Compare any two discovery sessions to see exactly what changed in your infrastructure between scans — added resources, removed resources, configuration modifications, cost changes, and security findings.
| Scenario | What to Compare |
|---|---|
| Weekly drift review | This week's scan vs. last week's scan |
| Post-incident audit | Scan taken after an incident vs. before |
| Pre/post migration | Before migrating to IaC vs. after |
| Compliance audit | Current state vs. last audited baseline |
| Cost investigation | Current scan vs. scan from last billing cycle |
1. Go to Discovery → Sessions and find the two sessions you want to compare.
2. Use the checkboxes to select exactly two sessions. The comparison button becomes active once two are selected.
3. Click Compare Sessions. ops0 runs the diff and redirects you to the comparison results page.
4. The results page breaks changes into categories: Added, Removed, Modified, and Unchanged resources, along with summary metrics.
You can compare any two sessions, regardless of whether they were run on the same schedule or integration. Comparing sessions from different integrations is valid — for example, comparing a pre-migration scan of your AWS staging account against a post-migration scan.
The top of the results page shows a high-level summary across all change categories:
| Metric | Description |
|---|---|
| Resources Added | Count of new resources present in the newer session but not the older |
| Resources Removed | Count of resources in the older session that no longer exist |
| Resources Modified | Count of resources present in both sessions with configuration differences |
| Resources Unchanged | Count of resources identical in both sessions |
| Cost Delta | Estimated monthly cost change (positive = cost increase, negative = savings) |
| Security Regressions | New security findings in the newer session not present in the older |
| Security Improvements | Findings resolved between sessions |
| Compliance Violations Added | New policy violations in the newer session |
| Compliance Violations Resolved | Violations fixed between sessions |
Resources that exist in the newer session but were not present in the older session. These represent net-new infrastructure — intentional deployments or resources created outside your IaC workflow.
Each added resource shows:
Resources present in the older session that no longer appear in the newer session. These may represent intentional teardowns, accidental deletions, or resources that moved accounts.
Each removed resource shows:
Resources present in both sessions where at least one attribute changed between scans. This is the most important category for detecting unauthorized or unexpected changes.
Each modified resource shows:
Example modified resource diff:
```
aws_security_group "web-sg" (sg-0abc123def)
  Region: us-east-1
  Changed:
    ingress_rules:
      - old: [{ from_port: 443, to_port: 443, cidr: 10.0.0.0/8 }]
      + new: [{ from_port: 443, to_port: 443, cidr: 10.0.0.0/8 },
              { from_port: 22, to_port: 22, cidr: 0.0.0.0/0 }]
  Cost difference: $0.00/mo
```
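
As an added illustration (not ops0 code), the following Python example reproduces the Added/Removed/Modified/Unchanged split over two session snapshots and flags ingress rules that are new in the newer session and open to any source address, such as the port 22 rule in the diff above. The snapshot shape (resource ID mapped to an attribute dict), the function names, and every resource other than `web-sg` are assumptions constructed for the example.

```python
import ipaddress

# Constructed snapshots. The shape (resource id -> attributes) is an assumption,
# not an ops0 export format; only web-sg mirrors the diff shown above.
HTTPS = {"from_port": 443, "to_port": 443, "cidr": "10.0.0.0/8"}
SSH = {"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}
OLDER = {
    "sg-0abc123def": {"type": "aws_security_group", "name": "web-sg",
                      "ingress_rules": [HTTPS]},
    "i-example-1": {"type": "aws_instance", "instance_type": "t3.small"},
    "vol-example-1": {"type": "aws_ebs_volume", "size_gb": 100},
}
NEWER = {
    "sg-0abc123def": {"type": "aws_security_group", "name": "web-sg",
                      "ingress_rules": [HTTPS, SSH]},
    "i-example-1": {"type": "aws_instance", "instance_type": "t3.small"},
    "bucket-example-1": {"type": "aws_s3_bucket"},
}

def compare_sessions(older, newer):
    """Split resource ids into the four categories of the results page."""
    shared = older.keys() & newer.keys()
    return {
        "added": sorted(newer.keys() - older.keys()),
        "removed": sorted(older.keys() - newer.keys()),
        "modified": sorted(r for r in shared if older[r] != newer[r]),
        "unchanged": sorted(r for r in shared if older[r] == newer[r]),
    }

def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0: a zero-length prefix matches any source."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def new_exposed_ingress(older, newer):
    """Ingress rules absent from the older session that allow any source.
    Covers modified resources and brand-new ones (no older rules to match)."""
    diff = compare_sessions(older, newer)
    findings = []
    for rid in diff["modified"] + diff["added"]:
        before = older.get(rid, {}).get("ingress_rules", [])
        for rule in newer[rid].get("ingress_rules", []):
            if rule not in before and is_world_open(rule["cidr"]):
                findings.append((rid, rule["from_port"], rule["to_port"], rule["cidr"]))
    return findings

if __name__ == "__main__":
    print(compare_sessions(OLDER, NEWER))
    for finding in new_exposed_ingress(OLDER, NEWER):
        print("new internet-facing ingress:", finding)
```

Rules that were already world-open in the older session are deliberately not reported, which matches the regression definition used on this page: only findings new to the newer session count.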
The cost delta section shows the net estimated monthly cost change across all modifications, additions, and removals.
| Change Type | Cost Impact |
|---|---|
| Added resources | + (cost of new resources) |
| Removed resources | - (cost savings) |
| Modified resources | +/- (cost of configuration changes) |
| Net delta | Sum of all changes |
Cost estimates are based on resource type, size, and region-specific pricing. They represent monthly costs at the current configuration and may not reflect actual billed amounts, which vary with usage patterns.
If security scanning was run on both sessions, the comparison surfaces security regressions — new vulnerabilities or misconfigurations introduced between scans.
| Field | Description |
|---|---|
| Regressions | Findings present in the newer session that were not in the older |
| Improvements | Findings in the older session that are resolved in the newer |
| Net change | Regressions minus improvements |
A negative net change (more improvements than regressions) means your security posture improved. A positive number warrants investigation.
For ongoing drift monitoring, pin a session as a named baseline so you always have a fixed reference point to compare against.
1. Navigate to the completed discovery session you want to freeze as a reference.
2. Click the Save as Baseline option in the session actions menu.
3. Give it a descriptive name: "Q2-2026-Audit", "Pre-Migration-Prod", or "Post-Security-Review".
4. In any future comparison, select the named baseline as one of the two sessions.
| Event | Baseline Name Pattern |
|---|---|
| After a compliance audit | `audit-YYYY-MM` |
| Before a major migration | `pre-migration-<env>` |
| After production hardening | `post-hardening-prod` |
| Quarterly review | `q<N>-<YYYY>` |
Baselines remain available indefinitely, even as newer sessions accumulate. They do not expire.
When you enable auto-compare on a scheduled discovery, ops0 automatically runs a comparison after each scan completes, comparing the new session against the most recent previous session for the same integration.
This gives you continuous drift monitoring with no manual steps:
See Scheduled Discovery for setup instructions.
You run weekly discovery scans on your production AWS account every Sunday night. You receive a notification on Monday that the comparison detected a modified resource.
Summary:
Modified Resource:
```
aws_security_group "web-sg" (sg-0abc123)
  ingress_rules:
    - old: [{ port: 443, cidr: 10.0.0.0/8 }]
    + new: [{ port: 443, cidr: 10.0.0.0/8 },
            { port: 22, cidr: 0.0.0.0/0 }]
```
Security Regression: