10.1. Interpreting Drift
The drift score summarizes the net change in security posture between two assessment runs.
10.1.1. Drift Score

The drift score ranges from -100 to +100:

| Range | Interpretation |
|---|---|
| Positive | Net improvement in security posture |
| Zero | No net change |
| Negative | Net regression in security posture |
The score weights every regression and improvement by its severity, so a single high-severity change can outweigh several low-severity ones; the sign tells you the direction of the net change, the magnitude tells you how much of the weighted check set moved.
10.1.2. Score Calculation

driftScore = ((improvementScore - regressionScore) / total) × 100

Where:

- improvementScore is the sum of severity weights for findings that changed from FAIL to PASS
- regressionScore is the sum of severity weights for findings that changed from PASS to FAIL
- total is the sum of all possible severity weights

Findings that kept their status contribute to neither score. A check that exists in only one of the two runs is reported separately (see New Check Coverage below) rather than counted as a regression or improvement.
10.1.3. Grade Changes
The diff output also shows grade changes between assessments:
Grade: C → B (+1)
Grade values: A=5, B=4, C=3, D=2, F=1. The delta is the difference between the two grade values.
10.1.4. Common Drift Scenarios
New Deployment Introduces Regression
A new deployment disables WAF on a zone:
REGRESSION: CFL-WAF-001 (WAF Security Level) — PASS → FAIL
Drift score: -7 (high severity weight)
Security Hardening
A security team enables DNSSEC on previously unprotected zones:
IMPROVEMENT: CFL-DNS-001 (DNSSEC Enablement) — FAIL → PASS
Drift score: +7 (high severity weight)
New Check Coverage
A new check category is added between runs:
NEW: CFL-AIGW-001 (AI Gateway Configuration) — FAIL
(This is not a regression: the check did not exist in the baseline, so there is no earlier PASS to regress from. It does not move the drift score, but it is still a current FAIL and should be triaged like any other finding.)
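As an added worked example (not code from this page or from the tool it documents), the following Python diffs two assessment runs, computes the drift score from 10.1.2, the grade delta from 10.1.3, and classifies the three scenarios from 10.1.4, including the new-check case that must not count as a regression. The severity weights, the reading of `total` as the weights of checks present in both runs, and the `HYP-*` check IDs are assumptions made for the example; the `CFL-*` IDs are the ones shown on the page.

```python
from dataclasses import dataclass

# Assumed severity weights: hypothetical values chosen for the example. The page
# only says weights are severity-based; it does not list the actual numbers.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Grade values as stated on the page.
GRADE_VALUE = {"A": 5, "B": 4, "C": 3, "D": 2, "F": 1}


@dataclass(frozen=True)
class Finding:
    check_id: str
    title: str
    severity: str   # key into SEVERITY_WEIGHT
    status: str     # "PASS" or "FAIL"


def diff_runs(baseline, current):
    """Classify each check in `current` against `baseline`.

    Returns a dict with keys improvements, regressions, new, removed.
    A check absent from the baseline is reported as new, never as a
    regression, even if it currently FAILs.
    """
    base = {f.check_id: f for f in baseline}
    cur = {f.check_id: f for f in current}
    result = {"improvements": [], "regressions": [], "new": [], "removed": []}
    for cid, f in cur.items():
        b = base.get(cid)
        if b is None:
            result["new"].append(f)
        elif b.status == "FAIL" and f.status == "PASS":
            result["improvements"].append(f)
        elif b.status == "PASS" and f.status == "FAIL":
            result["regressions"].append(f)
    result["removed"] = [f for cid, f in base.items() if cid not in cur]
    return result


def drift_score(baseline, current):
    """driftScore = ((improvementScore - regressionScore) / total) * 100, rounded.

    Assumption: `total` is the sum of severity weights of the checks present in
    both runs, so newly added or removed checks cannot move the score.
    """
    d = diff_runs(baseline, current)
    base_ids = {f.check_id for f in baseline}
    total = sum(SEVERITY_WEIGHT[f.severity] for f in current if f.check_id in base_ids)
    if total == 0:
        return 0
    improvement = sum(SEVERITY_WEIGHT[f.severity] for f in d["improvements"])
    regression = sum(SEVERITY_WEIGHT[f.severity] for f in d["regressions"])
    return round((improvement - regression) / total * 100)


def grade_delta(old, new):
    """Signed difference between two grade values, e.g. C -> B is +1."""
    return GRADE_VALUE[new] - GRADE_VALUE[old]


def render_diff(baseline, current, old_grade, new_grade):
    """Produce diff lines in the same spirit as the page's output."""
    d = diff_runs(baseline, current)
    lines = []
    for f in d["regressions"]:
        lines.append(f"REGRESSION: {f.check_id} ({f.title}): PASS -> FAIL")
    for f in d["improvements"]:
        lines.append(f"IMPROVEMENT: {f.check_id} ({f.title}): FAIL -> PASS")
    for f in d["new"]:
        lines.append(f"NEW: {f.check_id} ({f.title}): {f.status}")
    lines.append(f"Grade: {old_grade} -> {new_grade} ({grade_delta(old_grade, new_grade):+d})")
    lines.append(f"Drift score: {drift_score(baseline, current):+d}")
    return lines


# Constructed sample runs. HYP-TLS-001 and HYP-ACC-001 are hypothetical filler
# checks so the weighted total is not dominated by a single finding.
BASELINE = [
    Finding("CFL-WAF-001", "WAF Security Level", "high", "PASS"),
    Finding("CFL-DNS-001", "DNSSEC Enablement", "high", "FAIL"),
    Finding("HYP-TLS-001", "Hypothetical TLS check", "medium", "PASS"),
    Finding("HYP-ACC-001", "Hypothetical access check", "low", "PASS"),
]

# Scenario 1: a deployment disables WAF on a zone (regression only).
AFTER_DEPLOY = [
    Finding("CFL-WAF-001", "WAF Security Level", "high", "FAIL"),
    Finding("CFL-DNS-001", "DNSSEC Enablement", "high", "FAIL"),
    Finding("HYP-TLS-001", "Hypothetical TLS check", "medium", "PASS"),
    Finding("HYP-ACC-001", "Hypothetical access check", "low", "PASS"),
]

# Scenario 2 and 3 together: DNSSEC enabled, a new AI Gateway check appears
# (and fails), WAF still disabled.
AFTER_HARDENING = [
    Finding("CFL-WAF-001", "WAF Security Level", "high", "FAIL"),
    Finding("CFL-DNS-001", "DNSSEC Enablement", "high", "PASS"),
    Finding("HYP-TLS-001", "Hypothetical TLS check", "medium", "PASS"),
    Finding("HYP-ACC-001", "Hypothetical access check", "low", "PASS"),
    Finding("CFL-AIGW-001", "AI Gateway Configuration", "medium", "FAIL"),
]

if __name__ == "__main__":
    for line in render_diff(BASELINE, AFTER_HARDENING, "C", "B"):
        print(line)
```

With these weights the shared total is 19, so the single high-severity WAF regression scores -37 against the baseline, and the later run nets to 0 because the DNSSEC improvement and the WAF regression carry the same weight while the new AI Gateway check is listed but not scored.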