Key Features – Capability Cards

Each card is a fast read pairing the headline capability with the evidence that backs it and why it matters day to day.

1. Delta SBOM Engine

  • What it is: Layer-aware ingestion keeps the SBOM catalog content-addressed; rescans only fetch new layers and update dependency/vulnerability cartographs.
  • Evidence: Deterministic Replay Manifest (SRM) captures the exact analyzer inputs/outputs per layer.
  • Why it matters: Warm scans drop below one second, so CI/CD pipelines stay fast even under the free-tier quota.
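
The following is an added illustration of the content-addressed layer cache described in this card; it is not the product's own code. The analyzer is a stand-in that parses constructed "name version" manifests, and the overlay rule (a later layer's version of a package replaces an earlier one) is an assumption made for the example.

```python
import hashlib
import json

def layer_digest(blob: bytes) -> str:
    """Content address of a layer blob: identical bytes always map to the same key."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def analyze_layer(blob: bytes) -> list:
    """Stand-in analyzer (assumption): each constructed layer is a text manifest of
    'name version' lines. A real analyzer would walk the layer's filesystem diff."""
    packages = []
    for line in blob.decode().splitlines():
        name, version = line.split()
        packages.append({"name": name, "version": version})
    return packages

def rescan(catalog: dict, layers: list) -> tuple:
    """Ingest an image given as an ordered list of layer blobs.
    Returns (ordered layer digests, digests that actually had to be analyzed).
    Layers already present in the content-addressed catalog are never re-fetched."""
    ordered, analyzed = [], []
    for blob in layers:
        digest = layer_digest(blob)
        ordered.append(digest)
        if digest not in catalog:            # cache hit otherwise: nothing to do
            catalog[digest] = analyze_layer(blob)
            analyzed.append(digest)
    return ordered, analyzed

def merge_sbom(catalog: dict, ordered: list) -> list:
    """Compose the image SBOM from per-layer results. Assumed overlay rule: a later
    layer's copy of a package replaces an earlier one (as a package upgrade in a
    later build step would). The result is sorted so it is byte-identical across runs."""
    merged = {}
    for digest in ordered:
        for pkg in catalog[digest]:
            merged[pkg["name"]] = {**pkg, "layer": digest}
    return sorted(merged.values(), key=lambda p: p["name"])

def sbom_id(sbom: list) -> str:
    """Content address of the merged SBOM (stable because merge_sbom is deterministic)."""
    return hashlib.sha256(
        json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()

# Constructed layers: a base image, then a rebuild that changed only the top layer.
BASE = b"openssl 3.0.13\nzlib 1.3\n"
APP_V1 = b"curl 8.5.0\n"
APP_V2 = b"curl 8.6.0\nopenssl 3.0.14\n"

if __name__ == "__main__":
    catalog = {}
    _, analyzed = rescan(catalog, [BASE, APP_V1])
    print("cold scan analyzed", len(analyzed), "layers")
    ordered, analyzed = rescan(catalog, [BASE, APP_V2])
    print("warm scan analyzed", len(analyzed), "layer(s)")
    for pkg in merge_sbom(catalog, ordered):
        print(pkg)
```

The warm scan touches only the one layer whose digest is new; everything else is served from the catalog, which is where the sub-second rescan comes from.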

2. Lattice Policy + OpenVEX

  • What it is: Policy engine merges SBOM, advisories, VEX, and waivers through lattice logic that prioritises exploitability.
  • Evidence: OpenVEX is treated as first-class input; the policy UI renders explain traces, while custom rule packs let teams automate muting, expirations, and non-VEX alert logic.
  • Why it matters: Teams can distinguish exploitable risk from noise, tune the experience beyond VEX statements, and prove why a deployment was blocked or allowed.

3. Sovereign Crypto Profiles

  • What it is: Bring-your-own trust bundles that switch signing algorithms (FIPS, eIDAS, GOST, SM) without code changes.
  • Evidence: Crypto profiles travel with Offline Update Kits and post-quantum trust packs, keeping signatures verifiable in regulated sectors.
  • Why it matters: You meet regional crypto requirements while keeping provenance attestations consistent across tenants.

4. Deterministic Replay & Evidence Bundles

  • What it is: Every scan produces a DSSE + SRM bundle that can be replayed with stella replay.
  • Evidence: Replay manifests capture analyzer versions, lattice state, and attestations in content-addressed storage for audit trails.
  • Why it matters: Auditors and incident responders can re-run a historical scan and trust the findings were not tampered with.
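
As an added example (not the product's code) of what a replayable DSSE-sealed manifest looks like, the block below builds a manifest that records analyzer version, input hash, lattice (advisory) state and output hash, wraps it in a DSSE envelope using the spec's pre-authentication encoding, and then replays it. The analyzer, the payload type string, the advisory identifier and the key are all constructed; HMAC-SHA256 stands in for the asymmetric signature a real deployment would use.

```python
import base64
import hashlib
import hmac
import json

ANALYZER_VERSION = "1.0.0"      # constructed analyzer version recorded in the manifest

def canonical(obj) -> bytes:
    """Canonical JSON so hashes and signatures do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d " % (len(t), t, len(payload)) + payload

def sign(payload_type: str, payload: bytes, key: bytes) -> dict:
    """Produce a DSSE envelope. HMAC is a stand-in (assumption) for a real signature."""
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": hashlib.sha256(key).hexdigest()[:16],
                        "sig": base64.b64encode(sig).decode()}],
    }

def verify(envelope: dict, key: bytes):
    """Return the payload bytes if a signature verifies, otherwise None."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for s in envelope["signatures"]:
        if hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return payload
    return None

def run_analyzer(packages: list, advisories: dict) -> list:
    """Deterministic stand-in scan: match packages against an advisory map, sorted output."""
    findings = [{"package": p["name"], "version": p["version"], "advisory": adv}
                for p in packages for adv in advisories.get(p["name"], [])]
    return sorted(findings, key=lambda f: (f["package"], f["advisory"]))

def build_manifest(packages: list, advisories: dict) -> dict:
    """Replay manifest: everything needed to re-run the scan and compare results."""
    findings = run_analyzer(packages, advisories)
    return {
        "analyzer": {"name": "pkg-matcher", "version": ANALYZER_VERSION},
        "inputs": hashlib.sha256(canonical(packages)).hexdigest(),
        "lattice_state": hashlib.sha256(canonical(advisories)).hexdigest(),
        "outputs": hashlib.sha256(canonical(findings)).hexdigest(),
    }

def seal(manifest: dict, key: bytes) -> dict:
    # payload type is constructed for this example
    return sign("application/vnd.example.replay-manifest+json", canonical(manifest), key)

def replay(envelope: dict, key: bytes, packages: list, advisories: dict) -> str:
    """Verify the envelope, check the recorded inputs match, re-run, compare outputs."""
    payload = verify(envelope, key)
    if payload is None:
        return "bad-signature"
    manifest = json.loads(payload)
    if (hashlib.sha256(canonical(packages)).hexdigest() != manifest["inputs"]
            or hashlib.sha256(canonical(advisories)).hexdigest() != manifest["lattice_state"]):
        return "inputs-mismatch"
    if manifest["analyzer"]["version"] != ANALYZER_VERSION:
        return "analyzer-version-mismatch"
    findings = run_analyzer(packages, advisories)
    if hashlib.sha256(canonical(findings)).hexdigest() != manifest["outputs"]:
        return "outputs-diverged"
    return "ok"

def tamper(envelope: dict) -> dict:
    """Rewrite the recorded outputs hash but keep the old signature, as an edited audit
    record would look; verification must reject it."""
    manifest = json.loads(base64.b64decode(envelope["payload"]))
    manifest["outputs"] = "0" * 64
    return {**envelope, "payload": base64.b64encode(canonical(manifest)).decode()}

# Constructed sample data.
KEY = b"constructed-demo-key"
PACKAGES = [{"name": "curl", "version": "8.5.0"}, {"name": "zlib", "version": "1.3"}]
ADVISORIES = {"curl": ["ADV-PLACEHOLDER-1"]}   # placeholder advisory id, not a real one

if __name__ == "__main__":
    env = seal(build_manifest(PACKAGES, ADVISORIES), KEY)
    print("replay:", replay(env, KEY, PACKAGES, ADVISORIES))
    print("tampered:", replay(tamper(env), KEY, PACKAGES, ADVISORIES))
```

The four outcomes the replay can return are the ones an auditor cares about: the record was altered, the inputs or advisory state differ from what was recorded, the analyzer version differs, or the analyzer itself no longer produces the same output for the same inputs.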

5. Transparent Quotas & Offline Operations

  • What it is: Redis-backed counters surface {{ quota_token }} scans/day via headers, UI banners, and /quota API; Offline Update Kits mirror feeds.
  • Evidence: Quota tokens verify locally using bundled public keys, and Offline Update Kits include mirrored advisories, SBOM feeds, and VEX sources.
  • Why it matters: You stay within predictable limits, avoid surprise throttling, and operate entirely offline when needed.

6. Signed Reachability Proofs (Hybrid)

  • What it is: Every reachability graph is sealed with a graph-level DSSE and optional edge-bundle DSSEs for runtime/init/contested edges; Rekor-backed when enabled.
  • Evidence: CAS layout cas://reachability/graphs/{hash} + {hash}.dsse; edge bundles capped and sorted; quarantine/dispute uses per-edge revocation. See docs/reachability/hybrid-attestation.md.
  • Why it matters: You can prove (or contest) exactly why a vuln is reachable, replay results offline, and avoid flooding transparency logs.
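
The block below is an added example, not the project's own store, of the content-addressed layout this card describes: graph bodies under cas://reachability/graphs/{hash}, edges split into capped, sorted bundles, and a per-edge revocation set consulted when a graph is read back. The edge-bundle path, the bundle cap, the edge schema and the sample graph are assumptions; the DSSE sealing of the graph and bundles is left out so the block stays focused on layout and revocation.

```python
import hashlib
import json

EDGE_BUNDLE_CAP = 2   # constructed small cap so the split into bundles is visible

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def cas_key(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def edge_id(edge: dict) -> str:
    """Content id of one edge; this is what a quarantine/dispute revokes."""
    return cas_key(canonical(edge))

class ReachabilityCAS:
    """In-memory stand-in for the content-addressed store."""

    def __init__(self):
        self.objects = {}        # cas:// path -> bytes
        self.revoked = set()     # edge ids withdrawn after a dispute

    def put_graph(self, graph: dict) -> str:
        """Store the graph body plus its edge bundles and return the graph hash.
        Edges are sorted before bundling, so the same edge set always hashes the same."""
        edges = sorted(graph["edges"], key=lambda e: (e["from"], e["to"], e["kind"]))
        bundle_hashes = []
        for i in range(0, len(edges), EDGE_BUNDLE_CAP):
            blob = canonical(edges[i:i + EDGE_BUNDLE_CAP])
            h = cas_key(blob)
            self.objects[f"cas://reachability/edges/{h}"] = blob   # assumed bundle path
            bundle_hashes.append(h)
        body = canonical({"root": graph["root"], "edge_bundles": bundle_hashes})
        h = cas_key(body)
        self.objects[f"cas://reachability/graphs/{h}"] = body
        return h

    def bundles_for(self, graph_hash: str) -> list:
        body = json.loads(self.objects[f"cas://reachability/graphs/{graph_hash}"])
        return body["edge_bundles"]

    def load_edges(self, graph_hash: str) -> list:
        """Read every bundle back, dropping edges that have been revoked."""
        edges = []
        for h in self.bundles_for(graph_hash):
            for e in json.loads(self.objects[f"cas://reachability/edges/{h}"]):
                if edge_id(e) not in self.revoked:
                    edges.append(e)
        return edges

    def revoke_edge(self, eid: str) -> None:
        self.revoked.add(eid)

    def reachable(self, graph_hash: str, target: str):
        """Shortest path from the graph root to target over non-revoked edges, or None."""
        body = json.loads(self.objects[f"cas://reachability/graphs/{graph_hash}"])
        adj = {}
        for e in self.load_edges(graph_hash):
            adj.setdefault(e["from"], []).append(e["to"])
        parent = {body["root"]: None}
        queue = [body["root"]]
        while queue:
            node = queue.pop(0)
            if node == target:
                path = []
                while node is not None:
                    path.append(node)
                    node = parent[node]
                return path[::-1]
            for nxt in adj.get(node, []):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
        return None

# Constructed sample graph: one contested edge leads to the vulnerable function.
EDGES = [
    {"from": "main", "to": "parse", "kind": "static"},
    {"from": "parse", "to": "vuln_fn", "kind": "contested"},
    {"from": "main", "to": "log", "kind": "static"},
    {"from": "log", "to": "flush", "kind": "runtime"},
]

if __name__ == "__main__":
    cas = ReachabilityCAS()
    h = cas.put_graph({"root": "main", "edges": EDGES})
    print("graph", h, "bundles", cas.bundles_for(h))
    print("path to vuln_fn:", cas.reachable(h, "vuln_fn"))
    cas.revoke_edge(edge_id({"from": "parse", "to": "vuln_fn", "kind": "contested"}))
    print("after dispute:", cas.reachable(h, "vuln_fn"))
```

Because the graph hash is computed over sorted bundle hashes, submitting the same edges in a different order yields the same address, and revoking one disputed edge changes the reachability answer without rewriting or re-sealing the stored graph.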

7. Competitive Moats (2025-11 refresh)

  • What it is: Deterministic replay, lattice VEX, sovereign crypto profiles, proof graph, and hybrid reachability attestations held as first-class product pillars.
  • Evidence: docs/market/competitive-landscape.md distils a 15-vendor comparison; 03_VISION.md lists moats; docs/reachability/lead.md details the reachability proof moat.
  • Why it matters: Clear differentiation guides roadmap and sales, and keeps us focused on replayable, sovereign, and explainable security.

Explore Further