What is Drift
Drift compares current signal behavior to a baseline Persona built from historical observation. When values, relationships, or rhythms move beyond expected bounds, TOTAL surfaces drift highlights and detailed signal views so you can validate whether change is benign (new role, travel, tooling) or threat-related.Drift Highlights
Drift Highlights show human-readable before / after summaries for the strongest deviations—often with attribute-level detail so you can see what changed without opening every chart.
Types of Drift
Collaboration Topology Shift
Changes in who the identity works with, how resources are shared, and how collaboration graphs evolve—surfaced as cards with before/after attributes when the model detects a structural shift.Behavioral Pattern Shift
Broader changes in routine, tool usage, or work rhythm that do not map cleanly to a single category but still depart from the baseline (often visible across multiple signals in All Signals).New Login Locations
Geographic or logical origin of authentication expands in ways that are new relative to baseline (for example, additional cities or regions appearing alongside prior anchors).Auth Frequency Spike
Authentication or session-related activity accelerates compared to the learned cadence—useful for catching automation, shared credentials, or compromise-driven repetition. Other dimensions (sentiment, email patterns, passwordless metrics, peer Jaccard similarity, etc.) contribute to drift scoring as configured in your tenant.Drift from Base Persona vs Drift from Cluster
TOTAL measures two related notions:- Drift from base Persona: deviation from this identity’s own historical profile.
- Drift from Cluster: deviation from the like-cyber-minded cohort this Persona belongs to (see Clusters)
- Drift from Cluster: deviation from the like-cyber-minded cohort this Persona belongs to (see Clusters)