Drift Detection
Drift detection is BLACKOUT's continuous monitoring capability. It alerts you when vendor behavior changes from your established baseline.
What is Drift?
Drift = Any change from your baseline scan.
When you first scan a site, BLACKOUT establishes a baseline — the known-good state of your vendor ecosystem. Subsequent scans compare against this baseline to detect:
- New vendors appearing
- Existing vendors disappearing
- Behavior changes (new cookies, endpoints, data collection)
- Consent mechanism changes
Drift Types
| Drift Type | Severity | Meaning |
|---|---|---|
| vendor_added | HIGH | New third-party detected |
| vendor_removed | INFO | Vendor no longer present |
| vendor_behavior_changed | MEDIUM | Same vendor, different behavior |
| script_added | MEDIUM | New script URL |
| script_hash_changed | LOW | Script content changed |
| endpoint_added | HIGH | New data exfiltration endpoint |
| consent_regression | CRITICAL | Consent bypass detected |
| chain_depth_increased | HIGH | Piggyback chain grew |
Baseline Management
Automatic Baseline
By default, BLACKOUT uses your first scan as the baseline.
Manual Refresh
To update your baseline after intentional changes:
- Navigate to Sites > [Your Site] > Baseline
- Click Refresh Baseline
- Confirm the new baseline scan
⚠️ Refreshing the baseline clears the drift history. Only do this after the changes have been verified.
Drift Incidents
Multiple related drift events are grouped into incidents:
{
  "incident_id": "DI-2024-001",
  "vendor_id": "hotjar",
  "drift_type": "vendor_behavior_changed",
  "event_count": 3,
  "max_severity": "high",
  "window": "2024-01-15 to 2024-01-17"
}
This prevents alert fatigue from repeated similar events.
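The comparison behind the Drift Types table and the incident grouping described above, as an added illustration that is not BLACKOUT's own code: it diffs a baseline scan against a current scan into typed drift events (severities taken from the table), then collapses the events for each vendor into one incident carrying the worst severity. The scan format (per-vendor script hashes, endpoints, cookies, a consent-gated flag and piggyback chain depth) and the sample URLs are assumptions made for the example.

```python
from collections import defaultdict
# Severity per drift type, taken from the Drift Types table above.
SEVERITY = {"vendor_added": "high", "vendor_removed": "info",
            "vendor_behavior_changed": "medium", "script_added": "medium",
            "script_hash_changed": "low", "endpoint_added": "high",
            "consent_regression": "critical", "chain_depth_increased": "high"}
RANK = ["info", "low", "medium", "high", "critical"]

def detect_drift(baseline, current):
    """Diff two scans (vendor_id -> observation dict) into drift events."""
    ev = lambda v, k, d=None: {"vendor_id": v, "drift_type": k, "severity": SEVERITY[k], "detail": d}
    events = [ev(v, "vendor_added") for v in current.keys() - baseline.keys()]
    events += [ev(v, "vendor_removed") for v in baseline.keys() - current.keys()]
    for vid in baseline.keys() & current.keys():
        old, new = baseline[vid], current[vid]
        for url, digest in new["scripts"].items():  # script URL -> content hash
            if url not in old["scripts"]:
                events.append(ev(vid, "script_added", url))
            elif digest != old["scripts"][url]:
                events.append(ev(vid, "script_hash_changed", url))
        events += [ev(vid, "endpoint_added", e) for e in new["endpoints"] - old["endpoints"]]
        if new["cookies"] != old["cookies"]:
            events.append(ev(vid, "vendor_behavior_changed", "cookies"))
        if old["consent_gated"] and not new["consent_gated"]:  # now fires before consent
            events.append(ev(vid, "consent_regression"))
        if new["chain_depth"] > old["chain_depth"]:
            events.append(ev(vid, "chain_depth_increased"))
    return events

def group_incidents(events):
    """One incident per vendor; its drift_type and severity follow the worst event."""
    by_vendor = defaultdict(list)
    for e in events:
        by_vendor[e["vendor_id"]].append(e)
    incidents = []
    for vid, evs in by_vendor.items():
        worst = max(evs, key=lambda e: RANK.index(e["severity"]))
        incidents.append({"vendor_id": vid, "drift_type": worst["drift_type"],
                          "event_count": len(evs), "max_severity": worst["severity"]})
    return incidents
def obs(scripts, endpoints, cookies, consent_gated=True, chain_depth=1):
    return {"scripts": scripts, "endpoints": set(endpoints), "cookies": set(cookies),
            "consent_gated": consent_gated, "chain_depth": chain_depth}
# Constructed sample scans (hypothetical vendors and URLs, not real BLACKOUT output).
BASELINE = {"hotjar": obs({"https://cdn.example.test/hj.js": "a1"},
                          ["https://in.example.test/api"], ["_hjid"])}
CURRENT = {"hotjar": obs({"https://cdn.example.test/hj.js": "b2"},
                         ["https://in.example.test/api", "https://in.example.test/v2"],
                         ["_hjid", "_hjSession"], consent_gated=False, chain_depth=2),
           "newpixel": obs({}, [], [])}
```

Running `group_incidents(detect_drift(BASELINE, CURRENT))` yields two incidents: five hotjar events rolled up under `consent_regression` at `critical`, and one `vendor_added` incident for the new pixel.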
Alert Configuration
Slack Integration
// Settings > Integrations > Slack
{
  "webhook_url": "https://hooks.slack.com/...",
  "channel": "#security-alerts",
  "severity_threshold": "medium"
}
Email Digest
- Daily: Summary of all drift events
- Weekly: Trend report with recommendations
- Immediate: Critical drift only
Responding to Drift
When drift is detected:
- Review the drift event details
- Investigate what changed and why
- Decide:
  - If intentional → Update baseline
  - If unauthorized → Escalate + remediate
- Acknowledge the drift event
- Document your decision for the audit trail
Drift Dashboard
The SOC workspace shows:
- Unacknowledged drift count
- Drift by severity (chart)
- Recent drift timeline
- Sites with most drift
Best Practices
- Monitor weekly at minimum
- Acknowledge promptly — don't let alerts pile up
- Update baselines after marketing changes
- Set severity thresholds appropriate to your risk tolerance
- Document decisions for compliance audits
Next Steps
- Evidence Packs — Export drift evidence
- Workspaces — Configure SOC view for triage