# Moat Gap Analysis: StellaOps Competitive Position

- Source Advisory: 19-Dec-2025 - Stella Ops candidate features mapped to moat strength
- Analysis Date: 2025-12-22
- Status: Sprints created, implementation pending

## Executive Summary
This document captures the gap analysis between the competitive moat advisory and StellaOps' current implementation, along with the sprint plan to address identified gaps.
## Moat Scale Reference
| Rating | Definition |
|---|---|
| 5 | Structural moat — new primitives, strong defensibility, durable switching cost |
| 4 | Strong moat — difficult multi-domain engineering; incumbents have partial analogs |
| 3 | Moderate moat — others can build; differentiation is execution + packaging |
| 2 | Weak moat — table-stakes soon; limited defensibility |
| 1 | Commodity — widely available in OSS / easy to replicate |
## Feature Implementation Matrix
| Feature | Moat | Current % | Key Gaps | Sprint Coverage |
|---|---|---|---|---|
| Signed, replayable risk verdicts | 5 | 85% | OCI push polish | 4300_0001_* |
| VEX decisioning engine | 4 | 90% | Evidence hooks polish | Minimal |
| Reachability with proof | 4 | 85% | Standalone artifact polish | 4400_0001_0002 |
| Smart-Diff semantic delta | 4 | 85% | Signed delta verdict | 4400_0001_0001 |
| Unknowns as first-class state | 4 | 80% | Policy budgets, attestations | 4300_0002_* |
| Air-gapped epistemic mode | 4 | 80% | Sealed snapshot workflow | 4300_0003_0001 |
| SBOM ledger + lineage | 3 | 70% | Historical tracking, BYOS | 4600_0001_* |
| Policy engine with proofs | 3 | 90% | Compilation to artifact | Minimal |
| VEX distribution network | 3-4 | 50% | Hub layer refinement | 4500_0001_* |
| Symbolized call-stack proofs | 4 | 95% | Rust/Ruby/PHP language support | Sprint 0401+, 20260220_001-002 (marketplace) |
| Deterministic signed scoring | 5 | 85% | SLO formalization | Existing |
| Rekor size-aware pointer strategy | 4 | 90% | Documentation polish | Existing |
| Signed execution evidence | 3-4 | 40% | Trace-to-DSSE pipeline, policy gate | 20260219_013 |
| Runtime beacon attestations | 3 | 20% | Beacon fact type, attestation pipeline | 20260219_014 |
| Privacy-preserving federated telemetry | 5 | 0% | Full stack: privacy primitives, sync, API, UI | 20260220_005-009 |
| Remediation marketplace (signed-PR fixes) | 4 | 0% | Full stack: registry, webhook, verification, UI | 20260220_010-015 |
## Detailed Gap Analysis

### 1. Signed, Replayable Risk Verdicts (Moat 5)

What exists:

- `VerdictReceiptStatement` with in-toto predicate
- `ProofSpine` and `ProofChainBuilder` infrastructure
- `TrustLatticeEngine.Evaluate()` producing `ProofBundle`
- `ReplayManifest` and `ReplayVerifier`
- Input hashing (sbomDigest, feedsDigest, policyDigest)
Gaps:
| Gap | Sprint |
|---|---|
| Verdict as OCI-attached attestation | 4300_0001_0001 |
| One-command audit replay CLI | 4300_0001_0002 |
| Formal replay determinism tests | 4300_0001_0002 |
Moat Thesis: "We don't output findings; we output an attestable decision that can be replayed."
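As an added illustration of the replay determinism this section calls for (constructed here, not StellaOps code): inputs are canonically serialized and hashed into a manifest under the page's `sbomDigest`, `feedsDigest` and `policyDigest` names, the verdict is re-derived at replay time, and drift in either the inputs or the decision logic is reported. The decision rule, the data shapes and the function names are assumptions.

```python
import hashlib
import json


def canonical_json(obj) -> bytes:
    """Deterministic bytes: sorted keys, no whitespace (assumed canonical form)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(obj) -> str:
    return "sha256:" + hashlib.sha256(canonical_json(obj)).hexdigest()


def evaluate(sbom, feeds, policy) -> dict:
    """Toy decision rule (assumption): block when an advisory matching an SBOM component
    has severity at or above the policy threshold. Sorted iteration keeps the verdict
    bytes independent of input ordering."""
    findings = []
    for comp in sorted(sbom["components"], key=lambda c: c["purl"]):
        for adv in sorted(feeds["advisories"], key=lambda a: a["id"]):
            if adv["purl"] == comp["purl"]:
                findings.append({"purl": comp["purl"], "id": adv["id"], "severity": adv["severity"]})
    blocked = any(f["severity"] >= policy["block_at_severity"] for f in findings)
    return {"decision": "block" if blocked else "pass", "findings": findings}


def build_manifest(sbom, feeds, policy) -> dict:
    """Replay manifest: pinned input digests plus the digest of the verdict they produced."""
    verdict = evaluate(sbom, feeds, policy)
    inputs = {"sbomDigest": digest(sbom), "feedsDigest": digest(feeds), "policyDigest": digest(policy)}
    return {"inputs": inputs, "verdict": verdict, "verdictDigest": digest(verdict)}


def replay(manifest, sbom, feeds, policy) -> list:
    """Determinism check: each supplied input must hash to its pinned digest, and
    re-evaluation must reproduce the pinned verdict. Returns the list of problems found."""
    problems = []
    for key, value in (("sbomDigest", sbom), ("feedsDigest", feeds), ("policyDigest", policy)):
        if digest(value) != manifest["inputs"][key]:
            problems.append(f"{key} mismatch: input differs from the one the verdict was issued over")
    if digest(evaluate(sbom, feeds, policy)) != manifest["verdictDigest"]:
        problems.append("verdict mismatch: evaluation not reproducible from the supplied inputs")
    return problems


# Constructed sample inputs (not real SBOM, feed or policy data).
SBOM = {"components": [{"purl": "pkg:npm/left-pad@1.0.0"}, {"purl": "pkg:npm/lodash@4.17.20"}]}
FEEDS = {"advisories": [{"id": "ADV-0001", "purl": "pkg:npm/lodash@4.17.20", "severity": 7.5}]}
POLICY = {"block_at_severity": 7.0}
```

Replaying the manifest against a swapped feed snapshot (`{"advisories": []}`) reports both a `feedsDigest` mismatch and a verdict mismatch, which is the property a formal determinism test would assert.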
### 2. VEX Decisioning Engine (Moat 4)

What exists:

- `VexConsensusEngine` with 5 modes
- `TrustLatticeEngine` with K4 lattice atoms
- `TrustWeightEngine` for issuer weighting
- VEX normalizers for CycloneDX, OpenVEX, CSAF
- `VexLens` module with consensus rationale
Gaps:
| Gap | Sprint |
|---|---|
| Configurable evidence hooks | Minor enhancement |
Moat Thesis: "We treat VEX as a logical claim system, not a suppression file."
### 3. Reachability with Proof (Moat 4)

What exists:

- `ReachabilityWitnessStatement` attestation type
- `PathWitnessBuilder` for call-path proofs
- `CallPath` models with entrypoint → symbol chain
- `ReachabilityLattice` for state management
- `CompositeGateDetector` for boundary extraction
Gaps:
| Gap | Sprint |
|---|---|
| Standalone reachability subgraph as OCI artifact | 4400_0001_0002 |
| Binary-level reachability proof | 6000_* (existing) |
Moat Thesis: "We provide proof of exploitability in this artifact, not just a badge."
### 4. Smart-Diff Semantic Risk Delta (Moat 4)

What exists:

- `MaterialRiskChangeDetector` with R1-R4 rules
- `RiskStateSnapshot` capturing full finding state
- Detection of all flip types
- Priority scoring algorithm
- SARIF output generation
Gaps:
| Gap | Sprint |
|---|---|
| Signed delta verdict attestation | 4400_0001_0001 |
| Diff over reachability graphs | Future |
Moat Thesis: "We explain what changed in exploitable surface area, not what changed in CVE count."
### 5. Unknowns as First-Class State (Moat 4)

What exists:

- `UncertaintyTier` (T1-T4) with entropy classification
- `UnknownStateLedger` tracking marker kinds
- Risk modifiers from uncertainty
- `BlocksNotAffected()` gate on T1 tier
Gaps:
| Gap | Sprint |
|---|---|
| Policy rule: "fail if unknowns > N" | 4300_0002_0001 |
| Unknown budgets with decay | 4100_0001_0002 (existing) |
| Unknowns in attestations | 4300_0002_0002 |
Moat Thesis: "We quantify uncertainty and gate on it."
### 6. Air-Gapped Epistemic Mode (Moat 4)

What exists:

- `AirGap.Controller` with state management
- `ReplayVerifier` with depth levels
- `TrustStore` and `TufMetadataValidator`
- `EgressPolicy` enforcement
- `TimeAnchor` for offline time validation
Gaps:
| Gap | Sprint |
|---|---|
| Sealed knowledge snapshot export CLI | 4300_0003_0001 |
| One-command import + replay validation | 4300_0003_0001 |
| Feed snapshot versioning with merkle roots | 4300_0003_0001 |
Moat Thesis: Air-gapped "runtime" is common; air-gapped reproducibility is not.
### 7. SBOM Ledger + Lineage (Moat 3)

What exists:

- `SbomService` with versioning events
- `CatalogRecord` for storage
- `Graph` module for dependency indexing
- `SbomVersionEvents`
Gaps:
| Gap | Sprint |
|---|---|
| Historical SBOM tracking with diff lineage | 4600_0001_0001 |
| BYOS ingestion workflow with validation | 4600_0001_0002 |
| SBOM grouping by artifact family | 4600_0001_0001 |
Moat Strategy: Make the ledger valuable via semantic diff, evidence joins, and provenance.
### 8. Policy Engine with Proofs (Moat 3)

What exists:

- `PolicyEvaluation` with `PolicyExplanation`
- OPA/Rego integration
- `ProofBundle` generation from TrustLattice
- Evidence pointers in verdict statements
Gaps:
| Gap | Sprint |
|---|---|
| Policy compilation to standalone decision artifact | Minor enhancement |
Moat Strategy: Keep policy language small but rigorous; always emit evidence pointers.
### 9. VEX Distribution Network (Moat 3-4)

What exists:

- Excititor ingests from 7+ VEX sources
- `VexConnectorMetadata` for source tracking
Gaps:
| Gap | Sprint |
|---|---|
| VEX Hub aggregation layer | 4500_0001_0001 |
| Trust scoring of VEX sources | 4500_0001_0002 |
| VEX verification + validation pipeline | 4500_0001_0001 |
| API for VEX discovery/subscription | 4500_0001_0001 |
Moat Strategy: Differentiate with verification + trust scoring of VEX sources.
### 10. Signed Execution Evidence (Moat 3-4)

Added 2026-02-19 from advisory review (rescoped from external "sandbox traces" proposal).

What exists:

- `RuntimeTracesEndpoints` — runtime trace ingestion in Findings module
- `RuntimeSignalIngester` — containment/blast-radius signal ingestion in Unknowns
- `SignalSnapshotBuilder` — signal snapshot composition for replay/audit
- Signals `POST /signals/runtime-facts` — runtime fact ingestion (eBPF/ETW)
- `InMemoryRuntimeInstrumentationServices` — address canonicalization, hot-symbol aggregation
Gaps:
| Gap | Sprint |
|---|---|
| `executionEvidence@v1` predicate type | 20260219_013 (SEE-01) |
| Trace-to-DSSE pipeline (canonicalize → aggregate → sign) | 20260219_013 (SEE-02) |
| Policy gate: require execution evidence before promotion | 20260219_013 (SEE-03) |
| Execution evidence in audit packs | 20260219_013 (SEE-04) |
Moat Thesis: "We don't just claim it ran — we provide signed, replayable proof of execution with deterministic trace summarization."
Moat Strategy: Elevates from Level 3 (runtime instrumentation exists elsewhere) to Level 4 when combined with existing proof chain (signed execution evidence + verdict + reachability = attestable decision lifecycle).
### 11. Runtime Beacon Attestations (Moat 3)
Added 2026-02-19 from advisory review (rescoped from external "canary beacons" proposal).
What exists:
- Signals runtime-facts ingestion pipeline
- Zastava module (planned runtime protection/admission controller)
- Doctor module runtime host capabilities (eBPF, ETW, dyld agents)
Gaps:
| Gap | Sprint |
|---|---|
| `beacon` fact type in Signals | 20260219_014 (BEA-01) |
| `beaconAttestation@v1` predicate type | 20260219_014 (BEA-01) |
| Beacon ingestion + batched attestation pipeline | 20260219_014 (BEA-02) |
| Beacon verification rate as policy input | 20260219_014 (BEA-03) |
| Beacon attestations in audit packs | 20260219_014 (BEA-04) |
Moat Thesis: "Low-volume signed proof that this artifact actually ran in this environment — verifiable offline, no image modification required."
Moat Strategy: Level 3 standalone; combined with execution evidence and proof chain, contributes to the "attestable decision lifecycle" story for compliance-oriented customers.
### 12. Privacy-Preserving Federated Runtime Telemetry (New L5 — Structural)
Added 2026-02-19 from moat-gap advisory.
What exists:
- Signals runtime-facts ingestion pipeline (eBPF/ETW/dyld)
- FederationHub / CrossRegionSync for bundle transport
- DsseEnvelope signing infrastructure
- AirGap egress policy enforcement
Implementation (Sprints 20260220_005-009):
| Component | Sprint |
|---|---|
| Privacy primitives (k-anonymity, DP, epsilon budget) | 20260220_005 (FPT-01 → FPT-07) |
| Federation sync + intelligence merger | 20260220_006 (FTS-01 → FTS-06) |
| API endpoints + CLI + Doctor plugin | 20260220_007 (FAC-01 → FAC-05) |
| UI (5 pages under Platform Ops) | 20260220_008 (FUI-01 → FUI-07) |
| Documentation + contracts | 20260220_009 (FDC-01 → FDC-05) |
Moat Thesis: "We share exploit intelligence across sites without sharing raw code — privacy-preserving, consent-proven, offline-compatible."
Moat Strategy: No competitor has DP + k-anonymity over federated runtime signals with DSSE consent. Network-effect moat: each new participant enriches the shared corpus. Combined with existing proof chain, creates attestable federated intelligence lifecycle.
### 13. Developer-Facing Signed-PR Remediation Marketplace (New L4 — Strong)
Added 2026-02-19 from moat-gap advisory.
What exists:
- FixChainAttestationService (DSSE-signed fix chain proofs)
- SCM webhook pipeline in Signals
- ReachGraph for reachability delta computation
- Integration Hub plugin framework
Implementation (Sprints 20260220_010-015):
| Component | Sprint |
|---|---|
| Registry + persistence + domain models | 20260220_010 (REM-01 → REM-07) |
| Signals webhook handler | 20260220_011 (REM-08 → REM-12) |
| Verification pipeline (scan → delta → attest) | 20260220_012 (REM-13 → REM-17) |
| Matching + marketplace sources + policy | 20260220_013 (REM-18 → REM-22) |
| UI (3 pages + contextual badge) | 20260220_014 (REM-23 → REM-27) |
| Offline bundles + CLI + docs | 20260220_015 (REM-28 → REM-32) |
Moat Thesis: "Every remediation PR is verified against reachability proof deltas and cryptographically attested — not just a patch, but proof the fix actually reduces exploitable surface."
Moat Strategy: No competitor has PR-level fix attestations verified against reachability proof deltas. Six-module integration depth (Attestor + ReachGraph + Signals + Scanner + Policy + EvidenceLocker) creates deep switching cost.
## Sprint Roadmap

### Phase 1: Moat 5 Anchor (P0)

```text
4300_0001_0001 → 4300_0001_0002
│
└── Verdict becomes portable, replayable
```

### Phase 2: Moat 4 Hardening (P1)

```text
4300_0002_0001 → 4300_0002_0002
│
└── Unknowns become actionable

4300_0003_0001
│
└── Air-gap becomes reproducible

4500_0001_0001 → 4500_0001_0002
│
└── VEX becomes distributable
```

### Phase 3: Moat 4 Extensions (P2)

```text
4400_0001_0001 (Delta Verdict)
4400_0001_0002 (Reachability Artifact)
```

### Phase 4: Moat 3 Foundation (P2)

```text
4600_0001_0001 → 4600_0001_0002
│
└── SBOM becomes historical
```

### Phase 5: Runtime Evidence (P2-P3)

```text
20260219_013 (SEE-01 → SEE-04)
│
└── Execution becomes attestable

20260219_014 (BEA-01 → BEA-04)
│
└── Presence becomes provable
```

### Phase 6: Moat Expansion — Three New Capabilities (P1)

```text
20260220_001 → 20260220_002 → 20260220_003
│
└── Symbol Marketplace (L4 @ 95%)

20260220_005 → 20260220_006 → 20260220_007 → 20260220_008
│
└── Federated Telemetry (New L5)

20260220_010 → 20260220_011 → 20260220_012 → 20260220_013 → 20260220_014
│
└── Remediation Marketplace (New L4)
```
## Competitive Positioning Summary

### Where StellaOps Is Strong
- VEX decisioning — Multi-mode consensus engine is ahead of all competitors (including Docker Scout, JFrog)
- Smart-Diff — R1-R4 rules with priority scoring is unique
- Policy engine — OPA/Rego with proof output is mature
- Attestor — in-toto/DSSE infrastructure is complete
- Symbolized call-stack proofs — No competitor (Docker Scout, Trivy, JFrog) delivers function-level symbol evidence with demangled names and build-ID binding
- Deterministic signed scoring — JFrog centralizes evidence but can't replay; Stella produces seeded, verifiable scoring envelopes
- Rekor size-aware strategy — Hash pointer in Rekor + full payload in Evidence Locker solves real ~100KB upload constraints
- Federated telemetry — Privacy-preserving cross-site exploit intelligence with DP + k-anonymity + DSSE consent proofs
- Remediation marketplace — Signed-PR fix attestations verified against reachability proof deltas with contributor trust scoring
### Where StellaOps Must Improve
- Verdict portability — OCI push makes verdicts first-class artifacts
- Audit replay — One-command replay is essential for compliance
- VEX distribution — Hub layer creates network effects
- Unknown governance — Policy budgets make uncertainty actionable
### Avoid Head-On Fights
- Snyk: Don't compete on developer UX; compete on proof-carrying reachability
- Prisma: Don't compete on CNAPP breadth; compete on decision integrity
- Anchore: Don't compete on SBOM storage; compete on semantic diff + VEX reasoning
- Docker Scout: Don't compete on registry-native DHI integration; compete on call-stack symbolization, replay, and lattice VEX
- JFrog: Don't compete on artifact management breadth; compete on deterministic scoring, replayable verdicts, and function-level proofs
## References

- Sprints: `docs/implplan/SPRINT_4300_*.md`, `SPRINT_4400_*.md`, `SPRINT_4500_*.md`, `SPRINT_4600_*.md`
- Original Advisory: `docs/product/advisories/archived/19-Dec-2025 - Stella Ops candidate features mapped to moat strength.md`
- Architecture: `docs/ARCHITECTURE_OVERVIEW.md`