Drift Detection

Compare two discovery sessions to detect infrastructure changes over time. Drift detection helps you identify unauthorized changes, track infrastructure evolution, and maintain compliance.

How It Works

Run Initial Baseline Scan

Create a snapshot of your current infrastructure

Wait for Changes

Infrastructure changes happen (manual or automated)

Run New Scan

Capture the current state after changes

Compare Sessions

See exactly what changed between the two scans

Session Comparison

To compare two sessions:

Navigate to Discovery → Sessions
Select any 2 sessions from the list
Click "Compare" button

Note: You can compare any 2 sessions to detect changes between them.

Comparison Results

The comparison shows three categories of changes:

Added Resources

New resources created since the baseline scan

Removed Resources

Resources deleted since the baseline scan

Modified Resources

Resources with configuration changes

Drift Categories

Category	Description	Example
Configuration Drift	Resource exists but settings changed	Security group rule modified from port 80 to 443
Topology Drift	New resources added or removed	New EC2 instance launched, old instance terminated
Tag Drift	Resource tags added, removed, or changed	Environment tag changed from "dev" to "prod"

Use Cases

Detect Unauthorized Changes

Identify manual changes made outside of IaC workflows

Track Infrastructure Evolution

Monitor how your infrastructure grows and changes over time

Compliance Monitoring

Ensure infrastructure stays compliant with organizational policies

Pre-Deployment Validation

Compare expected vs. actual state before deploying changes

Example: Detecting Unauthorized Security Group Change

Initial Baseline (Session 1)

Scan captured production VPC on Monday:

Scanned Resources:
VPC                 vpc-0abc123
Security Group      sg-web (port 443 allowed)
EC2 Instance        i-web-server-1

New Scan (Session 2)

Scan captured same VPC on Friday:

Scanned Resources:
VPC                 vpc-0abc123
Security Group      sg-web (ports 443, 22 allowed)
EC2 Instance        i-web-server-1
EC2 Instance        i-web-server-2 (NEW)

Comparison Results

Change Type	Resource	Details
Modified	Security Group `sg-web`	New inbound rule added: SSH (port 22) from 0.0.0.0/0
Added	EC2 Instance `i-web-server-2`	New instance launched in us-east-1a

Action Taken

Security Risk Identified: SSH port opened to public (0.0.0.0/0)
Investigation: Unauthorized change made outside Terraform
Remediation: Remove SSH rule, update security policy
Prevention: Enforce IaC-only changes via policy

Supported Providers

Provider	Drift Detection	Supported Resource Types
AWS	✅ 88% coverage	68 of 77 resource types
GCP	✅ 81% coverage	50 of 62 resource types
Azure	✅ 90% coverage	57 of 63 resource types

See Supported Resources for the complete list.

Best Practices

Tips for Effective Drift Detection

• Run regular scans - Weekly scans help catch drift early

• Compare against baseline - Keep a "golden" baseline session for each environment

• Investigate all drift - Even small changes can indicate security issues

• Document approved changes - Update baseline after intentional infrastructure updates

• Use with IaC - Combine drift detection with Terraform plan to catch manual changes