How drift works

Drift answers the question that matters most day to day: what changed since the last run? Not a score that wiggles — the actual tests that started failing, started passing, appeared, or disappeared.

What gets compared

Every parsed run stores one row per test. A drift comparison takes two runs of the same report family (Maester with Maester, Zero Trust with Zero Trust — diffing across families would be all noise) from the same tenant, and matches tests by their stable id (case-insensitively). By default the portal compares the newest run that has an older same-family run to compare against — so one fresh Zero Trust run never hides the drift available between your two latest Maester runs.

The categories

Category	Rule
Regressions	The result changed to `Failed`, `Error`, or `Investigate`. Investigate counts as failing on purpose — it's Maester asking a human to look, which is exactly what a drift report is for.
Fixed	The result changed to `Passed`.
Added	The test exists only in the newer run (new Maester version, new checks enabled).
Removed	The test exists only in the older run.
Other changes	Movement between non-failing states (e.g. `Skipped` → `NotRun`) — visible, but never dressed up as a regression.

Posture

The posture number you see everywhere is passed ÷ (passed + failed), where errors count as failures. Skipped and not-run tests don't inflate it. The trend charts plot this per run — real history, not an illustration.

Zero Trust specifics

Zero Trust Assessment results map onto the same model: the recommendation risk becomes severity, the pillar becomes the grouping (and drives the product), and the Planned state is bucketed with skipped — so a recommendation moving Planned → Failed is a regression, but sitting at Planned isn't noise in every report.

Where you see it

The Overview shows the headline ("2 regressions") with the top offenders.
The Changes page is the full diff with severity and product on every row, plus the raw report link.
Drift emails bring regressions to your inbox.