Competitive Claims Citation Index
Purpose
This document is the authoritative source for all competitive positioning claims made by StellaOps. All marketing materials, sales collateral, and documentation must reference claims from this index to ensure accuracy and consistency.
Last Updated: 2026-02-19
Next Review: 2026-05-19
Claim Categories
1. Determinism Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| DET-001 | "StellaOps produces bit-identical scan outputs given identical inputs" | tests/determinism/ golden fixtures; CI workflow scanner-determinism.yml | High | 2025-12-14 | 2026-03-14 |
| DET-002 | "All CVSS scoring decisions are receipted with cryptographic InputHash" | ReceiptBuilder.cs:164-190; InputHash computation implementation | High | 2025-12-14 | 2026-03-14 |
| DET-003 | "No competitor offers deterministic replay manifests for audit-grade reproducibility" | Source audit: Trivy v0.55, Grype v0.80, Snyk CLI v1.1292 | High | 2025-12-14 | 2026-03-14 |
| DET-004 | "Content-addressed proof bundles with Merkle roots enable cryptographic score verification" | docs/db/SPECIFICATION.md Section 5.7 (scanner.proof_bundle); scanner scan replay --verify-proof | High | 2025-12-20 | 2026-03-20 |
2. Reachability Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| REACH-001 | "Hybrid static + runtime reachability analysis reduces noise by 60-85%" | docs/product/advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md | High | 2025-12-14 | 2026-03-14 |
| REACH-002 | "Signed reachability graphs with DSSE attestation" | src/Attestor/ module; DSSE envelope implementation | High | 2025-12-14 | 2026-03-14 |
| REACH-003 | "~85% of critical vulnerabilities in containers are in inactive code" | Sysdig 2024 Container Security Report (external) | Medium | 2025-11-01 | 2026-02-01 |
| REACH-004 | "Multi-language support: Java, C#, Go, JavaScript, TypeScript, Python" | Language analyzer implementations in src/Scanner/Analyzers/ | High | 2025-12-14 | 2026-03-14 |
| REACH-005 | "Symbolized call-stack proofs with demangled names, build-ID binding, and source file references" | src/BinaryIndex/__Libraries/StellaOps.Symbols.* (moved from src/Symbols/); src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native/; Symbol Manifest v1 spec | High | 2026-02-19 | 2026-05-19 |
| REACH-006 | "OCI-attached symbol packs as first-class referrer artifacts" | Symbol manifest OCI artifact type application/vnd.stella.symbols.manifest.v1+json; src/BinaryIndex/StellaOps.Symbols.Server/ REST API | High | 2026-02-19 | 2026-05-19 |
3. VEX & Lattice Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| VEX-001 | "OpenVEX lattice semantics with deterministic state transitions" | src/Excititor/ VEX engine; lattice documentation | High | 2025-12-14 | 2026-03-14 |
| VEX-002 | "VEX consensus from multiple sources (vendor, tool, analyst)" | VexConsensusRefreshService.cs; consensus algorithm | High | 2025-12-14 | 2026-03-14 |
| VEX-003 | "Seven-state lattice: CR, SR, SU, DT, DV, DA, U" | docs/product/advisories/14-Dec-2025 - Triage and Unknowns Technical Reference.md | High | 2025-12-14 | 2026-03-14 |
3a. Unknowns & Ambiguity Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| UNKNOWNS-001 | "Two-factor unknowns ranking: uncertainty + exploit pressure (defer centrality)" | docs/db/SPECIFICATION.md Section 5.6 (policy.unknowns); SPRINT_3500_0001_0001_deeper_moat_master.md | High | 2025-12-20 | 2026-03-20 |
| UNKNOWNS-002 | "Band-based prioritization: HOT/WARM/COLD/RESOLVED for triage queues" | policy.unknowns.band column; band CHECK constraint | High | 2025-12-20 | 2026-03-20 |
| UNKNOWNS-003 | "No competitor offers systematic unknowns tracking with escalation workflows" | Source audit: Trivy v0.55, Grype v0.80, Snyk CLI v1.1292 | High | 2025-12-20 | 2026-03-20 |
4. Attestation Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| ATT-001 | "DSSE-signed attestations for all evidence artifacts" | src/Attestor/StellaOps.Attestor.Envelope/ | High | 2025-12-14 | 2026-03-14 |
| ATT-002 | "Optional Sigstore Rekor transparency logging" | src/Attestor/StellaOps.Attestor.Rekor/ integration | High | 2025-12-14 | 2026-03-14 |
| ATT-003 | "in-toto attestation format support" | in-toto predicates in attestation module | High | 2025-12-14 | 2026-03-14 |
| ATT-004 | "Regional crypto support: eIDAS, FIPS, GOST, SM" | StellaOps.Cryptography with plugin architecture | Medium | 2025-12-14 | 2026-03-14 |
