stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4a98dfef353e6065bb8daaa43c05943205fd49
git.stella-ops.org/docs/product/moat-strategy-summary.md
master 4789027317 docs consolidation and others
2026-01-06 19:07:48 +02:00

163 lines
8.9 KiB
Markdown
Raw Blame History

# StellaOps Moat Strategy Summary
**Date**: 2026-01-03
**Source**: Product Advisories (19-Dec-2025 Moat Series), Competitive Analysis (Jan 2026)
**Status**: DOCUMENTED
---
## Executive Summary
> **Core Thesis:** Stella Ops isn't a scanner that outputs findings. It's a platform that outputs **attestable decisions that can be replayed**.
StellaOps competitive moats are built on **decision integrity**—deterministic, attestable, replayable security verdicts—not just scanner features. This is a category difference, not a feature gap.
### The Category Shift
| Traditional Scanners | Stella Ops |
|---------------------|------------|
| Output findings | Output decisions |
| VEX as suppression | VEX as logical claims |
| Reachability as badge | Reachability as proof |
| CVE counts | Semantic risk deltas |
| Hide unknowns | Surface and score unknowns |
| Online-first | Offline-first with parity |
## Moat Strength Rankings
### Understanding the Scale
| Level | Definition | Defensibility |
|-------|------------|---------------|
| **5** | Structural moat | New primitives, strong defensibility, durable switching cost. Requires fundamental rearchitecture to replicate. |
| **4** | Strong moat | Difficult multi-domain engineering. Incumbents have partial analogs but retrofitting is expensive. |
| **3** | Moderate moat | Others can build. Differentiation is execution + packaging. |
| **2** | Weak moat | Table-stakes soon. Limited defensibility. |
| **1** | Commodity | Widely available in OSS or easy to replicate. |
### Ranked Capabilities
| Level | Capability | Why It's Defensible | Module(s) | Status |
|-------|-----------|---------------------|-----------|--------|
| **5** | Signed, replayable risk verdicts | Requires deterministic eval + proof schema + knowledge snapshots + frozen feeds. No competitor has this architecture. | `Attestor`, `ReplayVerifier`, `Scanner` | Implemented |
| **4** | VEX decisioning (K4 lattice) | Formal conflict resolution using Belnap logic. Requires rethinking VEX from suppression to claims. | `VexLens`, `TrustLatticeEngine`, `Excititor` | Implemented |
| **4** | Reachability with proofs | Three-layer (static + binary + runtime) with DSSE-signed call paths. Not "potentially reachable" but "here's the proof." | `ReachGraph`, `Scanner.VulnSurfaces`, `PathWitnessBuilder` | Implemented |
| **4** | Smart-Diff (semantic risk delta) | Graph-based diff over reachability + VEX. Outputs meaning ("exploitability dropped 41%"), not numbers ("+3 CVEs"). | `MaterialRiskChangeDetector`, `Scanner.ReachabilityDrift` | Implemented |
| **4** | Unknowns as first-class state | Uncertainty budgets, bands (HOT/WARM/COLD), decay algorithms, policy gates. | `Policy`, `Signals`, `UnknownStateLedger` | Implemented |
| **4** | Air-gapped epistemic mode | Sealed knowledge snapshots, offline reproducibility, regional crypto (GOST/SM/eIDAS). | `AirGap.Controller`, `CryptoProfile`, `RootPack` | Implemented |
| **3** | SBOM ledger + lineage | Table stakes; differentiated via semantic diff + evidence joins + deterministic generation. | `SbomService`, `BinaryIndex` | Implemented |
| **3** | Policy engine with proofs | Common; moat is proof output + deterministic replay + K4 integration. | `Policy`, `TrustLatticeEngine` | Implemented |
| **1-2** | Integrations | Necessary but not defensible. Anyone can build CI/CD plugins. | Various | Ongoing |
## Core Moat Thesis (One-Liners)
Use these in sales conversations, marketing materials, and internal alignment.
