SPECTRE vs Competitor Gap Analysis (2026-05-16)
Superseded by
spectre-vs-competitors-gap-analysis-2026-05-17.md. Kept for historical reference. The 2026-05-17 refresh captures the post-replay-closure positioning (24/24 exact-rule + 24/24 class-level) and the four-detector ship train (ITER-001, CROSS-007, ACC-014, ACC-015) that landed in the 24-hour push following this doc.
Author: spectre-solana-max engineering
Supersedes: documents/spectre/spectre-vs-audit-firms-gap-analysis-2026-05.md
Scope: Static analysis, formal verification, audit-firm tooling, and
real-time monitoring on Solana, with SPECTRE's current state benchmarked
against each.
Method: Web research on competitor feature surfaces (May 2026),
cross-referenced with SPECTRE branch state at 0efba5bd (58 commits
ahead of main).
Executive summary
SPECTRE has the strongest architectural-pattern rule pack in the Solana static-analysis market and the only published historical- incident replay benchmark (24/24 exact-rule = 100%, 24/24 class-level = 100% across mapped Solana exploits 2021-2026, post- 2026-05-17 rule-pack completion). Its cross-program analysis (CROSS-001 through CROSS-020 + CROSS-CDF) is genuinely unique substrate; no public competitor reasons across multi-program workspaces.
Where SPECTRE is behind: distribution (no public install path, no published binary, no GitHub Action), AI-augmented analysis (Sec3 Premium, L3X, Octane all ship AI features), formal verification (Certora Solana Prover is the only production option), and dev-facing triage workflow (no suppression markers, no baseline file, no SARIF output).
The single highest-leverage gap is distribution. The rule pack is genuinely good; the wrapper around it isn't yet dev-grade.
Competitor inventory
Static analysis (direct competitors)
| Tool | Open source | Language layer | Approach | Distribution | Rule count |
|---|---|---|---|---|---|
| Sec3 X-Ray (github) | yes | LLVM-IR (compiles AST → LLVM IR) | data-flow + symbolic | CLI on cargo, GH Action, hosted at pro.sec3.dev (free + premium tiers) |
50+ |
| Sec3 X-Ray Premium | no | LLVM-IR + AI | data-flow + ML triage | hosted only | 50+ plus AI auto-auditor |
| L3X (VulnPlanet/l3x) | yes | Rust AST | AI-driven pattern + LLM-based semantic | CLI | ~20 baseline + LLM-augmented |
| Solana Fender (honey-guard/solana-fender) | yes | Rust AST | pattern | CLI | small / Anchor-only |
| Sol-azy (fuzzinglabs) | partial | sBPF disassembly | static + RE | CLI | reverse-engineering oriented |
| Eloizer (Inversive-Labs/eloizer) | yes | Rust AST | pattern | CLI | research-stage |
| Octane | no | Rust AST + AI | per-PR semantic analysis | hosted | unknown rule surface |
| CodeQL / Semgrep | partial | generic | pattern | GH Action + cloud | minimal Solana coverage |
| SPECTRE (this project) | not yet public | Rust AST + symbol table + cross-program linker | pattern + cross-program trust-posture comparator + TS↔Anchor cross-language | none yet | 75 (55 Solana + 20 generic) |
Formal verification
- Certora Solana Prover (SCP) (CertoraProver) — decompiles SBF to Certora IR, runs full formal proofs. Open-sourced. Production-grade. Secures $75B+ in DeFi. Requires hand-written verification harnesses. Different layer from SPECTRE: catches logic bugs in specific functions against specifications, not architectural patterns across a codebase.
Audit firms (manual + internal tooling)
- OtterSec (osec.io) — Solana-native firm, 120+ audits, $36B TVL protected. Uses formal verification + differential fuzzing + incident response. Internal tooling not public.
- Zellic — manual + internal tooling. V12 / multiple Solana protocol audits.
- Halborn, Trail of Bits, Neodyme — manual reviews with proprietary tooling.
Real-time monitoring (adjacent, not direct competitors)
- Hexagate (Chainalysis) (hexagate) — real-time tx simulation, ML threat detection, custom Gatelang DSL, 75+ chains. Different layer (run-time, not build-time).
- Forta — decentralized monitoring network. Run-time.
These watch live chain state. SPECTRE catches the architectural patterns before they're deployed. They compose; they don't compete.
Feature matrix
| Dimension | SPECTRE | Sec3 X-Ray (open) | Sec3 Premium | L3X | Solana Fender | Certora SCP | OtterSec |
|---|---|---|---|---|---|---|---|
| Rule count (Solana) | 55 | 50+ | 50+ | ~20 | small | n/a (specs) | n/a (manual) |
| Native Solana support | yes | yes | yes | yes | no (Anchor only) | yes | yes |
| Anchor support | yes | yes | yes | yes | yes | yes | yes |
| Cross-program analysis | yes (CROSS-001 … CROSS-020 + CROSS-CDF) | no | partial | no | no | yes (per-protocol harness) | yes (manual) |
| TS-client ↔ Anchor handler cross-language | yes (META-001) | no | no | no | no | no | manual |
| AI / LLM augmentation | no | no | yes | yes | no | no | partial |
| Formal verification | no | no | no | no | no | yes | yes |
| Differential fuzzing | no | no | no | no | no | no | yes |
| Real-time monitoring | no | no | no | no | no | no | no |
| Historical-incident replay benchmark | yes (24 distinct incidents, 100% exact-rule + class-level) | no published | no published | no | no | no | no |
| Per-rule F1 published | yes (corpus benchmark) | no | no | no | no | no | no |
| Open source | not yet | yes | no | yes | yes | yes | no |
| GitHub Action / CI | no | yes | yes | yes | yes | yes | n/a |
| Cargo install | no | yes | n/a | yes | yes | yes | n/a |
| SARIF output | no | unclear | unclear | unclear | no | no | n/a |
| Baseline / suppress workflow | no | yes | yes | yes | no | yes | n/a |
| Triage UI | no | no | yes (pro.sec3.dev) | no | no | no | n/a |
SPECTRE's genuine differentiators
Three pieces of substrate no public competitor has matched:
Cross-program analysis with trust-posture comparator. SPECTRE models each program's admin-gating / oracle-dependency posture from its single-program scan output, then evaluates posture relationships across CPI edges. CROSS-001 flags trust downgrades; CROSS-002 flags missing program-id verification on financial-class CPIs; CROSS-004 flags account-binding drift across CPI; CROSS-005 flags signer- privilege forwarding; CROSS-010 reasons across multi-hop chains; CROSS-020 detects 2-hop reentrancy cycles. Every other public tool reasons program-by-program.