| ATT-005 | "Size-aware Rekor pointer strategy: hash pointer in transparency log, full payload in Evidence Locker CAS" | src/Attestor/ detached payload references; src/EvidenceLocker/ CAS storage; Rekor v2 submission with hash pre-check | High | 2026-02-19 | 2026-05-19 |
4a. Proof & Evidence Chain Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| PROOF-001 | "Deterministic proof ledgers with canonical JSON and CBOR serialization" | docs/db/SPECIFICATION.md Section 5.6-5.7 (policy.proof_segments, scanner.proof_bundle) | High | 2025-12-20 | 2026-03-20 |
| PROOF-002 | "Cryptographic proof chains link scans to frozen feed state via Merkle roots" | scanner.scan_manifest (concelier_snapshot_hash, excititor_snapshot_hash) | High | 2025-12-20 | 2026-03-20 |
| PROOF-003 | "Score replay command verifies proof integrity against original calculation" | stella score replay --scan <id> --verify-proof; docs/OFFLINE_KIT.md Section 2.2 | High | 2025-12-20 | 2026-03-20 |
5. Offline & Air-Gap Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| OFF-001 | "Full offline/air-gap operation capability" | docs/airgap/; offline kit implementation | High | 2025-12-14 | 2026-03-14 |
| OFF-002 | "Offline scans produce identical results to online (same advisory date)" | docs/airgap/offline-parity-verification.md (pending) | Medium | TBD | TBD |
| OFF-003 | "Risk bundles include NVD, KEV, EPSS data" | docs/airgap/risk-bundles.md; bundle manifest schema | High | 2025-12-14 | 2026-03-14 |
| OFF-004 | "DSSE-signed offline bundles for integrity verification" | Bundle signing implementation | High | 2025-12-14 | 2026-03-14 |
6. CVSS & Risk Scoring Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| CVSS-001 | "Full CVSS v4.0 MacroVector-based scoring with 324 lookup combinations" | MacroVectorLookup.cs | High | 2025-12-14 | 2026-03-14 |
| CVSS-002 | "Support for CVSS v2.0, v3.0, v3.1, and v4.0 vectors" | CvssV2Engine.cs, CvssV3Engine.cs, CvssEngineFactory.cs | High | 2025-12-14 | 2026-03-14 |
| CVSS-003 | "Threat Metrics (Exploit Maturity) integration per v4.0 spec" | CvssV4Engine.cs:365-375 | High | 2025-12-14 | 2026-03-14 |
| CVSS-004 | "EPSS percentile-based risk bonuses (99th=+10%, 90th=+5%, 50th=+2%)" | CvssKevEpssProvider.cs | High | 2025-12-14 | 2026-03-14 |
| CVSS-005 | "KEV (Known Exploited Vulnerabilities) +20% risk bonus" | CvssKevProvider.cs:33 | High | 2025-12-14 | 2026-03-14 |
7. SBOM Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| SBOM-001 | "SPDX 3.0.1 and CycloneDX 1.6 output formats" | SBOM generator implementations | High | 2025-12-14 | 2026-03-14 |
| SBOM-002 | "Multi-ecosystem support: APK, DEB, RPM, npm, Maven, NuGet, PyPI, Go, Cargo" | Ecosystem analyzers in src/Scanner/ | High | 2025-12-14 | 2026-03-14 |
| SBOM-003 | "Deterministic SBOM generation (same image = same SBOM)" | SBOM determinism tests | High | 2025-12-14 | 2026-03-14 |
Competitive Comparison Claims
vs. Trivy
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-TRIVY-001 | "Trivy lacks lattice VEX semantics (boolean only)" | Trivy v0.55.0 source: pkg/vex/ | High | 2025-12-14 | 2026-03-14 |
| COMP-TRIVY-002 | "Trivy lacks deterministic replay manifests" | Trivy v0.55.0 source audit | High | 2025-12-14 | 2026-03-14 |
| COMP-TRIVY-003 | "Trivy lacks native reachability analysis" | Trivy v0.55.0 feature matrix | High | 2025-12-14 | 2026-03-14 |
vs. Grype
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-GRYPE-001 | "Grype lacks DSSE attestation signing" | Grype v0.80.0 source audit | High | 2025-12-14 | 2026-03-14 |
| COMP-GRYPE-002 | "Grype lacks VEX state lattice (affected/not_affected only)" | Grype v0.80.0 VEX implementation | High | 2025-12-14 | 2026-03-14 |
| COMP-GRYPE-003 | "Grype lacks CVSS v4.0 scoring" | Grype v0.80.0 feature matrix | Medium | 2025-12-14 | 2026-03-14 |
vs. Snyk
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-SNYK-001 | "Snyk lacks deterministic replay manifests" | Snyk CLI v1.1292 audit | High | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-002 | "Snyk's reachability is limited to specific languages" | Snyk documentation review | Medium | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-003 | "Snyk lacks offline/air-gap capability" | Snyk architecture documentation | High | 2025-12-14 | 2026-03-14 |
vs. Docker Scout
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-SCOUT-001 | "Docker Scout produces SBOM/VEX/provenance attestations via cosign but lacks symbolized call-stack proofs, deterministic replay, and lattice VEX reasoning" | Docker Scout documentation (docs.docker.com/scout); DHI surface analysis | High | 2026-02-19 | 2026-05-19 |
