Where Stella fits in technical release workflows

Security leads, platform leads, and compliance teams use Stella to reduce reachable-CVE triage noise, keep promotion decisions deterministic, and produce audit-ready evidence across non-Kubernetes targets.

Free tier for evaluation: up to 3 environments and 999 scans per month

Evidence paths for these outcomes

Each use case links to inspectable artifacts and runbooks, not marketing summaries.


Representative workflows

Operational flows that end in a signed, replayable decision record.

Security gate workflow

  1. Collect SBOM (Software Bill of Materials: a complete list of all packages and dependencies in your software) and advisory inputs
  2. Compute reachable risk and resolve VEX (Vulnerability Exploitability eXchange: machine-readable statements about whether vulnerabilities are actually exploitable in your context) state
  3. Apply promotion policy
  4. Export signed Decision Capsule (a signed, exportable evidence bundle that seals every input and output of a release decision for offline audit and deterministic replay)

Integrations: Registries, advisory feeds, OpenVEX sources, ticketing/ChatOps
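The four gate steps above, carried through on constructed inputs. This is an added illustration of the general technique (join SBOM with advisories, attach VEX status and reachability, apply a severity policy), not Stella's own code, data formats or policy language; the SBOM entries, advisory ids, VEX statuses and the `block_at_or_above` policy key are all assumptions made for the example.

```python
"""Illustrative security-gate evaluation (added example; not Stella's code).

Assumptions (all constructed): a minimal SBOM as package@version strings,
advisories keyed by package, OpenVEX-style statuses keyed by (vuln, package),
and a reachability report naming packages with a call path from app code.
"""
from dataclasses import dataclass

# VEX statuses that take a finding out of the gate decision.
SUPPRESSING_VEX = {"not_affected", "fixed"}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    package: str      # SBOM component, e.g. "openssl@3.0.1" (constructed)
    vuln_id: str      # advisory id, e.g. "ADV-0001" (constructed placeholder)
    severity: str     # one of SEVERITY_ORDER
    reachable: bool   # reachability analysis found a call path
    vex_status: str   # affected | not_affected | under_investigation | fixed | unknown


def resolve_findings(sbom, advisories, vex, reachability):
    """Join SBOM x advisories, then attach VEX status and reachability per pair."""
    findings = []
    for pkg in sbom:
        for adv in advisories.get(pkg, []):
            status = vex.get((adv["id"], pkg), "unknown")  # no statement => unknown
            findings.append(Finding(pkg, adv["id"], adv["severity"],
                                    pkg in reachability, status))
    return findings


def reachable_risk(findings):
    """Findings that still matter: reachable AND not suppressed by VEX."""
    return [f for f in findings if f.reachable and f.vex_status not in SUPPRESSING_VEX]


def promotion_verdict(findings, policy):
    """Deterministic gate: block when any reachable finding meets the policy bar.

    Output lists blocking ids in sorted order so two runs on the same inputs
    produce byte-identical verdicts (the property a replayable record needs).
    """
    threshold = SEVERITY_ORDER.index(policy["block_at_or_above"])
    live = reachable_risk(findings)
    blocking = sorted(f.vuln_id for f in live
                      if SEVERITY_ORDER.index(f.severity) >= threshold)
    return {"verdict": "block" if blocking else "promote",
            "blocking": blocking,
            "raw_count": len(findings),        # what a plain scanner would report
            "reachable_count": len(live)}      # what actually needs triage


# Constructed sample inputs.
SBOM = ["openssl@3.0.1", "lodash@4.17.20", "zlib@1.2.11"]
ADVISORIES = {
    "openssl@3.0.1": [{"id": "ADV-0001", "severity": "critical"}],
    "lodash@4.17.20": [{"id": "ADV-0002", "severity": "high"},
                       {"id": "ADV-0003", "severity": "medium"}],
    "zlib@1.2.11": [{"id": "ADV-0004", "severity": "high"}],
}
VEX = {("ADV-0001", "openssl@3.0.1"): "not_affected",  # vulnerable path not compiled in
       ("ADV-0002", "lodash@4.17.20"): "affected"}
REACHABILITY = {"openssl@3.0.1", "lodash@4.17.20"}     # zlib: no call path from app code
POLICY = {"block_at_or_above": "high"}

if __name__ == "__main__":
    fs = resolve_findings(SBOM, ADVISORIES, VEX, REACHABILITY)
    print(promotion_verdict(fs, POLICY))
```

On these inputs four raw findings collapse to two reachable ones, and only ADV-0002 blocks: the critical OpenSSL advisory is suppressed by its `not_affected` VEX statement, and the zlib advisory is unreachable. Raising the policy bar to `critical` would let the same release promote, which is why the verdict records the policy as an input rather than assuming it.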

Platform promotion workflow

  1. Bind release to immutable digest
  2. Promote through environment gates
  3. Deploy via Compose/SSH/WinRM targets
  4. Rollback to last approved digest if needed

Integrations: SCM/CI, registries, runtime targets, secrets and service discovery

Compliance evidence workflow

  1. Export historical Decision Capsule
  2. Verify signatures offline
  3. Replay decision with frozen inputs
  4. Deliver package to audit stakeholders

Integrations: Evidence export endpoints, signing keys, audit systems

Air-gap update workflow

  1. Import signed Offline Kit bundle
  2. Refresh local feed and image mirrors
  3. Run policy-gated scans in isolated network
  4. Export signed evidence for cross-boundary review

Integrations: Offline Kit transport, internal registries, controlled transfer media

Common decision moments

Security operations review

Reduce triage from raw counts to reachable risk.

Security teams use reachability evidence to prioritize exploitable findings before promotion windows close.

Change advisory review

One signed packet instead of scattered approvals.

Reviewers get digest, policy verdict, approvals, and supporting evidence in a single package.

Sovereign network operations

Same control model, even without external network access.

Teams in disconnected environments run identical promotion logic with signed offline inputs.

Example deployment patterns

Regulated SaaS operator

A regulated SaaS team standardized release gating across multiple non-Kubernetes environments.

  • Reachability-based prioritization cut manual CVE triage load
  • Signed evidence packages reduced audit prep effort
  • Promotion criteria became consistent across teams

Air-gapped defense contractor

A defense program enforced promotion controls in a fully disconnected network.

  • Signed offline bundles kept vulnerability intelligence consistent
  • Decision export replaced manual spreadsheet tracking
  • Replay capability closed external audit evidence gaps

Fintech platform team

A fintech platform replaced disconnected scanner, approval, and deployment steps with one decision workflow.

  • Promotion latency dropped with explicit gate outcomes
  • Reachability filtering improved signal-to-noise for security
  • Release governance became reproducible across services

Examples are illustrative and depend on architecture, policy design, and team maturity.

Pilot evidence program

Pilot engagements establish baseline and delta for reachable-CVE triage load, promotion latency, and audit packet preparation.


What is a Decision Capsule

Decision Capsules capture the exact inputs, policy context, and signatures behind each release decision so audits are evidence-driven, not narrative-driven.

Contents

A capsule includes SBOM data, vulnerability context, reachability outputs, policy inputs, approvals, and final verdict metadata.

Replay

Use the stella replay command to re-run a historical decision with identical inputs and verify that it yields the same outcome.
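The compliance evidence workflow (export capsule, verify signatures offline, replay with frozen inputs) and the capsule description above share one mechanism: canonicalise the inputs, bind them to the verdict under a signature, and re-evaluate from the sealed inputs. The following is an added example of that mechanism, not Stella's capsule format, signing scheme or replay tool. The JSON layout, the `decide` policy and the use of HMAC-SHA256 (a stand-in for the asymmetric signature a real deployment would produce with its key provider) are all assumptions made for the example.

```python
"""Illustrative decision-capsule seal / verify / replay (added example; not
Stella's capsule format or code).

Assumptions (constructed): the capsule body holds `inputs`, the `verdict` and a
digest of the canonical inputs; the whole body is sealed with HMAC-SHA256 under
a signer-held key as a stand-in for a real asymmetric signature.
"""
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic serialisation: sorted keys, fixed separators, no whitespace drift."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def decide(inputs: dict) -> dict:
    """Toy promotion policy evaluated only from the frozen inputs: block if any
    reachable, still-affected finding is at or above the policy severity."""
    rank = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    bar = rank[inputs["policy"]["block_at_or_above"]]
    hits = sorted(f["id"] for f in inputs["findings"]
                  if f["reachable"] and f["vex"] == "affected" and rank[f["severity"]] >= bar)
    return {"verdict": "block" if hits else "promote", "blocking": hits}


def seal_capsule(inputs: dict, key: bytes) -> dict:
    """Evaluate once, then bind inputs, verdict and input digest under one signature."""
    body = {"inputs": inputs,
            "verdict": decide(inputs),
            "input_digest": hashlib.sha256(canonical(inputs)).hexdigest()}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


def verify_capsule(capsule: dict, key: bytes) -> bool:
    """Offline check: signature over the canonical body, then the input digest.
    Needs only the capsule and the verification key, no network."""
    body = capsule["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, capsule["signature"]):
        return False
    return hashlib.sha256(canonical(body["inputs"])).hexdigest() == body["input_digest"]


def replay_capsule(capsule: dict) -> bool:
    """Re-run the decision on the frozen inputs; it must reproduce the sealed verdict."""
    return decide(capsule["body"]["inputs"]) == capsule["body"]["verdict"]


def tamper(capsule: dict) -> dict:
    """Simulate an after-the-fact edit to sealed evidence (deep copy via JSON)."""
    forged = json.loads(json.dumps(capsule))
    forged["body"]["inputs"]["findings"][0]["vex"] = "not_affected"
    return forged


# Constructed sample inputs.
INPUTS = {
    "artifact": "sha256:constructed-digest-placeholder",
    "policy": {"block_at_or_above": "high"},
    "findings": [
        {"id": "ADV-0002", "severity": "high", "reachable": True, "vex": "affected"},
        {"id": "ADV-0001", "severity": "critical", "reachable": True, "vex": "not_affected"},
    ],
}
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    cap = seal_capsule(INPUTS, KEY)
    print(cap["body"]["verdict"], verify_capsule(cap, KEY), replay_capsule(cap))
    print(verify_capsule(tamper(cap), KEY), replay_capsule(tamper(cap)))
```

Two properties matter for an auditor. Verification fails on the tampered copy because the signature covers the canonical body, so flipping one VEX status after the fact is detectable without any online lookup. Replay fails on it too, independently of the signature: the edited inputs no longer reproduce the sealed verdict, which is the check that catches a capsule whose inputs and conclusion were recorded inconsistently in the first place.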


What sovereign-ready means

Sovereign means you control the infrastructure, the keys, and the evidence. Stella Ops runs without mandatory external dependencies and produces verifiable proof for every release decision.

Self-hosted control plane

No forced SaaS dependency. Deploy the entire suite on your infrastructure — on-premises, private cloud, or air-gapped network.

Air-gap / offline-first operations

Vulnerability feeds and verification data move via signed bundles. Core decisions stay offline; nothing leaves the network unless you manually opt in to telemetry.

Regional crypto profiles

Plugin architecture for compliance-driven cryptography. FIPS-aligned, GOST R 34.10, SM2/SM3, or eIDAS-compatible signing (validation depends on your key provider).

