
# Drift / Anomalies

Drift & Anomaly Detection identifies **deviations from the expected or approved state** of systems, workloads, and configurations in production. In dynamic cloud environments, changes happen continuously — some intentional (deployments, scaling, configuration updates) and others unauthorized or malicious.

Drift and anomaly detection ensures that **what was tested and approved is what actually runs in production** — and that any deviation, however subtle, is caught and investigated.

## **Two Types of Deviations Detected**

**Configuration Drift** — when the actual state of a system diverges from its intended baseline:

| Example                                                         | Risk                        |
| --------------------------------------------------------------- | --------------------------- |
| Unauthorized changes to Kubernetes RBAC configurations          | Privilege escalation        |
| Modified security group rules in cloud infrastructure           | Unexpected network exposure |
| Changes to container images or runtime parameters post-approval | Supply chain compromise     |
| Altered security policies or admission control rules            | Policy bypass               |

**Behavioral Anomalies** — unusual patterns in system activity:

| Example                                         | Risk                          |
| ----------------------------------------------- | ----------------------------- |
| Unexpected process execution within a container | Malware or exploit running    |
| Abnormal API usage patterns                     | Account takeover or API abuse |
| Sudden spikes in resource consumption           | Cryptomining or DDoS          |
| Unusual outbound network traffic                | Data exfiltration             |
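The four rows above correspond to four different detection checks. The following added example (illustrative Python, not OpsMx code) learns a per-workload profile from a window of runtime events recorded while the workload was known-good and then scores later events against it: process paths and outbound destinations are allow-lists, CPU is a mean plus z-standard-deviation band, and API calls are counted per minute against the baseline rate. The event line format `<HH:MM:SS> <workload> <kind> <value>`, the `learn_baseline`/`detect_anomalies` names and both logs are constructed for the example; a real sensor (eBPF, audit log, cloud API audit trail) provides richer records but the logic is the same.

```python
"""Behavioural anomaly detection against a baseline learned from a known-good
window (illustrative example, not OpsMx code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Anomaly kind -> the risk it implies (mirrors the table above).
RISK = {
    "unexpected process execution": "malware or exploit running",
    "abnormal API usage": "account takeover or API abuse",
    "resource spike": "cryptomining or DDoS",
    "unusual outbound traffic": "data exfiltration",
}

@dataclass
class Baseline:
    processes: Set[str] = field(default_factory=set)
    destinations: Set[str] = field(default_factory=set)
    cpu: List[float] = field(default_factory=list)
    api_per_min: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

@dataclass(frozen=True)
class Anomaly:
    ts: str
    workload: str
    kind: str
    detail: str

def parse(line: str) -> Tuple[str, str, str, str]:
    """Constructed format: '<HH:MM:SS> <workload> <kind> <value>'."""
    ts, workload, kind, value = line.split(maxsplit=3)
    return ts, workload, kind, value

def learn_baseline(lines: List[str]) -> Dict[str, Baseline]:
    """Build the per-workload profile from events recorded while known-good."""
    model: Dict[str, Baseline] = defaultdict(Baseline)
    for ts, wl, kind, value in map(parse, lines):
        b = model[wl]
        if kind == "exec":
            b.processes.add(value)
        elif kind == "connect":
            b.destinations.add(value)
        elif kind == "cpu":
            b.cpu.append(float(value))
        elif kind == "api":
            b.api_per_min[ts[:5]] += 1
    return model

def detect_anomalies(model: Dict[str, Baseline], lines: List[str],
                     z: float = 3.0, api_factor: float = 5.0) -> List[Anomaly]:
    """Score live events. CPU uses mean + z*stdev with stdev floored at 0.05 so a
    flat baseline still has a tolerance band; API calls are counted per minute
    and flagged once, when they exceed api_factor times the typical rate."""
    out: List[Anomaly] = []
    api_count: Dict[Tuple[str, str], int] = defaultdict(int)
    for ts, wl, kind, value in map(parse, lines):
        b = model.get(wl)
        if b is None:
            out.append(Anomaly(ts, wl, "unknown workload", value))
        elif kind == "exec" and value not in b.processes:
            out.append(Anomaly(ts, wl, "unexpected process execution", value))
        elif kind == "connect" and value not in b.destinations:
            out.append(Anomaly(ts, wl, "unusual outbound traffic", value))
        elif kind == "cpu" and b.cpu:
            limit = mean(b.cpu) + z * max(pstdev(b.cpu), 0.05)
            if float(value) > limit:
                out.append(Anomaly(ts, wl, "resource spike", f"cpu {value} > {limit:.2f}"))
        elif kind == "api":
            minute = ts[:5]
            api_count[(wl, minute)] += 1
            typical = mean(b.api_per_min.values()) if b.api_per_min else 0.0
            if api_count[(wl, minute)] == int(typical * api_factor) + 1:
                out.append(Anomaly(ts, wl, "abnormal API usage",
                                   f"{api_count[(wl, minute)]} calls in minute {minute}"))
    return out

# Constructed events. BASELINE_LOG is a known-good window after an approved
# deploy; LIVE_LOG is a later window with a foreign binary, a CPU spike, a
# connection to an unknown host and a burst of API calls.
BASELINE_LOG = """\
10:00:01 payments-api exec /app/server
10:00:02 payments-api connect 10.0.5.20:5432
10:00:03 payments-api cpu 0.40
10:00:04 payments-api api GetObject
10:00:05 payments-api api PutObject
10:00:30 payments-api cpu 0.45
10:01:02 payments-api connect 10.0.5.20:5432
10:01:03 payments-api cpu 0.38
10:01:04 payments-api api GetObject
10:01:05 payments-api api GetObject
10:01:30 payments-api cpu 0.42
""".splitlines()
LIVE_LOG = """\
11:00:01 payments-api exec /app/server
11:00:02 payments-api connect 10.0.5.20:5432
11:00:03 payments-api cpu 0.44
11:00:10 payments-api exec /tmp/.cache/miner
11:00:11 payments-api cpu 0.97
11:00:12 payments-api connect 203.0.113.7:443
""".splitlines() + [f"11:00:{20 + i:02d} payments-api api GetObject" for i in range(11)]

if __name__ == "__main__":
    profile = learn_baseline(BASELINE_LOG)
    for a in detect_anomalies(profile, LIVE_LOG):
        print(f"{a.ts} {a.workload} {a.kind}: {a.detail}  (risk: {RISK.get(a.kind, 'investigate')})")
```

Scoring the baseline window against its own profile yields nothing, which is the sanity check to run before trusting any threshold. On the live window the detector reports the foreign process, the CPU spike, the unknown destination and, on the eleventh call in the minute (five times the baseline rate of two per minute), the API burst. A workload with no API calls in its baseline is flagged on its first call, which is the intended behaviour of a learned allow-list.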

## **Why Drift & Anomaly Detection Is Used in OpsMx**

Many sophisticated attacks do not rely on introducing new vulnerabilities — they exploit **changes or inconsistencies in the environment**. Drift detection counters this by:

* **Continuously comparing running state against approved baseline** — any deviation triggers an alert
* **Creating a continuous validation loop** — ensuring approved configurations persist across deployments and scaling events
* **Detecting silent failures and insider threats** — changes that should not have happened are immediately visible
* **Improving compliance posture** — continuous drift detection provides always-current evidence that systems match their approved configurations
* **Reducing time to detect** — anomalies are surfaced in real time, not discovered during periodic audits

## **Benefits for the User**

* Organizations know immediately when production deviates from what was approved — no more waiting for quarterly audits to surface drift
* Behavioral anomalies are detected before they escalate into incidents
* Continuous drift evidence supports regulatory frameworks requiring ongoing compliance validation (SOC 2, PCI DSS, HIPAA)