| Capability | One-Liner | What It Actually Means |
|-----------|-----------|------------------------|
| **Deterministic verdicts** | "We don't output findings; we output attestable decisions that can be replayed." | Given identical inputs, Stella produces identical outputs. `stella replay srm.yaml` reproduces any past scan bit-for-bit. |
| **VEX decisioning** | "We treat VEX as a logical claim system, not a suppression file." | K4 lattice (Unknown/True/False/Conflict) aggregates multiple VEX sources. Conflicts are explicit state, not hidden. |
| **Reachability proofs** | "We provide proof of exploitability in *this* artifact, not just a badge." | Three-layer reachability with DSSE-signed call paths. Not "potentially reachable" but "here's the exact path from entrypoint to vuln." |
| **Smart-Diff** | "We explain what changed in exploitable surface area, not what changed in CVE count." | Output: "Exploitability dropped 41% despite +2 CVEs." Semantic meaning, not raw numbers. |
| **Unknowns modeling** | "We quantify uncertainty and gate on it." | Unknowns have bands (HOT/WARM/COLD), decay algorithms, and policy budgets. Uncertainty is risk—we surface and score it. |
## Implementation Status
### Core Moats (All Implemented)
| Capability | Key Modules | Evidence |
|-----------|-------------|----------|
| **Signed verdicts** | `Attestor`, `Signer`, `ReplayVerifier` | DSSE envelopes, SRM manifests, bit-for-bit replay |
| **VEX decisioning (K4)** | `VexLens`, `TrustLatticeEngine` | 110+ tests passing; CycloneDX/OpenVEX/CSAF normalizers |
| **Reachability proofs** | `ReachGraph`, `PathWitnessBuilder` | DSSE-signed graphs; edge-bundle attestations |
| **Smart-Diff** | `MaterialRiskChangeDetector`, `RiskStateSnapshot` | R1-R4 rules; priority scoring; SARIF output |
| **Unknowns modeling** | `UnknownStateLedger`, `Policy` | Bands (HOT/WARM/COLD); decay algorithms |
| **Air-gapped mode** | `AirGap.Controller`, `RootPack` | Sealed snapshots; regional crypto |
| **Binary backport** | `Feedser`, `BinaryIndex`, `SourceIntel` | Tier 1-3 complete; Tier 4 (binary fingerprinting) in progress |
### Moat Enhancement Roadmap
| Enhancement | Priority | Sprint Coverage |
|-------------|----------|-----------------|
| OCI-attached verdict attestations | P0 | 4300_0001_0001 |
| One-command audit replay CLI | P0 | 4300_0001_0002 |
| VEX Hub aggregation layer | P1 | 4500_0001_* |
| Trust scoring of VEX sources | P1 | 4500_0001_0002 |
| Tier 4 binary fingerprinting | P1 | 7204-7206 |
| SBOM historical lineage | P2 | 4600_0001_* |
## Competitor Positioning
### Where to Compete (and How)
| Competitor | Their Strength | Don't Compete On | Win With |
|-----------|----------------|------------------|----------|
| **Snyk** | Developer UX, fix PRs, onboarding | Adoption velocity | Proof-carrying reachability, offline capability, attestation chain |
| **Prisma Cloud** | CNAPP breadth, graph investigation | Platform completeness | Decision integrity, deterministic replay, semantic diff |
| **Anchore** | SBOM operations maturity | SBOM storage | Lattice VEX, signed reachability, proof chains |
| **Aqua/Trivy** | Runtime protection, broad coverage | Ecosystem breadth | Forensic reproducibility, K4 logic, regional crypto |
### Our Winning Positions
| Position | What It Means | Proof Point |
|----------|--------------|-------------|
| **Decision integrity** | Every verdict is deterministic, attestable, and replayable | `stella replay srm.yaml --assert-digest <sha>` |
| **Proof portability** | Evidence bundles work offline and survive audits | Decision Capsules with sealed SBOM/VEX/reachability/policy |
| **Semantic change control** | Risk deltas show meaning, not numbers | "Exploitability dropped 41% despite +2 CVEs" |
| **Sovereign deployment** | Self-hosted, regional crypto, air-gap parity | GOST/SM/eIDAS profiles; RootPack bundles |
### Where We're Ahead
1. **VEX decisioning** — K4 lattice with conflict detection; no competitor has this
2. **Smart-Diff** — Semantic risk deltas with priority scoring; unique
3. **Signed reachability** — DSSE graphs + edge bundles; unique
4. **Deterministic replay** — Bit-for-bit reproducibility; unique
5. **Regional crypto** — FIPS/eIDAS/GOST/SM/PQC; unique
### Where Competitors Lead (For Now)
| Area | Competitor Lead | Our Response |
|------|-----------------|--------------|
| Mass-market UX polish | Snyk | Focus on power users who need proofs |
| SaaS onboarding friction | Snyk, Prisma | Offer both SaaS and self-hosted |
| Marketplace integrations | All major players | Prioritize based on customer demand |
| Ecosystem breadth | Trivy | Focus on depth over breadth |
---
## Quick Reference
### Key Documents
- **Competitive Landscape**: `docs/product/competitive-landscape.md`
- **Claims Index**: `docs/product/claims-citation-index.md`
- **Proof Architecture**: `docs/modules/platform/proof-driven-moats-architecture.md`
- **Key Features**: `docs/key-features.md`
- **Moat Gap Analysis**: `docs/modules/platform/moat-gap-analysis.md`
### Key Commands (Demo-Ready)
```bash
# Determinism proof
stella scan --image <img> --srm-out a.yaml
stella scan --image <img> --srm-out b.yaml
diff a.yaml b.yaml # Identical
# Replay proof
stella replay srm.yaml --assert-digest <sha>
# Reachability proof
stella graph show --cve CVE-XXXX-YYYY --artifact <digest>
# VEX evaluation
stella vex evaluate --artifact <digest>
# Offline scan
stella rootpack import bundle.tar.gz
stella scan --offline --image <digest>
```
---
**Last Updated**: 2026-01-03
Reference in New Issue View Git Blame Copy Permalink