git.stella-ops.org/docs/product/moat-strategy-summary.md

StellaOps Moat Strategy Summary

Date: 2026-01-03 Source: Product Advisories (19-Dec-2025 Moat Series), Competitive Analysis (Jan 2026) Status: DOCUMENTED

---

Executive Summary

Core Thesis: Stella Ops isn't a scanner that outputs findings. It's a platform that outputs attestable decisions that can be replayed.

StellaOps competitive moats are built on decision integrity—deterministic, attestable, replayable security verdicts—not just scanner features. This is a category difference, not a feature gap.

The Category Shift

Traditional Scanners	Stella Ops
Output findings	Output decisions
VEX as suppression	VEX as logical claims
Reachability as badge	Reachability as proof
CVE counts	Semantic risk deltas
Hide unknowns	Surface and score unknowns
Online-first	Offline-first with parity

Moat Strength Rankings

Understanding the Scale

Level	Definition	Defensibility
5	Structural moat	New primitives, strong defensibility, durable switching cost. Requires fundamental rearchitecture to replicate.
4	Strong moat	Difficult multi-domain engineering. Incumbents have partial analogs but retrofitting is expensive.
3	Moderate moat	Others can build. Differentiation is execution + packaging.
2	Weak moat	Table-stakes soon. Limited defensibility.
1	Commodity	Widely available in OSS or easy to replicate.

Ranked Capabilities

Level	Capability	Why It's Defensible	Module(s)	Status
5	Signed, replayable risk verdicts	Requires deterministic eval + proof schema + knowledge snapshots + frozen feeds. No competitor has this architecture.	Attestor, ReplayVerifier, Scanner	Implemented
4	VEX decisioning (K4 lattice)	Formal conflict resolution using Belnap logic. Requires rethinking VEX from suppression to claims.	VexLens, TrustLatticeEngine, Excititor	Implemented
4	Reachability with proofs	Three-layer (static + binary + runtime) with DSSE-signed call paths. Not "potentially reachable" but "here's the proof."	ReachGraph, Scanner.VulnSurfaces, PathWitnessBuilder	Implemented
4	Smart-Diff (semantic risk delta)	Graph-based diff over reachability + VEX. Outputs meaning ("exploitability dropped 41%"), not numbers ("+3 CVEs").	MaterialRiskChangeDetector, Scanner.ReachabilityDrift	Implemented
4	Unknowns as first-class state	Uncertainty budgets, bands (HOT/WARM/COLD), decay algorithms, policy gates.	Policy, Signals, UnknownStateLedger	Implemented
4	Air-gapped epistemic mode	Sealed knowledge snapshots, offline reproducibility, regional crypto (GOST/SM/eIDAS).	AirGap.Controller, CryptoProfile, RootPack	Implemented
3	SBOM ledger + lineage	Table stakes; differentiated via semantic diff + evidence joins + deterministic generation.	SbomService, BinaryIndex	Implemented
3	Policy engine with proofs	Common; moat is proof output + deterministic replay + K4 integration.	Policy, TrustLatticeEngine	Implemented
1-2	Integrations	Necessary but not defensible. Anyone can build CI/CD plugins.	Various	Ongoing

Core Moat Thesis (One-Liners)

Use these in sales conversations, marketing materials, and internal alignment.

Capability	One-Liner	What It Actually Means
Deterministic verdicts	"We don't output findings; we output attestable decisions that can be replayed."	Given identical inputs, Stella produces identical outputs. stella replay srm.yaml reproduces any past scan bit-for-bit.
VEX decisioning	"We treat VEX as a logical claim system, not a suppression file."	K4 lattice (Unknown/True/False/Conflict) aggregates multiple VEX sources. Conflicts are explicit state, not hidden.
Reachability proofs	"We provide proof of exploitability in this artifact, not just a badge."	Three-layer reachability with DSSE-signed call paths. Not "potentially reachable" but "here's the exact path from entrypoint to vuln."
Smart-Diff	"We explain what changed in exploitable surface area, not what changed in CVE count."	Output: "Exploitability dropped 41% despite +2 CVEs." Semantic meaning, not raw numbers.
Unknowns modeling	"We quantify uncertainty and gate on it."	Unknowns have bands (HOT/WARM/COLD), decay algorithms, and policy budgets. Uncertainty is risk—we surface and score it.

Implementation Status

Core Moats (All Implemented)

Capability	Key Modules	Evidence
Signed verdicts	Attestor, Signer, ReplayVerifier	DSSE envelopes, SRM manifests, bit-for-bit replay
VEX decisioning (K4)	VexLens, TrustLatticeEngine	110+ tests passing; CycloneDX/OpenVEX/CSAF normalizers
Reachability proofs	ReachGraph, PathWitnessBuilder	DSSE-signed graphs; edge-bundle attestations
Smart-Diff	MaterialRiskChangeDetector, RiskStateSnapshot	R1-R4 rules; priority scoring; SARIF output
Unknowns modeling	UnknownStateLedger, Policy	Bands (HOT/WARM/COLD); decay algorithms
Air-gapped mode	AirGap.Controller, RootPack	Sealed snapshots; regional crypto
Binary backport	Feedser, BinaryIndex, SourceIntel	Tier 1-3 complete; Tier 4 (binary fingerprinting) in progress

