Knowledge Base
Quick reference on key DriftAlarm concepts. These sections are linked from contextual help tooltips throughout the platform.
How Risk Scores Work
DriftAlarm assigns each asset a risk score from 0 (most vulnerable) to 100 (most secure). The score is calculated from multiple factors including the number and severity of open vulnerabilities, exposed high-risk ports (SSH, RDP, databases), SSL/TLS certificate health, and drift history.
A score below 50 indicates significant risk requiring immediate attention. Scores between 50 and 75 suggest moderate risk with room for improvement. Scores above 75 indicate a well-secured asset. The score updates after every scan to reflect your current security posture.
Vulnerability Severity Levels
DriftAlarm uses industry-standard CVSS-based severity levels to classify vulnerabilities:
- Critical (9.0-10.0) — Immediate action required. Remote code execution, authentication bypasses, or publicly known exploited vulnerabilities.
- High (7.0-8.9) — Address soon. Significant security weaknesses that could lead to data exposure or unauthorized access.
- Medium (4.0-6.9) — Plan remediation. Security misconfigurations or information disclosure issues.
- Low (0.1-3.9) — Monitor. Minor issues with limited security impact.
How Drift Detection Works
Drift detection continuously monitors your assets for unexpected changes by comparing current scan results against a known-good baseline. When you first scan an asset, DriftAlarm captures a baseline snapshot of your attack surface — ports, services, subdomains, technologies, and vulnerabilities.
On subsequent scans, every change is classified: positive changes (hardening, patching) are marked green, neutral changes (expected updates) are gray, and negative changes (new exposure, new vulnerabilities) trigger alerts. The drift system tracks 29 rules across 6 security packs.
Scan Types: Fast vs Deep
Fast Scan performs quick reconnaissance in 2-5 minutes. It covers the top 100 ports, SSL/TLS certificates, DNS records, HTTP analysis, technology detection, and AI-powered risk scoring. Ideal for quick checks and initial discovery.
Deep Scan runs exhaustive testing in 15-30 minutes. It includes full DNS enumeration, comprehensive web crawling, complete vulnerability scanning with 10,000+ Nuclei templates, and detailed service analysis. Use Deep Scan for thorough security assessments.
Configuring Drift Alarms
Drift Alarms are policy-based rules that trigger when your attack surface changes in ways you care about. DriftAlarm includes 29 built-in rules organized into 6 security packs: Essential Security, Network Monitoring, Certificate Management, Compliance Readiness, DNS Monitoring, and Registration Monitoring.
Each rule can be independently enabled or disabled, and you can create custom rules on Pro and Enterprise plans. Rules evaluate changes after every scan and generate events with configurable severity levels.
Notification Channels
DriftAlarm supports three notification channel types: Email, Slack webhooks, and generic webhooks. Channels receive alerts when drift alarm rules trigger, allowing you to route different types of changes to different teams or systems.
Each channel can be independently enabled, tested, and configured. Webhook payloads are signed with HMAC-SHA256 for verification. Configure notification channels in Settings to stay informed about security-relevant changes.
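A receiver-side check for the HMAC-SHA256 webhook signature, added here as an illustration rather than code from DriftAlarm itself. The header name (X-DriftAlarm-Signature), the hex encoding, and the sample event are assumptions, since the platform docs do not specify the wire format; the point is to verify the raw body with a constant-time comparison before parsing it.

```python
import hmac
import hashlib
import json
from typing import Optional

# Assumption (not specified in the DriftAlarm docs): the signature travels in this
# header as a lowercase hex HMAC-SHA256 digest computed over the raw request body.
SIGNATURE_HEADER = "X-DriftAlarm-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 hex digest of the raw body (used here only to build the sample)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Return True only if the presented signature matches the raw body.

    Always verify the exact bytes received, before any JSON parsing, and use
    hmac.compare_digest so the comparison does not leak timing information.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented:
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, presented.lower())


def handle_drift_event(secret: bytes, body: bytes, headers: dict) -> Optional[dict]:
    """Parse and return the event only after the signature checks out; else drop it."""
    if not verify_webhook(secret, body, headers):
        return None
    return json.loads(body)


# Constructed sample: a shared secret and a drift event as a receiver might see them.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_BODY = json.dumps({
    "rule": "new-high-risk-port",        # constructed rule name
    "asset": "app.example.com",
    "change": "negative",
    "detail": "tcp/3389 newly exposed",
}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_payload(SAMPLE_SECRET, SAMPLE_BODY)}
# Same signature, altered body: must be rejected.
TAMPERED_BODY = SAMPLE_BODY.replace(b"negative", b"neutral")

if __name__ == "__main__":
    print(handle_drift_event(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    print(handle_drift_event(SAMPLE_SECRET, TAMPERED_BODY, SAMPLE_HEADERS))
```

Keep the secret out of logs and source control, and reject any request whose signature is missing rather than falling back to unauthenticated processing.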
Understanding EPSS Scores
EPSS (Exploit Prediction Scoring System) estimates the probability that a vulnerability will be actively exploited in the wild within the next 30 days. Scores range from 0 to 1, where higher values indicate greater exploitation likelihood.
An EPSS score of 0.5 means there is a 50% chance of exploitation in the next month. DriftAlarm uses EPSS alongside CVSS severity to help you prioritize remediation — a medium-severity vulnerability with high EPSS may be more urgent than a high-severity vulnerability with low EPSS.
Technology Fingerprinting
DriftAlarm detects software technologies running on your assets through multiple methods: HTTP response header analysis, JavaScript library detection, HTML meta tag inspection, and service banner grabbing on open ports.
Detected technologies are categorized into groups like Web Servers, Frameworks, Languages, Databases, CDN providers, and JavaScript Libraries. Knowing your technology stack helps identify version-specific vulnerabilities and track shadow IT.