Historical-incident architectural-fingerprint replay. Each of 44 curated Solana incidents (Wormhole, Cashio, Mango v3, Solend, Cypher, Jet v1, Drift v2, Metaplex CMv2, …) ships with an
architectural_fingerprintof SPECTRE rule IDs that should fire on the pre-hack source. The replay benchmark scans the mapped corpus snapshots and reports exact-rule + class-level detection. This is the only methodology-grade defense-in-depth measurement I can find in the Solana static-analysis market.TypeScript-to-Anchor cross-language analysis. META-001 traces from a TS client's
program.methods.xxx()call into the Anchor handler it invokes. Lets cross-language rules check whether a client's call-site assumptions match the handler's actual constraints. No public competitor offers this.
SPECTRE's actual gaps (ranked by leverage)
Tier 1: blocks adoption today
Distribution / install path. Sec3 X-Ray, L3X, Solana Fender, Certora SCP are all
cargo install-able and have GitHub Actions. SPECTRE has neither. A protocol team's path from "I read the README" to "SPECTRE found this in our CI" is currently undefined. This is the single highest-leverage gap.SARIF output. GitHub PR annotations + GitLab MR diffs both consume SARIF. Sec3 X-Ray supports it. SPECTRE emits JSON only. ~1 day of work; large UX delta.
Suppression + baseline. Real CI usage requires
// spectre-allow: ITER-001 — slot array is dense, see #1234and a baseline file so pre-existing findings don't gate PRs. SPECTRE has neither. Without them, the first 50-finding scan drives the dev away. ~1 week of work.
Tier 2: feature parity for serious bake-offs
AI / LLM augmentation. Sec3 Premium, L3X, and Octane all ship AI-augmented features (semantic intent matching, false-positive reranking, exploit-impact summarization). SPECTRE is pure pattern. In bake-off marketing this is a real disadvantage; in actual detection precision the pattern pack still wins (100% class-level vs nothing comparable published). Adding LLM-based finding triage and description enrichment is a ~2-week feature.
Hosted scan UI. Sec3 has
pro.sec3.dev; SPECTRE has no self-serve hosted option. For protocol teams unwilling to wire CI themselves, this matters.Bug-bounty marketing channel. Sec3 actively positions X-Ray for bug-bounty hunters, who then file findings on Immunefi and credit the tool. SPECTRE has zero ecosystem visibility. Distribution (item 1) is the prerequisite.
Tier 3: orthogonal capabilities
Formal verification. Certora SCP is the only production-grade FV for Solana. SPECTRE has no FV capability. This is a different layer (per-function logic vs codebase architecture) and may be "buy not build" — Certora itself is open-sourced.
Differential fuzzing. OtterSec's internal differential fuzzing catches behavior divergence between equivalent implementations. SPECTRE has no fuzzing.
Real-time monitoring. Hexagate / Forta catch run-time exploits. SPECTRE is build-time only. These compose; not a SPECTRE gap per se.
CROSS-DELEGATE-RISK rule class. Yield aggregators and stablecoin protocols that delegate economic backing to weakly-gated external venues (UXD into Mango v3, Tulip into Mango v3) are not caught by CROSS-001's "trust downgrade" semantics because the source's own admin gating is often Unknown. This is the only historical incident class on the replay benchmark currently at ✗. New rule shape, ~300 LoC.
Where SPECTRE is genuinely competitive today (May 2026)
A protocol team that already does manual audits and wants continuous architectural-pattern detection in CI gets the most value. The 100% class-level + 100% exact-rule historical coverage is the strongest reproducible number in the market.
A protocol team auditing a multi-program workspace (Kamino, Drift, Jet, Cypher, Cardinal, Marginfi, Squads) gets cross-program rules nobody else ships. Single-program tools structurally cannot see these patterns.
A team running both a TypeScript client and an Anchor program gets cross-language linking nobody else offers.
Honest read
SPECTRE's rule pack and substrate are at or above market. Distribution is the only thing that separates "research preview" from "Solana devs use it." Items 1-3 (install path, SARIF, suppression) are 1-2 weeks of focused work and would unlock the existing rule quality. AI augmentation (item 4) is a competitive-table-stakes feature for the next 12 months; the pure-pattern story is defensible today but becomes hard to maintain by 2027.
The historical-incident replay benchmark is a methodology asset every
competitor lacks. Publishing it (under documents/audits/methodology/,
with reproducible scan scripts and the corpus manifest schema) would
itself be a differentiator and a credibility-builder for the static-
analysis layer of Solana security.