Takeaway 1
No competitor offers deterministic replay with frozen feeds; we do.
Competitive landscape
Stella Ops is the only scanner that ships signed reachability graphs, deterministic replay packs, and sovereign crypto profiles together.
Full reference: market comparison.
Key takeaways
Takeaway 2
None sign reachability graphs; we sign graphs and (optionally) edges.
Takeaway 3
Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to Stella Ops.
Takeaway 4
Lattice VEX + explainable paths is unmatched; others ship boolean VEX or none at all.
Takeaway 5
Offline/air-gap readiness with mirrored transparency is rare; we ship it by default.
Moats that show up in evaluations
Deterministic replay
Feed+rules snapshotting; graph/SBOM/VEX re-run bit-for-bit with manifest hashes.
Hybrid reachability attestations
Graph-level DSSE always; optional edge-bundle DSSE for runtime/init/contested edges; Rekor-backed with publish caps.
Lattice-based VEX engine
Merges advisories, runtime hits, reachability, waivers with explainable paths.
Crypto sovereignty
FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors as first-class knobs.
Proof graph
DSSE + transparency across SBOM, call-graph, VEX, replay manifests.
Where others fall short
Systemic gaps incumbents still have
- No deterministic replay: none of the 15 provide hash-stable, replayable scans with frozen feeds.
- No lattice/VEX merge: VEX is absent or bolt-on; no trust algebra elsewhere.
- Attestation gaps: most rely on Cosign-only or have no DSSE/Rekor story; none sign reachability graphs.
- Offline/sovereign: weak or SaaS-only; no regional crypto options.
What this means for buyers
When evaluating container security platforms, ask:
- Can you replay a scan from six months ago and get the same result?
- Do you sign call-graphs and VEX, not just SBOMs?
- Can the platform run fully air-gapped with regional crypto profiles?
- Does your VEX engine explain why a decision was made?
15-vendor comparison (condensed)
| Vendor | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor | Offline | Primary gaps vs Stella |
|---|---|---|---|---|---|---|
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice |
| Syft/Grype | Yes | Yes | Cosign-only | Indir | Medium | No replay, no lattice |
| Snyk | Yes | Limited | No | No | Weak | No attest/VEX/replay |
| Prisma | Yes | Limited | No | No | Strong | No attest/replay |
| AWS Inspector/Signer | Partial | Partial | Notary v2 | No | Weak | Closed, no replay |
| Yes | Yes | Yes | Opt | Weak | No offline/lattice | |
| GitHub | Yes | Partial | Yes | Yes | No | No replay/crypto opts |
| GitLab | Yes | Limited | Partial | No | Medium | No replay/lattice |
| Microsoft Defender | Partial | Partial | No | No | Weak | No attest/reachability |
| Anchore Enterprise | Yes | Yes | Some | No | Good | No sovereign crypto |
| JFrog Xray | Yes | Yes | No | No | Medium | No attest/lattice |
| Tenable | Partial | Limited | No | No | Weak | Not SBOM/VEX-focused |
| Qualys | Limited | Limited | No | No | Medium | No attest/lattice |
| Rezilion | Yes | Yes | No | No | Medium | Runtime-only; no DSSE |
| Chainguard | Yes | Yes | Yes | Yes | Medium | No replay/lattice |
Need more nuance? Jump to the full comparison for the complete notes.
Battlecard snippets
One-liners
- Replay or it's noise: Only Stella Ops can re-run a scan bit-for-bit from frozen feeds.
- Signed reachability, not guesses: Graph DSSE always; optional edge DSSE for runtime/init edges.
- Sovereign-first: FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors are first-class toggles.
- Trust algebra: Lattice VEX merges advisories, reachability, runtime, waivers with explainable paths.
Proof points
- Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional).
- Hybrid reachability: graph-level attestations plus capped edge-bundle attestations to avoid Rekor flood.
- Offline: transparency mirrors + sealed bundles keep verification working air-gapped.
Objection handlers
- "We already sign SBOMs." → Do you sign call-graphs and VEX? Do you replay scans bit-for-bit? We do.
- "Cosign/Rekor is enough." → Without deterministic manifests + reachability proofs, you can't audit why a vuln was reachable.
- "Our runtime traces show reachability." → We combine runtime hits with signed static graphs and VEX lattice; evidence is replayable and quarantinable edge-by-edge.
Demo & leave-behind
- Demo: show
stella graph verify --graph <hash>with and without edge-bundle verification. - Leave-behind: link to the reachability moat doc and this comparison page.