One config changed. Nobody noticed.
Jun 29, 2026
Elite midfield pressing works on a simple principle: you disrupt the play at the point of change, not after the striker is through on goal. The earlier you read the pass, the less ground you have to cover. The later you read it, the more it costs.
Change detection works the same way. And most security tools are still trying to make the tackle in the box.
Where the gap actually opens
A registry value flips on a domain controller at 2:14 AM. A file in /etc/ssh/sshd_config gets a single line appended. A firewall ACL on a switch in a regional office picks up a new permit rule. None of these trip a SIEM alert. None of them break anything. None of them show up on a vulnerability scan, because the scanner ran yesterday and won't run again until next week.
The gap is open. The attacker reads it before you do, because they're looking for exactly that, the small deviation, the unlogged modification, the drift nobody owns.
This is why file integrity monitoring as an afterthought doesn't work. Pulling event logs and grepping for 4663 is the equivalent of watching the match on a delay. You're not pressing. You're reacting. The deviation has to be detected at the I/O layer, the moment it happens, against a baseline you actually trust.
The press, at the kernel
The Gen 7 Agent on Windows registers a minifilter driver with the Filter Manager at altitude 388790. Every file I/O operation (create, write, delete, rename, attribute change) passes through the filter stack, and the driver logs the events that match the tracking template into a memory buffer. The agent polls the buffer every 100 milliseconds. No file locks. No I/O modification. No reboot to enable it.
That's the press. You're not waiting for a log to flush. You're not polling the filesystem on a five-minute interval and hoping nothing happened in between. You're hooked into the I/O path itself, reading every touch in real time, comparing it against the shape you defined.
On Linux, the Gen 7 Agent uses Sysdig to capture the same depth: file integrity changes and the user identity behind them. Who made the change, not just what changed. Because "someone modified /etc/pam.d/sshd" is half an alert. "Service account svc-backup modified /etc/pam.d/sshd at 02:14 from a session outside the maintenance window" is a decision.
Agentless coverage handles the rest. Network devices over SSH. Windows hosts via remote registry on port 445. Linux and Unix through shell. ESXi and vCenter through PowerCLI. Cloud platforms through provider APIs. One baseline across the whole back line, not nine different tools watching nine different positions.
Closing the loop
Real-time detection without context is a midfielder who fouls every player who runs past. Twenty minutes in, you're down to ten and the bench is yelling.
Most changes in any real environment are legitimate. Patching happens. Admins do admin things. Scheduled jobs touch files. A FIM tool that lights up on every one of those is noise, and noise gets ignored, and ignored is worse than nothing — now you have a tool and a false sense of coverage.
Change Tracker reconciles every detected change against what was supposed to happen. The Sync Service pulls approved change requests from ServiceNow, BMC Remedy, Cherwell, ManageEngine, ChangeGear, OpenText SMAX, and Samanage. Each RFC becomes a Planned Change with a scheduled window, a configuration item, and, on ServiceNow, the AssignedTo field, so events can be matched on who should have made the change, not just when. Detected events get assessed against the planned change ruleset and classified.
Planned. Acknowledged. Filtered.
Unplanned. Surfaced. Investigated.
That's the closed loop. Knowing which runs are decoys and which ones are the actual threat, and only committing to the ones that matter.
When there's no ticket, when the change has no matching RFC and no recorded justification, Change Tracker can raise the incident back into ServiceNow automatically, routed to the owner of the configuration item. The unauthorized change generates the work item that resolves it. The press doesn't just win the ball. It starts the counter.
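The reconciliation loop described above, written out as an added example (this is illustrative code, not Change Tracker's own): each approved RFC carries a configuration item, a window and an assigned actor, and every detected event is matched against that ruleset and classified as planned (filtered) or unplanned (surfaced, with the closest mismatch as the reason). The RFC id, hostnames, paths and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class PlannedChange:          # one approved RFC pulled from the ITSM system
    rfc: str
    config_item: str          # host the RFC is approved for
    assigned_to: str          # expected actor, "" if the RFC names nobody
    window_start: datetime
    window_end: datetime

@dataclass(frozen=True)
class ChangeEvent:            # one change detected by the agent
    host: str
    path: str
    user: str
    when: datetime

def reconcile(event: ChangeEvent, planned: list[PlannedChange]) -> tuple[str, str]:
    """Return ("planned", rfc) if an RFC covers host, window and actor,
    else ("unplanned", reason) naming the closest mismatch for the analyst."""
    reason = f"no RFC for configuration item {event.host}"
    for p in planned:
        if p.config_item != event.host:
            continue
        if not (p.window_start <= event.when <= p.window_end):
            reason = f"{p.rfc}: change at {event.when:%Y-%m-%d %H:%M} is outside the window"
            continue
        if p.assigned_to and p.assigned_to != event.user:
            reason = f"{p.rfc}: expected {p.assigned_to}, actor was {event.user}"
            continue
        return ("planned", p.rfc)
    return ("unplanned", reason)

def triage(events, planned):
    """Split events into filtered (planned) and surfaced (unplanned) lists."""
    filtered, surfaced = [], []
    for e in events:
        verdict, detail = reconcile(e, planned)
        (filtered if verdict == "planned" else surfaced).append((e, detail))
    return filtered, surfaced

# Constructed sample data: one RFC with a 22:00-23:00 maintenance window, three events.
PLANNED = [PlannedChange("CHG0041", "lnx-app01", "svc-backup",
                         datetime(2026, 6, 28, 22, 0), datetime(2026, 6, 28, 23, 0))]
EVENTS = [
    ChangeEvent("lnx-app01", "/etc/ssh/sshd_config", "svc-backup", datetime(2026, 6, 28, 22, 17)),
    ChangeEvent("lnx-app01", "/etc/pam.d/sshd", "svc-backup", datetime(2026, 6, 29, 2, 14)),
    ChangeEvent("dc01", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "admin", datetime(2026, 6, 29, 2, 14)),
]
```

The second event is the page's own case: right actor, right host, wrong time, so it is surfaced with the window mismatch rather than silently filtered.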
The baseline is the formation
A back four without a shape is four guys standing on a field. Detection without a baseline is the same thing. You can't surface deviation if you haven't defined normal.
The Baseline Configuration feature treats this the way a coach treats a tactical setup. Pick a source device: your gold image, your hardened reference build. Capture its state. File integrity. Installed software. Running processes. Services and their states. Local accounts. Open ports. Registry keys on Windows. The baseline becomes the formation, and every other device in the group is measured against it. Drift shows up as exception. Exceptions get reviewed. Approved drift gets promoted to the baseline. Unapproved drift gets remediated.
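The baseline-as-formation workflow above, as an added example (illustrative code, not the product's own): capture a gold image's state, compute drift for every other device, then run the review step where approved exceptions are promoted into the baseline and everything else is handed back for remediation. The snapshot covers file hashes, service states, listening ports and local accounts; the file contents, hostnames and port values are constructed sample data.

```python
import hashlib
def snapshot(files: dict[str, bytes], services: dict[str, str],
             ports: set[int], accounts: set[str]) -> dict:
    """Capture one device's state: file hashes, service states, listening
    ports, local accounts (registry keys would be one more mapping like files)."""
    return {"files": {p: hashlib.sha256(b).hexdigest() for p, b in files.items()},
            "services": dict(services), "ports": set(ports), "accounts": set(accounts)}

def drift(baseline: dict, current: dict) -> list[tuple]:
    """Return every (category, item, kind) where current deviates from baseline."""
    out = []
    for cat in ("files", "services"):            # keyed items: compare values too
        b, c = baseline[cat], current[cat]
        for k in sorted(set(b) | set(c)):
            if k not in c:
                out.append((cat, k, "removed"))
            elif k not in b:
                out.append((cat, k, "added"))
            elif b[k] != c[k]:
                out.append((cat, k, "modified"))
    for cat in ("ports", "accounts"):            # set items: presence only
        b, c = baseline[cat], current[cat]
        out += [(cat, x, "added") for x in sorted(c - b)]
        out += [(cat, x, "removed") for x in sorted(b - c)]
    return out

def review(baseline: dict, current: dict, approved: set[tuple]) -> tuple[dict, list]:
    """Review loop: approved (category, item) exceptions are promoted into a new
    baseline; everything else is returned as unapproved drift to remediate."""
    promoted = {k: (dict(v) if isinstance(v, dict) else set(v)) for k, v in baseline.items()}
    remediate = []
    for cat, item, kind in drift(baseline, current):
        if (cat, item) not in approved:
            remediate.append((cat, item, kind))
        elif isinstance(promoted[cat], dict):
            if kind == "removed":
                del promoted[cat][item]
            else:
                promoted[cat][item] = current[cat][item]
        elif kind == "removed":
            promoted[cat].discard(item)
        else:
            promoted[cat].add(item)
    return promoted, remediate

# Constructed sample: a gold-image baseline and one host that has drifted from it.
GOLD = snapshot({"/etc/ssh/sshd_config": b"PermitRootLogin no\n"}, {"sshd": "running", "cups": "stopped"},
                {22}, {"root", "svc-backup"})
HOST = snapshot({"/etc/ssh/sshd_config": b"PermitRootLogin no\nAllowTcpForwarding yes\n"},
                {"sshd": "running", "cups": "running"}, {22, 8443}, {"root", "svc-backup", "tmpadmin"})
APPROVED = {("files", "/etc/ssh/sshd_config")}        # reviewed and accepted against its RFC
```

After review, the promoted baseline no longer flags the approved sshd_config change, while the unreviewed service, port and account deviations remain open until remediated.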
This is what NERC CIP-010-4 and 5 want when they talk about authorized baseline configurations and 35-day change monitoring. It's what PCI DSS Requirement 11.5 wants when it talks about change detection mechanisms. It's what CIS Control 4 wants when it talks about secure configuration of enterprise assets. The frameworks all describe the same thing in different words: define the shape, hold the shape, surface the deviation. Change Tracker is built around that exact loop, with 250+ prebuilt compliance reports mapping the baseline to whichever framework the auditor is going to ask about in March.
Nothing moves without a record
The dashboard is green. Tickets are manageable. The team is comfortable.
That's the most dangerous moment in the match.
Somewhere in your environment, something just changed. The question isn't whether your tools eventually noticed. The question is how many passes the attacker completed between the moment the gap opened and the moment your detection actually fired.
Press earlier. Read the play at the point of change. Define the shape, hold the shape, and make sure nothing moves without a record.
That's the job. That's the standard. That's how you defend what's yours.
About the author
Dan Piazza
Product Owner
Dan Piazza is a Technical Product Manager at Netwrix, responsible for PAM, file systems auditing and sensitive data auditing solutions. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, automation, and code. Prior to his current role he worked as a Product Manager and Systems Engineer for a data storage software company, managing and implementing both software and hardware B2B solutions.