# Competitive Landscape

> **TL;DR:** Stella Ops Suite isn't a scanner or a deployment tool—it's a **release control plane** that gates releases using reachability-aware security and produces **attestable decisions that can be replayed**. Non-Kubernetes container estates finally get a central release authority.

Source: internal advisories "23-Nov-2025 - Stella Ops vs Competitors" and "09-Jan-2026 - Stella Ops Pivot", updated Jan 2026. This summary covers both release orchestration and security positioning.

---

## The New Category: Release Control Plane

**Stella Ops Suite** occupies a unique position by combining:

- Release orchestration (promotions, approvals, workflows)
- Security decisioning as a gate (not a blocker)
- Non-Kubernetes target specialization
- Evidence-linked decisions with deterministic replay

### Why Competitors Can't Easily Catch Up (Release Orchestration)

| Category | Representatives | What They Optimized For | Why They Can't Easily Catch Up |
|----------|----------------|------------------------|-------------------------------|
| **CI/CD Tools** | GitHub Actions, Jenkins, GitLab CI | Running pipelines, build automation | No central release authority; no audit-grade evidence; deployment is an afterthought |
| **CD Orchestrators** | Octopus, Harness, Spinnaker | Deployment automation, Kubernetes | Security is bolt-on; non-K8s is second-class; pricing punishes automation |
| **Registries** | Harbor, JFrog Artifactory | Artifact storage, scanning | No release governance; no promotion workflows; no deployment execution |
| **Scanners/CNAPP** | Trivy, Snyk, Aqua | Vulnerability detection | No release orchestration; findings don't integrate with promotion gates |

### Stella Ops Suite Positioning

| vs. Category | Why Stella Wins |
|--------------|-----------------|
| **vs. CI/CD tools** | They run pipelines; we provide central release authority with audit-grade evidence |
| **vs. CD orchestrators** | They bolt on security; we integrate it as gates. They punish automation with per-project pricing; we don't |
| **vs. Registries** | They store and scan; we govern releases and orchestrate deployments |
| **vs. Scanners** | They output findings; we output release decisions with evidence packets |

### Unique Differentiators (Release Orchestration)

| Differentiator | What It Means |
|----------------|---------------|
| **Non-Kubernetes Specialization** | Docker hosts, Compose, ECS, Nomad are first-class—not afterthoughts |
| **Digest-First Release Identity** | Releases are immutable OCI digests, not mutable tags |
| **Security Gates in Promotion** | Scan on build, evaluate on release, re-evaluate on CVE updates |
| **Evidence Packets** | Every release decision is cryptographically signed and replayable |
| **Cost Model** | No per-seat, per-project, or per-deployment tax; priced on environments plus new digests per day |

---

## Security Positioning (Original Analysis)

---

## Verification Metadata

| Field | Value |
|-------|-------|
| **Last Updated** | 2026-01-03 |
| **Last Verified** | 2025-12-14 |
| **Next Review** | 2026-03-14 |
| **Claims Index** | [`docs/product/claims-citation-index.md`](claims-citation-index.md) |
| **Verification Method** | Source code audit (OSS), documentation review, feature testing |

**Confidence Levels:**

- **High (80-100%)**: Verified against source code or authoritative documentation
- **Medium (50-80%)**: Based on documentation or limited testing; needs deeper verification
- **Low (<50%)**: Unverified or based on indirect evidence; requires validation

---

## Why Competitors Plateau (Structural Analysis)

The scanner market evolved from three distinct origins. Each origin created architectural assumptions that make Stella Ops' capabilities structurally difficult to retrofit.

| Origin | Representatives | What They Optimized For | Why They Can't Easily Catch Up |
|--------|----------------|------------------------|-------------------------------|
| **Package Scanners** | Trivy, Syft/Grype | Fast CLI, broad ecosystem coverage | No forensic reproducibility in architecture; VEX is boolean, not lattice; no DSSE for reachability graphs |
| **Developer UX** | Snyk | IDE integration, fix PRs, onboarding | SaaS-only (offline impossible); no attestation infrastructure; reachability limited to specific languages |
| **Policy/Compliance** | Prisma Cloud, Aqua | Runtime protection, CNAPP breadth | No deterministic replay; no cryptographic provenance for verdicts; no semantic diff |
| **SBOM Operations** | Anchore | SBOM storage, lifecycle | No lattice VEX reasoning; no signed reachability graphs; no regional crypto profiles |

### The Core Problem

**Scanners output findings. Stella Ops outputs decisions.**

A finding says "CVE-2024-1234 exists in this package." A decision says "CVE-2024-1234 is reachable via this call path, vendor VEX says not_affected but our runtime disagrees, creating a conflict that policy must resolve, and here's the signed proof chain."

This isn't a feature gap—it's a category difference. Retrofitting it requires:

- Rearchitecting the evidence model (content-addressed, not row-based)
- Adding lattice logic to VEX handling (not just filtering)
- Instrumenting reachability at three layers (static, binary, runtime)
- Building deterministic replay infrastructure (frozen feeds, manifests, seeds)
- Implementing regional crypto profiles (not just "signing")
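To make the "lattice logic, not filtering" point concrete, here is an added illustration (not Stella Ops code) of a four-valued knowledge lattice merging VEX-style claims: the vendor's `not_affected` and a runtime hit on the vulnerable symbol do not cancel out, they join to an explicit conflict state that policy must resolve. The value names, the VEX-status mapping and the disposition strings are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum

class K4(Enum):
    """Four-valued (Belnap-style) truth for the claim "this CVE is exploitable in this artifact"."""
    NONE = "none"    # no evidence either way
    TRUE = "true"    # evidence it is exploitable
    FALSE = "false"  # evidence it is not exploitable
    BOTH = "both"    # contradictory evidence: a conflict, not a coin toss

def join(a: K4, b: K4) -> K4:
    """Least upper bound in the knowledge order NONE < {TRUE, FALSE} < BOTH.
    Merging never discards a source: TRUE joined with FALSE is BOTH."""
    if a == b or b == K4.NONE:
        return a
    if a == K4.NONE:
        return b
    return K4.BOTH

@dataclass(frozen=True)
class Claim:
    source: str   # vendor VEX, runtime trace, static call graph, waiver, ...
    value: K4
    reason: str   # justification kept for the explanation trail

# Assumed VEX status -> lattice value mapping. "fixed" means not exploitable at this
# version; "under_investigation" carries no knowledge yet.
VEX_STATUS_TO_K4 = {
    "affected": K4.TRUE,
    "not_affected": K4.FALSE,
    "fixed": K4.FALSE,
    "under_investigation": K4.NONE,
}

def vex_claim(source: str, status: str, justification: str = "") -> Claim:
    return Claim(source, VEX_STATUS_TO_K4[status], f"vex:{status} {justification}".strip())

def runtime_hit(source: str, symbol: str) -> Claim:
    """A runtime trace observed the vulnerable symbol executing: direct evidence of TRUE."""
    return Claim(source, K4.TRUE, f"runtime hit on {symbol}")

# Assumed disposition mapping (illustrative, not the product's policy language):
# unknown and conflict stay first-class outcomes instead of collapsing to allow/block.
DISPOSITION = {K4.TRUE: "block", K4.FALSE: "allow", K4.NONE: "unknown", K4.BOTH: "conflict"}

def evaluate(claims: list) -> tuple:
    """Fold all claims through the lattice; return (disposition, explanation trail)."""
    merged, trail = K4.NONE, []
    for c in claims:
        merged = join(merged, c.value)
        trail.append(f"{c.source}: {c.value.value} ({c.reason}) -> merged={merged.value}")
    return DISPOSITION[merged], trail
```

Because the trail records every contributing claim and the running merged value, the verdict is explainable and re-derivable from the same inputs rather than being a filtered list.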

---

## Stella Ops moats (why we win)

| Moat | Description | Claim IDs | Confidence |
|------|-------------|-----------|------------|
| **Deterministic replay** | Feed+rules snapshotting; graph/SBOM/VEX re-run bit-for-bit with manifest hashes | DET-001, DET-002, DET-003 | High |
| **Hybrid reachability attestations** | Graph-level DSSE always; optional edge-bundle DSSE for runtime/init/contested edges; Rekor-backed | REACH-001, REACH-002, ATT-001, ATT-002 | High |
| **Lattice-based VEX engine** | Merges advisories, runtime hits, reachability, waivers with explainable paths | VEX-001, VEX-002, VEX-003 | High |
| **Crypto sovereignty** | FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors as first-class knobs | ATT-004 | Medium |
| **Proof graph** | DSSE + transparency across SBOM, call-graph, VEX, replay manifests | ATT-001, ATT-002, ATT-003 | High |

## Top takeaways (sales-ready)

### The Five One-Liners

| # | One-Liner | What It Means | Claim IDs |
|---|-----------|---------------|-----------|
| 1 | "We don't output findings; we output attestable decisions that can be replayed." | Given identical inputs, Stella produces identical outputs. Any verdict from 6 months ago can be re-verified today with `stella replay srm.yaml`. | DET-001, DET-003 |
| 2 | "We treat VEX as a logical claim system, not a suppression file." | K4 lattice logic aggregates multiple VEX sources, detects conflicts, and produces explainable dispositions with proof links. | VEX-001, VEX-002 |
| 3 | "We provide proof of exploitability in *this* artifact, not just a badge." | Three-layer reachability (static graph + binary + runtime) with DSSE-signed call paths. Not "potentially reachable" but "here's the exact path." | REACH-001, REACH-002 |
| 4 | "We explain what changed in exploitable surface area, not what changed in CVE count." | Smart-Diff outputs "This release reduces exploitability by 41% despite +2 CVEs" — semantic risk deltas, not raw numbers. | — |
| 5 | "We quantify uncertainty and gate on it." | Unknowns are first-class state with bands (HOT/WARM/COLD), decay algorithms, and policy budgets. Uncertainty is risk; we surface and score it. | UNKNOWNS-001, UNKNOWNS-002 |

### Verified Gaps (High Confidence)

| # | Gap | Evidence | Claim IDs |
|---|-----|----------|-----------|
| 1 | No competitor offers deterministic replay with frozen feeds | Source audit: Trivy v0.55, Grype v0.80, Snyk CLI v1.1292 | DET-003 |
| 2 | None sign reachability graphs; we sign graphs and (optionally) edge bundles | Feature matrix analysis | REACH-002 |
| 3 | Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to Stella Ops | Architecture review | ATT-004 |
| 4 | Lattice VEX with conflict detection is unmatched; others ship boolean VEX or none | Trivy pkg/vex source; Grype VEX implementation | VEX-001, COMP-TRIVY-001, COMP-GRYPE-002 |
| 5 | Offline/air-gap with mirrored transparency is rare; we ship it by default | Documentation and feature testing | OFF-001, OFF-004 |

## Where others fall short (detailed)

### Capability Gap Matrix

| Capability | Trivy | Grype | Snyk | Prisma | Aqua | Anchore | Stella Ops |
|-----------|-------|-------|------|--------|------|---------|------------|
| **Deterministic replay** | No | No | No | No | No | No | Yes |
| **VEX lattice (K4 logic)** | Boolean only | Boolean only | None | None | Limited | Limited | Full K4 |
| **Signed reachability graphs** | No | No | No | No | No | No | Yes (DSSE) |
| **Binary-level backport detection** | No | No | No | No | No | No | Tier 1-4 |
| **Semantic risk diff** | No | No | No | No | No | No | Yes |
| **Unknowns as state** | Hidden | Hidden | Hidden | Hidden | Hidden | Hidden | First-class |
| **Regional crypto (GOST/SM)** | No | No | No | No | No | No | Yes |
| **Offline parity** | Medium | Medium | No | Strong | Medium | Good | Full |

### Specific Gaps by Competitor

| Gap | What This Means | Related Claims | Verified |
|-----|-----------------|----------------|----------|
| **No deterministic replay** | A scan from last month cannot be re-run to produce identical results. Feed drift, analyzer changes, and non-deterministic ordering break reproducibility. Auditors cannot verify past decisions. | DET-003, COMP-TRIVY-002, COMP-GRYPE-001, COMP-SNYK-001 | 2025-12-14 |
| **No lattice/VEX merge** | VEX is either absent or treated as a suppression filter. When vendor says "not_affected" but runtime shows the function was called, these tools can't represent the conflict—they pick one or the other. | COMP-TRIVY-001, COMP-GRYPE-002 | 2025-12-14 |
| **No signed reachability** | Reachability claims are assertions, not proofs. There's no cryptographic binding between "this CVE is reachable" and the call path that proves it. | COMP-GRYPE-001, REACH-002 | 2025-12-14 |
| **No semantic diff** | Tools report "+3 CVEs" without context. They can't say "exploitable surface decreased despite new CVEs" because they don't track reachability deltas. | — | 2025-12-14 |
| **Offline/sovereign gaps** | Snyk is SaaS-only. Others have partial offline support but no regional crypto (GOST, SM2, eIDAS) and no sealed knowledge snapshots for air-gapped reproducibility. | COMP-SNYK-003, ATT-004 | 2025-12-14 |
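The "No deterministic replay" row names the three things that break reproducibility: feed drift, analyzer changes and non-deterministic ordering. The following added example (illustrative, not Stella Ops code or its SRM format) shows the two defences a replay manifest needs: a canonical, order-independent digest of the verdict, and pinned input digests so a drifted feed is refused instead of silently producing a different answer. The manifest fields, the toy `scan` matcher and all sample data are constructed; CVE ids and digests are placeholders.

```python
import hashlib
import json
from dataclasses import dataclass

def canonical_digest(obj) -> str:
    """sha256 over canonical JSON (sorted keys, fixed separators), so the same content
    always hashes the same regardless of how the dict was assembled."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class ReplayManifest:
    """Pins every input a re-run depends on. If any of them drifts, the manifest
    no longer matches and replay must refuse rather than quietly produce a new answer."""
    artifact: str       # immutable OCI digest of the scanned image, never a tag
    feed_snapshot: str  # digest of the frozen advisory feed used for the original verdict
    rules: str          # digest of the policy/rule bundle
    analyzer: str       # analyzer build id (placeholder value below)

def scan(packages, feed):
    """Constructed stand-in for the analyzer: match packages against the frozen feed.
    Findings are emitted in a total order so discovery order (a set, a parallel
    filesystem walk) cannot leak into the result."""
    findings = []
    for pkg in packages:
        for adv in feed.get(pkg["name"], []):
            if pkg["version"] in adv["vulnerable_versions"]:
                findings.append({"cve": adv["id"], "package": pkg["name"], "version": pkg["version"]})
    return sorted(findings, key=lambda f: (f["cve"], f["package"], f["version"]))

def replay(manifest, packages, feed, assert_digest):
    """Re-run a past scan under its manifest and check the verdict digest."""
    if canonical_digest(feed) != manifest.feed_snapshot:
        return {"ok": False, "reason": "feed drift: snapshot digest does not match manifest"}
    digest = canonical_digest(scan(packages, feed))
    if digest != assert_digest:
        return {"ok": False, "reason": "verdict digest mismatch", "digest": digest}
    return {"ok": True, "digest": digest}

# Constructed sample data; CVE ids and digests are placeholders, not real advisories.
FEED_V1 = {"openssl": [{"id": "CVE-0000-0001", "vulnerable_versions": ["3.0.1"]}],
           "zlib": [{"id": "CVE-0000-0002", "vulnerable_versions": ["1.2.11"]}]}
PACKAGES = [{"name": "zlib", "version": "1.2.11"}, {"name": "openssl", "version": "3.0.1"}]
MANIFEST = ReplayManifest(artifact="sha256:PLACEHOLDER-IMAGE-DIGEST",
                          feed_snapshot=canonical_digest(FEED_V1),
                          rules="sha256:PLACEHOLDER-RULES-DIGEST", analyzer="analyzer-build-0")
ORIGINAL_DIGEST = canonical_digest(scan(PACKAGES, FEED_V1))
```

Re-running with the packages in a different order reproduces `ORIGINAL_DIGEST`; re-running against a changed feed is rejected as drift before any verdict is computed.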

## Snapshot table (condensed)

| Vendor | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor | Offline | Primary gaps vs Stella | Related Claims |
|--------|----------|-------------|---------------|-------|---------|------------------------|----------------|
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice | COMP-TRIVY-001, COMP-TRIVY-002, COMP-TRIVY-003 |
| Syft/Grype | Yes | Yes | Cosign-only | Indirect | Medium | No replay, no lattice | COMP-GRYPE-001, COMP-GRYPE-002, COMP-GRYPE-003 |
| Snyk | Yes | Limited | No | No | Weak | No attest/VEX/replay | COMP-SNYK-001, COMP-SNYK-002, COMP-SNYK-003 |
| Prisma | Yes | Limited | No | No | Strong | No attest/replay | — |
| AWS (Inspector/Signer) | Partial | Partial | Notary v2 | No | Weak | Closed, no replay | — |
| Google | Yes | Yes | Yes | Optional | Weak | No offline/lattice | — |
| GitHub | Yes | Partial | Yes | Yes | No | No replay/crypto opts | — |
| GitLab | Yes | Limited | Partial | No | Medium | No replay/lattice | — |
| Microsoft Defender | Partial | Partial | No | No | Weak | No attest/reachability | — |
| Anchore Enterprise | Yes | Yes | Some | No | Good | No sovereign crypto | — |
| JFrog Xray | Yes | Yes | No | No | Medium | No attest/lattice | — |
| Tenable | Partial | Limited | No | No | Weak | Not SBOM/VEX-focused | — |
| Qualys | Limited | Limited | No | No | Medium | No attest/lattice | — |
| Rezilion | Yes | Yes | No | No | Medium | Runtime-only; no DSSE | — |
| Chainguard | Yes | Yes | Yes | Yes | Medium | No replay/lattice | — |

## How to use this doc

- Sales/PMM: pull talking points and the gap list when building battlecards.
- Product: map gaps to roadmap; keep replay/lattice/sovereign as primary differentiators.
- Engineering: ensure new features keep determinism + sovereign crypto front-and-center; link reachability attestations into the proof graph.

## Cross-links

- Vision: `docs/VISION.md` (Moats section)
- Architecture: `docs/ARCHITECTURE_REFERENCE.md`
- Reachability moat details: `docs/modules/reach-graph/guides/lead.md`
- Source advisory: `docs/product/advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
- **Claims Citation Index**: [`docs/product/claims-citation-index.md`](claims-citation-index.md)

---

## Battlecard Appendix (snippet-ready)

### Elevator Pitches (by Audience)

| Audience | Pitch |
|----------|-------|
| **CISO/Security Leader** | "Stella Ops turns vulnerability noise into auditable decisions. Every verdict is signed, replayable, and proves *why* something is or isn't exploitable." |
| **Compliance/Audit** | "Unlike scanners that output findings, we output decisions with proof chains. Six months from now, you can replay any verdict bit-for-bit to prove what you knew and when." |
| **DevSecOps Engineer** | "Tired of triaging the same CVE across 50 images? Stella deduplicates by root cause, shows reachability proofs, and explains exactly what to fix and why." |
| **Air-gap/Regulated** | "Full offline parity with regional crypto (FIPS/GOST/SM/eIDAS). Sealed knowledge snapshots ensure your air-gapped environment produces identical results to connected." |

### One-Liners with Proof Points

| One-Liner | Proof Point | Claims |
|-----------|-------------|--------|
| *Replay or it's noise* | `stella replay srm.yaml --assert-digest <sha>` reproduces any past scan bit-for-bit | DET-001, DET-003 |
| *Signed reachability, not guesses* | Graph-level DSSE always; edge-bundle DSSE for contested paths; Rekor-backed | REACH-001, REACH-002 |
| *Sovereign-first* | FIPS/eIDAS/GOST/SM/PQC profiles as config; multi-sig with regional roots | ATT-004 |
| *Trust algebra, not suppression files* | K4 lattice merges advisories, runtime, reachability, waivers; conflicts are explicit state | VEX-001, VEX-002 |
| *Semantic risk deltas* | "Exploitability dropped 41% despite +2 CVEs" — not just CVE counts | — |

### Objection Handlers

| Objection | Response | Supporting Claims |
|-----------|----------|-------------------|
| "We already sign SBOMs." | Great start. But do you sign call-graphs and VEX decisions? Can you replay a scan from 6 months ago and get identical results? We do both. | DET-001, REACH-002 |
| "Cosign/Rekor is enough." | Cosign signs artifacts. We sign *decisions*. Without deterministic manifests and reachability proofs, you can sign findings but can't audit *why* a vuln was reachable. | DET-003, REACH-002 |
| "Our runtime traces show reachability." | Runtime is one signal. We fuse it with static call graphs and VEX lattice into a signed, replayable verdict. You can quarantine or dispute individual edges, not just all-or-nothing. | REACH-001, VEX-002 |
| "Snyk does reachability." | Snyk's reachability is language-limited (Java, JavaScript), SaaS-only, and unsigned. We support 6+ languages, work offline, and sign every call path with DSSE. | COMP-SNYK-002, COMP-SNYK-003, REACH-002 |
| "We use Trivy and it's free." | Trivy is excellent for broad coverage. We're for organizations that need audit-grade reproducibility, VEX reasoning, and signed proofs. Different use cases. | COMP-TRIVY-001, COMP-TRIVY-002 |
| "Can't you just add this to Trivy?" | Trivy's architecture assumes findings, not decisions. Retrofitting deterministic replay, lattice VEX, and proof chains would require fundamental rearchitecture—not just features. | — |

### Demo Scenarios

| Scenario | What to Show | Command |
|----------|-------------|---------|
| **Determinism** | Run scan twice, show identical digests | `stella scan --image <img> --srm-out a.yaml && stella scan --image <img> --srm-out b.yaml && diff a.yaml b.yaml` |
| **Replay** | Replay a week-old scan, verify identical output | `stella replay srm.yaml --assert-digest <sha>` |
| **Reachability proof** | Show signed call path from entrypoint to vulnerable symbol | `stella graph show --cve CVE-XXXX-YYYY --artifact <digest>` |
| **VEX conflict** | Show lattice handling vendor vs runtime disagreement | Trust Algebra Studio UI or `stella vex evaluate --artifact <digest>` |
| **Offline parity** | Import sealed bundle, scan, compare to online result | `stella rootpack import bundle.tar.gz && stella scan --offline ...` |

### Leave-Behind Materials

- **Reachability deep-dive:** `docs/modules/reach-graph/guides/lead.md`
- **Competitive landscape:** This document
- **Proof architecture:** `docs/modules/platform/proof-driven-moats-architecture.md`
- **Key features:** `docs/key-features.md`

## Sources

- Full advisory: `docs/product/advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
- Claims Citation Index: `docs/product/claims-citation-index.md`