Drift & Baseline Refresh: A Whitepaper

Why one-off scans aren’t enough — and how baseline snapshots plus refresh evidence support posture review over time.

What’s Inside

From Baseline to Refresh Evidence

Baseline snapshots

Every completed scan produces a standardised baseline. That snapshot supports drift detection and shows what changed and when.

Drift detection

Compare refresh runs against the baseline to see what’s new, changed, or disappeared. No guesswork — clear evidence of posture change over time.

Refresh evidence

Refresh cadence depends on plan and scope. Drift events give reviewers a timeline of observed change, not a point-in-time snapshot that goes stale.

Five Layers of LTS Drift

Not just change detection — evidence for external control changes and attacker-relevant exposure paths

  • Topology — Domains, subdomains, IPs, ports, APIs, cloud surface. Set-based diff only.
  • Control boundary — Per-endpoint auth, WAF, CSP, TLS. Detect when controls weaken (control regression).
  • Behavioral — Changes in access semantics: a response that moves from 401/403 to 200, or an admin path that becomes newly reachable.
  • Exposure path relevance — Did the change increase attacker opportunity or shorten an exposure path?
  • Governance — First-seen, detection timestamp, and exposure window for auditor and regulator review.

Drift is positioned as baseline refresh evidence for external control changes and attacker-relevant exposure paths, not just “change detection.”
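
As an added illustration (not taken from the whitepaper or the product), the sketch below compares a refresh run against a baseline and emits drift events for the topology, control boundary and behavioral layers, with governance timestamps on each event. The snapshot schema, field names and sample endpoints are assumptions constructed for this example; exposure path relevance scoring is left out.

```python
from datetime import datetime

# Constructed sample snapshots. The schema (endpoint -> status + controls) is an
# assumption for illustration, not the product's data format.
BASELINE = {
    "taken_at": "2024-01-01T00:00:00+00:00",
    "endpoints": {
        "https://app.example.com/": {"status": 200, "controls": {"tls", "waf", "csp"}},
        "https://app.example.com/admin": {"status": 403, "controls": {"tls", "waf", "auth"}},
        "https://old.example.com/": {"status": 200, "controls": {"tls"}},
    },
}
REFRESH = {
    "taken_at": "2024-01-08T00:00:00+00:00",
    "endpoints": {
        "https://app.example.com/": {"status": 200, "controls": {"tls", "waf"}},
        "https://app.example.com/admin": {"status": 200, "controls": {"tls", "waf"}},
        "https://api.example.com/v1": {"status": 200, "controls": {"tls"}},
    },
}

def drift_events(baseline, refresh):
    """Compare a refresh run with the baseline and return drift events by layer."""
    old, new = baseline["endpoints"], refresh["endpoints"]
    # Governance: the change happened between the two runs, so the interval
    # between them is an upper bound on the exposure window at detection time.
    window = (datetime.fromisoformat(refresh["taken_at"])
              - datetime.fromisoformat(baseline["taken_at"]))
    events = []
    def emit(layer, endpoint, detail):
        events.append({"layer": layer, "endpoint": endpoint, "detail": detail,
                       "detected_at": refresh["taken_at"],
                       "max_exposure_window_days": window.days})
    # Topology: set-based diff of endpoint keys only.
    for ep in sorted(new.keys() - old.keys()):
        emit("topology", ep, "new")
    for ep in sorted(old.keys() - new.keys()):
        emit("topology", ep, "disappeared")
    for ep in sorted(old.keys() & new.keys()):
        # Control boundary: a control present in the baseline is now missing.
        lost = old[ep]["controls"] - new[ep]["controls"]
        if lost:
            emit("control_boundary", ep, "lost:" + ",".join(sorted(lost)))
        # Behavioral: access semantics moved from denied (401/403) to 200.
        if old[ep]["status"] in (401, 403) and new[ep]["status"] == 200:
            emit("behavioral", ep, f"{old[ep]['status']}->200")
    return events

if __name__ == "__main__":
    for event in drift_events(BASELINE, REFRESH):
        print(event)
```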

Download the Whitepaper

Get the full whitepaper on drift detection and baseline refresh evidence. Request the PDF below.
