Simple, predictable pricing
All features included at every tier. Pay for environments and scan volume, not seats or modules.
Self-serve by default. Limited support tickets available by request for high-volume or special terms.
A typical "scanner + CD" baseline costs ~$472/month
(Snyk Team 5 devs × $25 = $125/mo + Octopus Professional ~$347/mo)
Stella Plus: $299/month — one platform, evidence-grade orchestration + security
Pricing Tiers
Free
$0
- → 3 environments
- → 999 scans/month
- → All features included
- → Self-serve docs + Doctor diagnostics
Perfect for evaluation
Plus
$299
/month or $4,389/year
- → 33 environments
- → 9,999 scans/month
- → All features included
- → Self-serve docs + Doctor diagnostics
Most teams start here
Pro
$999
/month or $10,989/year
- → 333 environments
- → 99,999 scans/month
- → All features included
- → Limited support tickets by request
Multi-team / multi-region
Annual billing: pay for 11 months, get 12 (1 month free)
Business terms & limited support
Stella Ops is designed for self-serve operations (no standard support SLA). Special utilities are available to diagnose problems and provide solutions. High-volume or regulated buyers can request support tickets and procurement documentation.
Direct email: sales@stella-ops.org
Key Terms
Environment
A logical deployment target (e.g., dev, staging, prod). Each environment tracks its own release history, promotion rules, and policy gates.
New-digest deep scan
A full SBOM + CVE + reachability analysis on a new container digest. Re-scanning the same digest is free — only unique digests count toward your quota.
Doctor diagnostics
Self-serve diagnostic tooling built into Stella. Run stella doctor to check connectivity, permissions, registry access, and configuration issues.
All features included at every tier
Release Orchestration
- → Environment management with promotion rules
- → Approval workflows (manual, automated, policy-gated)
- → Rollback orchestration with evidence preservation
- → Step graphs (sequential and parallel execution)
- → Real-time deployment UI with per-step logs
Deployment Execution
- → Docker Compose deployments
- → Scripted deployments (.NET 10 scripting)
- → SSH/WinRM agentless deployment
- → HashiCorp Vault + Consul integration
- → Unlimited deployment targets
Security & Evidence
- → Reachability and hybrid reachability analysis
- → Decision Capsules (hashable, immutable, replayable)
- → Deterministic decision records
- → Exportable audit trail
- → "Why blocked?" explainability traces
Extensibility
- → Plugin model for SCM, CI, registry, vault
- → Workflow engine with plugin-specific steps
- → Doctor tooling for self-service diagnostics
- → Offline-friendly licensing (air-gap supported)
- → Regional crypto (FIPS, GOST, SM2)
How scan credits work
A new digest deep scan occurs the first time Stella analyzes a unique OCI digest, producing SBOM, reachability evidence, and a policy verdict.
Does NOT consume credits:
- → Re-deploying an already-scanned digest
- → Promoting an already-scanned digest
- → Re-evaluation on CVE/vuln intel updates
- → Querying existing Decision Capsules
Consumes 1 credit:
- → First scan of a new artifact digest
- → Credits reset monthly
- → Burst within month is OK
Add-ons
+10,000 new digest deep scans
$499
Temporary capacity for release sprints, migrations, or one-off spikes
What you get: Decision Capsule
$ stella export decision-capsule --artifact sha256:abc123...
{
"artifact": "sha256:abc123def456...",
"sbom": "sha256:sbom789...",
"reachability": {
"total_cves": 487,
"reachable": 12,
"proof": "sha256:reach456..."
},
"policy": {
"version": "sha256:policy123...",
"verdict": "ALLOW"
},
"approvals": [
{"user": "jsmith", "signature": "..."}
],
"timestamp": "2025-01-15T14:32:00Z",
"dsse_signature": "..."
}Every Decision Capsule is DSSE-signed and replayable months later with stella replay.
How we compare
See detailed comparisons with scanners and CD tools:
Start free, upgrade when you need more
Questions? hello@stella-ops.org