Who Uses Stella Ops

From security teams triaging CVEs to compliance officers preparing audits, Stella Ops serves anyone who needs verifiable, repeatable release decisions.

Free for small teams: up to 3 environments, 999 scans/month

Security

Reachable CVEs only

  • Triage CVEs with reachability context: focus on what's actually exploitable
  • Track unknowns (unpatched, no-fix, disputed) with explicit budgets
  • Produce signed VEX statements for downstream consumers
  • Review risk deltas between releases, not entire SBOMs

Typical outcome: Significantly fewer CVEs requiring investigation

Platform

Non-K8s release control

  • Define promotion graphs (dev → staging → prod) with approval gates
  • Deploy to Compose, Swarm, ECS, Nomad, or scripted hosts
  • Integrate with existing CI (GitHub Actions, GitLab CI, Jenkins)
  • Use digest-first versioning: immutable artifacts, immutable accountability

Typical outcome: Single pane for security + deployment across all non-K8s targets

Compliance

Exportable audit bundles

  • Export Decision Capsules for any historical release
  • Replay decisions months later with frozen inputs: same result
  • Meet SOC 2, FedRAMP, and supply-chain audit requirements
  • No vendor lock-in: capsules are self-contained, verifiable offline

Typical outcome: Audit prep reduced from days to minutes with exportable capsules

Air-Gap

Fully offline operation

  • Run fully offline with the Offline Kit (signed feed bundles)
  • Choose cryptographic profiles: FIPS-140-3, GOST, SM2/SM3, eIDAS
  • No mandatory telemetry; opt-in only (disabled by default)
  • Export capsules to external networks for external audit

Typical outcome: Full security scanning in disconnected environments with weekly bundle updates

What is a Decision Capsule?

Decision Capsules seal evidence so auditors can verify any release — offline, independently, bit-for-bit identical.

Contents

Each Decision Capsule bundles the exact SBOM, frozen vulnerability feeds, reachability graphs, policy version, derived VEX, and approval metadata.

Replay

Re-run any historical decision with stella replay. Same inputs yield same outputs, offline or online.

What sovereign-ready means

Sovereign means you control the infrastructure, the keys, and the evidence. Stella Ops runs without mandatory external dependencies and produces verifiable proof for every release decision.

Self-hosted control plane

No forced SaaS dependency. Deploy the entire suite on your infrastructure — on-premises, private cloud, or air-gapped network.

Air-gap / offline-first operations

Vulnerability feeds and verification data move via signed bundles. Core decisions stay offline; nothing leaves the network unless you manually opt in to telemetry.

Regional crypto profiles

Plugin architecture for compliance-driven cryptography. FIPS-140-3, GOST R 34.10, SM2/SM3, or eIDAS-qualified signatures.
