Shared vocabulary for security, platform, and IT teams evaluating Linux configuration integrity. These definitions match our public docs and console — if something reads differently elsewhere, this page wins.
Configuration drift
The gradual (or sudden) divergence of a live system from an approved or expected state — new packages, changed sshd settings, altered sudo rules, or new listeners. Blackglass treats drift as a first-class signal with severity and evidence, not as noise buried in logs.
See also: Drift detection use case · Baseline snapshot
Baseline snapshot
A point-in-time capture of a host's security-relevant configuration that your team explicitly marks as trusted. Every later scan diffs against the active baseline so 'change' always means 'change from what we approved'.
See also: Product tour · Configuration drift
File integrity monitoring (FIM)
Detecting unauthorised changes to critical files — typically via cryptographic hashes — so tampering with binaries, configs, or boot scripts surfaces quickly. Blackglass includes FIM-style signals as part of a broader drift model rather than as a standalone noisy alert stream.
See also: FIM use case
CIS benchmark
Hardening guidance and scored checks for operating systems and software, published by the Center for Internet Security. Blackglass helps teams stay close to CIS Linux expectations between formal audits by alerting when real hosts slip from the posture you captured.
See also: CIS monitoring use case
Row-level security (RLS)
A database enforcement pattern where every query automatically filters rows to the current tenant's data. Blackglass uses Postgres RLS so application bugs cannot accidentally cross tenant boundaries — bypasses are rare, audited, and tagged in code.
See also: Security overview · Engineering blog: RLS
Evidence bundle
An exportable package (PDF + structured JSON) that ties drift findings, baseline metadata, and operator actions into a single artefact suitable for auditors, customers, or post-incident review.
See also: SOX evidence use case
Charon
Blackglass's optional cloud-resource hygiene module: read-only inventory across linked cloud accounts, idle-resource detection, and human-approved cleanup requests — bundled in the same console as Linux drift.
See also: Why Charon exists · Cloud waste estimator
Snapshot freshness
How current the dashboard's view of a host is relative to the last successful scan. Blackglass documents expected maximum lag per deployment mode so teams can trust timestamps during incidents and audits.
See also: Snapshot freshness doc
Remediator
Optional human-in-the-loop remediation assistant that proposes fix plans for drift, validates them in a sandbox where configured, and never applies changes to production without explicit operator approval.
See also: Pricing & FAQ
Side-scanning (agentless cloud)
A cloud vendor technique that reads workload state from storage snapshots without an in-guest agent — excellent breadth, but inherently snapshot-time and blind to some in-server configuration nuances. Often complementary to Blackglass's inside-the-OS view.
See also: Blackglass vs Orca
CNAPP
Cloud-Native Application Protection Platform — an umbrella category covering CSPM, CIEM, CWPP, and related cloud controls. Blackglass is not a CNAPP; it specialises in Linux configuration integrity while CNAPPs focus on cloud control-plane risk.
See also: Blackglass vs Wiz
ITGC (IT general controls)
Controls over IT systems that support financial reporting integrity — change management, access, operations. Blackglass evidence exports are often used as supplementary ITGC artefacts for server configuration change review.
See also: SOX evidence use case