Moat Enhancement Roadmap

Enhancement	Priority	Sprint Coverage
OCI-attached verdict attestations	P0	4300_0001_0001
One-command audit replay CLI	P0	4300_0001_0002
VEX Hub aggregation layer	P1	4500_0001_*
Trust scoring of VEX sources	P1	4500_0001_0002
Tier 4 binary fingerprinting	P1	7204-7206
SBOM historical lineage	P2	4600_0001_*
Signed execution evidence (trace-to-DSSE)	P2	20260219_013
Runtime beacon attestations	P3	20260219_014
Symbol/Debug Pack Marketplace	P1	20260220_001-003
Privacy-Preserving Federated Telemetry	P1	20260220_005-009
Developer-Facing Remediation Marketplace	P1	20260220_010-015

Competitor Positioning

Where to Compete (and How)

Competitor	Their Strength	Don't Compete On	Win With
Snyk	Developer UX, fix PRs, onboarding	Adoption velocity	Proof-carrying reachability, offline capability, attestation chain
Prisma Cloud	CNAPP breadth, graph investigation	Platform completeness	Decision integrity, deterministic replay, semantic diff
Anchore	SBOM operations maturity	SBOM storage	Lattice VEX, signed reachability, proof chains
Aqua/Trivy	Runtime protection, broad coverage	Ecosystem breadth	Forensic reproducibility, K4 logic, regional crypto
Docker Scout	DHI integration, SBOM/VEX/provenance attestations via cosign	Registry-native UX	Symbolized call-stack proofs, deterministic replay, lattice VEX, Rekor size-aware pointer strategy
JFrog	Evidence Collection centralizing signed SDLC evidence	Artifact management breadth	Deterministic scoring envelopes, function-level reachability proofs, replayable verdicts, formal VEX reasoning
Oligo Security	Runtime call-stack exploitability proofs	Runtime-only depth	Three-layer fusion (static+binary+runtime), SBOM/VEX integration, deterministic replay, offline/air-gap, signed graphs

Our Winning Positions

Position	What It Means	Proof Point
Decision integrity	Every verdict is deterministic, attestable, and replayable	stella replay srm.yaml --assert-digest <sha>
Proof portability	Evidence bundles work offline and survive audits	Decision Capsules with sealed SBOM/VEX/reachability/policy
Semantic change control	Risk deltas show meaning, not numbers	"Exploitability dropped 41% despite +2 CVEs"
Sovereign deployment	Self-hosted, regional crypto, air-gap parity	GOST/SM/eIDAS profiles; RootPack bundles

Where We're Ahead

1. VEX decisioning — K4 lattice with conflict detection; no competitor has this (including Docker Scout, JFrog)
2. Smart-Diff — Semantic risk deltas with priority scoring; unique
3. Signed reachability — DSSE graphs + edge bundles; unique. Docker Scout/JFrog/Trivy stop at SBOM/VEX/provenance attestations
4. Deterministic replay — Bit-for-bit reproducibility; unique. JFrog Evidence Collection centralizes evidence but can't replay verdicts
5. Regional crypto — FIPS/eIDAS/GOST/SM/PQC; unique
6. Symbolized call-stack proofs + Symbol Marketplace — Demangled symbols, build-ID binding, OCI symbol packs as first-class referrer artifacts; no competitor has function-level symbol evidence. The Symbol Marketplace adds source trust scoring (freshness/signature/coverage/SLA), browsable catalog with DSSE-verified install, and multi-provider federation (Microsoft Symbols, debuginfod distros, partner feeds)
7. Privacy-Preserving Federated Telemetry — Differential privacy (Laplacian noise, epsilon budget) + k-anonymity over federated runtime signals with DSSE-signed consent proofs; no competitor has privacy-safe cross-site exploit intelligence sharing. Network-effect moat.
8. Developer-Facing Remediation Marketplace — Signed-PR fix attestations verified against reachability proof deltas with contributor trust scoring; no competitor has PR-level fix verification tied to reachability evidence. Six-module integration depth.
9. Rekor size-aware pointer strategy — Hash pointer in transparency log + full payload in vault; addresses real Rekor ~100KB upload constraints that competitors ignore
10. Deterministic signed scoring envelopes — Seeded, replayable score computation with DSSE-signed intermediates; competitors sign evidence but not deterministic scoring traces

Where Competitors Lead (For Now)

Area	Competitor Lead	Our Response
Mass-market UX polish	Snyk	Focus on power users who need proofs
SaaS onboarding friction	Snyk, Prisma	Offer both SaaS and self-hosted
Marketplace integrations	All major players	Prioritize based on customer demand
Ecosystem breadth	Trivy	Focus on depth over breadth

---

Quick Reference

Key Documents

• Competitive Landscape: docs/product/competitive-landscape.md
• Claims Index: docs/product/claims-citation-index.md
• Proof Architecture: docs/modules/platform/proof-driven-moats-architecture.md
• Key Features: docs/key-features.md
• Moat Gap Analysis: docs/modules/platform/moat-gap-analysis.md

Key Commands (Demo-Ready)

# Determinism proof
stella scan --image <img> --srm-out a.yaml
stella scan --image <img> --srm-out b.yaml
diff a.yaml b.yaml  # Identical

# Replay proof
stella replay srm.yaml --assert-digest <sha>

# Reachability proof
stella graph show --cve CVE-XXXX-YYYY --artifact <digest>

# VEX evaluation
stella vex evaluate --artifact <digest>

# Offline scan
stella rootpack import bundle.tar.gz
stella scan --offline --image <digest>

---

Last Updated: 2026-02-19