docs: expand Socket CLI comparison with concrete examples and structured sections

website/docs/comparison.md

@@ -302,15 +302,133 @@ Use CVE Lite CLI for fast, account-free developer-time scanning and as a lightwe
 
 ## CVE Lite CLI vs Socket CLI
 
-Socket is a supply-chain security platform that goes beyond CVEs — detecting malware, abandoned packages, typosquatting, and install-time script risks before a CVE is published. CVE Lite CLI is narrowly focused on known dependency vulnerabilities with validated fix commands.
+Socket and CVE Lite CLI approach dependency security from different angles.
 
-CVE Lite CLI stands out when you want:
+CVE Lite CLI focuses on known vulnerabilities and remediation. Its goal is
+to identify vulnerable dependency versions and provide the fastest path to
+a safe upgrade with validated, copy-and-run fix commands.
+
+Socket focuses on software supply-chain security. In addition to known
+vulnerabilities, it evaluates package trust signals such as malware,
+typosquatting, suspicious maintainers, install scripts, and license risk.
+
+Because they answer different questions, the tools are often complementary
+rather than direct competitors.
+
+Some Socket capabilities require a paid account for full access, whereas CVE Lite CLI is fully available without registration or usage limits.
+
+### Different threat models
+
+The biggest difference between the tools is the type of risk they are
+designed to detect.
+
+CVE Lite CLI answers:
+
+- Is this dependency version vulnerable?
+- What version should I upgrade to?
+- What command should I run?
+
+Socket answers:
+
+- Can this package be trusted?
+- Does it exhibit suspicious behavior?
+- Does it resemble a known package name?
+- Are there maintainer, malware, or license concerns?
+
+A package may have no known CVEs and still be considered risky by Socket.
+Likewise, a package may be trustworthy but contain a publicly disclosed
+vulnerability that CVE Lite identifies and helps remediate.
+
+### Feature comparison
+
+| Capability | CVE Lite CLI | Socket CLI |
+|---|:---:|:---:|
+| Known CVE detection | ✅ | ✅ |
+| Validated fix commands | ✅ | ❌ |
+| Parent-aware transitive remediation | ✅ | ⚠️ |
+| Offline advisory DB workflow | ✅ | ❌ |
+| No account required | ✅ | ❌ |
+| Local-first workflow | ✅ | ⚠️ |
+| Malware detection | ❌ | ✅ |
+| Typosquatting detection | ❌ | ✅ |
+| Suspicious maintainer analysis | ❌ | ✅ |
+| License risk detection | ❌ | ✅ |
+| Supply-chain trust analysis | ❌ | ✅ |
+
+<sub>✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength</sub>
+
+### Example: known vulnerability
+
+Suppose a project depends on a version of a package affected by a published
+CVE.
+
+CVE Lite CLI identifies the vulnerable version, validates a safe upgrade
+target, and generates the exact package-manager command required to fix it.
+
+Socket can surface the vulnerability as part of its broader analysis, but
+its primary focus is understanding package risk rather than generating
+remediation workflows.
+
+### Example: suspicious package
+
+Imagine a package has no published CVEs but closely resembles a popular
+package name and includes unexpected install-time behavior.
+
+Socket can flag those supply-chain trust concerns even when no known
+vulnerability exists.
+
+CVE Lite CLI will not report the package because there is no known CVE
+associated with it.
+
+### Where CVE Lite CLI has the edge
+
+- Free and requires no account
+- Runs locally without sending dependency data to a cloud platform
+- Validated copy-and-run remediation commands
+- Parent-aware transitive dependency guidance
+- Offline advisory database support
+- Fast terminal-first developer workflow
+
+### Where Socket has the edge
+
+- Malware and suspicious package detection
+- Typosquatting analysis
+- Supply-chain trust signals
+- Maintainer risk evaluation
+- License risk visibility
+- Broader package trust assessment beyond known CVEs
+
+### Why results differ
+
+Socket and CVE Lite evaluate different kinds of risk.
+
+A package can be flagged by Socket because of suspicious behavior,
+maintainer activity, typosquatting indicators, or license concerns even
+when no published CVE exists.
+
+Likewise, CVE Lite may identify a known vulnerability in a package that
+otherwise appears trustworthy from a supply-chain perspective.
+
+As a result, it is normal for the two tools to report different findings
+on the same dependency tree.
+
+### Recommended approach
+
+The strongest dependency security workflow combines both perspectives.
+
+Use Socket to evaluate whether a package should be trusted before it enters
+your dependency graph. Use CVE Lite CLI to identify known vulnerabilities,
+prioritize fixes, and generate remediation commands once dependencies are
+installed.
+
+In practice the tools answer different questions:
+
+- Socket: "Can I trust this package?"
+- CVE Lite CLI: "Is this version vulnerable and how do I fix it?"
+
+For teams that care about both vulnerability management and software
+supply-chain security, the tools work well together.
 
-- a focused CVE scanner without supply-chain signal noise mixed into the output
-- a clear answer to "what should I fix before this release?" — validated fix commands grouped by severity
-- parent-aware transitive remediation with specific package-manager commands
-- no account, no cloud dependency, and a fully offline advisory DB option
-- a free, MIT-licensed, OWASP-recognized tool with no paid tiers
 
 ---