git.stella-ops.org/docs/market/moat-strategy-summary.md
StellaOps Bot d55a353481 feat(policy): Start Epic 3900 - Exception Objects as Auditable Entities
Advisory Processing:
- Processed 7 unprocessed advisories and 12 moat documents
- Created advisory processing report with 3 new epic recommendations
- Identified Epic 3900 (Exception Objects) as highest priority

Sprint 3900.0001.0001 - 4/8 tasks completed:
- T1: ExceptionObject domain model with full governance fields
- T2: ExceptionEvent model for event-sourced audit trail
- T4: IExceptionRepository interface with CRUD and query methods
- T6: ExceptionEvaluator service with PURL pattern matching

New library: StellaOps.Policy.Exceptions
- Models: ExceptionObject, ExceptionScope, ExceptionEvent
- Enums: ExceptionStatus, ExceptionType, ExceptionReason
- Services: ExceptionEvaluator with scope matching and specificity
- Repository: IExceptionRepository with filter and history support

Remaining tasks: PostgreSQL schema, repository implementation, tests
2025-12-20 23:44:55 +02:00


# StellaOps Moat Strategy Summary

**Date:** 2025-12-20

**Source:** Product Advisories (19-Dec-2025 Moat Series)

**Status:** DOCUMENTED

## Executive Summary

StellaOps' competitive moats are built on decision integrity - deterministic, attestable, replayable security verdicts - not just on scanner features.

## Moat Strength Rankings

| Moat Level | Feature | Defensibility |
|---|---|---|
| 5 (Structural) | Signed, replayable risk verdicts | Highest - requires deterministic eval + proof schema + knowledge snapshots |
| 4 (Strong) | VEX decisioning engine | Formal conflict resolution, provenance-aware trust weighting |
| 4 (Strong) | Reachability with proofs | Portable proofs, artifact-level mapping, deterministic replay |
| 4 (Strong) | Smart-Diff (semantic risk delta) | Graph-based diff over SBOM + reachability + VEX |
| 4 (Strong) | Unknowns as first-class state | Uncertainty budgets in policies, scoring, attestations |
| 4 (Strong) | Air-gapped epistemic mode | Sealed knowledge snapshots, offline reproducibility |
| 3 (Moderate) | SBOM ledger + lineage | Table stakes; differentiate via semantic diff + evidence joins |
| 3 (Moderate) | Policy engine with proofs | Common; moat is proof output + deterministic replay |
| 1-2 (Commodity) | Integrations everywhere | Necessary but not defensible |

## Core Moat Thesis (One-Liners)

- **Deterministic signed verdicts:** "We don't output findings; we output an attestable decision that can be replayed."
- **VEX decisioning:** "We treat VEX as a logical claim system, not a suppression file."
- **Reachability proofs:** "We provide proof of exploitability in this artifact, not just a badge."
- **Smart-Diff:** "We explain what changed in exploitable surface area, not what changed in CVE count."
- **Unknowns modeling:** "We quantify uncertainty and gate on it."

## Implementation Status

| Feature | Sprint(s) | Status |
|---|---|---|
| Signed verdicts | 3500.0002.\* | DONE |
| VEX decisioning | Existing lattice engine | DONE |
| Reachability proofs | 3500.0003.\*, 3600.\* | DONE |
| Smart-Diff | 3500.0001.\* (archived) | DONE |
| Unknowns | 3500.0002.0002 | DONE |
| Air-gapped mode | 3500.0004.0001 (offline bundles) | DONE |
| Reachability Drift | Proposed | 🎯 NEXT |

## Competitor Positioning

### Avoid Head-On Fights With:

- **Snyk:** Developer adoption + reachability prioritization
- **Prisma Cloud:** CNAPP breadth + graph-based investigation
- **Anchore:** SBOM operations maturity
- **Aqua/Trivy:** Runtime protection + VEX Hub network

### Win With:

- Decision integrity (deterministic, attestable, replayable)
- Proof portability (offline audits, evidence bundles)
- Semantic change control (risk deltas, not CVE counts)

## Source Documents

See `docs/product-advisories/unprocessed/moats/` for full advisory content:

- 19-Dec-2025 - Moat #1 through #7
- 19-Dec-2025 - Stella Ops candidate features mapped to moat strength
- 19-Dec-2025 - Benchmarking Container Scanners Against Stella Ops

*Last Updated: 2025-12-20*