
Evaluate

Kicking the tyres before you commit time. The honest answers.

1. Does it look easy to use?

One binary, one command. No agent, no account wiring, no daemon:

stave apply --observations ./snapshot/ --format text

Inputs are plain files (observation JSON plus control YAML). Output is human-readable text, JSON, or SARIF. If you can run a CLI and produce a config snapshot, you can run Stave.

2. Are there any red flags?

Things worth knowing up front (no surprises):

  • It evaluates snapshots, not live cloud. You produce the snapshot (AWS CLI, Terraform, an extractor); Stave never touches your account or credentials. That is deliberate: it runs air-gapped, needs no network access and holds no secrets. The flip side is that coverage is only as complete as your snapshot: a resource the snapshot does not capture cannot produce a finding, so an incomplete export is indistinguishable from a clean one.
  • It reasons over configuration, not runtime. Anything visible only in CloudTrail or other runtime telemetry (who actually used a key, which requests actually arrived) is out of scope.
  • Controls are explicit. Detection is as good as the control catalog + any controls you write; it is not a magic "find everything" box.

3. Is pricing a barrier?

No. The CLI is open source and free — clone, build, run, in CI or air-gapped, no licence key, no seat count, no telemetry.

Use cases

  • Pre-merge CI gate — fail the build when a Terraform change would create a latent public bucket.
  • Audit evidence — deterministic, reproducible findings + reasoning traces for compliance (e.g. HIPAA control mappings).
  • Incident reasoning — "would this control have prevented that breach?" against a captured config.
  • Drift / time-travel — compare two snapshots to find when a control flipped.
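A pre-merge gate has to turn the report into a build verdict, so the following is an added example that serves both the "one command, SARIF output" description above and the pre-merge CI use case. It is not Stave's own code or output: it consumes a SARIF 2.1.0 log (the format the page says `stave apply` can emit with `--format sarif`) and fails the step when any unsuppressed finding reaches a chosen level. The SARIF document inside it is constructed for the example; the tool name, rule IDs, messages and paths are invented, and the assumption that Stave's SARIF goes to standard output (so it can be redirected into a file) is mine, not something the page states.

```python
"""Turn a SARIF report into a pass/fail verdict for a pre-merge CI step (added example)."""
import json
import sys
from typing import Any

# SARIF result levels, ordered so a finding can be compared against a threshold.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF 2.1.0 log standing in for a `--format sarif` report. The tool
# name, rule IDs, messages and file paths are invented for this example only.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-evaluator",
            "rules": [
                {"id": "EX-S3-PUBLIC",
                 "shortDescription": {"text": "Bucket policy or ACL grants anonymous access"},
                 "defaultConfiguration": {"level": "error"}},
                {"id": "EX-LOG-RETENTION",
                 "shortDescription": {"text": "Log retention shorter than policy"},
                 "defaultConfiguration": {"level": "warning"}},
            ],
        }},
        "results": [
            # No explicit level: SARIF says fall back to the rule's defaultConfiguration.
            {"ruleId": "EX-S3-PUBLIC",
             "message": {"text": "bucket 'example-assets' is reachable anonymously"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "snapshot/s3-buckets.json"}}}]},
            {"ruleId": "EX-LOG-RETENTION", "level": "warning",
             "message": {"text": "log group '/example/app' keeps 7 days, policy needs 90"}},
            # Suppressed in-band (an accepted risk); must not fail the build.
            {"ruleId": "EX-S3-PUBLIC", "level": "error",
             "message": {"text": "bucket 'example-www' is intentionally public"},
             "suppressions": [{"kind": "external", "justification": "static website"}]},
            # kind != "fail" records a check that passed, not a violation.
            {"ruleId": "EX-LOG-RETENTION", "kind": "pass", "level": "none",
             "message": {"text": "log group '/example/api' keeps 365 days"}},
        ],
    }],
})

# A report with no runs at all (nothing in scope); the gate must pass it.
EMPTY_SARIF = json.dumps({"version": "2.1.0", "runs": []})


def findings(sarif_text: str) -> list[dict[str, Any]]:
    """Flatten a SARIF log into actionable findings.

    Drops results whose kind is not "fail" and results carrying suppressions, and
    resolves a missing level from the rule's defaultConfiguration, falling back to
    "warning" as the SARIF 2.1.0 spec does.
    """
    doc = json.loads(sarif_text)
    out: list[dict[str, Any]] = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for res in run.get("results", []):
            if res.get("kind", "fail") != "fail" or res.get("suppressions"):
                continue
            rule_id = res.get("ruleId", "<no rule>")
            level = res.get("level")
            if level is None:
                level = rules.get(rule_id, {}).get("defaultConfiguration", {}).get("level", "warning")
            locs = res.get("locations") or []
            uri = None
            if locs:
                uri = locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
            out.append({"rule": rule_id, "level": level,
                        "text": res.get("message", {}).get("text", ""), "uri": uri})
    return out


def blocking(sarif_text: str, fail_on: str = "error") -> list[dict[str, Any]]:
    """Findings at or above fail_on; these are the ones that should block the merge."""
    threshold = LEVEL_RANK[fail_on]
    return [f for f in findings(sarif_text) if LEVEL_RANK.get(f["level"], 0) >= threshold]


def gate(sarif_text: str, fail_on: str = "error") -> int:
    """Print every finding, mark the blocking ones, and return the CI exit code (0 pass, 1 fail)."""
    threshold = LEVEL_RANK[fail_on]
    exit_code = 0
    for f in findings(sarif_text):
        blocks = LEVEL_RANK.get(f["level"], 0) >= threshold
        exit_code |= int(blocks)
        where = f" ({f['uri']})" if f["uri"] else ""
        print(f"{'BLOCK' if blocks else 'warn '} {f['level']:<7} {f['rule']}: {f['text']}{where}")
    print("gate:", "FAIL" if exit_code else "PASS")
    return exit_code


if __name__ == "__main__":
    # Usage: python gate.py [report.sarif]; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(gate(text))
```

Wiring it into a pipeline step looks like `stave apply --observations ./snapshot/ --format sarif > findings.sarif && python gate.py findings.sarif` (the redirect is the stdout assumption above). The gate skips results whose `kind` is not `fail` and results that carry `suppressions`, and takes a result's level from the rule's `defaultConfiguration` when the result omits it; a step that simply counts `results` would fail the build on accepted risks and on passing checks. Because the report is deterministic once `--now` is pinned, the verdict is reproducible on re-run, which is what makes it usable as audit evidence rather than just a build signal.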

FAQs

See the full FAQ. Most-asked:

  • Does it need cloud credentials? No — it reads snapshots.
  • Is the output stable? Yes — deterministic; pin time with --now.
  • How is it different from a scanner? It reasons across settings/time/resources (edges), not one flag at a time (nodes).

Convinced enough to try it hands-on? → Learn.