| COMP-SCOUT-002 | "Docker Scout does not address Rekor payload size constraints or provide size-aware pointer strategies" | Docker Scout attestation flow analysis; Rekor public instance constraints | High | 2026-02-19 | 2026-05-19 |
vs. JFrog (Xray + Evidence Collection)
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-JFROG-001 | "JFrog Evidence Collection centralizes signed evidence across SDLC but lacks deterministic scoring envelopes, replayable verdicts, and formal VEX lattice reasoning" | JFrog Evidence documentation (jfrog.com/evidence); solution sheet analysis | High | 2026-02-19 | 2026-05-19 |
| COMP-JFROG-002 | "JFrog lacks signed reachability graphs and call-stack symbolization; evidence is SBOM/provenance-level, not function-level" | JFrog Xray feature matrix; Evidence Collection solution sheet | High | 2026-02-19 | 2026-05-19 |
vs. Oligo Security
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-OLIGO-001 | "Oligo Security provides runtime call-stack exploitability evidence but lacks SBOM/VEX integration, deterministic replay, lattice VEX reasoning, signed reachability graphs, and offline/air-gap capability" | Oligo Security blog post on call-stack evidence; product positioning as runtime-only tool | Medium | 2026-02-19 | 2026-05-19 |
Confidence Levels
| Level | Percentage | Definition |
|---|---|---|
| High | 80-100% | Verified against source code or authoritative documentation |
| Medium | 50-80% | Based on documentation or limited testing; needs deeper verification |
| Low | <50% | Unverified or based on indirect evidence; requires validation |
Update Process
Verification Schedule
- Quarterly Review: All claims reviewed every 90 days
- Major Version Triggers: Re-verify when competitors release major versions
- Market Events: Re-verify after significant market announcements
Verification Steps
- Source Audit: Review competitor source code (if open source)
- Documentation Review: Check official documentation
- Feature Testing: Test specific features when possible
- Third-Party Sources: Cross-reference analyst reports
Update Workflow
Deprecation Policy
Stale Claims
Claims older than 6 months without verification are marked STALE:
- STALE claims must NOT be used in external communications
- STALE claims require immediate re-verification or removal
- Marketing team notified of all STALE claims
Invalidated Claims
When a claim becomes false (e.g., a competitor adds the feature in question):
- Mark the claim as INVALID
- Remove it from all active materials within 7 days
- Update the competitive documentation
- Notify stakeholders
Usage Guidelines
For Marketing
- Reference claims by ID (e.g., "Per DET-001...")
- Include verification date in footnotes
- Do not paraphrase claims without SME review
For Sales
- Use claims matrix for competitive conversations
- Check confidence levels before customer commitments
- Report feedback on claim accuracy
For Documentation
- Link to this index for competitive statements
- Update cross-references when claims change
- Flag questionable claims to Docs Guild
Execution Log
| Date | Update | Owner |
|---|---|---|
| 2025-12-14 | Initial claims index created | Docs Guild |
| 2025-12-14 | Added CVSS v2/v3 engine claims (CVSS-002) | AI Implementation |
| 2025-12-14 | Added EPSS integration claims (CVSS-004) | AI Implementation |
| 2025-12-20 | Added DET-004 (content-addressed proof bundles) | Agent |
| 2025-12-20 | Added PROOF-001/002/003 (deterministic proof ledgers, proof chains, score replay) | Agent |
| 2025-12-20 | Added UNKNOWNS-001/002/003 (two-factor ranking, band prioritization, competitor gap) | Agent |
| 2026-02-19 | Added REACH-005/006 (symbolized call-stacks, OCI symbol packs) from competitive advisory review | Product Manager |
| 2026-02-19 | Added ATT-005 (Rekor size-aware pointer strategy) from competitive advisory review | Product Manager |
| 2026-02-19 | Added COMP-SCOUT-001/002 (Docker Scout gaps) and COMP-JFROG-001/002 (JFrog gaps) from competitive advisory review | Product Manager |
| 2026-02-19 | Added COMP-OLIGO-001 (Oligo Security runtime-only gaps) from VEX/call-stack/determinism competitive advisory | Product Manager |
References
- docs/product/advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md
- docs/product/competitive-landscape.md
- docs/benchmarks/accuracy-metrics-framework.md