Drift Detection
Compare two discovery sessions to detect infrastructure changes over time. Drift detection helps you identify unauthorized changes, track infrastructure evolution, and maintain compliance.
How It Works
1. Run Initial Baseline Scan: create a snapshot of your current infrastructure.
2. Wait for Changes: infrastructure changes happen (manual or automated).
3. Run New Scan: capture the current state after the changes.
4. Compare Sessions: see exactly what changed between the two scans.
Session Comparison
To compare two sessions:
- Navigate to Discovery → Sessions
- Select any 2 sessions from the list
- Click "Compare" button
Note: You can compare any 2 sessions to detect changes between them.
Comparison Results
The comparison shows three categories of changes:
- Added Resources: new resources created since the baseline scan
- Removed Resources: resources deleted since the baseline scan
- Modified Resources: resources whose configuration changed since the baseline scan
Drift Categories
| Category | Description | Example |
|---|---|---|
| Configuration Drift | Resource exists but settings changed | Security group rule modified from port 80 to 443 |
| Topology Drift | New resources added or removed | New EC2 instance launched, old instance terminated |
| Tag Drift | Resource tags added, removed, or changed | Environment tag changed from "dev" to "prod" |
Use Cases
- Detect Unauthorized Changes: identify manual changes made outside of IaC workflows
- Track Infrastructure Evolution: monitor how your infrastructure grows and changes over time
- Compliance Monitoring: ensure infrastructure stays compliant with organizational policies
- Pre-Deployment Validation: compare expected vs. actual state before deploying changes
Example: Detecting Unauthorized Security Group Change
Initial Baseline (Session 1)
Scan captured the production VPC on Monday:
Scanned Resources:
- VPC vpc-0abc123
- Security Group sg-web (port 443 allowed)
- EC2 Instance i-web-server-1
New Scan (Session 2)
Scan captured the same VPC on Friday:
Scanned Resources:
- VPC vpc-0abc123
- Security Group sg-web (ports 443, 22 allowed)
- EC2 Instance i-web-server-1
- EC2 Instance i-web-server-2 (NEW)
Comparison Results
| Change Type | Resource | Details |
|---|---|---|
| Modified | Security Group sg-web | New inbound rule added: SSH (port 22) from 0.0.0.0/0 |
| Added | EC2 Instance i-web-server-2 | New instance launched in us-east-1a |
Action Taken
- Security Risk Identified: SSH port opened to public (0.0.0.0/0)
- Investigation: Unauthorized change made outside Terraform
- Remediation: Remove SSH rule, update security policy
- Prevention: Enforce IaC-only changes via policy
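The comparison logic behind the results table above, as an added example that is not the product's own code: it diffs two constructed session snapshots (modelled on the Monday/Friday sessions) into the Added/Removed/Modified change types, labels each row with one of the drift categories from the Drift Categories table, and separately flags security-group rules newly opened to 0.0.0.0/0. The snapshot format (resource id, type, config, tags) is an assumption for the example.

```python
# Constructed snapshots modelled on the page's Monday/Friday example.
BASELINE = {
    "vpc-0abc123": {"type": "VPC", "config": {"cidr": "10.0.0.0/16"},
                    "tags": {"Environment": "prod"}},
    "sg-web": {"type": "SecurityGroup", "tags": {"Environment": "prod"},
               "config": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}},
    "i-web-server-1": {"type": "EC2Instance", "config": {"az": "us-east-1a"},
                       "tags": {"Environment": "prod"}},
}
LATEST = {
    "vpc-0abc123": BASELINE["vpc-0abc123"],
    "sg-web": {"type": "SecurityGroup", "tags": {"Environment": "prod"},
               "config": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                      {"port": 22, "cidr": "0.0.0.0/0"}]}},
    "i-web-server-1": BASELINE["i-web-server-1"],
    "i-web-server-2": {"type": "EC2Instance", "config": {"az": "us-east-1a"},
                       "tags": {"Environment": "prod"}},
}

def _delta(old, new):
    """Render keys whose value differs as 'key: old -> new'."""
    keys = sorted(set(old) | set(new))
    return "; ".join(f"{k}: {old.get(k)} -> {new.get(k)}" for k in keys if old.get(k) != new.get(k))

def compare_sessions(baseline, current):
    """Return (change_type, resource_id, drift_category, detail) rows."""
    rows = []
    for rid in sorted(current.keys() - baseline.keys()):   # topology drift: added
        rows.append(("Added", rid, "Topology Drift", f"{current[rid]['type']} created"))
    for rid in sorted(baseline.keys() - current.keys()):   # topology drift: removed
        rows.append(("Removed", rid, "Topology Drift", f"{baseline[rid]['type']} deleted"))
    for rid in sorted(baseline.keys() & current.keys()):   # present in both: diff settings
        old, new = baseline[rid], current[rid]
        if old["config"] != new["config"]:
            rows.append(("Modified", rid, "Configuration Drift", _delta(old["config"], new["config"])))
        if old["tags"] != new["tags"]:
            rows.append(("Modified", rid, "Tag Drift", _delta(old["tags"], new["tags"])))
    return rows

def public_ingress_added(baseline, current):
    """Security-group ingress rules open to 0.0.0.0/0 that are absent from the baseline."""
    findings = []
    for rid, res in current.items():
        if res["type"] != "SecurityGroup":
            continue
        before = baseline.get(rid, {}).get("config", {}).get("ingress", [])
        for rule in res["config"].get("ingress", []):
            if rule["cidr"] == "0.0.0.0/0" and rule not in before:
                findings.append((rid, rule["port"]))
    return findings
```

Running compare_sessions(BASELINE, LATEST) yields the two rows of the comparison table (the new instance and the modified security group), and public_ingress_added(BASELINE, LATEST) singles out the SSH rule that triggered the investigation.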
Supported Providers
| Provider | Drift Detection | Supported Resource Types |
|---|---|---|
| AWS | ✅ 88% coverage | 68 of 77 resource types |
| GCP | ✅ 81% coverage | 50 of 62 resource types |
| Azure | ✅ 90% coverage | 57 of 63 resource types |
See Supported Resources for the complete list.
Best Practices
Tips for Effective Drift Detection
- Run regular scans: weekly scans help catch drift early
- Compare against a baseline: keep a "golden" baseline session for each environment
- Investigate all drift: even small changes can indicate security issues
- Document approved changes: update the baseline after intentional infrastructure updates
- Use with IaC: combine drift detection with Terraform plan to catch manual changes