git.stella-ops.org/docs/market/competitive-landscape.md (master 2de8d1784b, commit "new advisories", 2025-11-23 23:38:25 +02:00)
# Competitive Landscape (Nov 2025)
Source: internal advisory “23-Nov-2025 - Stella Ops vs Competitors”. Supersedes/extends prior competitive notes (none published); treat this as canonical until a newer dated advisory arrives. This summary distils the 15-vendor comparison into actionable positioning notes and links back to the full matrix for sales/PMM.
## StellaOps moats (why we win)
- **Deterministic replay:** feed+rules snapshotting; graph/SBOM/VEX re-run bit-for-bit with manifest hashes.
- **Hybrid reachability attestations:** graph-level DSSE always; optional edge-bundle DSSE for runtime/init/contested edges; Rekor-backed with publish caps.
- **Lattice-based VEX engine:** merges advisories, runtime hits, reachability, waivers with explainable paths.
- **Crypto sovereignty:** FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors as first-class knobs.
- **Proof graph:** DSSE + transparency across SBOM, call-graph, VEX, replay manifests.
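What "deterministic replay with frozen feeds" means mechanically, as an added Python illustration (not StellaOps code): every input that influences a scan is pinned by content digest in a manifest, the scan output is canonically serialised and digested, and a replay rebuilds the manifest from the supplied inputs and reports exactly which pinned field drifted. The manifest fields, the toy matcher and the sample SBOM/feed/rules are constructed for the example; SHA-256 stands in for the BLAKE3 graph hashes because it ships in the Python stdlib.

```python
"""Deterministic replay manifest: pin every input by digest, re-run, diff.

Added illustration only. The manifest fields, toy matcher and sample
SBOM/feed/rules are constructed for this example, not StellaOps' format.
SHA-256 is used here because it is in the stdlib (the design names BLAKE3).
"""
from __future__ import annotations

import hashlib
import json


def canonical(obj) -> bytes:
    """Stable byte form: sorted keys, no insignificant whitespace, ASCII only,
    so dict insertion order cannot leak into a digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def digest(obj) -> str:
    return "sha256:" + hashlib.sha256(canonical(obj)).hexdigest()


SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def scan(sbom: dict, feed: dict, rules: dict) -> list[dict]:
    """Toy matcher: flag a component when its exact version is listed by an
    advisory whose severity meets the rule threshold. Findings are sorted so
    the order of components/advisories in the inputs cannot alter the result."""
    findings = []
    for comp in sbom["components"]:
        for adv in feed["advisories"]:
            if (adv["package"] == comp["name"]
                    and comp["version"] in adv["affected_versions"]
                    and SEVERITY[adv["severity"]] >= SEVERITY[rules["min_severity"]]):
                findings.append({"id": adv["id"],
                                 "component": f'{comp["name"]}@{comp["version"]}',
                                 "severity": adv["severity"]})
    return sorted(findings, key=lambda f: (f["id"], f["component"]))


def build_manifest(sbom: dict, feed: dict, rules: dict, tool: str) -> dict:
    """Pin everything that influences the result by content digest. No
    timestamps or hostnames: those belong in an outer envelope, never inside
    the hashed manifest, or no two runs would ever match."""
    return {"tool": tool, "sbom": digest(sbom), "feed": digest(feed),
            "rules": digest(rules), "result": digest(scan(sbom, feed, rules))}


def replay_verify(manifest: dict, sbom: dict, feed: dict, rules: dict,
                  tool: str) -> tuple[bool, list[str]]:
    """Re-run from the supplied inputs and list every pinned field that drifted.
    An empty drift list means the scan reproduced bit-for-bit."""
    rerun = build_manifest(sbom, feed, rules, tool)
    drift = [k for k in manifest if manifest[k] != rerun.get(k)]
    return (not drift, drift)


# Constructed sample inputs; advisory ids are placeholders, not real advisories.
TOOL = "toy-scanner/0.1"
SBOM = {"components": [{"name": "openssl", "version": "3.0.1"},
                       {"name": "zlib", "version": "1.2.13"}]}
FEED = {"snapshot": "2025-11-23", "advisories": [
    {"id": "EXAMPLE-0001", "package": "openssl",
     "affected_versions": ["3.0.0", "3.0.1"], "severity": "high"}]}
RULES = {"min_severity": "medium"}
# Two "refreshed" feeds: one adds an advisory the rules filter out (low < medium),
# the other adds one that produces a new finding.
FEED_LOW = {**FEED, "advisories": FEED["advisories"] + [
    {"id": "EXAMPLE-0002", "package": "zlib",
     "affected_versions": ["1.2.13"], "severity": "low"}]}
FEED_CRIT = {**FEED, "advisories": FEED["advisories"] + [
    {"id": "EXAMPLE-0003", "package": "zlib",
     "affected_versions": ["1.2.13"], "severity": "critical"}]}


def demo() -> dict[str, tuple[bool, list[str]]]:
    manifest = build_manifest(SBOM, FEED, RULES, TOOL)
    return {
        "frozen": replay_verify(manifest, SBOM, FEED, RULES, TOOL),
        "feed_refreshed_same_result": replay_verify(manifest, SBOM, FEED_LOW, RULES, TOOL),
        "feed_refreshed_new_finding": replay_verify(manifest, SBOM, FEED_CRIT, RULES, TOOL),
    }


if __name__ == "__main__":
    for name, (ok, drift) in demo().items():
        print(f"{name}: {'reproduced' if ok else 'drift in ' + ', '.join(drift)}")
```

Two details carry the whole claim: the manifest records the feed snapshot digest, so a refreshed feed is reported as drift even when it changes no finding, and the result is sorted and canonically serialised before hashing, so only content, never ordering or timing, can change the result digest.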
## Top takeaways (sales-ready)
1. No competitor offers deterministic replay with frozen feeds; we do.
2. None sign reachability graphs; we sign graphs and (optionally) edges.
3. Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to StellaOps.
4. Lattice VEX + explainable paths is unmatched; others ship boolean VEX or none at all.
5. Offline/air-gap readiness with mirrored transparency is rare; we ship it by default.
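What "lattice VEX with explainable paths" means in practice, as an added Python sketch (not StellaOps code): statuses form a bounded lattice whose join surfaces disagreement as a conflict instead of picking a side, evidence sources carry a trust rank so a static reachability result refines an advisory range match and a runtime hit refines the static graph, and every decision carries the list of claims that produced it. The lattice, the ranks, the field names and the sample evidence are assumptions chosen for this example.

```python
"""Toy lattice-based VEX merge that returns an explainable decision path.

Added illustration only: the status lattice, source ranks, field names and
sample evidence are assumptions for this example, not StellaOps' schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    UNKNOWN = "unknown"                          # bottom: no evidence yet
    UNDER_INVESTIGATION = "under_investigation"
    NOT_AFFECTED = "not_affected"
    AFFECTED = "affected"
    FIXED = "fixed"
    CONFLICT = "conflict"                        # top: incomparable claims


# Strict "below" relation, transitively closed. NOT_AFFECTED / AFFECTED / FIXED
# are mutually incomparable, so their join is CONFLICT rather than a guess.
_ABOVE = {
    Status.UNKNOWN: {Status.UNDER_INVESTIGATION, Status.NOT_AFFECTED,
                     Status.AFFECTED, Status.FIXED, Status.CONFLICT},
    Status.UNDER_INVESTIGATION: {Status.NOT_AFFECTED, Status.AFFECTED,
                                 Status.FIXED, Status.CONFLICT},
    Status.NOT_AFFECTED: {Status.CONFLICT},
    Status.AFFECTED: {Status.CONFLICT},
    Status.FIXED: {Status.CONFLICT},
    Status.CONFLICT: set(),
}


def leq(a: Status, b: Status) -> bool:
    return a == b or b in _ABOVE[a]


def join(a: Status, b: Status) -> Status:
    """Least upper bound: the smallest status consistent with both claims."""
    upper = [s for s in Status if leq(a, s) and leq(b, s)]
    return next(s for s in upper if all(leq(s, t) for t in upper))


# Trust rank per evidence source; a higher tier refines everything below it.
SOURCE_RANK = {"advisory": 1, "reachability": 2, "runtime": 3, "waiver": 4}


@dataclass(frozen=True)
class Evidence:
    source: str            # key into SOURCE_RANK
    status: Status
    justification: str
    valid: bool = True     # e.g. an expired waiver is carried but ignored


@dataclass
class Decision:
    status: Status
    path: list[str] = field(default_factory=list)   # the explainable path


def merge(evidence: list[Evidence]) -> Decision:
    """Join statuses within each trust tier, lowest tier first; each higher tier
    with evidence supersedes the running status. Same-tier disagreement joins
    to CONFLICT so it is surfaced for review, not silently resolved."""
    decision = Decision(Status.UNKNOWN)
    for e in evidence:
        if not e.valid:
            decision.path.append(f"ignored {e.source}: {e.justification}")
    for rank in sorted({SOURCE_RANK[e.source] for e in evidence if e.valid}):
        tier = Status.UNKNOWN
        for e in evidence:
            if e.valid and SOURCE_RANK[e.source] == rank:
                tier = join(tier, e.status)
                decision.path.append(
                    f"{e.source}(rank {rank}) says {e.status.value}: {e.justification}")
        if decision.status is not Status.UNKNOWN:
            decision.path.append(f"rank {rank} supersedes {decision.status.value}")
        decision.status = tier
    if decision.status is Status.CONFLICT:
        decision.path.append("conflicting claims at the deciding tier: needs review")
    return decision


def demo() -> dict[str, Decision]:
    # Constructed evidence for one package/vulnerability pair.
    advisory = Evidence("advisory", Status.AFFECTED, "version in affected range")
    static = Evidence("reachability", Status.NOT_AFFECTED,
                      "vulnerable function absent from the call graph")
    runtime_hit = Evidence("runtime", Status.AFFECTED, "vulnerable symbol observed executing")
    expired = Evidence("waiver", Status.NOT_AFFECTED, "waiver expired", valid=False)
    second_analyzer = Evidence("reachability", Status.AFFECTED,
                               "second analyzer found an init-time path")
    return {
        "graph_refines_advisory": merge([advisory, static]),
        "runtime_overrides_graph": merge([advisory, static, runtime_hit, expired]),
        "same_tier_conflict": merge([advisory, static, second_analyzer]),
    }
```

The `path` list is the "explainable path": a reviewer can read why a finding flipped from `affected` (advisory) to `not_affected` (static graph) and back to `affected` (runtime hit) without re-deriving anything, and a disagreement between two analyzers at the same trust tier lands as `conflict` rather than as whichever claim was merged last.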
## Where others fall short (high level)
- **No deterministic replay:** none of the 15 provide hash-stable, replayable scans with frozen feeds.
- **No lattice/VEX merge:** VEX is absent or bolt-on; no trust algebra elsewhere.
- **Attestation gaps:** most rely on Cosign-only or have no DSSE/Rekor story; none sign reachability graphs.
- **Offline/sovereign:** weak or SaaS-only; no regional crypto options.
## Snapshot table (condensed)
| Vendor | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor | Offline | Primary gaps vs Stella |
| ------------------- | -------- | ----------- | ------------- | ----- | ------- | ---------------------- |
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice |
| Syft/Grype | Yes | Yes | Cosign-only | Indirect | Medium | No replay, no lattice |
| Snyk | Yes | Limited | No | No | Weak | No attest/VEX/replay |
| Prisma | Yes | Limited | No | No | Strong | No attest/replay |
| AWS (Inspector/Signer) | Partial | Partial | Notary v2 | No | Weak | Closed, no replay |
| Google | Yes | Yes | Yes | Optional | Weak | No offline/lattice |
| GitHub | Yes | Partial | Yes | Yes | No | No replay/crypto opts |
| GitLab | Yes | Limited | Partial | No | Medium | No replay/lattice |
| Microsoft Defender | Partial | Partial | No | No | Weak | No attest/reachability |
| Anchore Enterprise | Yes | Yes | Some | No | Good | No sovereign crypto |
| JFrog Xray | Yes | Yes | No | No | Medium | No attest/lattice |
| Tenable | Partial | Limited | No | No | Weak | Not SBOM/VEX-focused |
| Qualys | Limited | Limited | No | No | Medium | No attest/lattice |
| Rezilion | Yes | Yes | No | No | Medium | Runtime-only; no DSSE |
| Chainguard | Yes | Yes | Yes | Yes | Medium | No replay/lattice |
## How to use this doc
- Sales/PMM: pull talking points and the gap list when building battlecards.
- Product: map gaps to roadmap; keep replay/lattice/sovereign as primary differentiators.
- Engineering: ensure new features keep determinism + sovereign crypto front-and-center; link reachability attestations into proof graph.
## Cross-links
- Vision: `docs/03_VISION.md` (Moats section)
- Architecture: `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Reachability moat details: `docs/reachability/lead.md`
- Source advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
---
## Battlecard Appendix (snippet-ready)
**One-liners**
- *Replay or it's noise:* Only StellaOps can re-run a scan bit-for-bit from frozen feeds.
- *Signed reachability, not guesses:* Graph DSSE always; optional edge DSSE for runtime/init edges.
- *Sovereign-first:* FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors are first-class toggles.
- *Trust algebra:* Lattice VEX merges advisories, reachability, runtime, waivers with explainable paths.
**Proof points**
- Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional).
- Hybrid reachability: graph-level attestations plus capped edge-bundle attestations to avoid Rekor flood.
- Offline: transparency mirrors + sealed bundles keep verification working air-gapped.
**Objection handlers**
- “We already sign SBOMs.” → Do you sign call-graphs and VEX? Do you replay scans bit-for-bit? We do.
- “Cosign/Rekor is enough.” → Without deterministic manifests + reachability proofs, you can't audit why a vuln was reachable.
- “Our runtime traces show reachability.” → We combine runtime hits with signed static graphs and VEX lattice; evidence is replayable and quarantinable edge-by-edge.
**CTA for reps**
- Demo: show `stella graph verify --graph <hash>` with and without edge-bundle verification.
- Leave-behind: link `docs/reachability/lead.md` and this appendix.
## Sources
- Full advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`