function-level" | JFrog Xray feature matrix; Evidence Collection solution sheet | High | 2026-02-19 | 2026-05-19 |

vs. Oligo Security

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-OLIGO-001 | "Oligo Security provides runtime call-stack exploitability evidence but lacks SBOM/VEX integration, deterministic replay, lattice VEX reasoning, signed reachability graphs, and offline/air-gap capability" | Oligo Security blog post on call-stack evidence; product positioning as runtime-only tool | Medium | 2026-02-19 | 2026-05-19 |

Confidence Levels

| Level | Percentage | Definition |
|---|---|---|
| High | 80-100% | Verified against source code or authoritative documentation |
| Medium | 50-80% | Based on documentation or limited testing; needs deeper verification |
| Low | <50% | Unverified or based on indirect evidence; requires validation |

Update Process

Verification Schedule

  1. Quarterly Review: All claims reviewed every 90 days
  2. Major Version Triggers: Re-verify when competitors release major versions
  3. Market Events: Re-verify after significant market announcements

Verification Steps

  1. Source Audit: Review competitor source code (if open source)
  2. Documentation Review: Check official documentation
  3. Feature Testing: Test specific features when possible
  4. Third-Party Sources: Cross-reference analyst reports

Update Workflow

1. Identify claim requiring update
2. Conduct verification per type
3. Update evidence column
4. Update confidence level if changed
5. Set new verified date
6. Set next review date
7. Document changes in execution log

Deprecation Policy

Stale Claims

Claims older than 6 months without verification are marked STALE:

  • STALE claims must NOT be used in external communications
  • STALE claims require immediate re-verification or removal
  • Marketing team notified of all STALE claims

Invalidated Claims

When a claim becomes false (e.g., competitor adds feature):

  1. Mark claim as INVALID
  2. Remove from all active materials within 7 days
  3. Update competitive documentation
  4. Notify stakeholders

Usage Guidelines

For Marketing

  • Reference claims by ID (e.g., "Per DET-001...")
  • Include verification date in footnotes
  • Do not paraphrase claims without SME review

For Sales

  • Use claims matrix for competitive conversations
  • Check confidence levels before customer commitments
  • Report feedback on claim accuracy

For Documentation

  • Link to this index for competitive statements
  • Update cross-references when claims change
  • Flag questionable claims to Docs Guild

Execution Log

| Date | Update | Owner |
|---|---|---|
| 2025-12-14 | Initial claims index created | Docs Guild |
| 2025-12-14 | Added CVSS v2/v3 engine claims (CVSS-002) | AI Implementation |
| 2025-12-14 | Added EPSS integration claims (CVSS-004) | AI Implementation |
| 2025-12-20 | Added DET-004 (content-addressed proof bundles) | Agent |
| 2025-12-20 | Added PROOF-001/002/003 (deterministic proof ledgers, proof chains, score replay) | Agent |
| 2025-12-20 | Added UNKNOWNS-001/002/003 (two-factor ranking, band prioritization, competitor gap) | Agent |
| 2026-02-19 | Added REACH-005/006 (symbolized call-stacks, OCI symbol packs) from competitive advisory review | Product Manager |
| 2026-02-19 | Added ATT-005 (Rekor size-aware pointer strategy) from competitive advisory review | Product Manager |
| 2026-02-19 | Added COMP-SCOUT-001/002 (Docker Scout gaps) and COMP-JFROG-001/002 (JFrog gaps) from competitive advisory review | Product Manager |
| 2026-02-19 | Added COMP-OLIGO-001 (Oligo Security runtime-only gaps) from VEX/call-stack/determinism competitive advisory | Product Manager |

References

  • docs/product/advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md
  • docs/product/competitive-landscape.md
  • docs/benchmarks/accuracy-metrics-framework.md